Data, processes and entire infrastructures are increasingly migrating to the cloud – and thus often to the USA or China. Does this endanger the right of European and German businesses, societies and governments to maintain digital autonomy? The German “Plattform Innovative Digitalisierung der Wirtschaft” answers this question with a clear yes and presents a catalogue of measures that help to maintain control over European IT. Open Software plays a fundamental role in this debate.
Those who rely on the cloud today often rely on services outside the EU: by 2019, 60 percent of all IT-supported business processes will be realized in the cloud. But without political countermeasures, 80 percent of the cloud infrastructure in 2020 will originate from the USA and 15 percent from China, according to the authors of the position paper “Digital sovereignty and artificial intelligence – prerequisites, responsibilities and recommendations for action”. As part of the German Digital Summit 2018, several experts discussed how governments, companies and authorities within the EU can achieve data sovereignty. One measure stands out in particular: Only systems in which the source code can at least be checked and individually adapted can be given control and management capability.
Minimum Requirement: Open Source Code
In order to guarantee maximum security, control and innovation in the future, a minimum of trust, transparency, traceability, interoperability and adaptability is required when operating cloud solutions.
This refers to systems whose source code can at least be viewed and changed at key points. The demands of the position paper (available here in German language) thus go far beyond the demands of the national IT summit of the German federal government (2015), at which the term “digital sovereignty” was introduced for the first time.
Recommendations For Improving Digital Sovereignty
Since 100% sovereignty can virtually be ruled out, organizations and states must first make the fundamental decision “in which areas a high level of digital sovereignty is elementary and of high strategic importance,” according to the 2018 paper. The decisions described must therefore be made at the following levels:
Location Of Data Centres
Whether a data centre is located in Europe or outside is of great importance for digital sovereignty, as the data stored there can only be withdrawn from external control if they are located in one’s own “territory”. The position paper clearly states: “The storage of data by German authorities, European companies, institutions or consumers almost exclusively in the hands of non-European cloud operators represents a strategic and competitive disadvantage for Europe”.
From a cloud perspective, the answer at this point can only be that critical data should always be stored in data centers on European soil. Especially since the US Cloud Act, this is the only way to ensure that investigating authorities from jurisdictions with lower levels of data protection (e.g. the USA) do not have access to criticaldata. At present, this seems to be only possible by excluding companies that are subject to US jurisdiction. But this control is often difficult: who knows whether a French company is really an American subsidiary? With the help of Cloud Federation, hosting on the company’s own servers is also economically feasible, as the large – non-critical – data amounts can still be stored in public clouds, while only the data worth protecting is stored on the company’s own servers. Both data sources can then be accessed via a central interface. Public and private clouds are thus combined under a single user interface. This allows each organization to decide for each data source where the data is located. In this way, everyone can participate in the possibilities of the technology market without having to disclose their data – without their knowledge – and certainly not to a foreign government without any legal protection of their own.
Confidence In Technology
A technology that can be trusted by the economy, politics, society and science has to “ensure that the data flows in the right direction, reaches the intended recipient, is not wiretapped and is not manipulated”. While there can never be absolute security in the use of IT, it can however be maximized. Here, too, hosting in secure data centers should be an absolute minimum standard. In addition, when exchanging critical data with internal and external partners, further security measures must be taken. Ideally, the use of secure file sharing systems is recommended , as these are easier to use and more secure than classic e-mail. Systems such as ownCloud also offer a number of other security add-ons such as a file firewall, ransomware protection or – most importantly – end-to-end encryption.
Compatibility and Customization
In order for the state, industry and scientific community to be able to make the most out of innovation when creating new knowledge, services or products, there needs to be more agreement on the broadest possible public availability of data and freely usable program codes. “As far as possible” in this context means that data can of course also be used for one’s own products and services and thus remain in private hands.
