EU Scream
Politics podcast from Brussels
EU Scream
Ep.129: Sovereignty and Software
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
A handful of American technology companies provide the backbone for much of the world's digital activity, including in public services. But with the current US administration signaling a shift to autocratic government, dystopic scenarios abound about how this plays out. While warnings about an era of technofascism could be overdone, the hazards from US government proximity to Big Tech are no longer theoretical. In response Europe is doubling down on what it calls technological sovereignty, to reduce dependency on China, but more immediately on the US and its tech oligarchs. The EU's tech sovereignty push means more investment in chips and in data centers, incentives for European tech alternatives — and a renewed focus on open source software. In this episode, a major figure in the world of open source: Dries Buytaert, the founder of the Drupal publishing system that powers websites around the world, including for Airbus and the European Union. Dries lays out why open source is vital for Europe's sovereignty goals. But he also pushes back against calls to "Buy European" when it comes to software. That, he says, misses the mark: what matters more for sovereignty is the ability to switch services relatively easily, in order to limit the damage from Big Tech making capricious or systematically adversarial changes. Making software more resilient is one thing. But an even more important vulnerability for Europe is increasingly in the cloud. For now the European Commission plans to let US giants Amazon, Microsoft, and Google continue to handle some sensitive European data. That is partly the result of fierce US lobbying. But there are practical reasons too. Migrating so much European data would be costly and, as Dries explains, Europe is nowhere near ready to deploy viable industrial-grade open source alternatives for the cloud — nor for AI. Getting there, he says, is likely to take ten years of hard-nosed regulation and home-grown innovation. But a decade is an eternity in tech, and that may give the US the opportunity to strengthen what is already a very strong hand. A prospect that will, for some, make those dystopias seem not so far-fetched after all.
This episode was made in partnership with the European Open Source Academy. You can read Dries's blog here.
A handful of American technology companies, companies close to the U.S. government, provide the backbone for much of the world's digital activity, including in public services. But with the current US administration signaling a shift to autocratic government, dystopic scenarios abound about how this plays out. About how big tech, in exchange for contracts and favorable treatment, is reinforcing creeping authoritarianism, not just in the US, but in Europe and even globally. There is talk of mass surveillance and social control. Even an era of technofascism, powered by data centers that gobble up more and more of our energy and our water. Yes, those warnings could be overdone, but the hazards stemming from big tech's proximity to the Trump administration, they are not theoretical. Last year, the then prosecutor of the International Criminal Court, who had issued an arrest warrant for the Israeli Prime Minister Benjamin Netanyahu, that prosecutor saw his Microsoft email service cut. Anthropic's frontier AI models like Mythos and Fable, which are likely critical for the safety of public infrastructure, they are being withheld by the US. And digital laws, like those passed in the EU to rein in companies run by Trump's backers, like Elon Musk, those laws have been rolled back under coercive pressure from Washington. It's been a rude awakening. But Europe is now doubling down on what it calls technological sovereignty to reduce dependency on China, but more immediately on the US and on its tech oligarchs. The tech sovereignty push means more EU investment in chips and data centers, incentives for European tech alternatives, and a new focus on open source software. Open source software is copiable and adaptable according to its license, and that means users can switch services pretty much when they want. Proprietary software is different. Products from the likes of Google, Microsoft, and Meta cannot be copied. Plus, users often find themselves locked in and unable to switch. The interest in free and open software came of age in the 1980s and 90s, and it developed into a countercultural movement opposed to corporate computing models. But more commercially minded open source advocates have long sought to distance themselves from a perceived dogmatism and even cultishness. Now open source is coupling its agenda with Europe's quest for tech sovereignty, not only to stop big tech locking in users, but also to stop big tech taking advantage of Europe's dependencies. In this episode, a major figure in the world of open source, Dries Burthardt. He developed his Drupal software in Europe, but he now lives and works in Boston. Drupal runs websites for giant corporations like Airbus and Nestle, as well as for a slew of governments and organizations, including the European Union. Dries lays out why open source is vital for Europe's sovereignty goals and why he's supporting a European open source academy backed by the EU. But he also pushes back against calls to buy European when it comes to software. That he says misses the mark. Yes, EU states now do more screening of foreign investments. Even so, says Drees, a European software company still can be acquired overnight, along with its data policies too. And for Drees, what matters more for sovereignty is the ability to switch services relatively easily, to limit the damage from big tech, making capricious or systematically adversarial changes to its products. Now, making software more resilient is one thing. But an even more important vulnerability for Europe is increasingly in the cloud. That is the vast infrastructure that includes US-owned data centers, on which the majority of European data still sits and through which it flows. For now, the European Commission plans to let US giants, Amazon, Microsoft, and Google continue to handle some sensitive European data. That outcome is partly the result of fierce US lobbying. But there are also practical reasons. For example, migrating so much European data would be costly. And, as Dries explains, Europe is nowhere near ready to deploy viable industrial-grade open source alternatives for the cloud. Nor for AI. He says getting there is likely to take 10 years of hard-nosed regulation and homegrown innovation. But a decade is an eternity in tech. And that may give the US the opportunity to strengthen what is already a very strong hand. A prospect that will, for some, make those dystopian scenarios seem not so far-fetched after all. I'm James Cantor. This is episode 129 with Dries Berthart, the founder of the Drupal publishing system, which powers websites around the world using open source software. Dries, tech does have an image problem. It's increasingly seen as very reactionary with a lot of sort of toxic masculine energy and just concern about what some people call technofascism. How worried should we really be?
