Sovereignty is a spectrum: from the European Union that is urgently building its techno-political autonomy to the authoritarian states that are steadily growing their national intranets capabilities. How can we better distinguish and define the different flavors of sovereignty? One option that seems to become popular is to measure them and develop special Indexes.

As we know, indexes are not mere rankings. They serve “as a strategic tool for producing authoritative expertise – or at least the public appearance of expertise” (Broome & Quirk, 2015). Indexes are “performative”, they have a strong impact on the funding and regulation of technological solutions, and on the fundamental policy decision. Among the most well-known Internet freedom rankings we can quote the Freedom of the Net index by Freedom house, Enemies of the Internet by Reporters Without Borders and Corporate Accountability Index by Ranking Digital Rights. Country-specific indexes also exist (see The Index of Freedom of RuNet by the Society of Internet Protection, or Project Ainita for measuring connectivity in Iran). The network measurement community is also producing its own metrics that can be used to evaluate specific parameters of digital sovereignty and Internet fragmentation, such as connectivity and routing (RIPE Atlas or Cloudflare Radar), shutdowns (IODA project by CAIDA) or censorship (OONI).

We have interviewed the author of the new Index that tries to measure digital autonomy in a positive way: Jos Poortvliet, the author of The Digital Sovereignty Index. The Digital Sovereignty Index is a project driven by a team of enthusiasts inside Nextcloud who decided to offer an alternative approach to defining Internet sovereignty. The idea behind is to shift from policy level to physical level in order to measure actual infrastructure that is running locally, and not in a foreign cloud. The DSI is a metric that illustrates how much self hosted applications are actively used across nearly 60 countries. It represents the relative amount of deployments of self-hosted productivity and collaboration tools per 100,000 citizens, compared to other countries. DSI analyzes the deployment of 50 of the most relevant self-hosted tools for digital collaboration and communication. These include platforms for file sharing, video conferencing, groupware, notes, project management, and more. The results of the first Digital Sovereignty Index show significant differences in the adoption of self-hosted infrastructure across Europe and beyond. While the public debate around digital sovereignty has gained momentum in recent years, actual usage of sovereign digital tools remains fragmented – and in many places surprisingly low.

 A minute after we start our conversation, he’s already sharing a link to a recent article that describes the US Federal Trade Commission’s decision that Apple, Google, Meta and other American Big Tech players do not necessarily have to comply with the EU platform regulation Digital Services Act. 

Nextcloud has published an opinion piece on this subject, criticizing the Microsoft “European Digital Sovereignty” campaign and the promises of the Big Tech to preserve European tech autonomy and data privacy of the EU citizens. However, the idea of Digital Sovereignty Index wasn’t born in the heat of political debates. The story behind the Index is unexpectedly nerdy, as Jos explains:

JP:  So, shortly after we started Nextcloud, almost 10 years ago, we discovered a security issue in our product. When we fixed it, I told our head of security at the time, you know, we should tell people to update, and he confessed that a lot of people just don’t update their server deployments. I asked if he could provide concrete numbers on that, so we looked around and found a way to use a network scanning tool called Shodan. He wrote a script that checks on each of those nextcloud or owncloud servers the version they were running, and counts how many insecure versions were out there. That was in the past, many years ago, and then we decided to take that to a next level, to look not only at the nextcloud, but also at other solutions, just to get an idea of where people use these self hosted technologies more. Many interesting things came out of it. I had not expected Finland to be number one and the differences between to be so big, that really surprised me.

KE: Using Shodan to measure sovereignty is of course an unexpected approach, but aren’t there limitations? Many authoritarian countries like Russia for example may have less publicly visible servers, while still running free software solutions. 

JP: Of course, there are many limitations. For example, about a third of the Nextcloud instances don’t show up in this scan. I know roughly the real number of Nextcloud servers out there because our updater has statistics. It’s not 100% precise, but it covers the vast majority. That number is more like 400k, but we could only see 130k coming out of the scan. We already know, there are firewalls, governments or people who are blocking Shodan. That’s why we decided to make it a relative rating. And the other thing we did is that we decided to normalize the numbers between different products and didn’t distinguish between large servers with tens of thousands of users and smaller ones with a thousand or a hundred. That’s also why we don’t draw a lot of conclusions on the website and in the report. We give the numbers, but we don’t really say a lot about what they mean. 

KE:  Have you thought about cross-Index collaboration? Looking at what other Indexes do and may be working together? 

