Investigations

The Perils of Digital Sovereignty

Democratic and nondemocratic states share the same logic of digital sovereignty, yielding many diverging internets. That is not what the Internet was supposed to be.

In February 2020, then newly elected President of the European Commission (EC), Ursula von der Leyen, summed up her inaugural op-ed on the EC’s digital strategy in one phrase: “tech sovereignty.” The concept, according to von der Leyen, “refers to the capability that Europe must have to make its own choices, based on its own values, respecting its own rules.” Europe’s maxim of technological sovereignty is fuelled by fears of being swallowed economically by the United States and China. To accomplish this goal, Europe has launched a variety of initiatives, including creating a cloud architecture, to limit dependency on infrastructures and services located outside of Europe. Technological sovereignty is expected to rule many areas of the EC’s digital strategy, from cybersecurity to education and media. 

To those of us who have been studying technology policy elsewhere in the world, particularly in repressive environments, these measures are not unfamiliar. For decades, digital sovereignty has been a cornerstone of Internet and technology policy developments in China and Russia. These states have sought to challenge the dominant American, internationalist approach to Internet governance by limiting the use of US-designed information technologies. To this end, China and Russia have extended state authority over cyberspace, treating the data environment as domestic jurisdiction that is to uphold national values. The Great Firewall of China is a prime case in point. These policies and practices have resulted in restrictive models of Internet governance, built on surveillance, censorship, and other information control mechanisms that impact an array of civil and political rights. While China and Russia have become the beacons of authoritarianism in Internet governance, they are not alone.

Models of Digital Sovereignty in the Middle East

The maxim of technological sovereignty has gained increasing traction in the Middle East. The rationale lies in a motley of factors, from ideological to economic. Despite having one of the largest Internet penetration rates in the Middle East, Iran was among the first states in the region to adopt a restrictive, domestic model of Internet governance. The global Internet was perceived as a conduit for a so-called “soft war” that targeted the hearts and the minds of Iranians and undermined public order – it had to be rejected. In the early 2000s, Iran began to impose information control mechanisms such as blocking websites, keywords, and Internet Protocol (IP) addresses. The Green Movement protests, which broke out in reaction to the disputed presidential elections of 2009, underscored the Internet’s power of civil mobilization and political action. The regime saw its very survival in tightening the Internet just as it had done with other mediums since the inception of the Islamic Republic. Over the years, Iran’s Internet governance model has only become more ambitious and more restrictive.

For over a decade, Iran has pursued a National Information Network (NIN) – a state-sanctioned version of the global Internet in exchange for cheaper and faster services. The concept initially emerged in 2006 as the “Halal Internet,” designed to protect Iranian national and religious values against the intrusion of the “Americanized” Internet. The NIN planners promised national centers of data hosting, search engines, email services, messaging applications, and social networks, and a larger share of high-quality, Persian-language content. Iranian authorities argued that independence from US-designed technologies would minimise the risk of international surveillance and enhance cybersecurity. Since its inception in 2006, the National Information Network has been Iran’s single most expensive technology project, with over $6 billion invested, much of it since the moderate Rouhani administration took office.

Meanwhile, Iranian activists worried that increased emphasis on technological sovereignty and domestic data-hosting capabilities would enable the government to cut off Iranians’ access to the global network on a whim. As it turned out, these concerns were not unfounded. In November 2019, the government sought to suppress nationwide protests in response to a hike in gas prices by shutting down gateways of the global Internet while killing at least 304 people. The near-complete Internet shutdown lasted about a week, during which the NIN, the state-sanctioned version of the Internet, was mostly available.

Another catalyst for Iran’s expansive interest in digital sovereignty is the United States’ extensive sanctions regime. These sanctions curtail Iranian industries’ access to a variety of technologies, such as Google Maps for Business, DigitalOcean data hosting, and Apple’s App Store. Iranian authorities argue that these sanctions increase the risk of US control over connectivity in Iran, which can be minimized with digital sovereignty. Under these circumstances, a growing technology and startup scene has emerged and offered domestic alternatives to known international platforms such as Groupon and Amazon. But even this sector often suffers from Iran’s own Internet governance model that is imbued with favoritism and capricious practices like the near-complete shutdown of last November. Yet it gives fodder to the state’s push for digital sovereignty, arguing that a robust domestic technology sector not only curtails reliance on American services, it also benefits the economy. Iran’s rationale for pursuing digital sovereignty is no longer merely about preserving public order. It is also about boosting the economy and protecting national security and interests against US interference.

