A
Hello everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq, how are you?
B
G'day, Tom. Fine, and yourself?
A
I'm well. This week's discussion is brought to you by Sandfly Security. I spoke to Sandfly CEO and founder Craig Rowland this week and we talked about how Linux is the dark matter of security. It's everywhere, but no one really knows how much it's compromised and what adversaries get up to. So this week, or maybe last week, Microsoft launched a new security program specifically tailored at Europe. And it turns out that there's kind of a backstory here that I wasn't really aware of. So people in Europe are concerned about digital sovereignty, it turns out.
B
Did you say Europe or China or. Because.
A
Chinese have been concerned for a long time and it turns out that Europeans are now getting concerned. And so there's several different pieces of news that are sort of behind this discussion. So one of them is that the Trump administration sanctioned the lead prosecutor for the International Criminal Court. So the prosecutor had announced some sort of action against Israel. The Trump administration sanctioned him. As a result, Microsoft removed his access to Outlook.
B
So he's lost access to his OnlyFans account which was linked to his Outlook.
A
Well, ironically the prosecutor is under a sexual harassment cloud. So there have been allegations made against him.
B
But he kept his, he kept his Outlook account.
A
Well, now he's using ProtonMail. But, but the, the broader point is that from the European point of view, we can't have an organization that we endorse the ICC like its IT infrastructure.
B
Operated by a third party that is not part of the EU because it might act against the EU's interests at some point.
A
Yeah, the US has never signed onto the Criminal court. So news this week, the European Commission is in talks to replace Azure.
B
So how is Microsoft taking that? Because I'm sure.
A
Well, I think Microsoft has acted like tremendously quickly actually. So I'm looking at a post from Brad Smith, who's Microsoft's vice chair and president and he's the person who over the years has typically dealt with, I guess I would call them digital sovereignty, human rights, anti-hacking type campaigns. So he's the, I don't want to say conscience of Microsoft, but he's their public face for advancing those kind of issues. Now in the past I've thought that some of the things he's said have been quite naive. So this post that I'm looking at is from late April.
B
Right.
A
And it talks about new Commitments to Europe. It mentions building local European data centers and the cloud ecosystem. It talks about keeping data in Europe. It talks about making commitments to not hand over that data.
B
None of these are the problem, though. Yeah, keep going. It's just going to say, like, all of the things that he lists, that's nice, but none of them are, we will not turn off the accounts of people that upset Trump, essentially. Right. It's a lot of like, we will defend your cybersecurity. It's like, yeah, that's great, but will you defend me keeping my account?
A
Yeah. So one of the solutions they're offering is basically the ability to run Microsoft Stack in your own data center without Microsoft's input.
B
Oh, yeah, that sounds like a much cheaper option to license and run absolutely everything in house.
A
So I'm not convinced how practical that is, but I think it's really interesting to see Microsoft so early and aggressively try and address this problem. So, like just reading the titles, build a broad AI and cloud ecosystem across Europe. Uphold Europe's digital resilience even when there is geopolitical volatility.
B
Okay, that doesn't mean anything.
A
We will continue to protect the privacy of European data. We will always help and protect and defend Europe's cyber security. We will help strengthen Europe's economic competitiveness, including open source. Now, I think that doing this early, relatively early, compared to say, Google or AWS, is actually a really good move.
B
Yep.
A
I don't know how effective it is because I kind of agree with you. The problem is not what Microsoft is doing. The problem is the environment Microsoft sits in.
B
Right. It's, you know, like hypothetically, if there was a telecoms equipment provider, Right. Who was in a politically problematic country, but like they made good equipment and good kit, you know, would you want to deploy that on your national backbone or would you say, you know, it's a problem where these people are based and we can't. Yeah, we just can't use Huawei.
A
Yeah, that's exactly what strikes me as. Well, this is exactly the same as the situation Huawei found itself in, I don't know, maybe a decade ago now, where fundamentally people don't trust them because of the political system. Now, the difference between the US and China is that there is in the US a strong history of independent courts and you could bet that Microsoft would take cases to the court and represent their customers' interests, but it's the exact same dynamic. How much do you believe in the strength of the rule of law in the U.S. on an ongoing basis, would you place your entire government in the hands of that for perhaps decades to come.
B
Right. Or would you go in house and develop national resilience?