JP:  We did a bit of research in other indexes and a lot of them, of course, take a qualitative approach. They do surveys, which is also really interesting. We also got feedback from a couple of academics before we published our Index. We wanted to compensate a bit for the limitations of the DSI and look at other parameters. For example, if a country just doesn’t have a lot of its own servers, it would score low in our Index. But maybe they use zero foreign software, and in this way they could score high in another Index. We could also take into account a digitalization index, or look for an indication of how much of the Microsoft, Amazon or Google servers are used in a country but you cannot do a count on Big Tech because they’re just running a bunch of IP addresses. So there’s no relation between IP addresses and how many users they have or anything.. But the Index we did is extremely simple. It’s just a plain count without any kind of complications and it’s very objective. If you start to add in other sub-indexes, how much would you weigh them? That’s a choice. And it becomes a political choice, not objective anymore. How would you calculate? What weight would you give to it? We’re a vendor and we obviously have our own ideas and opinions so it won’t be credible anymore if we start to put our opinion in the Index. 

KE: In the DSI France is only at fourth place, however, the French government relies on a decentralized self-hosted messaging suite which is called Tchap, it’s a fork of Element based on Matrix protocol. How would you explain the fourth place here?  

JP: Well, two things. One, a single government instance with 100,000 users counts as one, just like a single private user instance with two users. We just count IP addresses that run the service. We know that in Germany the government has been very slow to digitalize, so most German governments are still running on-premise software. They’re not in the cloud. While in the Netherlands, the whole government is on Microsoft 365. If Microsoft shuts down 365, does the government stop functioning? The Dutch recently figured this out and are now starting to do something about it. The Germans, they’re just behind, which is now an advantage because now they can actually do a smart move towards self-hosting and never get onto Big Tech. But you don’t see any of that in the numbers in our Index. 

KE: What about peer-to-peer technologies? Aren’t they also a factor of digital sovereignty? They are designed to be run collectively, by a community of users, and often are local-first. Why haven’t you included them in the Index? 

JP:  With peer-to-peer it’s not so much about hosting your data yourself, but it’s more about anonymity or circumvention, or sharing without being seen. I didn’t look at something like Bit Torrent or Tor because I think for the digital sovereignty of Europe it is important where the data is, which is actually the opposite of distributed architectures or traffic anonymity. I think control is actually important for sovereignty. For instance, Nextcloud is not built around end-to-end encryption because we designed it with the idea that you trust the server. That’s also why Nextcloud is big in business and in governments. As a government, you have laws around transparency and accountability. As an administrator or a compliance officer you don’t want the civil servants to use encryption. That would be simply illegal. Which, by the way, I find very interesting about the government using Matrix. Privacy is important for people, users should have privacy. Companies and governments should not have privacy. They should be transparent and accountable. 

KE:  Do you think the Digital Sovereignty Index also tells something about shutdown or censorship resilience? If a country scores high, would it mean that it is better connected?

JP: If there are a lot of people who are running collaborative services locally, and if a crisis happens, say, for example, the US companies stop offering service, then there are a lot of people in Germany or in the Netherlands who know how to run a server and who can provide services locally and that means resilience. 

Table: DSI scores across countries

KE:  When you compare countries, you see, for example, that Russia is red, which is interesting because what Russia tries to do is exactly to build a sovereign internet. 

JP: It is entirely possible that the Russian government and big Russian tech companies are all running self-hosted services that we just might not see. While in the Netherlands, a lot of people are running their own servers, which gives the Netherlands a higher number than Russia, even though the Dutch government is dependent on Microsoft 365. And maybe we’re not checking software that is very popular in Russia, for example, we don’t yet have Delta Chat or XMPP which seems to be popular out there.  

KE:  So this Russian case is pointing at a controversy with the term “sovereignty”: how would you define it? 

JP:  We’re talking a lot about European sovereignty and we keep saying to each other that we don’t want to agree with the nationalists here. Open source is a global movement, and we are pro-open borders and open standards, we have employees from all over the world. I would say it’s more against big tech. Okay. It just shouldn’t be that five companies own all the data on the planet Earth. That’s crazy, that’s a risk for humanity. You know what I mean? It’s about sovereignty for humanity. 

KE:  So, if governments use your index for consultancy, for decision making, how would you hope it will shape their policy choices?

JP: I am Dutch, so it was interesting for me to see that the Netherlands is number three, while a ton of studies have been coming out over the last year showing that the Dutch government is completely dependent on Big Tech. And I thought, there is knowledge, skills and also interest in the Netherlands from the Dutch people in being digitally sovereign. And yet the government doesn’t seem to be aligned with that. So when you’re not using your people’s skills and interest, that means instead you’re giving money and creating jobs in California. Countries that have less servers, for example, Spain should first look to develop locally the skills and the economic knowledge, while countries that strike high, such as Netherlands, France or Germany, should align better with the social demand for self-hosting.