Digital sovereignty must define itself before it can succeed

Opinion: If you've ever flipped over a power brick, you'll be familiar with the hieroglyphics of type approval. It's become less crazy over the years as things have got smaller and signage requirements softened, but at its peak tens of logos and acronyms of testing labs and national approvals covered the backside of PSUs in surrealist graffiti.

There was and is method to it. Type approval means that the device won't kill you, won't jam your airwaves, won't burst into flames, and other desirable negatives. If a business buys approved equipment, it won't invalidate its insurance, and many other legal protections and permissions flow. When the system stops working, which it does when individual consumers can buy cheap stuff directly from overseas, fiery death can follow.

There hasn't been an equivalent concept in software, at least not in general. Life-critical systems with software in, yes, and lots of industry codes and compliance incantations, but never national guarantees of software or service behavior. Now there are good and growing needs for this to change. There are dangerous aspects of design and implementation common to many different classes of product, invisible to users, and no way of knowing what is safe.

Fortunately, organizations, nation-states, and entire blocs can and do recognize what's happening, and are beginning to react. If you use a service or software that stores your data or identity in a place or with people with no legal protection against state interference, you have no privacy or protection from being locked out.

Which is why, of course, digital sovereignty is so desirable. The bigger you are, the more practicable it is to realize, although it is very far from easy. Technologies, standards, procurement policies, implementations, user bases, support hierarchies – all manner of things have to be moved and coordinated. The whole thing must make practical, economic, and sustainable sense. We're seeing this happen, especially in Europe.

Matrix is a good example. A longstanding open messaging protocol with a coherent and sensibly stratified FOSS/commercial client roadmap, it is becoming the underpinning of choice for the digisov desirous, from the EU down. It's no guarantee of goodness, but if you want to go that way, it's a great component.

Or look at the European Payment Initiative (EPI). This isn't an EU initiative, but a project of European payment service providers (PSPs). The clue's in the name: PSPs are the entities that handle electronic transactions between customers and suppliers. Visa and Mastercard manage around two-thirds of all EU-based transactions and neither is European. There is no one European PSP, no one name to go to.

Last week, PSPs from Norway, Spain, Portugal, and Italy signed up to the EPI, sharing a common Europe-based transactional hub and letting customers in 17 countries use their existing payment providers interoperably. This isn't about open source. It isn't about EU-level political decisions. It creates a sovereign digital service just the same. It also demonstrates that digisov does not need to map onto political boundaries. Norway isn't in the EU, and other non-EU and non-Eurozone countries can join. They just need to have compatible regulatory and legal regimes.

It is thus entirely possible to see an EU definition of alignment that would grant membership of the European digital sovereign entity. Don't let the users get burned, then you get to use the regulatory mark. You get access to sectors and markets where alignment is either mandatory or very highly desirable.

Such services and products could be bundled into platforms, markets, and product categories. If it's possible, barely, for a savvy, motivated, focused organization to build its IT with some degree of digisov, think how far away the concept of a European consumer alternative in packaged services and products is to Apple, Google, or Microsoft. How would anyone begin to find AWS or Azure-free services online? Add a compliance mark, and the impossible becomes possible. No changes in law, no international treaties, just a single recognizable symbol that says that this will not catch fire and burn you.

Armed with that, anyone can join forces. You could build a Linux distro. You could align your existing Swiss-based secure email service, or your German datacenter company, or anything that's useful and follows the rules.

All it needs, at heart, is a definition of what qualifies a service, product, component, or entity as aligned. In other words, what the concept means in practice. What rights are guaranteed to users, their identity, and their data, not just in terms of what the organization promises but that the promises can be kept no matter what. That means operating in regimes without overweening laws or exemptions to individual rights. One could even call such a definition a constitution.

There's no need for anyone so minded to wait for permission to start this process. Find fellow travelers and talk to them. A rough consensus will do for starters, alongside honesty, and fearsome commitment. If the concept's good and the timing is right, it will catch fire – in the right way. You can't rally to the flag if there is no flag. If there is, nobody can stop you. ®

Source: The Register