A
Yeah, I think you'd have to be thinking of a plan B at this point.
B
Yeah, it would be irresponsible not to. I think I like that. The very first thing that they say is that they're going to help Europe with AI and it's like they're going to make sure that you get Copilot no matter what. That's the problem. It's like somehow Europe is complaining that they might lose access to Copilot.
A
Well, I mean, Microsoft does have that partnership with OpenAI. I'm not sure where that's at anymore. So it could be a range of different models, to be fair. There's also another post, also by Brad Smith in early June, just five days later, about a new European security program. So this doesn't specifically talk about digital sovereignty per se. It's focused on security. But I think it's got the same.
B
Same themes.
A
Yeah, same themes. It's pushing along the same line. You can rely on us for security.
B
It's like digital sovereignty. It's a thing that Russia, China and now the EU are worried about, but there's very different aspects of it. Russia and China are very concerned about their information ecosystem, the information environments. And so their idea of digital sovereignty is a lot more about controlling the information that people have access to. And I think that Europe is less concerned about that and more concerned about whether they have control over their own infrastructure or if a potentially hostile third party does. And so they're both digital sovereignty, but they're sort of different ends of the spectrum, I guess.
A
So, going back to the first post, it's actually quite frank, I think, which I think is good. So, for example, it says business continuity partnerships. After a long section where it says we respect European law, it also says, finally, we will designate and rely upon European partners with contingency arrangements for operational continuity in the unlikely event Microsoft were ever required by a court to suspend services. And so it's saying, we recognize that you're concerned about this. We've got a plan for that, so you don't have to worry about it. And I think from a messaging point of view, it's better to say, yeah, look, we understand why you're concerned and we want to work through this with you together. So I actually think, like, I kind of admire that. I think it would be very easy for PR people to say, oh, no, no, no, we can't mention the bad Thing that everyone is thinking about?
B
Yeah, I think they can get away with it because this is not going to be covered by Fox News, basically. Do you think Google will do the same? That they'll come out with the same statement and sort of make the same sort of guarantees? If the four judges that are involved in this thing, are they going to lose their Gmail accounts, their Google accounts, and sort of like all of their data for that?
A
Yeah. So when it comes to the International Criminal Court, there were sanctions. They suspended Mr. Khan's email, so he was the chief prosecutor. And then there were further sanctions where another four people in the criminal court were sanctioned. And so I'm looking at this New York Times article, and it says that when Khan was sanctioned, they talked to the criminal court and then they switched off his email. The company said it had since enacted policy changes that had been in the works before the episode to protect customers in similar geopolitical situations in the future. When the Trump administration sanctioned four additional ICC judges this month, their email accounts were not suspended. And that is dated June 20th. So I guess it must have known that these things were coming published in late April about, you know, here are concerns that we're addressing, and they move.
B
To address them fairly quickly. And I think that's smart because it looks like they would be losing a lot of business otherwise.
A
I think they might lose a lot of business anyway, but I think you've got to do what you can. And to me, it sounds like the sanctions are the incident that precipitates action. Like, all of a sudden you realize, oh, we've got a problem. We need to figure out a plan of action. And so my theory is, I'm sure.
B
That this is a thing that they've been thinking about for a long time, but there's never been any, like, there's never been any need to prioritize it compared to, like, literally anything else. Like, I can't imagine that this is brand new to them. Like, they must have considered it. But it's just until it literally happened to a major customer in a major market.
A
I guess the ICC is a politically symbolically important customer, maybe not a major customer. In a way, it sort of wraps up the concerns about the rule of law, I suppose, just because of the nature of the sanctioned entity. I think maybe Google and Amazon have not yet had to face that because they haven't had a specific incident that's triggered a process in quite the same way. Yeah, yeah. So maybe if the ICC had used Google Workspace, for example.
B
Right.
A
Which is Kind of hard to imagine. I mean, lawyers run on Word documents.
B
No, it's exactly. I was going to say, like, it seems like this is a thing that Apple would have to be concerned about as well because an iCloud account is sort of like your hardware is linked to it. Like you're just like with a Google account, it's linked to. You know, if you've got an Android phone without a Google account, it's quite difficult to use. Whereas if you have an iPhone without an Apple account, it's impossible to use.
A
Right. I mean, I suppose if I was Apple, I would say that I don't know who the qz32@icloud.com is.
B
Well, that's a way that encryption protects them, I think.
A
Whereas for an organization like the ICC, you can say, oh yes, we know the ICC and yes, we know that Mr. Khan has an account with a Microsoft account which gets email. Like you can't say, oh, whose account.
B
Is this new phone? Who dis.
A
Yeah, exactly. Whereas I think for a lot of Apple services, it's not necessarily tied to an organization in the same way.
B
Right, but I mean, they sanctioned him specifically. Right. So surely if he has an iPhone, that would include it.
A
Well, I mean, I think it would. But how much responsibility, like how much do you think Apple should know who a phone belongs to? Like how many Mr. Khans are there that have iPhones? There must be thousands.
B
Yeah, certainly, yeah. I just say like very briefly, because he has to have a credit card that's registered with them in order to pay for his stuff. They could figure out who he is if they want to.
A
Right, right, right. I think it's interesting that Microsoft found some policy solution to avoid having to do the same thing to more.
B
If only Huawei had thought of that, then we want to assure you that we have policies in place that will protect you in case of this worst case scenario that you guys have made of the Chinese government forcing us to do something against your interests. We have internal policies in place.
A
So I think in a very real sense Microsoft's in a better situation because it can demonstrate that you've still got service. Whereas the case against Huawei was always the hypothetical they could degrade.
B
Yeah, they could do something invisible as well. Right. Like they could monitor that and you.
A
Wouldn't know about it.
B
And you can't really verify that they're not monitoring. The same way that you can verify that you still have an email account.
A
Right, yeah, exactly. And in Australia the debate was in a crisis. They could do something that would be essentially maybe not irrecoverable, but would be maybe decisive or very significant. So it was a sort of hypothetical threat for some point in the future. And you can never assuage concerns about a hypothetical threat that's very serious sometime in the future. It's impossible. Whereas this is Microsoft can allay concerns about a current threat right now by keeping those four email accounts active.
B
It's not quite the same thing. Right. Like if you do lose your email, that's bad. But if an entire country loses its telecommunications backbone, that's a bit worse.
A
Yeah. So that was the Huawei was a tail risk argument, like very significant consequences, like a small chance but. But a chance, a threat that you could never eliminate.
B
Yeah. And it's sort of. You can't risk it because no matter how small the chance is, the consequences are just too catastrophic. It's not possible to live with that sword of Damocles over your head.
A
Yeah, exactly. And it was a coercive state threat. Now I guess talking about it in these terms makes me think that what Microsoft has to do is remove that sword of Damocles, make sure that it doesn't exist. And I guess it's got different layers to that. And at the most extreme is you can run all our stuff on your own hardware. If you're in that situation where you must remove that threat. There you go. Here's our answer. And I suppose their pitch is that you're used to Microsoft stuff. It interoperates with everything. You can have all the benefits and no sword.
B
Right. They've got layers of stuff as well. Right. They can say like look, we've got European subsidiaries. We're going to have a data center owned by a European subsidiary that is legally responsible for all of European email accounts, you know, Microsoft accounts registered within that jurisdiction. Therefore, regardless of what happens to Microsoft us, that will not impact the European part. They can find ways of making that work, I think which is.
A
Yeah. So one of those companies in a previous job, I was talking to them and they said that the like self interest delete. They said the way to do it would be to place legal obligations on local staff. So you've basically got essentially hostages who if you ever thought the company was doing the wrong thing by you, you had a recourse that would be very powerful for local staff. So I guess Microsoft must have tens of thousands of employees in Europe.
B
Yeah, I'm struggling to see how that's like. I don't think they want their executives to be arrested.
A
No, no. But I Think that's the point. Right, right. We don't want to be arrested. And our presence there is in a way a guarantee or a sign of.
B
Good faith or they're hostages is what you're saying.
A
Yeah, yeah, I think that's right. And like at the time this was in the context of a discussion about classified material and it was several years ago. So it's a very different political context, but it was. When you're really concerned about that stuff, you can raise the stakes locally with laws about responsibility and who's responsible, I guess. And so I think that still applies.
B
Countries have a great track record of holding executives accountable for bad things that their companies do. I mean, that's.
A
Well, ironically, maybe not ironically. This also plays out in terms of Huawei in that the dual daughter of the CEO was held in Canada for a long time. I don't know. That didn't really help anyone. I think there were any winners in that situation. Yeah, it seems like Microsoft has been forced to act, but it's also gone quite aggressively to try and allay these concerns.
B
Right.
A
So at this point, to me it seems like digital sovereignty is never going to go away. It was a thing that the big tech companies fought against for a long time because I guess it was just expensive.
B
Yeah, well, that's sort of against their interests. They don't want. Yeah, it makes sense. They would rather have everything in one place and it would just be easier for them and they don't want to be forced into a billion different local laws because that's just gonna be expensive and confusing and they won't be as competitive against locals and so on and so forth. And it makes sense. But it's still like it's not necessarily what's in their best interest is not necessarily in a state's best interest. Right.
A
I think that's fair enough. I think this is a recognition of that. Like I think in the past they would have tried to marshal all these arguments about why digital sovereignty doesn't make sense.
B
Right.
A
It doesn't necessarily result in better security. Now they're at the point it's like we recognize that digital sovereignty is a thing. Here's all the ways that we will bend over backwards to help you, to.
B
Reassure you have access to Copilot.
A
That does feel like one thing where marketing has resulted in that getting pushed up the list. I think that actually there is a legitimate concern there in terms of if you're going to use AI tools, often they're cloud based and one of the concerns is data leakage into the cloud. So that actually seems fair enough, I suppose.
B
Absolutely.
A
But I don't know that it's your top concern. Like, I don't know that I would put it number one. I think Microsoft switching off your accounts because of sanctions is probably a higher up concern. Maybe.
B
Well, I mean, not for me. Yeah. But yeah. No, as a state, I think the things that you're worried about are critical parts of your infrastructure, such as your IT services being controlled by an outside entity that you don't have any leverage over.
A
Yep.
B
Right. Like that's just an implicit. And while you're in a state of agreement with this external entity and where they're located and everything's going fine, you can avoid thinking about it because it's just not an issue at that point. But when it does become an issue, this is the sort of thing that would have been a lot cheaper to solve if Europe had their own tech infrastructure. They had their own IT giants.
A
Midnight. Now.
B
The best way to establish Digital sovereignty is 20 years ago.
A
Yep. Thanks a lot, Grugq.
B
Thanks a lot, Tom.
Risky Bulletin Podcast Summary
Episode Title: Between Two Nerds: Microsoft Embraces Digital Sovereignty
Host/Author: risky.biz
Release Date: June 30, 2025
In this episode of Risky Bulletin, hosts Tom Uren and the Grugq delve into Microsoft's strategic shift towards supporting digital sovereignty in Europe. The discussion explores the implications of geopolitical tensions on cloud services, data privacy, and the broader tech ecosystem. The conversation is rich with insights into how major tech companies like Microsoft are navigating the complex landscape of international regulations and security concerns.
Tom Uren opens the discussion by highlighting Microsoft's recent launch of a security program tailored specifically for Europe. This initiative is a response to growing concerns about digital sovereignty among European nations.
Tom [00:11]: "This week, or maybe last week, Microsoft launched a new security program specifically tailored at Europe."
The Grugq probes further into the nature of these concerns, questioning whether they are purely European or influenced by other global powers like China.
Grugq [00:56]: "Did you say Europe or China or... Because."
Tom clarifies that while China has long been concerned with digital sovereignty, Europe has recently intensified its focus on the matter.
Tom [01:01]: "Chinese have been concerned for a long time and it turns out that Europeans are now getting concerned."
A significant catalyst for Microsoft's new program is an incident involving sanctions imposed by the Trump administration on the lead prosecutor of the International Criminal Court (ICC). This sanction led Microsoft to suspend the prosecutor's access to Outlook, sparking debates about data control and sovereignty.
Grugq [01:37]: "So he's lost access to his OnlyFans account which was linked to his Outlook."
Tom notes the irony that the prosecutor is himself facing sexual harassment allegations. However, the incident underscores the broader issue of relying on non-EU infrastructure.
Tom [01:55]: "Well, now he's using ProtonMail. But, the broader point is that from the European point of view, we can't have an organization that we endorse the ICC like its IT infrastructure."
This event highlights the European apprehension about third-party control over critical digital infrastructure, emphasizing the need for localized solutions.
The Grugq inquires about Microsoft's reaction to the European Commission's discussions about potentially replacing Azure, indicating a competitive edge for Microsoft in addressing these concerns proactively.
Grugq [02:32]: "So how is Microsoft taking that? Because I'm sure."
Tom references a post by Brad Smith, Microsoft's Vice Chair and President, detailing new commitments to Europe. These include building local data centers, ensuring data residency within Europe, and pledging not to hand over European data.
Tom [03:22]: "It talks about new Commitments to Europe. It mentions building local European data centers and the cloud ecosystem. It talks about keeping data in Europe. It talks about making commitments to not hand over that data."
The Grugq remains skeptical, questioning whether these commitments genuinely address the underlying concerns or are mere public relations efforts.
Grugq [03:41]: "None of these are the problem, though. Yeah, keep going. It's just going to say, like, all of the things that he lists, that's nice, but none of them are, we will not turn off the accounts of people that upset Trump, essentially."
Tom mentions one of the solutions Microsoft is offering: the ability to run the Microsoft Stack in local data centers without Microsoft's direct input, though he expresses doubts about its practicality.
Tom [04:04]: "So one of the solutions they're offering is basically the ability to run Microsoft Stack in your own data center without Microsoft's input."
Despite reservations, Tom acknowledges Microsoft's aggressive approach to addressing digital sovereignty, seeing it as a strategic advantage over competitors like Google and AWS.
Tom [04:46]: "I think that doing this early, relatively early, compared to say, Google or AWS, is actually a really good move."
The hosts compare Microsoft's strategy with the challenges faced by other tech giants like Google, Amazon, and Apple in similar geopolitical contexts.
The Grugq raises the question of whether companies like Google and Amazon will adopt similar statements and policies to reassure their European customers.
Grugq [09:23]: "Do you think Google will do the same? That they'll come out with the same statement and sort of make the same sort of guarantees?"
Tom points out that while Microsoft has already enacted policy changes to handle sanctions and geopolitical pressures, other companies may still grapple with these issues due to lack of specific incidents triggering action.
Tom [10:50]: "So I guess it must have known that these things were coming published in late April about, you know, here are concerns that we're addressing, and they move."
The discussion further explores how companies like Apple handle account suspensions and data privacy in sanctioned scenarios, highlighting the complexities involved in balancing user privacy with geopolitical compliance.
Grugq [12:47]: "Well, that's a way that encryption protects them, I think."
Grugq [13:17]: "Right, but I mean, they sanctioned him specifically. Right. So surely if he has an iPhone, that would include it."
The conversation shifts to the broader implications of digital sovereignty, emphasizing its persistent relevance and the necessity for states to develop resilient, localized tech infrastructures.
Tom [19:11]: "So at this point, to me it seems like digital sovereignty is never going to go away."
The Grugq supports this viewpoint, stressing that digital sovereignty aligns with national interests to control critical infrastructure and mitigate risks associated with external dependencies.
Tom [21:08]: "But yeah. It doesn't necessarily result in better security. Now they're at the point it's like we recognize that digital sovereignty is a thing. Here's all the ways that we will bend over backwards to help you..."
Tom reflects on the historical reluctance of big tech companies to support digital sovereignty due to cost and complexity, noting that Microsoft's current stance marks a significant shift in industry behavior.
Grugq [19:25]: "Yeah, well, that's sort of against their interests. They don't want. Yeah, it makes sense. They would rather have everything in one place and it would just be easier for them..."
The hosts agree that while digital sovereignty was previously a contentious issue, it has become an unavoidable aspect of the modern digital landscape, compelling tech giants to adapt their strategies accordingly.
Tom and the Grugq conclude the episode by reiterating the enduring significance of digital sovereignty and the proactive measures companies like Microsoft are taking to align with European concerns. They acknowledge that while digital sovereignty presents challenges for both tech companies and states, it remains a critical component of national security and data privacy strategies.
Tom [22:03]: "Yep. Thanks a lot, Grugq."
Grugq [22:06]: "Thanks a lot, Tom."
This episode of Risky Bulletin provides a comprehensive analysis of Microsoft's engagement with digital sovereignty, offering listeners valuable insights into the intersection of technology, politics, and security in the European context.