Open Thinkering

Digital colonialism is where jurisdiction matters more than geography

Technology / CLOUD Act / zero knowledge / trust / verification / digital sovereignty
R2D2 on the set of Star Wars
Photo by André Julien / Unsplash

In June 2025, Anton Carniaux, Director of Public and Legal Affairs at Microsoft France, admitted to a French Senate inquiry that he “couldn't guarantee” French data would remain protected from US government access – even when stored in European data centres.

While it's a shocking revelation, Carniaux's confession only really validates what the 2018 CLOUD Act had already made legally explicit. That is the authorities can compel US-controlled providers to disclose any data they have custody, control, or possession over.

This means that, when we're thinking about where to put our own data, more important that geography is jurisdiction. Regardless of where data sits physically, the US has access and control.

This isn't a theoretical worry, either. When the International Criminal Court (ICC) investigated potential US war crimes, they lost access to their Microsoft Outlook accounts. When Russia invaded and stole Ukrainian tractors, the manufacturer John Deere remotely disabled them via kill switches. The infrastructure we've built our digital lives upon can be switched off, not by technical failures, but by political decisions.

Cory Doctorow's optimistic recent analysis sees this a moment of huge opportunity. The mask of American “neutrality” when it comes to technology has been well and truly taken off. So the question facing organisations, governments, and individuals across Europe is no longer whether to pursue digital sovereignty, but how.

And given that it's not geography but jurisdiction that counts, how can we know who and what to trust?

Promises != verification

Usually, when people are talking about digital sovereignty the conversation is about where data is stored (“data residency”). But Microsoft's admission exposes the core problem: you cannot actually verify what cloud providers promise.

Many services claiming “end-to-end encryption” redefine the concept, treating client-to-server HTTPS connections as sufficient. The “ends” become your browser and their server, rather than you and your intended recipient. This means the company still holds all the keys, the CLOUD Act still applies, and your data remains accessible to US authorities with a warrant. Or perhaps even without one – under Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Trust, but verify. When cloud providers control both infrastructure and keys, verification is impossible. You rely on their audit reports, security certifications, public statements. Remember, Microsoft told the French Senate they cannot actually guarantee data sovereignty.

Zero-knowledge architecture

There are technical solutions to this problem. Zero-knowledge encryption completely changes the trust model by making verification possible by you. Using this approach, data is encrypted on your device before transmission using keys derived from your password. The service provider literally has zero access to unencrypted data because they never possess the decryption keys.

Instead of smoke-and-mirrors marketing language, it's mathematically verifiable. There tools to check whether data being transmitted is genuinely encrypted. And, of course, using Open Source implementations allows code to be audited. This way, the community can verify that encryption happens on your machine, keys never leave your devices, and that the service providers genuinely have zero knowledge of your data.

Services like Proton Drive, Tresorit, and MEGA implement zero-knowledge storage. Password managers like Bitwarden use zero-knowledge architecture to ensure that even they cannot access your credentials. Element provides zero-knowledge messaging, and Nextcloud offers self-hosted alternatives with end-to-end encryption options.

Genuine digital sovereignty requires cryptographic protection that makes data inaccessible to the service provider. Not by blindly trusting a company's marketing materials, but from mathematics. When governments demand data access through laws like the CLOUD Act, providers can only hand over your encrypted blobs of data – which are useless without the keys they don't possess.

Practical next steps

If you're anything like me, you work with and for organisations which are not huge multinationals. What does digital sovereignty mean at this level?

As I mentioned in my previous post, it's not about trying to instantly transition to European providers. As I've mentioned above, it's jurisdiction that matters more than geography anyway. Many organisations will adopt hybrid approaches: European providers for sensitive data, other (perhaps more “convenient” or familiar) providers for less-sensitive workloads, and Open Source tools for communication.

This is a pragmatic approach. The goal isn't zero dependence on US tech – that's almost impossible for all but the most hardcore of organisations. Instead, we're trying to reduce our exposure to the demands of the CLOUD Act demands and re-build diversity into the ecosystem.

Individual sovereignty choices have limits. We can control what we directly operate, but collaboration requires shared platforms. So beyond what I'm talking about here is collective action. Just as no man is an island, so sovereignty is something communities achieve together, not something individuals pursue alone.