Saudi Arabia: Casting a Wider Net for Digital Surveillance

Iran is not the only state in the region in pursuit of more aggressive digital policies. Its arch regional rival, Saudi Arabia, is also embracing digital sovereignty. In August 2020, Saudi Arabia announced the launch of an alternative national platform to WhatsApp within a year. Data security and national interests were among the reasons provided for the move. Saudi Arabia plans to minimize the risk that foreign hosting of sensitive data poses to national security by replacing WhatsApp with a secure, domestically brewed application. This policy may usher in a new era in the Kingdom of Saudi Arabia’s Internet governance. 

In addition to Internet regulation, which includes content removal requests to social networks, often related to political or sexual content, the kingdom has had a complicated relationship with social messaging services. Until 2017, Skype, WhatsApp, and other online voice and video call services were banned in Saudi Arabia for economic concerns they posed to the telecommunication infrastructure and its revenue. Lifting the ban was announced as part of Saudi’s economic reforms to attract international investment, but the state vowed, without evidence, to monitor and censor such calls. Saudi’s information control practices have become far more aggressive since then. 

In October 2018, Jamal Khashoggi, a Saudi dissident and columnist for the Washington Post, was killed and dismembered at the Saudi consulate in Istanbul. The assassination was authorized by the Saudi Crown Prince, Mohammad Bin Salman (MBS). An infamous Israeli spyware by the NSO Group had reportedly been used to intercept Khashoggi’s communications with another Saudi dissident, which ultimately contributed to the decision to murder him. Moreover, in November 2018, the iPhone of Jeff Bezos, the owner of the Washington Post and the CEO of Amazon, was reportedly hacked with an infected file that MBS sent to Bezos on WhatsApp. The file was, yet again, NSO malware.

In light of these events, Saudi’s push for a domestic alternative to WhatsApp indicates a shift in the prospect of foreign platforms in the kingdom. The rationale has switched from an economic one to a national security one – it seeks to vindicate the state from allegations of interference in communications of private citizens around the world. Instead, it portrays the Saudi regime as a responsible actor seeking to protect the nation’s most sensitive data. Nonetheless, with more control over data gateways, the kingdom will be able to monitor, or shut down, domestic communications with limited scrutiny from third parties – a looming scenario given Saudi’s concerning human rights records. Digital sovereignty is a double-edged sword indeed.

Turkey and Social Media Platforms: It’s Complicated

Other states in the region have similarly used the digital sovereignty maxim to their own interests. In July 2020, Turkey passed a controversial law that seeks to tighten the oversight of international social media platforms, penalizing noncompliance with state rules. The new law came as an amendment to the law on Internet crimes, which has already been extensively exploited to silence dissent on the Internet since its passing in 2007. The amendment requires foreign social media sites with more than 1 million connections a day to appoint a representative in Turkey to address authorities’ concerns over content. It also includes deadlines for removal of material that includes insult, intimidation, and violation of privacy. 

In response to the intense domestic and international backlash the law has instigated, Turkey’s ruling party cited similar legal efforts in Germany and France that force social media companies to remove hate speech and other illegal content within a certain period of time. The self-comparison with two major powers is noteworthy. It goes to underscore the significance of the precedent that liberal democracies are setting with regard to digital sovereignty. It demonstrates how smaller but ambitious states with questionable human rights records can weaponize the same logic to their own benefit.

Implications of the Digital Sovereignty Approach

Digital sovereignty has as diverse a meaning as these cases demonstrate. At its core, digital sovereignty denotes the states’ will to assert control over infrastructures of information and communication technologies (ICTs) in their territories and the data produced by their citizens. But, perhaps more importantly, it has become a rhetorical trope that promotes a distinctive national vision of what the Internet should be. It seeks to make technology beholden to states in a process that is heavily influenced by geopolitics, economics, and ideology. The lack of adequate norms, regulations, and cooperation among states for the management of cyberspace perpetuates this growing trend toward digital sovereignty. The result is distinct, and somewhat arbitrary, Internet governance models based on national identities that are not always compatible with the global architecture of the Internet.

