Digital Commons & digital sovereignty

I’ve been poked with the below questions regarding digital sovereignty, a topic which (finally) emerges for the widest audience. As some questions go pretty deep, I thought they’d be an interesting base for discussion for people like us, who develop a community around open source system software, so I post them here. Your comments & opinions would be useful, I suspect. So here it goes:

Q1. What is your definition of digital sovereignty? (For an individual, an organization, a nation?)

Q2. How would you assess the current situation of digital sovereignty in your country, or respectively for Europe?

Q3. What do you consider critical software infrastructures? (in particular: key software associated with a substantial ecosystem of developers and users :wink:

Q4. How would you define some digital commons?

Q5. What link(s) do you see between critical software infrastructure and these digital commons?

Q6. Should critical software infrastructures necessarily be open source?

Q7. What software infrastructures/digital commons do you see as essential at European level? I guess there are (a) those that exist and that need to be maintained/reinforced, (b) those that should be developed to “catch-up”, (c) those we anticipate will emerge soon, (d) those we should “master” but the situation is hopeless.

Q8. Concerning the above, what concrete/credible actions could/should be undertaken/launched in 2022 in your country or at EU level, from your point of view?

Q9. Which type of coalitions of actors should carry these actions in your opinion?

I’ll give it a shot…

Q1: The ability to control all means necessary to participate in digital communication. Control here means choice in the products (both physical and software), and the possibility (legally, technically and practically) to create one’s own replacements for any component, or have them created.

Usually, the presence of Free Software implementations is an indication that digital sovereignty is possible with a given technology. The increased complexity of the web means that, of all common technologies, one of the most open is down to effectively two products and a horrendous effort to replace them or have them replaced (making it impractical). Absence of a Free Software implementation does not indicate lack of digital sovereignty (there can just be too small a market); the impossibility to create one does.

Q2: Largely OK in Austria; communication happens via web and EMail, with open document standards used. The migration from Bürgerkarte (of which there were Free Software implementations) to a yet unspecified system, leaving only the centralized Handysignatur that hinges on the cellular network, makes the future situation uncertain.

Q3: Software on its own is never critical, it becomes critical when used as an exclusive means to provide a critical application. Software is made critical by lack of digital sovereignty, by not exercising it, or by the application being implemented without consideration for software failure. Some software is currently hard to avoid (in what is often a mixture of failure of markets and failure of operators to make a critical service usable without singular dependencies on software); Linux and the web browsers are examples of these.

In a relaxed definition, this can include software that is widely used, is not easy to replace on the time scales it might need replacing, or particularly exposed. This relaxation would extend the list to practically every widely deployed piece of software (glibc, apache, nginx, ffmpeg etc).

Q4: As digital network services are always limited to some extent by an actual peer, I prefer to describe data as digital commons rather than data providers. That puts the text of Wikipedia in that category, as well as the archives of Free Software distributions, but not the providers (wikipedia.org or the Debian project) in that category, as they only facilitate access to the underlying commons on a best effort basis. An exception to this are the underlying services that truly are decentralized: the Internet, DNS and the various swarms of peer to peer networks built on the Internet.

Q5: They are only linked weakly; projects may critically depend on software to maintain commons, but the commons themselves can be replicated without critical dependencies.

Q6: Public (as in publicly funded) services that invest in software should do that in a way that maximizes the public benefit of their investment, which is usually the case when having their customizations made Free Software rather than adjustments to proprietary software.

Critical public infrastructure should preferably be built without dependencies on single critical pieces of software, Free or nonfree.

Q7: The above-mentioned. (None of this is Europe specific).

Q8: Identify components of critical infrastructure that have singular dependencies on software. Estimate the costs of securing them with a larger variety of software solutions vs. the cost of hardening the used software to the requirement levels of the application. My guess is that frequently the latter will win; the chosen software should then be declared critical for this application, and development contributed to.

Q9: Direct government attention can be detrimental to the population’s trust in the application, as evidenced by the decline in the acceptance of the Austrian Corona warning app that coincided with the former Interior Minister (known for his Bundestrojaner aspirations) bringing up making use of the app mandatory. Using third parties, maybe similar to how research funding is handled, can ease that concern. In coordination with developers, and based on the criticality descriptions provided by the use in critical infrastructures, these third parties should distribute as much money as the using services get allocated by the severity of their dependency.

