Cyber Sovereignty and the Future of the Internet and Digital Rights

Introduction

Cyber sovereignty is a rapidly spreading concept in the fields of foreign policy and internet governance. Many countries around the world, whether they have democratic or authoritarian systems, are seeking to apply the concept of cyber sovereignty and expand it for various purposes.

Most countries around the world have begun to implement the principle of cyber sovereignty or some of its policies in one way or another in recent years. This has led to widespread changes in how the internet operates and in the user experience. These changes are on the rise and they impact many individuals’ and institutions’ interests associated with the Internet. They particularly affect individuals’ exercise of their digital rights through their daily interactions with the network.

This paper aims to clarify the meaning of cyber sovereignty and explain the reasons for its emergence and the objectives of its advocates. The paper also seeks to elucidate the effects of implementing cyber sovereignty policies on the future of the Internet and its governance system, including its protocols, the independent institutions with roles in its administration, and the multistakeholder governance model. In its final section, the paper highlights the impact of implementing cyber sovereignty policies on digital rights, specifically the right to access information, the right to freedom of expression, and the right to privacy.

What Is the Concept of Cyber Sovereignty?

The concept of cyber sovereignty largely draws from the traditional political definition of state sovereignty. In this definition, state sovereignty means a state’s independence from other states, not being subject to the authority of another state, and its autonomy in managing its internal affairs without external interference. This is referred to as the external sovereignty of the state.

In addition, state sovereignty means its exclusive authority over any powers within its geographic territory, known as the internal sovereignty of the state. The traditional political concept of states is closely tied to the geographic territory over which a state exercises its sovereignty, where its laws apply to natural and legal persons residing within that territory, and the executive authorities have the power to enforce these laws within its jurisdiction.

With the inherent borderless nature of cyberspace conflicting with the material geographic basis of traditional state sovereignty, the notion of states having any degree of sovereignty in cyberspace was theoretically and practically distant for some time. However, as the importance of the Internet grew and the vital political and economic interests of states became intertwined with it, states began to assert their sovereignty in cyberspace, and the concept of cyber sovereignty emerged with significant variations in its definition.

In general, cyber sovereignty can be understood as a state’s assertion of its authority over the material elements of the communication and information infrastructure located within its borders and the activities conducted using these elements on its territory, including the data generated through these activities.

What Are the Reasons for the Emergence of the Concept of Cyber Sovereignty?

In the early years of the Internet, its vast potential for growth, expansion, and impact on the daily lives of individuals, as well as on the internal and external policies of nations, was not clear to the majority of policymakers worldwide.

Consequently, the governance and management of the Internet did not occupy a significant place in the concerns of authorities in most countries at that time. As the internet evolved in the 1990s and began to spread globally, thanks to the emergence of the World Wide Web, its importance became more evident. Nations started to take an interest in it and began to seek greater control over its administration. This was the primary driver behind international efforts such as the World Summit on the Information Society, convened by the United Nations in Geneva in 2003, with its second phase held in Tunisia in 2005.

When countries around the world started to pay attention to the cyber domain and the Internet, they faced two fundamental challenges to the traditional concept of sovereignty. The first challenge is known as cyber exceptionalism, and the second is multistakeholder governance.

It can be said that these two challenges served as the theoretical motivation for developing the concept of cyber sovereignty in response to them. They are also behind many of the theoretical arguments used to support the concept of cyber sovereignty.

Cyber exceptionalism means that digital cyberspace is distinct in how it operates compared to the non-digital real world. This necessitates dealing with cyberspace differently from how physical spaces are treated, including the geographic boundaries that determine the sovereignty of states.

It is interesting to note that the initial usage of the term “cyber sovereignty” was to express the idea that cyberspace has its independence, justifying its sovereignty independently of states and other political entities. This early usage contrasts with the prevailing concept of the term, which is now used to refer to the right of states to extend their sovereignty into cyberspace.

On the other hand, the multistakeholder principle emerged naturally with the development of the Internet. Those who needed to develop the Internet itself oversaw the development and management of internet protocols and its virtual resources.

Later, as the Internet evolved, companies started adding more protocols and applications and organizing the management of these. This gave rise to the multistakeholder principle, meaning that the management of the Internet is a task for those directly affected by its operation and those actively involved in running its various components. In this context, most internet governance processes are based on principles of openness, inclusiveness, bottom-up decision-making, and consensus.

The arguments for cyber sovereignty in the face of both cyber exceptionalism and the multistakeholder principle revolve around several key elements. One of the most prominent of these elements is that while the virtual nature of cyberspace transcends national borders, the physical components of the infrastructure necessary to operate the internet exist in the physical world within the geographic boundaries of states.

