Digital Sovereignty and Open Source

Jyotiprasad Rath heads the Open Source Program Office (OSPO) at Societe Generale’s Global Solution Centre. The mission of OSPO is to drive the ‘Open Source First’ philosophy across the Group. Jyoti has around 18 years of experience in the Information Technology & Financial Services industry, having helmed multiple leadership roles within technology functions. In this blog post, he discusses how all roads lead to open source as one of the most preferred solutions to reclaim digital sovereignty.

“A supreme authority, marked by the ability to make decision without the consent of any other.” – ‘Sovereignty’ as per French philosopher Jean Bodin

Though sovereignty originally referred to a political state of being, it’s overwhelming digital pertinence in today’s technological world is paramount. Of the numerous interpretations of digital sovereignty, the one which sums up the concept aptly is

Ability and opportunity of individuals and institutions to execute their role(s) in the digital world independently, intentionally and safely.”  – Competence Centre for Public IT, Germany

Recently, the context of digital sovereignty has been critical in Europe which led to the General Data Protection Regulation (GDPR) and the US-EU Privacy Shield framework. Nevertheless, the topic still looms large with open questions on data security, cloud and software usage, to name a few.

Open source adoption: public organisations take the lead

When it comes to software usage, public organisations are at the forefront as they keep looking for efficient and effective ways to deliver quality technological services, while being obliged to shareholders, investors or taxpayers for keeping costs under check.

However, the tipping point in costs is not the only factor. The important aspects driving organisations’ move away from use of proprietary software include:

  • Dependency on a limited set of providers, vendor lock-in
  • Inability to share and collaborate openly
  • Lack of access to source code
  • No control over product evolution/innovation

Be it the MAlt (Microsoft Alternatives) project of CERN (2018), official recommendation of French Economic, Social and Environmental Council (ESEC) ‘towards an European digital sovereignty policy (2019)’ or the most recent study ‘Dependence on individual software vendors – strategic market analysis’ by PwC Strategy and (Germany) GmbH conducted on behalf of the Federal Ministry of the Interior, Building and Community, Germany  – all roads lead to open source as one of the most preferred solutions to reclaim digital sovereignty.

The French Gendarmerie, Europe’s largest example of a public administration using open source on workstations, believes that “The direct benefits of saving on licenses are the tip of the iceberg. An industrialised open source workplace is a powerful lever for IT governance.” The French national police force had migrated 90% of its inventory to Ubuntu in 2019.

Similarly, Barcelona’s strategy has been to replace all user applications with open-source alternatives, and as a final step, the operating system to be replaced with Linux, the first municipality to have joined the European campaign ‘Public Money, Public Code‘ (legislation requiring publicly financed software developed for the public sector be made publicly available under a free and open source software license).

In Italy, it has been made a law that public administrations should preferentially acquire open source software and must publish all developed software in open source through:

  • Comparative assessment before acquiring new software, which will favour open source solutions (including those reused by other administrations)
  • Justification for development of new software and the purchase of proprietary software licenses 
  • Availability of all software developed in a publicly accessible repository and included in the Developers Italia catalogue

Germany, at the same time has a strong open source approach to exercise digital sovereignty in the federal state of Schleswig-Holstein, free state of Thuringia, city municipality of Bremen, Dortmund, administration of Munich (after a few flip-flop decisions), German Federal Office for Information Security (BSI) and most recently Hamburg.

Apart from these,  from Rome to the Federal Supreme Court of Switzerland to Austria Ministry of Justice to Jordan Information Ministry, Government of Peru, Government of Venezuela and many more such as Malaysia, Kerala (India), Ecuador (the list is endless) – all of them have taken a strong stand on adoption of open source as their right to exercise digital sovereignty in order to protect their costs, data security, innovation and taxpayers’ interest.

Recommendations only, not actions?

All these initiatives represent an important milestone of the journey towards a more transparent and open public sector. But it’s important to point out that many of them (excluding laws and other binding legal acts) are still in the form of recommendations.

Non-binding acts, such as recommendations, allow institutions to make their views known on a topic but don’t involve any obligation. This is the case, for example, of the recent decision proposal made by the European Pirate Party and endorsed by the EU Parliament, which states, “From now on, all IT solutions developed by and for the EU institutions will first need to be assessed against the possibility of using open source solutions.”

These non-binding initiatives will help enhance the importance of data sovereignty and introduce the open-source concept to many.

But shouldn’t governments adopt ‘stricter’ methods to prevent any attempt to bypass recommendations? This was probably one of the questions that came up in the Italian government and in Barcelona municipality before they decided to go beyond simple recommendations.

Another example is the Russian government, who decided to pass a law that will require high-tech manufacturers to use only preinstalled Russian software on their devices. The law, effective 2021, aims at promoting Russian technology and helping the industry which suffered as a result of the Covid-19 crisis.

Though overall the broader approach on open source as an alternative in the IT ecosystem has gathered a lot of importance, the magnitude and impact of selective transformation in various public organisations cannot be ignored. One such example is LibreOffice, an open source office software suite.

Is the private sector doing enough?

Controlling the technology world can never be a matter restricted to public organisations. It will require a strategy based on close cooperation with the corporate world. In this sense, the quest for digital sovereignty is a goal shared by public authorities, who need it for the success of digital services, and private companies, who must face consumers’ growing concerns over the use of private data.

The former has already started taking important steps towards this goal (GDPR, CCPA), but what is the private sector doing to contribute to the cause?

Data sovereignty is a hot topic in the corporate world too. Different countries have laws, and understanding how, where and by whom data is stored is important to avoid issues. Furthermore, the recent take-up of cloud-based storage further exposes businesses to issues around data sovereignty.

Today many companies have made data protection and privacy a priority in their digital transformation strategy. Data sovereignty is on the agenda of many corporates, but not at a maturity level that allows concrete, visible outcomes yet.

This is mainly because:

  • The concept is complex and often hardly understood and therefore, underestimated. Data sovereignty can become an issue even if a business does not have direct operations overseas (Data stored through a cloud service is subject to the legal jurisdiction of the area where the cloud provider maintains data)
  • Businesses operate globally and must face a fragmented market of digital policies (laws vary across countries; some stricter than others) and navigating this maze can be very complicated and time consuming
  • Companies have never possessed such an extensive quantity of personal data and are facing unprecedented legal and technical challenges. Increased volume of data means closer relationship with customers but also greater risk in terms of security and integrity

The only solution to speed up the adoption of data sovereignty policies is to remove barriers and initiate a stronger collaboration between public and private stakeholders. Governments and public authorities do not operate globally and could benefit from the contribution of companies in order to shape effective digital policies.

GAIA-X, the recent Franco-German data infrastructure project which aims to grow a sovereign and self-determined digital ecosystem in Europe, deserves a mention here. The project is, de facto, meant to develop an alternative to US cloud services. It’s completely based on open source and already has the participation of many private companies as well. Could this be the foundation for much-needed public-private collaboration? Only time will tell.

There’s still more to it than meets the eye. Open source is such a megatrend that its promising present and certain future is going to complement digital sovereignty by transforming the way software/hardware is used, transparency is exhibited, data is protected, innovation is envisioned, and collaboration is ingrained, while ensuring a state of open and liberated autonomy.

Not only Jean Bodin, but also Machiavelli, Hobbes and other members of early sovereignty defining fraternity would have been ecstatic about practicing open source today.

(This blog post has been authored by Jyotiprasad Rath with inputs from Alberto Fresia.)

Leave a Reply