Pursuing digital sovereignty has vexing implications not only for the future of the Internet but also for human digital rights in the Middle East. As Iran’s NIN and its attempts at Internet shutdown indicate, sovereignty over a state’s “digital borders” can mean near-comprehensive control of national cyberspace to curtail the flow of information at will. The lack of access to the global Internet last November hindered fact checking about casualties, exact location, and the scope of protests. It also impeded the assessment of human rights violations. Digital sovereignty thus has implications for upholding international human rights, including the rights to life and freedom of information and peaceful assembly.

The maxim of digital sovereignty gives a legitimate pretense to states’ efforts to pick, choose, even produce content and platforms that their populations are allowed to consume. These practices offer state-sanctioned versions of the Internet that are imbued with misinformation, disinformation, and propaganda. Truth gets lost on these platforms far more easily as they are less susceptible to outside scrutiny and fact checking. For example, Parsijoo, one of Iran’s domestic search engines, returns mixed results for the November 2019 protests, the majority of which characterize the protests as acts of vandalism or US interference in Iran’s domestic affairs. Such revisionist narratives of critical socio-political junctures can shape and impact the public discourse for years to come.

As more politically ambitious governments in the Middle East turn to digital sovereignty, the future of encryption and privacy seems gloomier than ever before. State-sanctioned social messaging applications can lure users to trade data privacy and security for convenience, lower costs, and increased bandwidth. Following the permanent blocking of Telegram in 2018, unofficial fork versions of the application, such as Hotgram and Talagram, with alleged connections to Iran’s security apparatus were released and promoted to the public. These applications had such a devastating effect on the security of individuals inside Iran and around the world that Google took down the two apps from its Android Play Store for spying and theft of users’ personal information. Contrary to its logic, digital sovereignty travels across borders and affects individuals beyond intended territories.

Worse yet, the national security framing makes it more difficult for users to contest the introduction of domestic applications and other digital sovereignty policies. If WhatsApp is repeatedly labeled as a threat to Saudi Arabia’s national security, fewer people may be willing to challenge the government decision for fear of retribution, or out of nationalistic considerations. Considering the abysmal human rights records of many states across the Middle East, the national security rationale is particularly troubling as it may be used to intimidate users to refrain from defying state interests. 

Digital sovereignty has normative ramifications as well. Policy and technical measures justified under digital sovereignty in one authoritarian state provide not just a blueprint for others to follow. They also normalize, even encourage, subsequent intrusions into privacy and other human rights under the guise of national interests, security, and sovereignty – a model that non-democratic states seem to be thriving on. Iran may have been the first country in the region to pursue a National Information Network but its underlying desire for total control within its ‘cyber borders’ is certainly not unique. Saudi Arabia and Turkey are but the latest actors to embrace the new ‘normal.’

There is also an unacknowledged irony in the logic that brings authoritarian and democratic systems together under the umbrella of digital sovereignty. Concerned with the US’s (or China’s) expansive technical dominance over Internet infrastructure and their asymmetric economic gains from the digital economy, both groups seek to protect their sovereignty in cyberspace. To reinstate control over digital borders, each camp has moved toward data localization, Internet regulation, and oversight of key social media platforms. This shared logic is not without risks, however. In an international environment where digital surveillance is on the rise and authoritarian states increasingly seek to restrict online speech, changes in the name of digital sovereignty in democratic states may unwittingly legitimate similar efforts elsewhere. Turkey’s consistent progress toward digital authoritarianism and its recent legal developments to enhance oversight of social media platforms, citing Germany and France as role models, represent this worrisome domino effect. The legitimacy of democratic states’ digital sovereignty is, at best, questionable if they fail to address the normative consequences of their policies.

Where Digital Sovereignty Is Headed 

At its core, digital sovereignty is about the exercise of power. States have traditionally balanced their relative power against other states through such measures as cooperation, deterrence, and even war. However, the Internet has amplified the weight of technological capabilities as an indicator of power in favor of a handful of players. Under the new power dynamics, the asymmetry of economic resources and technical capabilities has put some states on a fast track in the digital economy while others have struggled to catch up. Meanwhile, the United States has remained the chief contributor to the Internet design, infrastructure, and governance. Its dominance over different aspects of the Internet has made other actors, including its European allies, wary of the economic and security implications of a US-centric Internet. The push for digital sovereignty is thus a reaction to this imbalance of power that seeks to overhaul the current US-dominated Internet governance system.

