Sovereign Technology - What technology your country really should manage itself
In CAD, we believe that autonomy is an important characteristic to have in your digital life. This applies not only for individuals, but also for groups of people, and even nation states. When talking about digital autonomy at the level of a country, we can talk about sovereignty. This word itself is closely connected to what it means to be a country. Most countries take it as a serious concept when it comes to their financial system, their trade and their borders. But when it comes to technology, we don’t see the same kind of concern. Most countries patrol their own borders with people that are direct employees of the government. They have a central bank that is part of the government. They don’t allow a private company to be in charge of the currency of the land. But why is it that when it comes to digital infrastructure, many countries do exactly that - give over control to other countries or private companies?
In this article, we would like to explore some concerns around digital sovereignty, and why we believe any country should handle this topic very carefully. We will give some recommendations on how we believe that governments should implement autonomy, both to protect their country and their citizens.
First, let’s talk about something that is fundamental, both in itself, but also as a prerequisite for many of the other points. This is the question of software and its openness. Many governments pay private companies to develop software for running parts of the government. That is not necessarily a problem - it’s clear that not all governments have the budget for doing all software development themselves. But the real problem is when the software built in this way is not available to the citizens. First, the software is paid for by taxes, and should rightly be available for anyone in the country. Another issue is security. Propietary software cannot be inspected by citizens to see that things are actually done in a secure way. It also means that it is possible this software has unacceptably low quality, and there exists no way of holding the parties accountable. Government needs transparency to function. Just saying “trust us” is not enough, especially not when procurement processes are full of corruption of all kinds. For these reasons, we believe that all government software has to be released under free software licenses.
There also exists other practical reasons why free software works better for the public sector. In general, software built by private entities - no matter if they are from the same country or from another one, can easily become hard to maintain. If the company goes away - or gets to expensive - it might be very hard to make changes to propietary software. And in fact, in some cases, the government might not even be the owner of the software. So what do you do if you depend on that software, but the company that wrote it is gone? With free software, this is less likely to happen - if the quality is good enough, you will be able to find someone to work on it, and the ownership is not even a question.
This brings us to the question of using private services, or services that are hosted or controlled by other countries. For example, take presidential speeches to the nation, being broadcast using Facebook. Or, judicial proceedings using Zoom to be make them public. Or public employees using Gmail or Yahoo for their communication. Or for that matter, officals using WhatsApp as an official medium of communication.
There are several problems with this approach. First is one of accessibility. In some cases, not everyone will have the accounts necessary to use these services, and requiring citizens to register themselves for a service in a foreign country in order to access content that by law should be publicly accessible seems problematic. Related to this is the fact that most of these companies have terms and conditions that give the rights both of content, but also of any visitors to the company. Is it really correct that in order to watch a public trial, you have to agree to the conditions of Zoom, which enables Zoom to use your personal information for whatever purpose they like? Yet, governments force their citizens to do this. In some cases, it’s unclear if this is even compatible with norms and regulations. What’s worse is that most of these services are not in the same country, meaning that the data is exposed to the legislation of another country. So, if someone wants to make a legal challenge, they might not even be able to do it in the same country.
On top of these problems, companies such as YouTube, Facebook or Zoom have complete rights to deny transmissions or other content if they feel like it. This has happened with Zoom, for example, where groups have been censored based on political beliefs. What happens if a government official gives a speech about the need for anti-monopoly legislation for technical platforms like YouTube? Will YouTube allow the content? We don’t know. And that gives a company in another country the power over what a government official can say. On top of all these issues, many of the main social networks and platforms are built such that using them in a website leaks information about visitors to these companies. Does it make sense that a citizen looking for government information will have their privacy violated because the government decided to embed a video in the website? This happens right now, all over the world.
Related to this issue comes the question of so called “cloud services”, which are most often used for hosting applications of various kinds. However, most clouds are based in the United States, meaning that these applications are under the control of another legislation, and a private company. Most of these government applications will handle personal data about citizens, which means that this data has to be exported to another country.
Finally, another issue comes with the services that are commonly used, but not necessarily well understood. Many governments use tools such as Google Docs or Office 365. Many people use Google Translate. But how many people have reviewed the terms and conditions for these services? If you compose something in Google Docs, do you still own it? If a government official writes sensitive information in such a document, in what ways can it leak? Can it be used for training AI? It’s really not clear.
Sadly, terms and conditions can also change. This happened with Zoom a few weeks before the writing of this article. And when that happens, you really don’t have a choice. Most of the time, you will be a prisoner to the tools you are currently using. It’s better to avoid this dependence in the first place.
The truth is that for a country to really be sovereign, the digital services that are used by the government have to be owned by the government itself. Anything else gives too much power to other actors, and is fundamentally anti-democratic. That includes both applications and hosting services.
Most countries have data protection laws for the purpose of protecting against these kinds of problems. However, in many cases, the laws are toothless and filled with exceptions - especially for the public sector - which means that it becomes easy to circumvent the protection laws in order to host services in other countries.
So what needs to happen for a country to really have digital sovereignty? First, free software for everything. Second, it is necessary to own the services necessary for the government to function. In practice, it is a good idea for each government to have a cross ministry executive council, which contain people from civil society, industry and academia, who can help with oversight and recommendations for how to manage digital services. This includes people that can give advice on security incidents as well. In order for all of this to work, the government also needs to encourage local companies to build the knowledge the country will need. In this time of transition, it’s useful for the government to also support local companies with advice on security and other software needs.
All of this is not necessarily easy, but it is necessary. In the modern world, everything is connected. But every country needs to take back control of their digital infrastructure, so that at least they can provide the services a country needs to their citizens. This is rapidly becoming a crucial issue of digital rights in many parts of the world.