SPEAKER_01Definitely a bit concerned. I would agree with that. I will say like technofascism, it's kind of a dramatic word. And I don't know if I love that word, but it points to something real, right? I think the challenge is the concentration of powers. We basically have a handful of companies, a handful of billionaires behind these companies, and they control the large language models, they control the compute, the platforms, and increasingly the information space and like misinformation, all these kinds of problems. And I think it's only getting worse, as you said or alluded to, in terms of that AI will concentrate these powers even more. Yeah, it's a real challenge. And actually, I think the government has a bigger role to play in this, and I think actually open source has a bigger role to play into this as well. And it's not easy to articulate what that looks like because there's so much money involved. But I think the combination of open source and government, I think there is a path because ultimately I think open source kind of builds checks and balances into the technology stack. It can also be used to distribute capabilities to make systems more auditable, like why do they do what they do? How do algorithms work?
SPEAKER_05And all of this is pushing against concentration.
SPEAKER_01Yes, it really is. Yeah. I think open source and governments can push against it. And like for years I've been writing about this concept, it's like an American term, but we need like an FDA, a food and drug administration style concept for algorithms. Not everybody loves that idea. Sometimes I don't even know if I love it, but when companies like Google, through search results, can change the direction of elections, and that has a real impact on society, it may warrant the government having some influence and like, hey, you know what, you know, what's the impact of that? But there's so many big algorithms, AI included, that have such an impact on society.
SPEAKER_05And think about the Google example. I mean, Google is now sending people to AI summaries, right? So chatbot summaries. So we used to do a web search and we would get a lot of links that we would at least have the impression that we had a kind of overview of all the different informational sources there. Now we get an AI summary generated by Google, which of course can be useful, but it may mean that people don't go beyond that. So we uh this AI summary, this AI-generated summary becomes uh even more a powerful source of how to change people's uh view of history, how to change their view of current affairs, how to change their view of science.
SPEAKER_01Exactly. So it's a real problem. And I don't know what the best solution is. Like when you're in the US, people in the US often say uh the US innovates and Europe regulates. I'm sure you've heard this. And I'm actually finding myself also in the camp of like, all right, first Europe needs to innovate. Like we also have to regulate, but there is like a balance there.
SPEAKER_05So your work in technology centers on Drupal, D-R-U-P-A-L. This is the name for the open source software you created about 25 years ago, a quarter century ago. Drupal provides the code and infrastructure used to build and run websites as well as mobile apps and websites that appear on mobile. And also is used by some of the world's largest companies, governments, and public institutions, including NASA, the United Nations, the European Union institutions, parts of NATO, and at one point the White House. What is Drupal's secret sauce? Why why has it been adapted so widely over the years?
SPEAKER_01One of the key things about Drupal is that when I created Drupal, I didn't design Drupal to be finished. But Drupal was designed to be changed. Uh and what that meant is that a lot of other people could come to Drupal and make it theirs. They could add features to it, they could make changes to it, and they could mold it uh to whatever they needed. So in New York, the metro system, uh, when you take a metro in New York, you have these screens, these TVs, and they say when the next metro arrives. That's actually all powered by Drupal. So they put like sensors on all their trains, they feed that data into a Drupal site, and then use a Drupal site to feed all these TVs, if you will. They take the software as an incredible starting point, but then add the things that they needed to apply it to that specific use case.
SPEAKER_05The first Trump White House actually dropped Drupal in December 2017. It switched to WordPress, which is another kind of website services software. The White House claimed it would save three million dollars a year. Now we know to take any Trump administration claims with like a big barrel of salt. I'm just wondering, uh they didn't like open source born in Europe?
SPEAKER_01So actually they switched from one open source project, Drupal, to WordPress, which is another open source project. The difference is that WordPress is for simpler websites, less complex websites. And I would say what happened is that during the Obama administration, the administration was very ambitious. So their website was complex. For example, they gave every American citizen a login to Whitehouse.gov and they allowed citizens to petition the government or something called We the People, actually. They called this thing a petition platform. And so I mean, I'll give you an example of what they did. So like American citizens could say, Hey, I don't like that when I buy a cell phone, it actually automatically comes with a with a cell phone plan. It should be unbundled. And so people petitioned, and the administration, the office of the president, they said, Hey, if you have X amount of votes for this petition, we will officially react.