The Internet has also introduced new players, like technology companies, that states need to reckon with. Thus far, this reckoning has been crude at best. As data has become the precious commodity of the Internet age, it is coveted by governments and technology companies alike, albeit for different reasons. States seek to protect national data and exert sovereignty within their digital borders while companies claim their own rights to collect, keep, and process data as commercial service providers. The result is intense friction between two competing models of data governance, each of which has distinct implications for citizens’ information and rights. 

Faced with pressure from customers on one hand and the threat of state regulation on the other, companies have increasingly turned to self-regulation and implementing privacy policies that place more emphasis on security, transparency, and ethics of data management. States, however, mostly find these measures inadequate and argue for the introduction of appropriate legal frameworks. They also point out that most technology giants, including Internet infrastructure providers, social media companies, and cloud services, are headquartered in the United States. This once again perpetuates the push against US dominance over Internet governance. The adoption of the General Data Protection Regulation (GDPR) in Europe has been a move in the direction of national data protection against the hegemony of the United States and its technology sector within regional jurisdictions. 

Yet sovereignty implies responsibilities as well as rights. States must protect their own population and refrain from internal acts that threaten the citizens and security of other states. Admittedly, approaches toward exercising digital sovereignty and their implications cannot be more different between the two camps of authoritarian and democratic states. While the European Commission remains respectful of the exercise of human rights on the Internet as well as the multistakeholder Internet governance model, repressive regimes in the Middle East use digital sovereignty to shield themselves from scrutiny from the outside world. A reassessment of the balance of power between governments, citizens, and companies is thus required to mitigate the harms of the digital sovereignty pretext.

This is no easy task. The international Internet governance system needs to be revised in order to foster a secure and prosperous environment for cooperation and dialogue among different stakeholders. The first step would be to promote a system that respects the public interest without allowing commercial, regional, or specific states’ influence to prevail. 

A significant step was taken in 2016, when the Internet Corporation for Assigned Names and Numbers (ICANN) became independent of the US government. ICANN, which manages the global Domain Name System (DNS) and runs a court of arbitration for settling disputes, had been overseen by the US Department of Commerce since 1998. Under the new arrangement, it has transitioned Internet domain name functions to the global multi-stakeholder community representing the private sector, technical experts, civil society and governments. While the new governance model of ICANN does not drastically alter how the Internet operates, it has symbolic significance that traditional models of Internet governance can be democratized in creative ways. 

Nonetheless, we are still far from a truly transnational, multi-stakeholder Internet authority that sets norms and standards, oversees data governance models, establishes new collective security frameworks, attributes cybersecurity breaches, and holds states accountable when they exploit digital sovereignty to their strategic advantages. Such a system may not be perfect but it can provide an international framework for revisiting what a rights-based digital sovereignty approach can look like – a model based on public interest and balance of power. 

There are other measures that can contribute to the balance of power among different stakeholders. States need to guide and support local companies to survive and thrive in a highly competitive global market while engaging major technological actors for greater accountability. Technology companies need to regain the trust of users and states by offering greater transparency into their data governance processes while complying with the universal principles of business and human rights. Both states and companies need to educate users about their rights and responsibilities under their proposed models of data governance. Local advocacy groups, media, and academia should shed light on the implications of public and private models of data governance for human rights, security, and economy. 

These measures often induce incremental progress. They take time and patience to come to fruition. The main question is how each of these stakeholders approaches the complex questions in front of them – questions that will undoubtedly have a long-lasting impact on what we once called the global Internet. It takes a whole-of-society approach to secure public interest amid the current surge in calls for digital sovereignty. How democratic states pursue digital sovereignty has implications for security and human rights globally. As cases from the Middle East indicate, non-democratic states will not shy away from utilizing the same maxim to tighten information control, enhance surveillance, and undermine the global architecture of the Internet. These implications are not only perilous from a technical perspective, but also detrimental to the values that liberal democracies have long stood for. Acknowledging the unintended harm is the first step toward reconsidering alternative models to digital sovereignty.