Posts

digital sovereignty

Sovereignty and digital technology: controlling our own destiny

Annie Blandin-Obernesser, IMT Atlantique – Institut Mines-Télécom

Facebook has an Oversight Board, a kind of “Supreme Court” that rules on content moderation disputes. Digital giants like Google are investing in the submarine telecommunications cable market. France has had to backpedal after choosing Microsoft to host the Health Data Hub.

These are just a few examples demonstrating that the way digital technology is developing threatens more than the economic independence and cultural identity of France and the European Union. Sovereignty itself is being questioned: threatened by the digital world, yet also finding its own form of expression there.

What is most striking is that major non-European digital platforms are appropriating the attributes of sovereignty: a transnational territory (their market, where they lay down norms), a population of internet users, a language, virtual currencies, optimized taxation, and the power to issue rules and regulations. The attribute unique to the digital context rests on the production and use of data and on control over access to information. This puts the platforms in competition with states and with the EU.

Sovereignty in all its forms being questioned

The concept of digital sovereignty has matured since it was formalized around ten years ago as an objective to “control our own destinies online”. The current context is different from the one in which it emerged: sovereignty in general is now seeing a resurgence of interest, or even souverainism (an approach that prioritizes protecting sovereignty).

The topic has never been so politicized. Public debate is structured around themes such as state sovereignty with regard to the EU and EU law, economic independence or strategic autonomy with regard to the rest of the world, and citizenship and democracy.

In reality, digital sovereignty is built on the basis of digital regulation, control over its material elements, and the creation of a democratic space. Real action must be taken, or digital sovereignty risks being held hostage by overly theoretical debates. Hence the many initiatives that claim to contribute to sovereignty.

Regulation serving digital sovereignty

The legal framework of the online world is based on values that shape Europe’s path: specifically, protecting personal data and privacy, and promoting the general interest, for example in data governance.

The text that best represents the European approach is the General Data Protection Regulation (GDPR), adopted in 2016, which aims to allow citizens to control their own data, similar to a form of individual sovereignty. This regulation is often presented as a success and a model to be followed, even if it has to be put in perspective.

New European digital legislation for 2022

The current situation is marked by proposed new digital legislation built around two regulations, due to be adopted in 2022.

This legislation aims to regulate platforms that connect service providers with users, or that offer services to rank or optimize content, goods or services offered or uploaded online by third parties: Google, Meta (Facebook), Apple, Amazon, and many others besides.

The question of sovereignty is also present in this reform, as shown by the debate around the need to focus on GAFAM (Google, Amazon, Facebook, Apple and Microsoft).

On the one hand, the Digital Markets Act (the forthcoming European legislation) includes strengthened obligations for “gatekeeper” platforms, on which business users and end users rely. This targets GAFAM, although other companies, such as Booking.com or Airbnb, may also be concerned. It all depends on the outcome of the current discussions.

On the other hand, the Digital Services Act is a regulation for digital services that will structure the responsibility of platforms, particularly with regard to the illegal content they may host.

Online space, site of confrontation

Having legal regulations is not enough.

“The United States have GAFA (Google, Amazon, Facebook and Apple), China has BATX (Baidu, Alibaba, Tencent and Xiaomi). And in Europe, we have the GDPR. It is time to no longer depend solely on American or Chinese solutions!” declared French President Emmanuel Macron in an interview on December 8, 2020.

Interview between Emmanuel Macron and Niklas Zennström (CEO of Atomico). Source: Atomico on Medium.

The international space is a site of confrontation between different kinds of sovereignty. Every individual wants to truly control their own digital destiny, but we have to reckon with the ambition of countries that demand the general right to control or monitor their online space, such as the United States or China.

The EU and/or its member states, such as France, must therefore take action and promote sovereign solutions, or else risk becoming a “digital colony”.

Controlling infrastructure and strategic resources

With all the focus on intermediary services, there is not enough emphasis placed on the industrial dimension of this topic.

And yet the most important challenge lies in controlling vital infrastructure and telecommunications networks. The question of submarine cables, which carry 98% of the world’s digital data, receives far less media attention than the issue of 5G equipment and resistance to Huawei. Yet it demonstrates the need to promote our cable industry in the face of the hegemony of foreign companies and the arrival of giants such as Google and Facebook in the sector.

The adjective “sovereign” is also applied to other strategic resources. For example, the EU wants to secure its supply of semiconductors, as it currently depends significantly on Asia. This is the purpose of the European Chips Act, which aims to create a European ecosystem for these components. For Ursula von der Leyen, “it is not only a question of competitiveness, but also of digital sovereignty.”

There is also the question of a “sovereign” cloud, which has been difficult to implement. There are many conditions required to establish sovereignty, including the territorialization of the cloud, trust and data protection. But with this objective in mind, France has created the label SecNumCloud and announced substantial funding.

Additionally, the adjective “sovereign” is used to describe certain kinds of data that states should be able to access without depending on anyone, such as geographic data. More generally, a consensus has emerged around the need to control data and access to information, particularly in the areas where the challenge of sovereignty is greatest, such as health, agriculture, food and the environment. The development of artificial intelligence is closely connected to the status of this data.

Time for alternatives

Does all this mean facilitating the emergence of major European or national actors and/or strategic actors, start-ups and SMEs? Certainly, but such actors will still need to behave virtuously, in contrast to those that shamelessly exploit personal data, for example.

A pure alternative is difficult to bring about. This is why partnerships are developing, even though they remain highly criticized – for example, the collaboration between Thales and OVHcloud, announced in October 2021 to offer cloud hosting.

On the other hand, there is reason to hope. Open-source software is a good example of a credible alternative to proprietary American technologies. It needs to be better promoted, particularly in France.

Lastly, cybersecurity and cyberdefense are critical issues for sovereignty. The threat is real, with attacks coming from Russia and China in particular. Cybersecurity is one of the major sectors in which France is currently investing heavily and positioning itself as a leader.

Sovereignty of the people

To conclude, it should be noted that challenges relating to digital sovereignty are present in all human activities. One of the major revelations occurred in 2005, in the area of culture, when Jean-Noël Jeanneney observed that Google had defied Europe by creating Google Books and digitizing the continent’s cultural heritage.

The recent period reconnects with this vision: cultural and democratic issues are clearly essential in this time of online misinformation and its multitude of negative consequences, particularly for elections. This means placing citizens at the center of these mechanisms and democratizing the digital world by freeing individuals from the clutches of the internet giants, whose control is not limited to the economy and sovereignty: the fabric of the major platforms is woven from the human cognitive system, attention and freedom. In this case, the sovereignty of the people is synonymous with resistance.

Annie Blandin-Obernesser, Law professor, IMT Atlantique – Institut Mines-Télécom

This article was republished from The Conversation under the Creative Commons license. Read the original article here (in French).

Facebook

Facebook: a small update causes major disruption

Hervé Debar, Télécom SudParis – Institut Mines-Télécom

Late on October 4, many users of Facebook, Instagram and WhatsApp were unable to access their accounts. All of these platforms belong to the company Facebook and were all affected by the same type of error: an accidental and erroneous update to the routing information for Facebook’s servers.

The internet employs various types of technology, two of which were involved in this incident: BGP (border gateway protocol) and DNS (domain name system).

In order to communicate, each machine must have an IP address. Online communication involves linking two IP addresses together. The contents of each communication are broken down into packets, which are exchanged by the network between a source and a destination.
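To make the packet model concrete, here is a minimal Python sketch. The 1,200-byte packet size and the source address are invented for illustration (192.0.2.1 is a reserved documentation address; the destination is the facebook.com address cited below), and real IP packets carry many more header fields:

```python
# Toy model of packet-based communication: a message is split into
# packets, each carrying the source and destination IP addresses.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    seq: int        # position of this fragment in the original message
    payload: bytes  # the fragment itself

def packetize(src, dst, data, size=1200):
    """Break `data` into packets of at most `size` bytes."""
    return [Packet(src, dst, i, data[o:o + size])
            for i, o in enumerate(range(0, len(data), size))]

packets = packetize("192.0.2.1", "157.240.196.35", b"x" * 3000)
print(len(packets))  # 3 packets: 1200 + 1200 + 600 bytes
```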

How BGP (border gateway protocol) works

The internet is made up of tens of thousands of “autonomous systems”, or AS, some very large, others very small. Some AS are interconnected via exchange points, enabling them to exchange data. Each of these systems is comprised of a network of routers, which are connected using either optical or electrical communication links. Communication online circulates over these links, with routers responsible for transferring communications between links in accordance with routing rules. Each AS is connected to at least one other AS, and often to several at once.

When a user connects their machine to the internet, they generally do so via an internet service provider or ISP. These ISPs are themselves “autonomous systems”, with address ranges which they allocate to each of their clients’ machines. Each router receiving a packet will analyse both the source and the destination address before deciding to transfer the packet to the next link, following their routing rules.

In order to populate these routing rules, each autonomous system shares information with other autonomous systems describing how to associate a range of addresses in their possession with an autonomous system path. This is done step by step through the use of the BGP or border gateway protocol, ensuring each router has the information it needs to transfer a packet.
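To make this step-by-step sharing concrete, here is a minimal Python sketch of route propagation between autonomous systems. It is a toy model under invented assumptions: the AS numbers and topology are made up, the prefix simply matches facebook.com's address range, and real BGP involves sessions, policies and path selection that are ignored here. The `withdraw` function anticipates the outage described below:

```python
# Toy model of BGP: each AS tells its neighbours which prefix it can
# reach and via which AS path, and the information spreads hop by hop.
from collections import deque

# Invented topology: AS 65001 (origin) -- AS 65002 -- AS 65003
neighbours = {65001: [65002], 65002: [65001, 65003], 65003: [65002]}
tables = {asn: {} for asn in neighbours}  # per-AS map: prefix -> AS path

def advertise(origin_as, prefix):
    """Flood a route announcement from its origin to every AS."""
    tables[origin_as][prefix] = [origin_as]
    queue = deque([origin_as])
    while queue:
        asn = queue.popleft()
        path = tables[asn][prefix]
        for n in neighbours[asn]:
            if prefix not in tables[n]:   # keep the first path learned
                tables[n][prefix] = path + [n]
                queue.append(n)

def withdraw(prefix):
    """A withdrawal erases the routes everywhere, as in the outage."""
    for table in tables.values():
        table.pop(prefix, None)

advertise(65001, "157.240.0.0/16")
print(tables[65003])  # {'157.240.0.0/16': [65001, 65002, 65003]}
withdraw("157.240.0.0/16")
print(tables[65003])  # {} -- AS 65003 no longer knows a route
```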

DNS (domain name system)

The domain name system was devised because IP addresses are opaque and hard for end users to remember. For servers available on the internet, it links a name such as “facebook.com” with the IP address “157.240.196.35”.

Each holder of a domain name sets up (or delegates) a DNS server, which links domain names to IP addresses. These servers are considered the most reliable source (or authority) for DNS information, but they are also often the first cause of an outage: if a machine is unable to resolve a name (i.e. to connect the name requested by the user to an address), the end user is sent an error message.
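The resolution step, and the error an end user's software receives when it fails, can be reproduced with Python's standard library (the second name below is deliberately unresolvable, and the facebook.com result will vary by location):

```python
import socket

def resolve(name):
    """Ask the system resolver (and, behind it, the DNS) for an address."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as err:
        # The kind of failure users saw during the outage: the name
        # exists, but resolution cannot be completed.
        return f"resolution failed: {err}"

print(resolve("facebook.com"))          # e.g. 157.240.196.35
print(resolve("no-such-host.invalid"))  # resolution failed: ...
```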

Each major internet operator – not just Facebook, but also Google, Netflix, Orange, OVH, etc. – has one or more autonomous systems and coordinates its BGP routing with its peers. Each also has one or more DNS servers, which act as the authority for its domains.

The outage

Towards the end of the morning of October 4, Facebook made a modification to its BGP configuration which it then shared with the autonomous systems it is connected to. This modification resulted in all of the routes leading to Facebook disappearing, across the entire internet.

Ongoing communications with Facebook’s servers were interrupted as a result, as the deletion of the routes spread from one autonomous system to the next, since the routers were no longer able to transfer packets.

The most visible consequence for users was a DNS failure: as a result of the BGP error, the DNS servers of ISPs could no longer contact Facebook’s authoritative servers, and users were sent an error message.

This outage also caused major disruption on Facebook’s end, as it rendered remote access, and therefore teleworking, impossible. Because their internal communication tools ran on the same infrastructure, Facebook employees found themselves unable to communicate with each other, and repairs had to be carried out on-site at the data centres. With building security also managed online, gaining access proved more complex than first thought.

Finally, with the domain name “facebook.com” no longer referenced, it was identified as free by a number of specialist sites for the duration of the outage, and was even put up for auction.

Impact on users

Facebook users were unable to access any information for the duration of the outage. Facebook has become vitally important for many communities of users, with both professionals and students using it to communicate via private groups. During the outage, these users were unable to continue working as normal.

Facebook is also an identity provider for many online services, enabling “single sign-on”, which involves users reusing their Facebook accounts in order to access services offered by other platforms. Unable to access Facebook, users were forced to use other login details (which they may have forgotten) in order to gain access.

Throughout the outage, users continued to request access to Facebook, leading to an increase in the number of DNS requests made online and a temporary but very much visible overload of DNS activity worldwide.
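A crude way to see why this overload occurs: if every failed lookup is retried a few times, the request rate is multiplied for as long as the outage lasts. A minimal model, with invented numbers:

```python
# Toy model of DNS load amplification during an outage: each failed
# lookup triggers retries, multiplying the request rate.
def dns_requests_per_minute(users, retries_per_failure, outage):
    base = users  # assume one lookup per user per minute
    return base * (1 + retries_per_failure) if outage else base

print(dns_requests_per_minute(1_000_000, 3, outage=False))  # 1000000
print(dns_requests_per_minute(1_000_000, 3, outage=True))   # 4000000
```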

This outage demonstrated the critical role played by online services in our daily lives, while also illustrating just how fragile these services still are and how difficult it can be to control them. As a consequence, we must now look for these services to be operated with the same level of professionalism and care as other critical services.

Banking, for example, now takes place almost entirely online. A breakdown like the one that affected Facebook is less likely to happen to a bank, given the standards and regulations in place for banking, such as the Network and Information Security (NIS) Directive, the General Data Protection Regulation or PCI-DSS.

In contrast, Facebook writes its own rules and is partially able to evade regulations such as the GDPR. Introducing service obligations for these major platforms could improve service quality. It is worth pointing out that no bank operates a network as impressive as Facebook’s infrastructure, the size of which exacerbates any operating errors.

More generally, after several years of research and standardisation, security mechanisms for BGP and DNS are now being deployed, with the aim of preventing attacks that could have a similar impact. Their deployment will need to be accelerated in order to make the internet more reliable.

Hervé Debar, Director of Research and PhDs, Deputy director, Télécom SudParis – Institut Mines-Télécom

This article has been republished from The Conversation under a Creative Commons licence. Read the original article.

web browsing

How our Web browsing has changed in 30 years

Victor Charpenay, Mines Saint-Étienne – Institut Mines-Télécom

On August 5, 1991, a few months before I was born, Tim Berners-Lee unveiled his invention, called the “World Wide Web”, to the public and encouraged anyone who wanted to discover it to download the world’s very first prototype Web “browser”. This means that the Web as a public entity is now thirty years old.

Tim Berners-Lee extolled the simplicity with which the World Wide Web could be used to access any information using a single program: his browser. Thanks to hypertext links (now abbreviated to hyperlinks), navigation from one page to another was just a click away.

However, this principle, which was still a research topic at the time, seems to have been eroded over the years. Thirty years later, the nature of our web browsing has changed: we visit fewer websites but spend more time on each individual site.

Hypertext in the past: exploration

One of the first scientific studies of our browsing behavior was conducted in 1998 and made a strong assumption: that hypertext browsing was mainly used to search for information on websites – in short, to explore the tree structure of websites by clicking. Search engines were still relatively inefficient, and Google Inc. had only just been registered as a company. As recently as 2006 (according to another study, published the following year), search engines were used to launch only one in six browsing sessions, each of which then required an average of a dozen clicks.

Jade boat, China. Metropolitan Museum of Art, archive.org

Today, like most Internet users, your first instinct will doubtless be to “Google” what you are looking for, bypassing the (sometimes tedious) click-by-click search process. The first result of your search will often be the right one. Sometimes, Google will even display the information you are looking for directly on the results page, which means that there will be no more clicks and therefore no more need for hypertext browsing.

To measure this decline of hypertext from 1998 to today, I conducted my own (modest) analysis of browsing behavior, based on the browsing histories of eight people over a two-month period (April–May 2021). These people sent me their histories voluntarily (no code was hidden in their web pages, in contrast to the practices of other browsing-analysis algorithms), and the names of the visited websites were anonymized (www.facebook.com became *.com). Summarizing the recurrent patterns that emerged from these histories shows not only the importance of search engines, but also the concentration of our browsing on a small number of sites.
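For illustration, the anonymization step could look something like the following Python sketch; the actual scripts used for the study are not published, so the details here are an assumption:

```python
from urllib.parse import urlparse

def anonymize(url):
    """Keep only the top-level suffix of the site name, as in the study:
    www.facebook.com -> *.com"""
    host = urlparse(url).hostname or ""
    return "*." + host.rsplit(".", 1)[-1]

history = ["https://www.facebook.com/feed",
           "https://www.youtube.com/watch?v=abc"]
print([anonymize(u) for u in history])  # ['*.com', '*.com']
```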

Hypertext today: the cruise analogy

Not everyone uses the Web with the same intensity. Some of the histories analyzed came from people who spend the vast majority of their time in front of a screen (me, for example). These histories contain between 200 and 400 clicks per day, or one every 2–3 minutes over a 12-hour day. In comparison, people who use their browser only for personal purposes perform an average of 35 clicks per day; based on a daily average of 2.5 hours of browsing, such a user clicks once every 4 minutes.

How are these clicks distributed within a browsing session? One statistic seems to illustrate the persistence of hypertext in our habits: three quarters of the websites we visit are reached by a single click on a hyperlink. More precisely, on average, only 23% of websites are “source” sites, reached from the home page, a bookmark or a browser suggestion.

However, the dynamics change when we analyze the number of page views per website. Indeed, most of the pages visited come from the same sites. On average, 83% of clicks take place within the same site. This figure remains relatively stable over the eight histories analyzed: the minimum is 73%, the maximum 89%. We typically jump from one Facebook page to another, or from one YouTube video to another.
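This 83% figure corresponds to a simple statistic over the chronological sequence of visits: the share of consecutive page views that stay on the same site. A sketch of the computation, on invented data:

```python
# Share of clicks that stay within the same website, computed over a
# chronological sequence of site visits (sample data is invented).
def intra_site_fraction(sites):
    pairs = list(zip(sites, sites[1:]))
    same = sum(1 for a, b in pairs if a == b)
    return same / len(pairs)

session = ["google", "youtube", "youtube", "youtube", "wiki", "youtube"]
print(f"{intra_site_fraction(session):.0%}")  # 40% for this toy session
```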

There is therefore a dichotomy between “main” sites, on which we linger, and “secondary” sites, which we consult occasionally. There are very few main sites: ten at the most, which is barely 2% of all the websites a person visits. Most people in the analysis have only two main sites (perhaps Google and YouTube, according to the statistics of the most visited websites in France).

On this basis, we can paint a portrait of a typical hypertext browsing session, thirty years after the widespread adoption of this principle. A browsing session typically begins with a search engine, from which a multitude of websites can be accessed. We visit most of these sites once before returning to our search engine. The handful of main sites in our browsing session are also reached via the search engine, but once on one of them, we carry out numerous activities there before ending the session.

The diagram below summarizes the portrait I have just painted. The websites that initiate a browsing session are in yellow, the others in blue. By analogy with the exploratory browsing of the 90s, today’s browsing is more like a slow cruise on a select few platforms, most likely social platforms like YouTube and Facebook.

A simplified graph of browsing behavior; the nodes of the graph represent a website (yellow for a site initiating a browsing session, blue for other sites) and the lines represent one or more clicks from one site toward another (the thickness of the lines is proportional to the number of clicks). Victor Charpenay, provided by the author.

The phenomenon that restricts our browsing to a handful of websites is not unique to the web. This is one of the many examples of Pareto’s law, which originally stated that the majority of the wealth produced was owned by a minority of individuals. This statistical law crops up in many socio-economic case studies.
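In browsing terms, Pareto-style concentration means that a couple of “main” sites capture most page views. A toy computation with invented counts:

```python
# Concentration of page views on a few "main" sites (invented counts).
from collections import Counter

views = Counter({"youtube": 480, "facebook": 350, "wiki": 40,
                 "news": 25, "blog": 5})
total = sum(views.values())
top2 = sum(count for _, count in views.most_common(2))
print(f"top 2 sites = {top2 / total:.0%} of all page views")  # 92%
```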

However, what is interesting here is that this concentration phenomenon is intensifying. The 1998 study gave an average of 3 to 8 pages visited per website. The 2006 survey reported 3.4 page visits per site. The average I obtained in 2021 was 11 page visits per site.

Equip your browser with a “porthole”

The principle of hypertext browsing is nowadays widely abused by the big Web platforms. The majority of hyperlinks between websites – as opposed to self-referencing links (those directed by websites back to themselves, shown in blue in the diagram above) – are no longer used by humans for browsing, but by machines to automatically install fragments of spyware code in our browsers.

There is a small community of researchers who still see the value of hypermedia on the web, especially when users are no longer humans, but bots or “autonomous agents” (which are programmed to explore the Web rather than remain on a single website). Other initiatives, like Solid – Tim Berners-Lee’s new project – are trying to find ways to give Internet users (humans or bots) more control over their browsing, as in the past.

As an individual, you can monitor your own web browsing in order to identify habits (and possibly change them). The Web Navigation Window browser extension, available online for Chrome and Firefox, can be used for this purpose. If you wish, you could also contribute to my analysis by submitting your own history (with anonymized site names) via this extension. To do so, just follow the corresponding hyperlink.

Victor Charpenay, Lecturer and researcher at the Laboratory of Informatics, Modeling and Optimization of Systems (LIMOS), Mines Saint-Étienne – Institut Mines-Télécom

This article has been republished from The Conversation under a Creative Commons license. Read the original article (in French).