SPEAKER_05It was a direct democracy function within the Obama White House website software.
SPEAKER_01Yeah. And so that that's an example. And so what happened is we got the votes, the office of the president got involved, and they forced the teleco companies to unbundle plans from physical cell phones. And it's a great example that had a real impact. Now, when Trump came into the administration, all of these capabilities went straight out of the window, I guess. Plus, as another example, during the Obama administration, the website was translated in multiple languages, like Spanish language is an important language in the US. All of that got thrown away too. So now the resulting website is a simpler website. And it didn't need all of the horsepower, so to speak, that came with Drupal.
SPEAKER_05This is fascinating about the change in political culture that then can lead to sort of website design and what sort of software is used. And I'd also make this broader observation, and that's the extent to which the Trump administration is actually stripping government web pages of data sets related to things like DEI, gender, equality, and climate research while simultaneously using US government websites to wage its own sort of partisan battles. And this shows just how easily the information environment can be weaponized, including through the kinds of products that we're talking about right now.
SPEAKER_01There's a segment because like the European Commission uses Drupal a lot. Yeah, Europe.eu. Is that that's the same thing?
SPEAKER_05Yeah, Europe.eu, I guess, is the main domain.
SPEAKER_01Yeah. And there some of these are examples of complex use cases like your European Commission website. Obviously, a lot of content gets translated into many languages as an example. So yeah.
SPEAKER_05Now Dries, the name of your software, it comes from Drupal.
SPEAKER_01Yeah.
SPEAKER_05Drupp, yeah. Drupal. The Dutch word for a drop of water, and that came about through a spelling mistake. I know. Your your original project was called Dorp.
SPEAKER_01Dorp.
SPEAKER_05Dorp, which in Flemish means a village. And this village, this DORP, was an online communication system you built for your student dormitory at the University of Antwerp that had a kind of front page where the group could post news about each other, what was going on. And when you left university, you released this to the world. So a bit like Facebook, but really not Facebook, because Mark Zuckerberg never released Facebook's core source code as open source. Facebook is proprietary code. It still is. But you did the opposite. And so was this a deliberate choice for open source? Was it ideological at that point? Was it convenient? Was it naive?
SPEAKER_01It was a little bit of everything, to be honest. Like so before I started working on Drupal, so to speak, or working on this message board, I had been a small contributor to the Linux kernel. And I've kind of fell in love with the model in open source.
SPEAKER_05It was just very And the Linux kernel is a um operating system.
SPEAKER_01Yeah, Linux is an open source operating system. It's sort of one of the original great open source projects. And so I was following what's going on with the Linux kernel. I was contributing a little bit on the edges of it. And I was using Linux as a user. And so when I decided to make Drupal open source, I literally copied the license file from the Linux kernel tree into my website and created a zip file and uploaded it. So I was already bought into open source at the time, but I didn't expect again Drupal to grow to what it is today. And of course, fast forward 25 years, and Drupal is one of the largest open source projects in the world. I guess what I'm trying to say is there wasn't like a master plan when I made it available. It's just kind of me having fun.
SPEAKER_05That's very interesting that you say there wasn't a master plan because there's always been a really wide array of diverse users and developers and supporters of open source, including libertarian investors and entrepreneurs and mainstream political liberals. And now, of course, we have many, many governments that are backing open source. So how closely does your vision align with that of the folk heroes of the so-called free software movement? And here I'm thinking of people like Richard Stallman, who uh is the founder of the Free Software Foundation who worked out of the MIT AI lab in in the 70s and 80s.
SPEAKER_00The crucial point is a non-free program is an injustice. It shouldn't be developed at all. A non-free program is an injustice, first of all, because the developer has power over the users. They make the non-free software with back doors, which are channels to allow the developer to attack the user of that program. So to be to use non-free software is to basically invite the developer to put its foot on your neck.
SPEAKER_01Yeah, I feel like I'm maybe a little bit more pragmatic. I think some of the early free software advocates or open source advocates, there was like a really sort of anti-commercialism associated with that as well, which I don't have. I I've I deeply believe in the four freedoms of open source and why these are good. I believe in pro-privacy, in transparency of data. I believe in all of these things, but I also believe in making money. And I also believe in building a commercial ecosystem. We have uh thousands of digital agencies, you know, companies all around the world. You know, I think it's great that open source can also provide a livelihood for people. So I think I would say some of the sort of diehard open source people, they have that kind of like anti-commercialism, or they may not be too keen on those things, but I find myself being a little bit more on the other side of that spectrum.
SPEAKER_05It's a big tent, open source. And back to Stallman, under the Stallman model, all software derived from or forked, and this is an important term, forked, derived from open source must still be available. That forked code must be made fully available so that further users can inspect it. And that is the case with Drupal.
