What happened

In February, Trump sanctioned International Criminal Court (ICC) for issuing arrest warrants for Israeli Prime Minister Benjamin Netanyahu and his former defense minister, Yoav Gallant. The court argued that the Israeli politicians have committed war crimes by restricting humanitarian aid in Gaza amid the war against Hamas, thus, harming civilians.

Israeli officials denied all charges, and, consequently, US President Donald Trump issued sanctions against the ICC saying that the court had committed “illegitimate and baseless actions targeting America and our close ally Israel”. Trump also called the warrants “baseless arrest warrants”.

Following these sanctions, the ICC has found itself faced with several issues:

• The chief prosecutor, Karim Khan, has lost access to his email; his bank accounts were frozen.
• American employees of the court risk arrest when traveling to the U.S.

Due to the blocking of Khan’s Microsoft email account, the court is facing severe hurdles in its day-to-day work.

Microsoft blocked email account based on U.S. sanction

Microsoft shut down Khan’s email account.

The blocking of Khan’s Microsoft email account took place because of an executive order signed by Trump which the U.S.-based company – Microsoft – fulfilled. This gets even more explosive when one considers that Microsoft - even if it wanted to - had to obey this order because of the legal and political situation.

The Open-Source Business Alliance (OSBA) told Heise that it considers Microsoft’s actions to be “unprecedented in this context and with this impact”, and that this incident proves that Europe needs digital sovereignty by choosing European-based tech services over US-based Big Tech.

“This must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures. … We cannot rely on companies that are not under our jurisdiction.”

Wake-up call for digital sovereignty

This, indeed, must be a wake-up call.

U.S. sanctions – unrelated to Europe and imposed by a foreign power – led to the shutdown of the digital communication of a leading public figure, the Chief Prosecutor of the International Criminal Court.

This is a story of digital sovereignty.

And it marks a clear turning point in Europe’s relationship with foreign technology providers. If key figures in international law can be digitally silenced by a company subject to U.S. law, what does that say about our control – or lack thereof – over the very digital foundations we rely on?

For years, European institutions have relied on a false promise of security and data protection by Silicon Valley tech giants. Cloud providers like Microsoft, Amazon, and Google have repeatedly assured us that they respect European law, have built data centers within EU borders, and have pledged to comply with the GDPR. While at the same time Microsoft’s New Outlook uploads all data, including passwords, into the cloud, Microsoft’s Office 365 has been declared illegal for German schools because of data protection issues, and Denmark has banned Gmail from schools due to privacy concerns based on the GDPR. And these are just a few examples.

Jurisdiction trumps everything

Jurisdiction matters more than we used to think: European authorities should stick to European tech services.

In the light of all this, the ICC incident has just put the final nail in the coffin. It reveals a deeper truth, one that Europeans must start acting upon!

Jurisdiction trumps geography. It doesn’t matter if your servers are in Frankfurt, Rome, or Paris – if your provider is subject to foreign law, so is your data.

And this must be included in every worst case scenarios of every business and every authority. The question is obvious: Is my data secure and protected – not just from external threats like malicious attackers, but also from internal threats stemming from the company hosting your data?

If political decisions made thousands of kilometers away can have immediate and severe consequences on European digital communications and European data, this poses a huge risk. One that you should not be taking. And with the recent Microsoft incident, it’s no longer a theoretical threat. That is exactly what just happened.

Dependency is a threat

Let’s imagine this was not about email, but about the energy sector.

Would Europe ever hand over control of its national power grids to foreign companies bound by non-European law? Would we trust a foreign supplier’s guarantee for 99.999% uptime (which is the standard uptime SLA agreement of cloud providers) while at the same time a foreign power could force them anytime to cut Europe’s power?

Of course not.

Yet this is how we’re managing our digital infrastructure in Europe.

We are blind to the risks, and much too trusting of American tech providers. Cloud platforms, communication tools, and email providers are core services that run our governments, schools, hospitals, and courts. And in most cases, European institutions have chosen American providers - while great email alternatives for businesses exist.

Europe has the services – let’s start using them!

What makes all this even more frustrating is that Europe doesn’t lack innovation; Europe has great tech services that are better than their U.S. equivalents. Particularly when it comes to tech services, Europe has much more on offer than some would expect – especially if you value privacy and security.

Across the continent, privacy-first, security-focused, and truly sovereign digital solutions are being developed. One of the best examples is Tuta, which offers secure, encrypted email and calendar tools, even with quantum-safe encryption. The email provider not only operates under German data protection laws with all servers based in German data centers, but it also uses the most advanced encryption technologies to protect businesses’ data.

So why don’t we see services like this one powering ministries, parliaments, and courts?

Because despite all the speeches about “strategic autonomy,” European tech is still often treated as a backup plan by the authorities – and most of them have not even started putting this plan into action. For decades, European authorities have relied on Microsoft’s products. Stemming from Microsoft’s integration into Windows, the most widely used OS since its launch in the 1980s, most businesses and authorities still use Microsoft Outlook for email, Microsoft Word, Excel, etc. While switching from Microsoft to European-based alternatives can’t be done in a day, authorities must start planning the switch.

Now it’s time to break free from the dependency on American tech!

Turn ON Privacy in one click.

Get

The sovereign cloud

There’s a saying in tech that goes as follows: There is no cloud, just other people’s computers.

When taking this concept into action, one has to ask themselves: On whose computer would I like to store my data? With an American tech provider – to which the US (government, NSA, CIA, FBI, etc.) can potentially have full access? Even if the data stays in Europe, the control – the ability to operate, deny, or transfer access – remains elsewhere. As long as American tech providers hold the key, Europe does not own its data.

We need true sovereignty – by choosing European services that are built and operated under European law and that store the data solely in Europe, best end-to-end encrypted.

Looking into a brighter future

The Tuta Team welcoming a brighter future!

If Europe wants to regain control of its digital infrastructure, we need a structural change; and an immense effort from all parties involved. But in the end, the effort will pay off. Not only by gaining sovereignty, but also by supporting and building a European tech industry – one that can easily compete with American and Chinese tech companies.

To achieve this, we don’t even need new laws, all we need is a commitment by the public sector. When Trump says “America first”, Europe must say “Europe first” – and in tech the gain is double: 1. A big share of what the public sector spends on European tech, they get back in the form of company taxes. 2. The public sector could help boost an already vibrating and innovative European tech industry to gain a competitive edge, not just in Europe but also abroad.

Make “European” a requirement for public procurement of tech products: EU institutions, governments and local authorities should make being “European” a requirement for procuring tech products. This way they can make sure that the services they purchase follow European data protection laws and are not under the influence of foreign governments.

Prevent vendor lock-in: Any platform used in the public sector should be interoperable and replaceable. No exceptions. Contracts should be written with exit strategies in mind so that a dependency like the one we are currently seeing with Microsoft never happens again.

Going forward, European and local authorities can make a real difference. All they have to do is get active! The Microsoft email issue of the ICC must not be dismissed and forgotten. It’s a wake-up call for what happens when you build your digital house on someone else’s foundation.

Let’s not wait for the next company to switch off an essential tech service in Europe.

Let’s build systems that adhere to European laws and regulations, protect European citizens and their data, and strengthen European independence.

Let’s stop borrowing digital power – and start generating our own. Together we can make the web a better place!