Thus, theoretically, at least, they are subject to traditional sovereignty rules. Internet users, as citizens holding the nationality of states and residing in them or elsewhere, are also theoretically subject to these states’ laws. On the other hand, criticisms have been directed at the practical implementation of the multistakeholder system because it provides a disproportionate amount of influence to major technology companies over other stakeholders.

In addition to theoretical arguments, the development of information technology infrastructure and its various applications has made it easier to monitor, control, and direct the flow of data and information. This trend towards developing technology to achieve greater control over data routing was primarily driven by technology companies looking to profit from controlling access to information and services on the network.

These companies sought to make the network structure less anonymous and less horizontal, allowing for multiple points of intervention and control over its operation. These technologies practically supported states’ efforts to exert greater control over the Internet within their borders.

Edward Snowden’s revelations in 2013 marked a significant turning point in the development of the discourse on cyber sovereignty and the implementation of its policies. These revelations exposed how Western nations, particularly the United States, exploited their dominance over physical and virtual communication network resources to further their security and political interests by spying on their citizens and the citizens of other countries.

As a result of this disclosure, several countries used the argument of protecting the personal data of their citizens and the national and economic security secrets as a justification for the need to impose their sovereignty over this data and the infrastructure that allows control over access to it. This also coincided with the escalation and growth of cyber security threats, with individuals, groups, and intelligence agencies engaging in electronic operations and attacks that had significant impacts on the economies, security, and strategic interests of some countries.

While the aforementioned factors have been discussed by nearly all countries around the world, countries with authoritarian and oppressive regimes have shown greater concern for how the rise of networked communications impacts freedom of information, freedom of expression, and anonymity. This concern arises from these regimes’ awareness of the threat posed by these rights and freedoms to their stability.

The so-called “Color Revolutions” in Eastern Europe, protests in Iran, and the Arab Spring revolutions practically exemplified the challenges faced by autocratic regimes, particularly in China and Russia. These events prompted these countries to use the arguments of cyber sovereignty to exert more control over the content circulating on the internet.

This control took the form of content censorship that they deemed harmful to their political, social, and cultural systems, imposing restrictions on their citizens’ freedom of expression, and retaining the capability to breach the communication privacy of their citizens to identify and track dissenters.

What Are the Objectives of Cyber Sovereignty?

The primary aim of cyber sovereignty claims is to restore the coherence of the international system based on the principle of the sovereignty of independent nation-states. This is achieved by reaffirming the sovereignty of the nation-state and its exclusive authority to manage the affairs of its citizens and its national economy.

In pursuit of this principle, countries are seeking, to varying degrees and by different means, either to have a greater role in the management and governance of the Internet or to replace the current Internet governance system, which is based on the multistakeholder principle, with an intergovernmental system. Countries aim to achieve this by creating an international organization under the United Nations or by adding internet governance responsibilities to the International Telecommunication Union (ITU).

One of the main objectives of cyber sovereignty is to provide states with the capabilities to protect their national security, their institutions, facilities, and their citizens against the threats of cyberattacks. States are also seeking the means to counter traditional risks that can be exploited using information networks, such as the use of information and communication networks by terrorist groups and other criminal organizations to coordinate their efforts and carry out their operations.

Furthermore, an announced objective of cyber sovereignty is the protection of information security for the citizens of the state and its public and private institutions. In line with this goal, policies such as data localization are designed to require that data produced using the state’s information infrastructure is retained within the state’s borders and cannot be transferred abroad without conditions specified by law.

On the other hand, many countries do not hide the fact that one of their objectives in implementing cyber sovereignty policies is to exert control over the flow of information into and out of their borders. This allows a state to have exclusive control over what its citizens can access under the pretext of affecting its national security or protecting its cultural, social, and religious values. As a result, many cyber sovereignty policies and measures extend to censorship of internet content and the expansion of surveillance capabilities over the activities of citizens on the Internet.

Effects of Cyber Sovereignty on Internet Governance

Modification of Internet Protocols

Internet protocols evolved very early in their history, and their designers did not consider any requirements related to centralized control of information flow and exchange. Consequently, these protocols are by nature open and do not provide easy ways to direct or block data based on its content or even to know the content’s origin. Such objectives can only be achieved through additional means that vary in complexity and implementation but ultimately affect the efficiency of the network.

Therefore, Internet protocols are the target of various efforts to design an alternative that allows for clear jurisdictional boundaries reflecting a nation’s political borders and the ability to examine data content without affecting its transmission efficiency. Such alternatives have already been proposed by experts from countries like China and Russia in technical institution meetings such as the Internet Engineering Task Force (IETF).

On the other hand, Internet protocols may be the most resistant to modification in the near future. The close connection between these protocols and the underlying telecommunications infrastructure that supports the Internet, including the settings of all devices and equipment required for Internet connectivity, makes the task of modifying these protocols and the resulting changes in all relevant physical and virtual details financially costly and time-consuming.

Preserving the unity of Internet protocols is supported by the fact that the current structure of the Internet and its importance for the economic development goals of all countries depend on the unity of the network, which can only be achieved through the unity of its protocols. However, there are efforts to circumvent these constraints. In practice, several countries have built a layer of software above the protocol layer that performs roles in censorship, collective monitoring, and user privacy intrusion. Thus, the fragmentation of the Internet into separate networks with varying degrees of separation is a process that has already begun and is progressing continuously.

The Role of Independent Institutions and Bodies

The role of independent institutions and bodies in internet governance may diminish over time, particularly with countries’ inclination to assert sovereignty over the infrastructure of information and communication technology. Several countries have long sought to replace institutions such as the Internet Corporation for Assigned Names and Numbers (ICANN) with international intergovernmental organizations, placing the oversight of these operations under state control.

While the World Summit on the Information Society process resulted in the retention of ICANN and ruled out its replacement, this situation is not necessarily stable indefinitely. This is because of the ongoing adjustments of power and influence dynamics among different countries in cyberspace and the information and communication technology sphere. With the growing influence of countries like China, further changes can be expected, reflecting their political orientations and visions for the future of the Internet, including the role of independent institutions and bodies vis-à-vis local government institutions and international intergovernmental organizations.

The Fate of the Multistakeholder System

The fate of the multistakeholder system is closely related to the ability of technology companies, especially major ones, to maintain their influence in the face of national governments. The current landscape illustrates an evident struggle to assert national sovereignty over the digital space, in contrast to the efforts of major companies to establish self-regulation within this space.

This struggle is evident in the passing of relevant laws by the European Union concerning data protection, social media platforms, search engines, and more recently, the regulation of artificial intelligence technology. It’s also apparent in the legislative efforts within the United States to develop similar laws, and in the Chinese government’s campaigns to restrain major Chinese technology companies and keep them under control.

The direction this power struggle between governments and companies will take is still uncertain. Companies can still successfully exert pressure to limit the impact of the laws enacted in Europe and the United States on their business operations, for example, while they may lack the ability to exert such pressure in countries like China and Russia.

However, the growth of governmental influence in the West is possible, as is the growth of local technology companies’ influence in China and Russia, given the conditions of global competition in the former and the needs related to the conflict with Ukraine in the latter. As a result, the balance of power remains subject to change.

The fate of the multistakeholder system is not certain, but it is unlikely that this system will solely govern and manage the Internet in the future. Instead, it’s more likely that this system will represent a parallel governance structure, managing specific sectors of the network, while states assert control over other sectors.

Effects of Cyber Sovereignty on Digital Rights

The Right to Access Information

The right to access information is the right most closely connected to the way the Internet operates. It is the most influenced by network management policies, whether implemented by states, companies, or independent organizations.

It is also highly susceptible to the impacts of cyber sovereignty policies, especially since these policies often aim to allow states to control what information their citizens can access and to regulate the availability and blocking of this information based on the state’s perception of how it might harm its national security, economic interests, or conflict with prevailing cultural, social, or religious values.

One of the prominent policies of cyber sovereignty is data localization, which means that a state requires the various service providers on the Internet to store data generated from activities within its territory on storage facilities (data centers) also located within its territory. It also requires that such data not be processed outside the country itself.

While the stated purpose of this policy is to protect the private data of a state’s citizens from unauthorized access, its implementation mechanisms present numerous obstacles to the free movement of data across national borders. This makes access to information more challenging for network users.

The costs of data localization can lead various service providers to refrain from offering their services in certain countries based on economic feasibility calculations. This, in turn, deprives users in these countries of access to these services and the information they used to access through them.

Cyber sovereignty policies can also affect the right to access information by enacting laws that regulate the operation of social media platforms and the content published on them. Through these laws, states seek to compel service providers of these platforms to exercise regulatory control over the content available to their citizens. They may block what these countries and their governing systems perceive as harmful to their security or interests.

This policy can lead to one of two outcomes. Platform service providers may comply with these laws and exercise this regulatory role, thereby depriving users in these countries of free access to information. Alternatively, service providers may decide that the return on offering their services in these countries does not cover the costs of implementing a regulatory role in compliance with their laws. Consequently, they may refrain from offering their services in these countries altogether, which deprives users there of the service and the information available through it.