SPEAKER_01It is. So Drupal actually uses the GPL license, and it's sort of the license that Stallman created. Well, what's unique about that license, and not all open source licenses have this, is that it says that if you create a derivative work, if you take Drupal, you make changes to it, and then if you choose to share those changes, you also have to share them under the GPL license.
SPEAKER_03It's basically saying, here's the code. It's yours to use as you wish, but you need to get on board with this sharing thing as well. Use one tiny little GPL library somewhere and bam, your entire program now has to be open source. All of it.
SPEAKER_01Now, that doesn't mean you have to share the code. Like you can make changes and keep them for yourself. That is totally fine. Right. But the moment you decide to share it, it has to be shared under terms of the GPS.
SPEAKER_05And some companies might want to keep their software in-house, for example.
SPEAKER_01Yeah. So there's other licenses, like the MIT license, and it's more permissive. And basically, it allows you to make changes to the code. But then when you share those changes, you can actually change the license. And that has pros and cons. Maybe in the lens of digital sovereignty, I do think Drupal's license is a better license because like sometimes companies will change the license. They have maybe second thoughts. They say, well, actually, I don't want it to be open source. Or they start adding features to it, and they say, ah, actually, we don't want those new features to be available as open source. And this has happened.
SPEAKER_05Aaron Ross Powell How might using proprietary and hidden code actually be a less safe option than freely available open source code? A lot of people find this highly counterintuitive.
SPEAKER_01Aaron Powell It is counterintuitive. It's actually a little bit scary sometimes for organizations because the first thing that these licenses do, they disclaim any warranty. They say use at your own risk. Now, if you're a company, that's like, well, that's a little bit scary. So the difference between, I think typically the difference between a small open source project and a large, successful open source project is that the large open source projects have taken on additional responsibility that's not strictly required by the license. And so in the case of Drupal, it means we said, hey, actually we want to do better than the license actually specifies. We want to have a security team. We want to do long-term supported releases. And so we built these additional responsibilities on top of the license. So you can look at the license alone, but I think it's also useful to look at the other commitments an open source project makes. Now, there's a saying and actually between quotes a law. It's called Linus's Law. And Linus is the founder of Linux.
SPEAKER_05Linus Torvald.
SPEAKER_01Yeah, Linus Torvald. He's the founder of Linux and he was finished. Linus made a statement once that was along the lines of many eyes makes bugs shallow. And it's an interesting concept because he argues that because the software is open source, everybody can look at the source code and if it's used by hundreds of thousands of organizations, they're all going to look at the source code and they're going to find security bugs versus maybe in a proprietary software company where you have 10 people looking for security problems. And I can make that real. So in the case of Drupal, like all of these big mission critical government websites in Europe, NASDAQ with financial statements, their sensitivities there. So security matters a great deal for them, and the list goes on and on, a lot of these companies do deep security audits of Drupal. So imagine tens of thousands of mission critical websites, all of these organizations doing security scans, pen testing, trying to find bugs in order to protect themselves. But then also when they do find the security problem, many, most of them have the instinct to contribute back just the fix. They'll report that there's a problem, that they found something and they'll work together with our security team to get these things fixed.
SPEAKER_05And so this is why many eyes can actually make bugs shallow but open source developers and maintainers are everywhere in the world. So what if like a Russian state sponsored developer or a Chinese one spent a couple years say building credibility in the Drupal community before inserting like a subtle vulnerability? At what point does accepting contributions from developers in adversarial states become a liability? Is there a need for any vetting?
SPEAKER_01Well we do extreme vetting. So we I would say we do more vetting than any the most proprietary software companies. So I'll I'll give you a quick example like in most software companies an engineer making a change will commit the change. Best case scenario there's maybe one other person in that company that will look at the changes made by that engineer and then he gets committed to the next version of the software. In the Drupal scenario every change often has 20 or so people looking at it. Because we do everything in the open and our governance model the way we work requires sign-offs from multiple people before actually a change makes it into Drupal. So this is the thing that people don't know about open source and about mature open source.
SPEAKER_05Security seems especially relevant in light of all the hype around Mythos, this newish AI model from the US company Anthropic, which says that Mythos outperforms humans at hacking, at tearing apart cybersecurity. And it's also relevant in light of how China and Russia also are very sophisticated open source users.
SPEAKER_01Yeah we have governance we have a dedicated team and more than 20 people like one of our products is um a cloud hosting solution for Drupal. We're one of very few companies that are FedRAM compliant and you may not know what FedRAMP is but it's in the US government it's the highest level of security requirements and it's very very hard to achieve FedRAMP was created to allow reciprocity.
SPEAKER_04Cloud service providers can have their products the cloud service offering evaluated once in that same evaluation leveraged by multiple agencies.
SPEAKER_01Or simply put, FedRAMP enables the model of assess once, report many basically to run websites like Whitehouse.gov like you know basically certain websites in the US governments that they consider mission critical if if they were hacked, if they were to go down it could cause kind of mayhem, I guess. And you can only host those kinds of websites if you're FedRM compliant.
SPEAKER_05I do think that we are going to see this kind of backlash a little bit from proprietary users who will say you know unsafe and you know a bunch of people with funny looking hair. But actually vibe around open source and like it's really misunderstood almost all big tech companies benefit from the open source ecosystem without really giving back. You know at the same time you have this big global mostly volunteer community doing bug fixes and and mission critical updates for open source. This is grueling work but this work again much of it quite a lot of it by volunteers actually ends up subsidizing the code base that the Metas and the Amazons and so on depend on. Meta, for example, uses open source to build its products and then makes those products mostly proprietary. Even its famous llama large language model which it says is open source is actually proprietary at the end of the day. The reality is that these volunteers some of whom might be very idealistic about tech probably end up supporting proprietary software. And that sort of seems iniquitous.
SPEAKER_01Yes and no I think when you get involved with open source, you should take the time to understand what you're signing up for. Like if you understand the license of the project that you're going to get involved in, you can then see like could commercial companies like Emeda use my contributions? And it's not like we're pulling the rug underneath them. Like this is actually what the license allows you to do or not allows you to do. So I think as a contributor you also have a responsibility to decide if you want to yeah support that or not.
SPEAKER_05Either way this maintaining of open source code is very taxing and very tiring work. And we've already seen lapses in in bug fixes and vulnerabilities having a scary impact on our systems when they they do fail or they get hacked. To make matters even more complicated the original maintainer generation these are the original volunteers who are involved in the open source community they're getting older they're aging and there's some impetus to train the next generation that's some of the thinking behind the European open source academy which is part funded by the EU, right? And and you're sort of part of that initiative as well.
SPEAKER_01The reason I've gotten involved with the academy is because I feel like we're at this important time in history for open source I think of it as like this open source moment. And the and the goal is really to help educate I think policymakers because open source I mean they're not necessarily technologists that they don't they didn't necessarily grew up with open source. And so we can help them, you know, because there's a lot of different parties pushing and pulling here and I actually do believe that open source is the only path to real digital sovereignty. And I think open source as a technology has kind of won. Like I think we've shown that through the open source model you can build superior technology or technology that's on par with commercial software. And you see that because every proprietary software company actually, like you said, uses open source under the hood. Like there's been studies and it's like 96% or something of all technology companies are actually using open source. So open source is one in that sense where the challenge is in the sustainability of open source so that you can actually pay maintainers to do the hard work of maintaining the open source software. 15 years ago I kind of made this prediction that open source would evolve from volunteer driven to commercially driven to basically supported by governments. And I made that prediction after I realized that open source is a public good and then looking at how other public goods in the world have evolved. So an example would be the road system uh schools again same thing with the military went from like volunteer driven to you know militia commercial where we pay people to protect villages or now governments are obviously involved. So I've kind of predicted that open source would follow the same path and like you know many of us or many open source projects Linux created by Linus, Drupal created by me, we were born out of volunteer hobbyist efforts. But now in the last few years especially in light of some of the geopolitical tensions governments are starting to wake up and they say whoa actually we use open source everywhere and it's actually pretty important now for critical citizen services and all of these things and so maybe we need to get involved.
SPEAKER_05You've written that the EU's proposed funding for open source including for this kind of maintenance work, the this maintaining of the code is nowhere near enough.
SPEAKER_01Yeah actually they quote this number that the European economy so that's the economy more broadly spends uh $264 billion a year on US proprietary IT and the fund that they're going to create to help support open source in Europe, they're basically committing $2 billion over seven years.
SPEAKER_05So if you compare these two numbers it's basically you know three days of the American software bill it's a good start but it's still a stark contrast let's say and you conclude that the EU is not yet funding open source like sovereignty infrastructure you use that expression sovereignty infrastructure and that's a pointed criticism because a key policy right now for the EU is this idea of technological sovereignty sovereignty mainly from the United States but also China. But there is this EU tech sovereignty package that was presented June 2026 and there was an accompanying open source strategy.
SPEAKER_01What is the significance of this step they also adopted some of the language that we have been using for a while in open source which is public money, public code. And the idea is very simple like if the government uses tax dollars to develop custom software that software should belong to the taxpayers so that means the software should be open source. Like why would we take money from taxpayers people like you and I and then fund proprietary software that we can't use. They are saying that by default research funding should lead to open source which is kind of the same concept. They also said that they would have an open source first principle in procurement now that's great but it's not requiring open source which is not so great still and I think for certain mission critical things open source would be important. So yeah when when this package came out I think it was June 3rd so just recently I immediately started reading it. And actually one thing that put a smile on my face is one of the blog posts that I wrote was actually in one of the footnotes and it was about the sovereignty scale I proposed the scale a little bit like when you buy food in Belgium or in Europe there's like this A B C D E um score on it. I proposed something similar like where you can look at a piece of software and then you get like a rating for how sovereign it is and they actually in a footnote I should say they quoted this as something to maybe explore further. But maybe most importantly was the overall reframe because the old argument for open source was always about saving money. And now when you read the report it was clearly about freedom of action and it's clearly about treating open source as infrastructure that needs to be sustained with investment not like software that magically maintains itself. And so the tech sovereignty package mentions open source 300 times. So open source has really gone from like a footnote to taking the central stage.
SPEAKER_05And the and and the key factor here is this drive for sovereignty that organizations relying on open source or on a vendor of open source they sort of have an insurance policy that if that vendor is acquired by a US company the underlying software can be forked so we go back to that concept of forking forked meaning again essentially the same software can be duplicated and further developed independently right and in this world where we suddenly have more adversarial relations with some of our old trading partners that idea of that insurance policy seems to be one that Europe is now embracing when it comes to software.
SPEAKER_01Yeah exactly like yeah fork means that you can take the code copy it and basically make it your own without having to rely on maybe like the vendor that provided the code. It's like in the most simple term it's kind of like having a spare key to your own house like you invested all of this money in building a house but imagine you only have one key and if you lose the key you can ever get in like it's like that you know it gives you a spare key and obviously you hope that you never have to use a spare key but it's good to have one in case something changes with the vendor you know maybe they misbehave maybe they get acquired maybe politics or pricing and so it's a legal right really to copy the code just keep going with it. There's actually a couple of examples of where this was very useful. So MySQL is one of the most prominent open source databases they were bought by Sun in 2010 and then Sun was bought by Oracle one of the largest technology companies and the community immediately forked MySQL into MariaDB and that meant that many many organizations in the world could just keep using an open source version of that database.
SPEAKER_05And was MySQL originally European or it was original European as well yeah it in this sense open source is a structural check on the power of any single actor including hostile state actors to trap users into having to accept that kind of control over over their software.
SPEAKER_01Yeah it basically gives you leverage as a government and it means that you can be held hostage if you will you know the technology cannot be held hostage. You cannot be held hostage. You can keep doing what you're doing.
SPEAKER_05So forking means you can in principle move to a purely European solution if you if you wish to butries what do you make of the idea of making everything European? Yeah this is what is behind calls for example for a so-called Eurostack, a stack in tech being a way of describing the overall collection of software systems that are used together to get work done. So a Eurostack would be a collection of European alternatives in AI, cloud and cybersecurity and so on and so forth. Do you think that these Europe-only policies like Eurostack would be some kind of path to meaningful sovereignty? And if not why not?
SPEAKER_01Yeah I think it's actually flawed there's this concept of bi European. And I think if you're talking about true digital sovereignty it's a flawed idea. Now don't get me wrong I think it's great to invest in European companies. It's good for the industry and what have you if you actually look at it through the lens of digital sovereignty it's not enough because the headquarters or the jurisdiction of a company does not guarantee digital sovereignty because what can happen in a single board meeting is that a European software company can be bought by an American company and immediately like you lose control as Europe. And this has happened with Skype for example Skype was a hundred percent European software company a great success story eBay bought them an American company bought them and then Microsoft bought eBay later and all of a sudden literally in one board meeting you lose a European company and when a company becomes an American company American law applies. Most recently one of the flagship European content management systems a company called ComTentful was bought by Salesforce and Comptful is used by governments you know Salesforce is an American and is an American company like Comptentful is a German company headquartered in Berlin and once that deal closes they'll be subject to US law and that has all kinds of implications. And that's why buy European is not enough because it's not a durable property of a company. It can literally just change and you don't have that with open source.
SPEAKER_05This goes back to some of the great thinkers uh when it comes to code and software that that code is somehow more powerful and more durable than some of the other standard ways of looking at the way the economy and political economy operates. Lawrence Lessig comes to mind.
SPEAKER_01Exactly and that's why I'm also speaking up because I think I I see policymakers, they put too much emphasis on the location of the headquarter and not enough emphasis on the license. And one of the things that I've been like sort of hammering on my blog and is like well actually you should put a lot more emphasis on the license of software and almost no emphasis on jurisdiction. And that's what this digital sovereignty scale is that I published. So at the very bottom like a D or whatever is American proprietary software. One notch up above it is European proprietary software but it's only a little bit better because of what we just talked about. And then the three layers above it C, B, and A, are different flavors of open source. That's actually the hard part. That's where it starts, I can imagine, for a policymaker to say bi-European is not necessarily I think both can be true. Like we can still invest in European software but for certain things bi-European is not the right thing. That's a tough thing to say.
SPEAKER_05But it starts by being radically candid, yum.
SPEAKER_01I mean I think some people would say well Drees is now based in Boston Yeah so he would say that you know there might be cynics who would say well I'm also talking against my own business like like it's weird for my colleagues in the US that I'm here like saying hey don't buy American you know like I have an American company. I'm like I'm actually coming from you know like my my truth as an individual I'm not um this is not promoting Acquia. You know what I mean? I'm promoting Drupal yeah but I'm I'm all like we have a lot of European customers. So it's interesting that way.
SPEAKER_05And then a lot of your a lot of the people who may not like or or or on social media who may not like or share your posts, I suppose if they're also in software, they maybe have very complex relationships with American providers.
SPEAKER_01And so they're worried about exactly it's complex we're speaking in Flanders in in Belgium where you come from but nowadays you spend a lot of your time in the US That's right I moved to the US in 2010 because I started Acquia it's a company born out of Drupal we provide Drupal products and services and Company was really taking off. And so I decided to move to the US. I've been living in the US for like 16 years.
SPEAKER_05Aaron Powell It's a sizable and important software vendor. And in 2019, Vista Equity Partners, a Texas-based private equity firm, took a majority stake. This was a stake valuing Acquia at a billion dollars?
SPEAKER_01Aaron Ross Powell It was valuing Acquia at a billion dollars, yeah.
SPEAKER_05And what is Vista's, I mean, their their their private equity partners. So what do we know about their strategy? We don't really know yet what's going to happen with Acquia. We're not really thinking about that right now. Aaron Powell You're still thinking about being in the private equity investor space in a way for Acquia rather than having an initial public offering or going onto the market.
SPEAKER_01Aaron Powell Yeah, we're not really thinking about IPO. And we we did think about it sort of eight or nine years into the company. Like, because honestly, most companies when they IPO, at least at the time, you know, you're around 100 million in annual revenue and growing at a certain speed, and we check those boxes. Now we're like at least three times bigger. And so like we're big enough to IPO, but there's pros and cons to being a public company, the quarterly pressures, you know, all of these things. And we really and people IPO, companies IPO because they need access to the capital markets, they because it allows them to raise money from the public. But we don't have a need to raise money from the public. So if you put all of these things together, it just the pros and the cons don't lead to like basically going public.
SPEAKER_05Aaron Powell But going public is not off the cards. I mean, it could happen at some point.
SPEAKER_01Aaron Powell It could happen at some point, but it's not something that we're pursuing right now.
SPEAKER_05Aaron Powell So Dries, you basically want us to accept that software that's open source, the ability to fork the code is the best guarantee of sovereignty.
SPEAKER_01Correct.
SPEAKER_05Okay. But there is something called the US Cloud Act, the Clarifying Lawful Overseas Use of Data Act. This is US legislation. It came into force in 2018 with bipartisan support, actually. The key point is that it allows US authorities to compel US technology providers to hand over data regardless of where in the world that data is physically stored. Long story short, even EU resident data held by US companies can be accessed by a US warrant. And that's also a profound sovereignty and privacy problem for Europeans who are so heavily dependent on US tech infrastructure. Now, here's what I want to get to. In this sense, a hostile US need not attack the underlying or buy the vendor of the underlying open source software at all. It just needs to lean on the cloud providers to withdraw their services, right?
SPEAKER_01That's right. It's like they have a kill switch. They can get your data. If they really wanted to, they could actually turn off access to the software as well. And that's a problem. And this is what happens when a European company changes owners to an American software company. And by the way, all the data centers could stay in Europe. All the employees could stay in Europe. Like nothing could change except ownership, right? And even so, what you just said applies all of a sudden to existing European software companies.
SPEAKER_05And a big concern in this technological sovereignty package, and I and I wonder if you share this concern, is that the European Commission proposals actually left the door open somewhat to US cloud providers like Amazon or Amazon AWS, Google and Microsoft continuing to handle sensitive European data. In other words, the proposed framework still permits these US platforms to win sensitive contracts. Does that kind of undermine your previous argument that the code itself is the safeguard? When in fact the data can still fall under US jurisdiction?
SPEAKER_01I don't know if it undermines it, but I do think there's like layers. And we have to think about each of the layers separately. So like I've been very focused on the software layer, the application layer. But yes, we also need to talk about that cloud layer. And if you want true hundred percent digital sovereignty, you need both to be truly sovereign, right? And so yeah, you have to work every layer of the stack.
SPEAKER_05And the cloud layer, it's it does seem to me that there is a kind of buy European, locate European argument there.
SPEAKER_01As well, for sure. And there should be, because it's good to have your cloud in Europe if you have sensitive data on it. But again, these cloud providers can also be bought, you know, by American or Chinese or whatever software companies or private equity companies. And then what do you do? And I think that's where open source matters a great deal. I made a statement once, which made a lot of people kind of go like, huh? And I said open source software on an American cloud provider is actually more sovereign than proprietary European software on a European data center. Probably takes a little bit of time to think through that. And the reason I said that is because if you have open source software on an American data center, let's say, you're actually in charge of the data in the software. You can move it anytime you want. Anytime you feel like you can make backups, like you're still in control. Like you have to decide do I want to live with that potential of American the American government taking my data? By the way, they can just take it. I think they need a warrant. They need a warrant. So there's a legal, there's some legal steps before they can, you know, take your data.
SPEAKER_05But we know that they do it. I mean, there was a big court case over whether Microsoft in Ireland needed to hand over data that was uh that was held there. That's right. And in fact, that is why the US Cloud Act was passed. It was to resolve that case.
SPEAKER_01Exactly. And actually, Congress stepped in and they said, we're not gonna wait for this lawsuit to play out. We're gonna tell them that yes, we can take their data.
SPEAKER_05Yeah, the Supreme Court didn't even have to rule on it.
SPEAKER_01Right. Yeah. So it's very interesting. Now we also know it's very rare, right? Like there is an example, or maybe there's a couple of examples. And by the way, I also think we need to make a distinction between important or critical software and maybe non-critical software, because we have to ask ourselves, what is a switching cost? And for some software, the switching cost is low. And maybe then it's okay to go with a proprietary European solution, but we can take some risk, if you will. In a week or so, we can switch everything over. But if the switching cost is very high, like you mentioned, maybe the website of the European Commission, like that would take maybe years to switch. Like we need to be way more thoughtful, and then open source actually needs to become a prerequisite. Like it just needs to become a gate. It needs to needs to be open source whenever these kinds of big decisions are made.
SPEAKER_05Aaron Powell, including about cloud providers.
SPEAKER_01Yes.
SPEAKER_05To me, uh open source, it seems like a necessary but insufficient condition for any viable democratic pushback against what some would call technofascism, but others would call just a very high concentration of tech bros and billionaires with some pretty kooky ideas. They already have so much power. The AI giants are already operating as de facto extensions of US power. Uh, they're almost like state actors. The EU is not really trying to prevent itself at the moment from becoming a digital colony. It is a digital colony. And that's not just me saying that. That's the free market liberals in the Renew group in the European Parliament who are saying that. So it in this sense, aren't even the best open source policies uh just a bit defensive at the moment?
SPEAKER_01It's not enough on its own. So I think it's a necessary step, but it's not enough on its own.
SPEAKER_05And it does get us on to what's really needed, which might be robust antitrust enforcement, uh, tougher trade laws, real public procurement mandates. So there's not this wiggle room to still uh not have non-open source winning sensitive contracts. An international digital rights framework. I think that's that's one that a lot of people talk about. But then there's this other one, which is break up big tech. This is what we hear a lot about. Break up big tech. That may become a much more mainstream idea.
SPEAKER_01What's your betting on that? So it may help to do all of these things that you just said and break up big tech and regulate more, but it does feel a little bit defeatist. It like I feel there's a real race going on, and only the US and China are truly playing. You know, talking about AI, like all of the AI players are basically American companies or Chinese companies, and yes, we have mistroll in Europe, but like my understanding of mistroll is like at Boeing back in the, I don't know when it was, when the French government said, hey, we can't just rely on American plates for everything, so we're gonna they created Airbus, by the way, a Drupal user. Airbus was like heavily funded by French government and it was a success, right? Now there's another credible player for aircrafts, and Mistral is kind of the same idea, heavily funded by French government to create a counterweight to OpenAI and Anthropic and some of the Chinese platforms. But the irony is they immediately had to go to NVIDIA for chips and they had to go to Microsoft for Azure. And so this idea of let's fund a European alternative in the AI space is still today, in fairness, heavily dependent on US software companies. And I think that's going to be.
SPEAKER_05Oh, of course.
SPEAKER_01And yes, and that sh shows you the problem that Europe has, I think.
SPEAKER_05I think this quant search engine, for example, that the European Parliament has adopted so that it makes headlines quite recently that the European Parliament is now going to uh have people use quant, which is a European product rather than Google search. But then when you look at quant, I think it was actually being powered by Bing, which is a Microsoft uh.
SPEAKER_01And I think it it goes to show that Europe has so underinvested in like some of these technologies. And we can do all of these things in Europe, but what really needs to happen is we need to get in the race. We need to do whatever it takes to get in the race, and we can we can use defensive techniques to slow them down or you know, protect our citizens, and we should probably do all of these things in Europe, but most importantly, we need to get in the game, and we're coming from behind, so that means like you have to make the right moves to actually first catch up and then you know actually be in the race.
SPEAKER_05That's it for this episode. It was made in partnership with the European Open Source Academy, which advocates for public recognition of open source software and hardware. You can check out their work at Europeanopensource.academy. EU Scream is nonprofit journalism and is produced in association with the Brussels Times. It's your feedback and support that helps us delve into this new darker era in our politics, into how the EU should be responding, and into the thoughts and experience of people who really know what they're talking about. Small donations to large ones, that's all incredibly appreciated. It also helps when we get a five-star rating at Spotify or a review at Apple Podcasts. And passing on episodes to family, colleagues, and friends, that's yet another great way to show support. For more details and for more EU Scream, do please visit BrusselsTimes.com and look for the podcast. Thanks for listening.