A few months ago, I landed at New York’s JFK airport. Fortunately, my flight went smoothly, and we arrived on time in the early evening. After a long walk to the immigration booths, the cue lines were long, as expected. Usually, arriving passengers are split into citizens, residents, and visitors (previously grouped as “aliens”) Diplomats and flight crews get their own exclusive cues. Sixty minutes later, I was finally getting closer to the booth, with just one person ahead of me. Then I saw it, stuck to the lower front panel of one of the nearby booths. A notice about picture-taking or facial digital biometrics, written in black and red letters on a white background. I was tempted to unleash my own “notice biometrics” using my cell phone but I was aware such a simple action would trigger trouble. I do not remember the exact language, but the notice said that no-grinning, no-glasses face pictures would be deleted after 12 hours for US citizens. Moreover, the latter could also opt out of the facial intrusion altogether and instead prove who they are in good analog fashion. What about the rest of us, aliens? The answer to that question is here, which I found after officially entering sovereign territory and doing my homework.
After reading the notice, the seemingly disconnected ideas of surveillance and sovereignty popped up in the corners of my mind unexpectedly. While the former seems to have been displaced by disinformation in theory but not in practice, the latter is gaining terrain at the speed of light, thanks to dramatic geopolitical changes. So, how did we get here?
The US Patriot Act of 2001 provides the perfect background. An excellent official summary is here (PDF)—no need to digest the original text for our purposes. Among its many legal enhancements, the Act explicitly calls for deploying and using digital technologies to track suspected terrorists, including hackers. Welcome to the age of global digital surveillance. Moreover, it also allowed for monitoring citizens and foreigners that handle “foreign intelligence information,” as defined in Section 203. Furthermore, the indefinite detention of “terrorist aliens” (Section 412) was also put in place. Many of the Act’s provisions were supposed to expire in 2005, but most were eventually extended. The Act underwent several changes since, including its name under the Obama presidency, but was finally allowed to expire in 2020 under the Trump administration. That does not imply surveillance has vanished, too. Remember that after Russia invaded Ukraine, leaked US government documents showed that it was still spying on “aliens,” foreign allies included. Of course, all nations do the same, but most do not readily have the required digital capabilities. They are probably envious.
Figures for US Intelligence budgeting indicate that by 2013, its size was larger than its peak during the Cold War, almost 80 billion USD. Legislation attracts money, of course. The NSA is one of the many agencies included here, but the agency’s numbers are classified and thus not available to the public. I have already covered how the spook agency, in 2009, amid the Global Financial Crisis, was busy building a vast data center of undisclosed size with an unknown budget. Such financial resources are also absent in the vast majority of countries.
In any case, there is an evident dialectical tension between unfettered global digital surveillance and traditional national sovereignty. The Snowden 2013 revelations and WikiLeaks leaks brought such tension to the forefront. Reports on spying on Angela Merkel, then Chancellor of Germany, and Brazil’s President at the time, Dilma Rousseff, among many others, led to the consolidation of digital sovereignty.
The introductory chapter of a recent open-access book summarizes the above, albeit without mentioning the US Patriot Act. Indeed, several countries started to take action to manage unfettered surveillance while developing ideas around potential digital sovereignty. Brazil and Germany explored the development of data localization laws at the time, while the EU launched the European Cloud Initiative (PDF), which was approved in 2016. The GDPR followed soon thereafter. More recently, GAIA-X, a federated data infrastructure initiative, saw the light of day. It is also possible to argue that the latest EU digital legislation, such as the DSA, the DMA and the AI Act, are part of the EU digital sovereignty package.
Needless to say, digital sovereignty is a contested idea. The abovementioned book defines it as “the exercise of agency, power, and control in shaping digital infrastructure, data, services, and protocols” (pg. 4) and compares it to other alternatives. In any case, its key point is that digital sovereignty is not limited to the nation-state. Instead, it comes in a variety of flavors. The book proposes seven digital sovereignty types, one being the purview of national states. The other six are supranational, network, corporate, postcolonial, individual and commons digital sovereignty. While the authors acknowledge that these categories are not mutually exclusive, the book does not study their relationships, unfortunately. I also think there is a key adjective is missing from the various definitions shared by the book.
ICANN is, in my view, a good example of digital sovereignty. First, nation-states are only one of the many actors involved and do not have the last word. A multistakeholder governance model prevails here. Second, ICANN can be classified under the network digital sovereignty rubric, which the book suggests without offering a lot of detail. Before ICANN, obtaining domain names and IP addresses was a first-come, first-serve affair managed by the late Jon Postel. In the mid-1990s, when I was running a global internet-related project, I was able to register domain names, including a couple of Country code top-level domains (ccTLDs), and obtain IP addresses, which were becoming scarce as the Internet rapidly grew. All that changed in 1998 when ICANN was created by the US government and operated under the wings of the US Department of Commerce. That came to an end in January 2017. ICANN is now an independent multistakeholder non-profit organization based in California and subject to the laws of that state and to US federal legislation related to non-profit organizations, as the book notes correctly.
Regardless, from the vantage point of digital sovereignty, ICANN has absolute or supreme power over the overall management of all Internet names and addresses. In other words, it has “monopoly power.” No one can get an Internet address or name without involving ICANN. Even if I am pushing, say, for Commons digital sovereignty, I still need to have access to the digital real estate ICANN manages to be able to be an agent in such space who wants to exercise control over it. And that seems to be missing from the various definitions offered by the book.
Next, I will look at the traditional idea of sovereignty to delve deeper into the issues.
Raul