Another aspect of cyber sovereignty policies is the local development of digital infrastructure, which can also impact the right to access information. This depends on the ability to provide digital infrastructure equipment that is efficient and compatible with standard information exchange protocols. When states focus on controlling digital infrastructure within their territories at the expense of the efficiency of their services, they can deprive their citizens of access to information available through the network due to technological barriers, especially if the financial capabilities of the state do not allow it to develop its technologies to keep up with the continuous development of global digital technologies.

The Right to Freedom of Expression

Freedom of expression is significantly affected by cyber sovereignty policies. With states imposing their authority over the digital domain, they increase their potential to engage in collective surveillance of their citizens’ online activities. This makes citizens permanently susceptible to prosecution, both within and outside the legal framework, based on their political or social opinions and positions. It also leads users to exercise self-censorship in what they share online to avoid persecution and its consequences.

On the other hand, cyber sovereignty policies, especially in authoritarian countries, can lead to measures for controlling online content and regulating what can and cannot be published on the Internet. States can justify such measures by protecting their national interests and controlling the digital realm, resulting in restrictions on the available online content. These measures can be used specifically to silence opponents of the ruling systems and to censor information exposing political and financial corruption practices and human rights violations.

Cyber sovereignty policies also affect the exercise of the right to freedom of expression by regulating the operation of social media platforms. These platforms have long been a window for expressing various social and political opinions and opposition more freely.

As countries seek to legislate laws regulating these platforms, they impose content control on them under various pretexts, such as protecting national security, cultural and moral values, and more. This leaves service providers of these platforms with two options: either comply with these laws to maintain their operations in the concerned country, or sacrifice these operations. In both cases, users of these platforms in the concerned country are negatively affected.

In the first case, they face content censorship that hinders their ability to freely express their opinions and positions, and in the second case, they are completely deprived of a window for expression and access to information.

The Right to Privacy

Cyber sovereignty policies can significantly impact the exercise of Internet users’ right to privacy. In the context of the following discussion, this paper uses a definition of online privacy as people’s control over their data, and their right to determine who can access it, whether for viewing, copying, transferring, processing, or sharing it in any way and for any purpose. The right to privacy also includes people’s right to give prior consent to any entity collecting their personal data, knowing the purpose of the collection and how it will be handled, including storage, copying, transfer, processing, and sharing with any third party.

Cyber sovereignty policies allow countries more freedom to engage in collective surveillance of their citizens’ online activities, including easier access to their personal data. Among these policies is data localization. This subjects data to the laws of the state, which can conflict with the requirements for protecting the right to privacy, in addition to being subject to pressure from law enforcement agencies outside the legal framework.

Data localization also violates the right of users to choose or give prior consent to the location and manner of storing their personal data, which is one of the main elements of the right to privacy. Additionally, data storage services operating on the state’s territory can be subjected to its laws, which may impose practices that threaten data privacy. One example is the retention of data for longer periods than required for the purpose of collection, which makes this data more vulnerable to unauthorized access, whether by state-affiliated agencies or other parties.

Data localization policies can also concentrate data within a specific geographic scope, making them more vulnerable to unauthorized access. The enforcement of this policy in developing or economically disadvantaged countries can lead to data being stored by less efficient facilities that lack appropriate security measures.

Within the framework of cyber sovereignty policies, countries can enact laws regulating the operations of social media platforms. This might force operators of these platforms to comply with the requirements of these laws or face penalties ranging from fines to the suspension of their services in the concerned country. Such legal requirements can infringe upon the privacy rights of users of these platforms who are citizens of the relevant country, such as requiring cooperation with security agencies that may request access to users’ personal data, including their contact information with other individuals, whether they are citizens of the same country or not.

Conclusion

This paper provided a brief overview of the concept of cyber sovereignty, the policies used to implement it, and their impact on the future of the Internet and the digital rights of its users. The purpose of presenting this overview is to point out the fact that the concept of cyber sovereignty is not a future-oriented or aspirational idea; it is, in fact, being actively implemented in the real world. Unlike some abstract or distant concepts, we are already living in a world where cyber sovereignty policies are shaping the Internet and its use.

The boundaries of what cyber sovereignty policies can achieve in the future are currently subject to the power dynamics between governments and major technology companies. However, the possibility that internet users themselves may have a role in shaping their future through international civil society initiatives should not be ruled out. While it may be remote, it is not beyond consideration that the future may bring changes that allow for greater space for individual voices in this evolving landscape.