According to the experts, the following principles promote competition in innovation: “The program code must be adaptable and transferable to other systems in order to be able to solve problems independently if necessary, to transfer solutions to other data centers and to ensure the interoperability of solutions already in use with new systems”.
This should be understood as a clear commitment to open code. This not only guarantees individual adaptability, which is of particular importance in the public sector, but also the participation of many specialised companies in the further development of software. This avoids oligopolies of a few large providers, the knowledge remains in the hands of many, which ultimately ensures the independence of the software. Everyone can participate in such software development under the same conditions.
Open Interfaces and Modifiable Source Codes
The public and the private sector must work closely together to make individual countries and the EU as a whole a strong location for research and innovation. Ideally, they should work together to establish decentralised, independent and freely scalable data storage and processing based on open and interoperable standards. Especially for systems that are strategically important for digital sovereignty, it is essential that the source code can be checked and changed at any time and that data and systems can be transferred to other environments at any time. The experts consider “central competence” to be “the ability to develop open interfaces and (de facto) standards that allow the sovereign design of ecosystems or the secure integration of external solutions”.
This interoperability is guaranteed at all times with technologies such as ownCloud. Due to the fact that open source file-sharing software links many different data sources, these data sources can also be exchanged at will by simply moving the information hosted there from one cloud to another. This makes it easier to change providers and avoid vendor lock-ins. Multi-cloud environments therefore directly translate to achieving a high degree of independence from foreign IT-markets.
ownCloud As A Gateway To Digital Sovereignty
As an open source product, ownCloud has a modular structure, can be expanded when required and can be integrated into any existing infrastructure. The source code is freely available and can be adapted as needed. This also applies to all extensions ownCloud offers as enterprise-only features and which are available as part of an Enterprise Subscription.
However, large companies, the public sector and entire countries in particular are often relying on keeping changes and adaptations to their software a secret. Third-party providers who provide additional applications must also have this option.
For these cases ownCloud provides the “Commercial License”, under which the core of a software is freely available (usually under the AGPLv3 license), but the extensions used are licensed as a protected enterprise version. This “dual licensing” enables a freely available source code, which can be changed at any time without any obligation to publish. Users all over the world have the possibility to use a free version, where all changes and extensions are published, or to purchase a commercial license, where this requirement does not apply. The IT-Departments of the private and the public sector always retain full control over all confidential data and administrators always know where a file is, who accessed it when and how, and who shared it with whom, even outside the company.
Large companies use ownCloud in particular to control access to all storage systems themselves via a central front-end,regardless of where the data is located, whether in file systems, object stores, on-premises or in the cloud. But since IT projects generally do not start from scratch, ownCloud can be easily adapted to the respective storage systems, servers, cloud management and backup tools or other applications. wnCloud’s open architecture allows companies to expand their own core functions or to further develop technical solutions, e.g. to meet special user requirements.
If the participants in the digital summit demand a minimum level of trust, transparency, traceability, interoperability and adaptability, then one can safely say that solutions such as ownCloud already meet these demands today. In the European states’ struggle for digital sovereignty, free software is becoming the key “enablers” of companies, governments and all social groups. In order not to finally lose control over their own data in the near future, it is absolutely necessary to create an awareness of data protection, data security and data control. The realisation of digital sovereignty is not a mere question of technical possibilities. It is very much available and realizable today. In order to gain digital sovereignty in Europe, we do not need a complicated capital and technology intensive multinational effort, such as a “digital Airbus”. We only need to take the initiative to use existing technologies with freely available source code and open standards while setting up any IT infrastructure.
ownCloud is the largest Open Source Filesharing solution in the world with 200.000 installations and more than 25 million users. The Open Platform for Secure Enterprise Filesharing combines consumer-grade usability with enterprise-grade security. It enables users to access data no matter where it is stored or which device is used. By giving organizations the visibility and control required to manage sensitive data while offering users the modern collaboration experience they demand, productivity and security are increased at the same time. For more information, visit: https://owncloud.com.