Emmanuel Baccelli via RIOT notifications@riot-os.org wrote:

> I’ve been poked with the below questions regarding digital sovereignty,

You don’t shy away from asking impossible questions :slight_smile:

> Q1. What is your definition of *digital sovereignty*? (For an
> individual, an organization, a nation?)

First, these three things are actually often mutually exclusive. They don’t necessarily have to be, but in the ~27 years since I participated in the S/MIME escrow/export/signature-only wars, we have yet to have significant deployment of encrypted email. OpenPGP is the only cross-enterprise use of secure email, and it didn’t distinguish well enough between signing and encrypting keys. SMIME is used, but only within enterprises or specific silos. Secure email is not digital sovereignty, but it’s a component of it which is perhaps the oldest.

For an individual (particularly in a hostile nation or organization), relationships with BigTech are, ironically, key. One needs to surrender to Apple and/or Google (via DoH, Android/iOS, HTTPS everywhere) in order to get help defending yourself against organizational and/or national on-path attackers (MITM).

For organizations, Google/Apple are the enemy, trying to smuggle devices into the company that the company does not control. For hostile nations, they are all enemies, and the organizations try to cooperate while never really cooperating.

My definition of digital sovereignty is that I control which software runs on all of my devices, and that I can verify that my devices are running unmolested software. That doesn’t necessarily mean that I can write and run my own software on an arbitrary device (but it could include that).
This isn’t about jailbreaking iPhones: this is about deciding if I want to run the latest from Apple, last year’s OS, or something else from another party. (True: in Apple only Apple decides. Android has had choices.)

The choice isn’t between run ChromeOS or Windows11 on a PC, or be insecure. That’s not the choice. It’s that I can install whatever I like on a PC, and then know that it hasn’t been corrupted by an organization, nation, or another induhvidual.

> Q2. How would you assess the current situation of *digital sovereignty*
> in your country, or respectively for Europe?

Zero. Negative even, because they think they have, but don’t. Countries and governments think they are sovereign, but really it’s Microsoft, Apple, Google, and whoever last did maintenance on your building elevator. US Patriot Act can compel any US company to supply a trojan to any third party. (Exactly what the FBI wanted Apple to do, but they aren’t allowed to trojan US citizens… only foreigners.)

> Q3. What do you consider *critical software infrastructures*?  (in
> particular: key software associated with a substantial ecosystem of
> developers and users ;)

left-pad, and now Log4j. Everything else is irrelevant :slight_smile: I wouldn’t say, “key software associated with a substantial ecosystem of developers and users”.

I’d say, instead, “key software required in order to create a patch for a critical (physical) infrastructure that keeps people alive”

I’d like to say that it’s the contents of Ubuntu Core 20 (or equivalent), along with the ARM cross-compilers, git. But, I suspect that that’s not what’s used to patch pipelines. Instead, it’s a Windows XP or 7 desktop with a copy of the IAR IDE that was current in 2008. Because, if they were using gcc with a CI system, then: a) they wouldn’t have lost the ability to build new versions b) they would have been building and shipping new versions regularly, and there wouldn’t be any critical issues.

Makefile+cc is now more than 40 years old. If you started doing pipeline control systems in 1980 using an AT&T 3B1 as your build platform, odds are it just still runs.

> Q4. How would you define some *digital commons*?

A set of things and/or places which is not constrained by a zero-sum game, and which all individuals can capture at least as much benefit as they contribute, if not more.

Bandwidth is not usually considered a digital commons: if I use too much, then it often prevents others from using any. UNLESS economies of scale mean that when I use more, I pay more, and that means that we can purchase more, and the relationship is non-linear, so that a doubling of expenses might result in a 10x increase in available bandwidth.

Open source projects are mostly digital commons: I can use all I want of a project (contributing my needs), and it mostly does not result in anyone else being excluded. Where it breaks down is if there are drive-by contributions that are expensive to test or maintain.

> Q5. What link(s) do you see between critical software infrastructure
> and these digital commons?

Not enough links!

OpenSSL (Heartbleed), Log4j, etc. show us how digital commons are exploited by those charged with maintaining critical infrastructure, and who never contribute back.

> Q6. Should critical software infrastructures necessarily be *open
> source*?

Open Source is a meaningless term which has been abused to cover anything someone from marketing wants it to mean. If you are asking about a specific license, then we could have a discussion. For many Internet based systems, GPL3 is not a problem, since they never ship binaries. AFFERO bothers people, and I know a few PHP geeks who never did understand open source, and who have written PHP equivalents of left-pad, and who think they ought to be able to retire based upon that. At the same time, there is very little support for doing maintenance on open source systems that are in common use. In Canada, I’ve been able to leverage the SRED credits to some extent to do some of this work. The Europe NGI.EU and RIPE grants ought to be used more.

> Q7. What software infrastructures/digital commons do you see as essential
> at European level? I guess there are (a) those that exist and that need
> to be maintained/reinforced, (b) those that should be developed to
> "catch-up", (c) those we anticipate will emerge soon, (d) those we
> should "master" but the situation is hopeless.

Not being a European (stupid BREXIT)… (YET?!)… I think that Europeans have done a good job at learning to cooperate with each other (I speak as an outsider looking in, and I acknowledge that it doesn’t always look the same from the inside). That’s something Canada and the US do not know how to do. US states do not cooperate at all except by federal mandate.

I think that the opportunities for growth markets for IoT and digital services are: a) full product lifecycle handling b) intelligent transportation systems c) cross-jurisdictional mini-payments (think transit) and micro-payments (using a public toilet, leaving a tip, splitting a bill)

A colleague in Ottawa tried to start a company like Tile Tracker (before them), which would be used to let you locate your kid’s missing mitten. (He was too soon, and Tile, at $15 each, are 100x too expensive) There are immense privacy issues involved, but imagine never losing stuff again, and not having to replace missing stuff, and the impact to landfills by returning, refurbishing, etc. stuff.

> Q8. Concerning the above, what concrete/credible actions could/should
> be undertaken/launched in 2022 in your country or at EU level, from
> your point of view?

> Q9. Which type of coalitions of actors should carry these actions in
> your opinion?

I don’t know.


chrysn via RIOT notifications@riot-os.org wrote:

> Q3: Software on its own is never critical, it becomes critical when

Agreed!

> used as an exclusive means to provide a critical application. Software
> is made critical by lack of digital sovereignty, by not exercising it,
> or by the application being implemented without consideration for
> software failure.  Some software is currently hard to avoid (in what is
> often a mixture of failure of markets and failure of operators to make
> a critical service usable without singular dependencies on software);
> Linux and the web browsers are examples of these.

> In a relaxed definition, this can include software that is widely used,
> is not easy to replace on the time scales it might need replacing, or
> particularly exposed. This relaxation would extend the list to
> practically every widely deployed piece of software (glibc, apache,
> nginx, ffmpeg etc).

I think that it is instructive to consider that 15-20 years ago everything was “best viewed in IE5 at 1024x768”, and now, thanks to Google (Android, ChromeOS), and Apple, this is almost entirely gone outside of internal Enterprise stuff.

There’s an important lesson here, but it’s hard to exactly figure out what is core, and what was just one monster (Apple/Google) battling another (MS). Cue: https://www.imdb.com/title/tt5034838/ Godzilla vs Kong.

> Q6: Public (as in publicly funded) services that invest in software
> should do that in a way that maximizes the public benefit of their
> investment, which is usually the case when having their customizations
> made Free Software rather than adjustments to proprietary software.

Agreed. In Canada, it was estimated that gc.ca spends $1B/year internally customizing proprietary systems. That doesn’t include buying systems! An effort 10 years ago (that I was peripherally involved with) attempted to quantize how much was spent on buying systems, and mostly failed, because the asset databases were unclear. When they buy a name brand system and it comes with a Windows7 license, and they immediately wipe that and put a site licensed WindowsXP golden image on it, how do you account?

BTW: What’s the latest on desktop OSs at City of Munich?

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [