TLDR: for European businesses there is a large class of risks associated with the use of services and products originating from the USA, including operating systems, AI and cloud solutions. I would like to highlight the importance of assessing these risks and of implementing alternative solutions early.
I wrote this article after reading Bert Hubert's article on US "cloud" usage [1], but I was also moved by the recent overwhelming feeling of how fragile our liberal world is [2].
Case for digital autonomy
Intro
A quarter of the 21st century has passed, and we have moved from the "technological optimism" of the late-90s adoption of the Internet under the banners of "global village" and "freedom of information" to an ominous, pre-dystopian "broligarchy", dictated by an advert-fuelled, monetized and centralized industry, often entangled in the worst kind of politics.
The company where I work develops and supports software that might be considered part of critical infrastructure for predominantly European companies, and I'd like to share my thoughts on some of the risks arising for us and our clients.
Local background:
- As a modern IT company, we don't only create and deploy software solutions of our own making; we also use and rely on many tools and services. The synergy of dozens of IT products allows us to grow without re-inventing the entire "stack" from scratch. Computers have indeed become a "force multiplier" and a "bicycle for the mind", and our business metaphorically "stands on the shoulders of giants", where we might forget how many interconnected and interdependent systems we use on a daily basis.
- Historically, many inventions and developments originated from organisations and businesses established in the United States of America, from integrated electronics to DNS, cryptography, crypto-currencies and AI; inventors proliferated there thanks to good access to funding and strong patent law.
But our world is rapidly changing:
- The government of the United States has initiated very rapid and worrying changes; within the last two months we have observed a departure from liberal-democracy standards (including the unrivalled attachment to the ideals and policies set by the US Constitution) towards autocracy, oligarchy and the enforcement of ad-hoc actions, many of which might be unconstitutional. It is not my intention to discuss this in detail, but I assume that a European-based reader already shares these sentiments and can see that neo-mercantilism ("America First"), elitism and rule by power are something we might be collectively concerned about.
- Silicon Valley's business owners and their top management have shown almost unanimous acceptance of the new status quo, expecting that compliance with and support for the new administration will bring direct benefits to them and their investors. We should foresee that any future pressure from the White House might dictate availability or Terms of Service, or even introduce hidden changes to the basic security/privacy features advertised for the products and services we use ("tariffs", "sanctions", "retaliation").
- The erratic and dangerous moves of the US executive branch not only show disregard for humanist values and world-wide solidarity, but also undermine the purely utilitarian basis for cooperation, by scrapping multiple agreements and commitments on which other stakeholders had built their long-term strategies. For our company the US withdrawal from the World Health Organisation or the Paris Agreement might not be too important, but dismantling the PCLOB (Privacy and Civil Liberties Oversight Board) jeopardizes the bilateral agreement on the equivalence of data privacy laws (TADPF, the Trans-Atlantic Data Privacy Framework) [3].
Worst-case scenario
The "nuclear option" in the software world can consist of:
- Denying support or security updates, or fully shutting down services on which we depend
- Cyber-espionage and intellectual property theft, carried out by state-sponsored hacking groups or directly by developers forced to comply, through the weaponization of update patches targeting customers in non-cooperating regions
- Access to any data hosted by US-based companies under the Espionage Act, Executive Orders, or any other form of direct control shown recently [4]
- Embedding backdoors or other malicious code into software, which might, for example, execute hidden functions or trigger a lock/shutoff, either immediately or when certain conditions are met
Alternatives exist.
If we put in enough effort, we can minimize our dependency on endangered products and services. The most resilient solutions come from the Free/Libre/Open Source world, because whenever the management or the code is compromised, another version (a so-called "fork") can start its life under new leadership. This protects users not only from malicious activity, but also from abandonment of the project, e.g. by owners going bankrupt.
A short list of alternatives:
- Operating systems: instead of Windows, Linux variants managed by European entities might be the safest to use, in particular:
  - openSUSE / SUSE (Germany)
  - NixOS (Nix Foundation in the Netherlands)
  - QubesOS (security based on isolation in VMs; not strictly Linux, as it runs on the Xen hypervisor. The project started in Poland, but Invisible Things Lab is now a company registered in Germany)
- Office and collaboration:
  - Nextcloud, an ecosystem rooted in easy file sharing which has recently grown into an entire suite of apps; a commercial but Open Source product by Nextcloud GmbH
  - opendesk.eu, web apps focusing on project management (a product commissioned by the German Federal Ministry of the Interior and Community)
  - LibreOffice as an MS Office alternative (directed by The Document Foundation, which is registered in Germany)
- Communication:
  - The Matrix protocol (multiple Free/Libre/Open Source implementations of servers and clients)
  - Mattermost (a Free/Libre/Open Source Slack alternative, but headquartered in California)
  - Dozens of other Free/Libre/Open Source apps and protocols (XMPP and IRC among the oldest)
  - Mail is typically hard to self-host. Thanks to spammers, many over-sensitive filters will falsely categorize messages as spam when they come from anyone but the established providers! Still, there are options. Thanks to the enormous effort of the person behind the DigDeeper website [5], I was able to choose an independent provider which usually works well for me [6].
- Internet / cloud / services:
  - Lots of hosted services are offered by our local companies. Naturally, if we consider the entire modern Internet ecosystem, we cannot talk about full independence, as ICANN is headquartered in the USA.
  - Also, hyperscale cloud services are only provided by Amazon, Google and Microsoft, and their tools, APIs and other exclusive functions often result in vendor lock-in. It is hard to avoid once time and money have already been invested in such solutions, but if you are initiating a new project, think carefully about what you are sacrificing. It would also be fair to inform your clients about the inherent risks I am describing in this article.
  - Great lists of alternative services have been collected by others; see below for an example [7].
Hopefully 1Q2025 will become a wake-up call for many of the players involved, one in which we re-assess our tech stacks, our indulgence in outsourced services, our lazy use of hyperscalers, and the AI "helpers" packaged into any software around us.
I see an ironic similarity, with the roles reversed. Metaphorically, King George might be sending his armada soon; I hope we are ready to defend our independence.
Footnotes
- https://berthub.eu/articles/posts/you-can-no-longer-base-your-government-and-society-on-us-clouds/
- Great acoup article summarizing the history of political liberalism
- PCLOB non-operational due to Trump's purge, EU Commission to react: https://fosstodon.org/@bert_hubert/114032472494922878
- "Largest Data Breach in US History": Three more lawsuits try to stop DOGE (Ars Technica article)
- This one lists online services provided by European entities (not affiliated)