A framework for digital sovereignty in higher education (and beyond)
Notes from my OTESSA talk, extended with what I have been reading since.
What made me happy this week:
- Being away with my camper for a couple of days at French Beach.
- Getting our local bear on video x 2 (included at end of post!), he is quite big and we are giving him his space!
- Wrapping up a deliverable for one of my contracts, am very pleased with how that's gone (will share when they do).
- Getting another iteration of our AI Alignment feedback metric - this time embedding some things I learned from How to Theorize So Empiricists Will Listen.
I thought I would share a bit from my OTESSA talk earlier this month. I've tried my best to write this in blog format, so that others can adapt and build on it.
The moment we are in: a rapidly evolving political, tech and human landscape. There's a groundswell of realization and demand in Canada, all calling for digital sovereignty.
In my talk, I suggested that one way to look at the 'sovereignty challenge' is to apply the four freedoms to decisions about technology, with pillars of governance and capability driving the sovereignty.

What is digital sovereignty?
Depending on your geographic location, the definition changes, not in opposition, but rather in evolutionary maturity.
New is Canada's Digital Sovereignty Framework (the closest I can find to a statement), which defines sovereignty as the Government of Canada's capacity to exercise autonomy over digital assets and services: operational resilience, system integrity, institutional control.
The EU Berlin Declaration, on the other hand, defines digital sovereignty as the ability of member states AS WELL AS institutions, businesses, and individuals to act independently and make autonomous decisions about digital systems.
Europe's declaration encompasses individuals and businesses, while Canada's is starting with government agencies. Not better or worse, but behind.
In many conversations I've seen about this topic, people also silo the conversation to be about 'not the USA' or 'only in Canada', which neglects the risk associated with isolation.
"As Canada pursues digital sovereignty through initiatives such as AI for All and sovereign AI investments, the question is no longer whether governments will digitize services, but whether they can do so on foundations they collectively trust and govern." - Patrick Spencer, Canada Is Building Digital Government One Doorway at a Time
Digital sovereignty falls into specific categories
- Data: collected, stored, and processed under the laws of where it originates. Canadian data under Canadian privacy law, for instance. Not the same as data residency.
- Operational: complete control over who manages, maintains, and accesses your IT systems. The ability to run what you have, on your terms.
- Technology (often labeled "technical" in policy writing): the ability to develop, control, and govern the technologies you depend on. Not just the tools, but the stack underneath: infrastructure, software, models, standards, and the people who can build and modify any of it. Running an LMS is operational. Being able to fork or replace the LMS is technological.
- Legal: the assurance that all of your digital operations and data transfers are subject only to local courts and national laws.
Framing the challenge similarly to the four software freedoms with governance and capability as pillars
Note: The four software freedoms originate with the Free Software Foundation's Free Software Definition: run, study, change, redistribute. I am rendering them here as Use, Inspect, Change, Share to surface the audit and adaptation work a sovereignty lens asks of each.
Broken down into categories, it might look like this:
Use
Run for any purpose translates to:
- Purpose: run it for whatever you decide, not limited by a foreign vendor's restrictions on what you are allowed to use it for.
- Continuity: run it when you need to, including offline, under sanctions, or after a foreign vendor's policy change.
- Reach: run it for the users, regions, and institutions you choose.
Inspect
Study how it works translates to:
- Compliance: does it follow local law.
- Control: do you actually hold the control you were promised, or are there hidden kill switches, remote disables, telemetry, signing keys you don't own.
- Changeability: can you actually modify what you need to, or is the change-right notional (encrypted blobs, undocumented binaries, contractual restrictions on forking).
Change
The right to change and modify translates to:
- Right to modify: the licence and contract permit modification under your jurisdiction. No foreign-vendor no-derivatives clause, no anti-circumvention provision, no extraterritorial veto on your fork.
- Means to modify: the source, documentation, build chain, and signing keys are actually accessible. The change can be executed without breaking the trust chain (no encrypted blobs, no locked bootloader, no vendor-held keys you cannot reissue).
- Sustainable modification: a modified system still runs, still interoperates, still receives security maintenance. A fork is not a death sentence.
Share
The right to distribute and share translates to:
- Right to share: licence and law permit redistribution and contribution under your jurisdiction. Consider things like CLAs in open source.
- Means to share: the infrastructure to distribute and accept contributions sits within reach you can actually control. Package registries, code-hosting, signing and distribution channels are not single-vendor chokepoints.
- Mutuality of benefit: contributions flow both ways. Improvements you push upstream actually land and propagate; improvements upstream flow back to you. You are inside the commons.
Change without Share keeps your improvements stranded in your jurisdiction. Share without Change makes you a redistribution channel for someone else's roadmap. Sovereignty needs both freedoms intact.
PLUS governance
The four freedoms are helpful, but governance is a pillar that I suggest runs throughout:
- Authority to decide: whose decision counts, under whose law, recognised by the people affected.
- Enforcement of that decision: can that authority actually be exercised, especially across borders. Authority without enforcement is performance. A faculty council that decides against US-jurisdiction proctoring needs the contractual, technical, and institutional teeth to hold when the vendor pushes back.
PLUS capability
"What capabilities does a country need if it wants to shape its own digital future rather than simply consume technologies developed elsewhere?" - Regina Nkenchor
Capability is the second pillar I suggest runs throughout: governments, individuals and businesses must have capabilities (or be part of a capability effort) to reduce security, legal, reputational and sustainability risk.
- In-house competence: the engineering, architecture, procurement, and product capacity to do the work. People on staff who understand the technology stack and business logic, audit the system, evaluate the alternative, and deploy the replacement. A licence that permits modification means nothing without the people to read it.
- Pooled across peer institutions: structures that share competence and infrastructure across schools so one institution's work is reusable at another. The Netherlands' SURF cooperative is the working example: pooled ICT infrastructure across 100+ Dutch universities and research institutions, with Nextcloud deployed as a sovereign collaboration platform across most.
- Sustained at the open-source dependency layer: the upstream projects the whole stack rests on (curl, OpenSSL, GnuPG, log4j, language toolchains, build systems) are shared infrastructure that no single institution can fund alone. Germany's Sovereign Tech Fund is the working example: public funding for critical open-source dependencies as digital public infrastructure, with sustained grants to maintainers rather than one-off bug bounties.
Patrick Spencer at Open Canada and Regina Nkenchor, on 'From Technologies to Capabilities', helped inspire this section, as did what I know of the great work of the Sovereign Tech Fund.
Also - open is not automatically sovereign
During the Canvas outage, there were a lot of calls for 'open', but as this framework describes, open is not (alone) a default pathway to sovereign.
An example I like to use is this quote from the White House. If they are building open models that align with 'American' values, then that's a misalignment for Canada, and if we are not part of the governance or capability, it's not a sovereign option for Canada:
"We need to ensure America has leading open models founded on American values... The new White House plan also aims to ensure these models are free from any ideological biases." - 2025 White House Statement on Open Source AI
Examples of sovereign misalignment for Canada
I use the term 'alignment', borrowed from AI Alignment, to talk about incidents like those below; increasingly, as AI becomes part of technology stacks, alignment becomes a critical language to speak.
- Canvas breach: 275M users, 9000 institutions, 3.65 TB. Use, Inspect, Share, Govern all forfeited.
- CrowdStrike outage: 8.5M devices, ~$10B losses, one update. No freedom to stop the broken update, no inspection, total dependency.
- Respondus: biometric, non-compliant per Ontario IPC, US jurisdiction. Stored in Canada is not enough when the vendor is subject to the US CLOUD Act. Location is not control.
AI, digital sovereignty and openness
And this is before we really get into AI and the implications of Canada's new national AI strategy, 'AI for All'. On the note of 'openness' and AI, it's even murkier: as the industry seeks clarity, we've moved towards more of a description of WHAT is possible, versus being defined by a license (as I am proposing).
The G7 grades openness on a spectrum across weights, deployment code, training code, training data, and use restrictions. Tiers: Open Source AI with Open Data, Open Source AI, Open Weights AI, Weights Available AI. No widely-used competitive model meets the top two tiers today.

A sovereignty lens for AI in Canada has to hold many layers at once: state, institution, business, individual, and nation. The Berlin Declaration is an inspiration in this regard: sovereignty lives in member states, institutions, businesses, and individuals. In Canada the lens must stretch further to hold Indigenous nations as sovereign peoples within the federation, with their own data governance principles (OCAP, CARE) and their own claims on what may be collected, shared, modelled, or owned about them.
The four freedoms, held together by governance and capability, are how that question gets asked at every layer. Alignment is the AI question that follows. If sovereignty is distributed, alignment has to be too. A system aligned to vendor convenience is not aligned to the people whose data, learning, and life it touches.
Higher Education is a place to start
Higher education has the relationships, the mandate for public interest, and in Europe examples like SURF as a working model.
- The culture exists: open education communities sharing textbooks, practices, resources for over a decade.
- The infrastructure exists: cross-institution networks, shared repositories, communities of practice.
- The mandate fits: public institutions, public interest, shared infrastructure as extension of mission.
Ways to get started
Dear higher ed folks, consider some of these ways to get started:
- Inspect - Assess duplication and dependency: measure collective spend, who controls the tools, where data sits, what risk that creates.
- Share - Pool digital infrastructure: move from dozens of separate contracts to shared services and collective procurement; talk to other institutions and collaborative efforts.
- Change - Require exit-readiness in every tool selection: forkability, migration paths, and contractual rights to modify before adoption.
- Governance - Adopt a sovereignty procurement policy: require a sovereignty and privacy assessment, and check for controlled alternatives.
- Capability (in-house) - Invest in retaining and growing internal engineering, architecture, procurement, and product capacity. Again, look to other institutions to share the effort.
- Capability (shared) - Co-fund critical open-source dependencies and join or build peer-cooperative structures (SURF, Sovereign Tech Fund as models).
- Use - Build new programs sovereign-first: start sovereign and expand, rather than defaulting and deepening dependency.
I am, of course, available by contract for any organizations looking to get started!
My bear videos!
While I was writing this, the bear came for another visit (here is the one from just a couple of hours ago, and earlier last week).