Conception of an Index for Digital Sovereignty Based on the Example of TYPO3

Categories: Community
Created by Anastasia Schmidt
Digital sovereignty is a nation's ability to control its digital destiny and may include control over the entire supply chain, from data to hardware and software.

Digital sovereignty is especially important when there is a high level of dependency on specific technology providers. This dependency introduces the risk of losing control over your data protection, and no longer being able to fulfill national and EU-wide requirements.

This article by Anastasia Schmidt from TYPO3 agency coding. powerful. systems. CPS GmbH in Berlin, Germany, explores the idea of creating an index to measure a CMS’s sovereignty — and uses TYPO3 as an example.

Introduction 

Digital sovereignty is especially important when there is a high level of dependency on specific technology providers. In that case, there is a risk of losing control over one's own IT and data protection and of no longer being able to fulfill national and EU-wide requirements. In order to secure the government's ability to operate in the digital space in the long term and minimize dependencies on specific technology providers, open source and open interfaces should be used, among other things.

The current problem is that it is not possible to measure and compare the digital sovereignty of an application that consists of several individual components. The question is whether the digital sovereignty of an application can be measured according to a general system and made comparable via an index. This article deals with the conception of such an index. The focus is limited to content management systems, especially TYPO3. Content management systems are used for the creation and administration of websites, and TYPO3 has a large part of the market in government administration.

The Weizenbaum-Institut and OSB Alliance have started an initiative to make digital sovereignty measurable through an index. The index, which analyzes parameters from different areas, creates a comprehensive picture of the current situation and can display changes in the level of digital sovereignty over time. This makes it possible to derive measures for politics, business and society to adjust individual indicators and achieve political goals.

How Can Digital Sovereignty be Measured?

Currently, there is no methodology for measuring digital sovereignty. To find an approach for measurement, it is necessary to look at the definition. But even this is not unambiguous. Digital sovereignty is defined differently in various sources, but all definitions have similarities. Generally, we speak of digital sovereignty when an individual, a company or even a government has the ability and possibility to maintain control over its own digital resources and its digital identity and to act independently of external influences.

To be able to measure the digital sovereignty of a web application, it is necessary to define first when a web application can be seen as digitally sovereign.

From the perspective of the owner of this web application, this is when the owner has control  over all data and functions, is not dependent on other services or platforms, and can manage and publish content on its own.

From the user's point of view, there are additional points for the digital sovereignty of a web application. The application must provide a high level of privacy and data protection. As little data as possible should be collected about the user and not passed on to third parties, and the user should be able to manage his own data. Additionally, aspects such as reliability and security are also important, as users should be able to interact with the website without hesitation. Furthermore, the web application should be easy to use for all user groups.

From these thoughts, some characteristics of a web application are derived. These characteristics will be considered in the measurement of digital sovereignty:

  • Control over data, content and functions:
    It can be checked whether the owner has full access to all functions and settings of the CMS and whether he can freely manage and, for example, export his data and settings. 
  • Independence from external providers:
    It can be checked whether the web application has external dependencies and the degree to which it depends on third-party providers. 
  • