New blogpost:

"Musings on 'digital sovereignty'"

I wanted to jot down some of my thoughts, before I forgot them.

The more I think about it, the less clear the whole thing seems...

https://neilzone.co.uk/2026/03/musings-on-digital-sovereignty/

#DigitalSovereignty #FOSS #SelfHosting


@neil there’s a fair bit of nationalist and libertarian nonsense about it.
@Colman Yes, I do wonder that.
@neil I think of digital sovereignty in terms of autonomy as opposed to subservience/victimhood/exploitation. So sovereignty need not have a geographical aspect but one of rights and consent - using those tech resources & providers that are relatively more respectful of one's autonomy regardless of whether they are paid for or not. Viewed from this standpoint it allows choice by the vast majority of users who are not in a position to develop/host their own tech. Sovereignty means using tech, not being used by it.

@annehargreaves @neil Very good. Exploitation & consent may cover much of it in practice but I'd add one factor very explicitly because most have now encountered it

Freedom from potential imposition of unilateral changes in terms and conditions.

I say potential because even harmless but non transparent changes are undesirable.

My Brother laser printer yesterday:

New firmware found: Install Y/N?

Nothing about it online. Consent without disclosure is an oxymoron.

@samueljohnson @neil ha, yes. Respect for consumer!

@annehargreaves @neil Agree. Sovereignty might not be well defined or even be a misnomer, but oh boy digital coercion is as real as it gets, so no matter the term, ecology, sovereignty, dignity, transparency, the concept is still useful in a "traffic sign" way.

Edited to add: Or, as @Lana says right now, "voting DOES matter", here too: https://beige.party/@Lana/116254827240884565


@neil

I just listened to this episode last night and it is directly related to questions asked in your blog post

https://trashfuturepodcast.podbean.com/e/unlocked-scaffold-to-heaven/


@neil Interesting thoughts. Friends are almost finished moving a legal office to a self-hosted FOSS setup. Sovereign enough for the owners. And of course software comes from all over the world, but nothing requires external US services.

@Szescstopni

> Friends are almost finished moving a legal office to a self-hosted FOSS setup

I hope that they blog about it!

@neil They will. This is a matter of days. I started talking to my legal friends, and some have expressed some interest too.

@neil For me as an individual the most important part is having a reasonable assurance that I'll never wake up and find someone else has turned all my stuff off overnight, and strategies if it ever did happen.

Your blog has the example if GitHub (either of their own volition or being ordered to) stopped sharing certain code - that would be a huge pain, but code still exists, through the distributed nature of git, and I could rehost elsewhere.

Contrast this with a major email provider turning off my access - far more difficult to recover from if I didn't sync mail offline, copy my address book, and have an alternate recovery account for every single service I use.

@LonM @neil As you say, you can easily host code somewhere else if GitHub cancels access. But that doesn't extend to the issue tracker, wiki pages, or security advisories that many projects also use, nor potentially the GitHub actions setup for CI and testing.
@derickr @neil This is very true. My current job centralises pretty much everything on github, and that always makes me a bit nervous thinking about it
@neil lately I've been saying "landlord free" and/or "cage free" as a visceral way to express sovereignty and decentralization.

@neil domestic suppliers pulling the rug from under you is indeed a risk. We have had that with various things in the past and had to work around. Usually some level of notice.

A scary thing would be political action and when that can be on a whim of a foreign dictator and effectively happen over night. I think that makes the risk management harder as no local laws protect you from that and you have no real recourse.

@revk @neil the "political whim of a dictator" is, remarkably, why I'm shifting what I can away from US hosting.
@neil For an individual I don't think the concept makes sense - you are dependent on others; for a large country (-group), you can choose enough software with support in that country (-group).
Maybe digital Sovereignty was to some degree xenophobic; but once the country has pulled the plug on people for no good reason, it's a real worry not just a fear.
Relying on _one_ external country is dangerous - be that the US or China or wherever.
The same is true of relying on _one_ local provider!

@neil you're right that #OpenSource depends on a huge community of individuals (and some corporate entities) cooperating together in what is the world's largest #GiftEconomy.

But I think there is a huge difference to being beholden to and dependent on thousands of our own peers — ordinary people of good will who choose to share — than on one corporation whose sole purpose is to extract as much profit from us as they can wring.

Good, but... it sounds uncomfortably like the tired old argument techbros bring up again and again, along the lines of "You can't read every line of open source you haven't done an audit of every single line of open source of every dependency and predicted every possible program state, therefore it's just as bad as closed source!"

To put it simply, security is not a boolean. Maybe you can't be sure that someone didn't sneak something malicious into open source somewhere, but you can sure as hell assume that someone did if the source isn't open. When you use binary distros, you're trusting that the distro compiled from the source they claim, but you're not trusting the original writer of the software with absolutely everything. And it's not illegal to reverse engineer open source software.

So yeah you'll rely on others. You just won't be at the whims of some crummy scam artist nearly as totally as if you use SaaSS.
Who Does That Server Really Serve? - GNU Project - Free Software Foundation

@neil This feels like similar themes to the Ken Thompson “Trusting Trust” lecture, but on the network and services side.

It's a big internet, and as an individual (or even a large corporation) you only have a very limited reach. Ultimately you have to trust someone, so it really comes down to who do you trust, and who do they trust?

Your self-hosted e-mail system doesn’t do you much good if your ISP goes away, and who are they trusting? Huawei? Cisco? What about the next hop? And the question is essentially fractal; the problem looks very similar at every scale from individual to company to country to all of Europe.

@neil i've written some pieces about this in norwegian, from the perspective of a state's digital sovereignty and free software as a component to contribute to more digital sovereignty, i.e. more own control -- and less of others' control -- on the state's digital infra. and that is a spectrum.

the entire country of norway runs on #microslop, and a lot runs in the "cloud", so there's a lot to do.

but costs and knowledge and costs to obtain and maintain knowledge are there.

@km @neil given Norway's recent advertisement campaign against enshittification, do you think its dependency on microslop may be changing?
@wombatpandaa @neil maybe not replacing #microslop entirely, but introducing some more diversity. i often hear people discussing e.g. #nextcloud. so there's hope
@km Hi - I'd be interested to read those. Are they on your Mastodon account, somewhere? :) @neil

@arafel @neil the published ones were in computerworld, re-published on my firm's web site:

https://foyen.no/aktuelt/fri-programvare-for-digital-beredskap/

https://foyen.no/aktuelt/digital-beredskap-fri-programvare-gir-kontroll/

a third one should be out soon-ish

@km Thanks :) My Norwegian's rusty but between that and some translation software I'm sure I'll get somewhere. @neil
@neil Your points are totally fair, I think.
But I'd like to point out that you're "infinitely more" sovereign than any usual person or entity that relies on SaaS products.
Because while you rely on other people's work, that work had already been done. And if perchance Internet disappeared, your systems air-gapped or else, you'd still be able to exist quite fine. You don't need a huge staff of your ISP, Cloudflare, Amazon, Microsoft and so on to support you. Given the need you can even develop the software you use further all by yourself or in a small group of enthusiasts.
@chesheer Yes - definitely "better", but also definitely reliant on others!
@neil As I see it, there are a number of dimensions to this topic, and I think it’s valuable to consider which dimensions one cares about, and where solutions lie in each dimension. And this will vary greatly depending on the individual, company, or nation state.
- Data sovereignty. Where does the data reside, who has access to it, and who could delete, surreptitiously modify, or deny access to it? Edit: Also, how portable is the data and its format?
1/
@neil
- Commoditisation of services. If renting a service, how much control does the operator have, versus customer/user freedom? How difficult is it to move to a competing service? Can I spread my risk by sourcing from multiple vendors simultaneously?
- Origin of the actual software, & where it runs. This is the one you mostly touch on in your post. I’ll specifically point out transparency: it can be valuable to be able to inspect and audit the function of software.
2/3
@neil By the sound of it, your own setup already scores pretty "sovereign" on all dimensions, but the vast majority of people & orgs are beholden to big tech in most regards.
Personally, I’m in pretty good shape in terms of data, which is the aspect I care most about. I have some data in the “cloud” for convenience or redundancy, but I also have everything offline.
For the software itself, my fussiness varies depending on purpose and sensitivity of the data it touches.
@neil Microsoft et al depend on a "divide and conquer" model. For any single entity it is generally easier and cheaper to use their product than spend time and money replicating its functionality with OSS. However, if a significant portion of the money going to them would get redirected to funding OSS then this equation would soon stop working in their favor.

@neil from an EUC perspective, look at it like France's would. This is not about being fully independent. This is about reducing dependency so that you can be less impacted if someone you depend on goes bonkers.

Look at the ICC sanction situation to understand where they come from.

They don't care about geographic borders. They care about outcome. Like. We all depend on the US not blocking the use of package registry. We could set up a new one ofc, not that hard. But we would be vulnerable in the meantime and it would inflict significant cost.

Also note. Commercial software, even european, is still mostly made of FOSS. So the EUC sees it as a massively strategic thing to ensure that the FOSS can keep flowing.

@neil the whole "replace microsoft" discussion is sadly missing the forest from the tree. It matters, kinda, but it is a few decades late. Software changed since then

Language package managers are more like rare earth production.

@neil on cost, i have two pieces and more to come, but mostly... I think it would be cheaper than we think to massively reduce risks and threat over the whole thing

https://www.softwaremaxims.com/blog/hobbyist-gravity-well

https://www.softwaremaxims.com/blog/how-foss-won-consequences


@neil i hint at solutions there, but I am still trying to put it into nice words that make sense to policymakers.

https://www.softwaremaxims.com/blog/memory-safety-end-history


@neil

Nice article, I think your definition is fair. So I will try and comment further, I think trying to reduce reliance is the end game, or at least reliance on big tech companies. So I am using LinuxMint, firefox, LibreOffice etc but also using Overleaf (LaTeX) which is via a website. Data / projects is saved in their cloud, which makes it easier to access from any device that can access the internet.

With regard to geographic borders, I think in the case of the EU they want solutions that keep everything within the EU Law jurisdiction, esp around the GDPR, so data on EU citizens stays under their control.

I don't think we can be fully sovereign, programs will have updates esp around security, so we then rely on the people writing the software to id problems and implement / distribute patches, as we have seen with Microsoft, even they get it wrong and an update can cause real issues (that is just an example,) and Microsoft also rely on 3rd parties who control other infrastructure.

@neil

2/2

This can impact anyone, if cloudflare (or what ever they are called) goes down, so do any connected services.

When we look at cost of free software, we should remember the free means freedom; it still costs money to install and run the software, or it costs YOU time and effort to set up and learn how to use it.

No such thing as free as in cost.

So it means different things to different people and it is important to critically think your situation when trying to move towards digital sovereignty, even being here you are at the mercy of admins keeping an instance open, they could be at the mercy of their employment (salary helps pay for hosting). Even if you then self host, you have costs.

@neil your blog is mostly about individuals but I've only really heard 'digital sovereignty' in the context of states, e.g. "France" or "The EU". It makes a lot more sense in that context. We are, to some extent, dependent on US law (and executive power) when we depend on US technology. Our government gives up some degree of sovereignty when it hands govt IT contracts to Microsoft or Palantir, because some element of US law and executive power extends beyond its borders.
@vksxypants I think that most, if not all, of my points apply to governments as well as individuals?
@neil I agree but I think they're weaker with respect to govts, because governments already assess the risk of dependency on foreign states in this way. Military technology is the most obvious, but in the civilian sphere, we also got quite exercised over 5G infrastructure supplied by Huawei. In the past, a US provider of 5G infrastructure would have been seen automatically as "safe", as it would be unthinkable for the US to be considered an adversary in the way that China is. Now though...
@neil I think it makes sense for govts to extend the same thinking from physical infrastructure to digital infrastructure, to reassess the US as a provider of infrastructure, and to frame that as "digital sovereignty" or "cost savings" for political reasons. The substantial question, as always, is *who* do we pool sovereignty with - because, as you identify, it's impossible to entirely "go it alone". Govts are just reassessing the "who", and putting the US increasingly in the "not them" bucket.
@neil for the individual I think "sovereignty" in the narrow definition you make at the start is entirely sufficient.
@neil On the one hand, I think the terminology is fraught, because what the people saying "digital sovereignty" often mean is "not relying on for-profit companies whose interests might not align with one's own." On the other, the reason why state borders are part of the discussion is because the interests of the largest tech companies in the world are linked to the fascist US gov's, now overtly, and they do not align with other countries' sovereignty.

@neil

"I imagine that, in reality, “digital sovereignty” would be a remarkably expensive undertaking. Perhaps more expensive than buying commodity services from overseas third parties."

For business, yes maybe.

For the public sector, I suspect it's only expensive from a purchasing perspective. Yes, MS employ quite a few people in the UK, but a chunk of the £9Bn UKGov just signed will go direct to Ireland/tax havens. That £9Bn spent with Collabora/Canonical/etc would employ Brits, develop/support a UK skillbase AND mostly circulate back to HMRC eventually.

IIRC there was a report last year that EU industry sends ~€100/mo/worker to the US in software licensing... It's not just that the money could be spent domestically... by leaving the country, it doesn't loop back as tax revenue.

In that respect, "cheap" overseas vendors are only cheap on the price tag - they're expensive both socially and economically, but procurement doesn't seem to account for that monetary cycle.

@neil A combination of reducing reliance where possible (rather than removing all reliance, which is impossible) and choosing not to financially support dodgy governments through tax paid on purchases and subscriptions feels right for me.

I know that withdrawing my financial support is a drop in the ocean, but so is saving a spider rather than killing it. It's more about what the action means to who I am as a person than the ultimate impact of the action.

@neil FWIW in my day job I have identified 9 different models of 'digital sovereignty' for governments (of which only one is properly called that). There may be a preprint ready in due course.

But for an example of a government switching to the state-level version of self-hosting, there is France (https://lasuite.numerique.gouv.fr/en). Schleswig-Holstein, the Austrian Army and one Danish Ministry (https://www.windowscentral.com/software-apps/windows-11/its-the-year-of-linux-at-least-for-denmark-heres-why-the-countrys-government-is-dumping-windows-and-office-365) have ditched MSOffice for LibreOffice. (1/2)


@neil A common pattern in these European civil service examples is that they seem to struggle with the move from Windows to Linux. That may be easier done through regular end-user hardware updates.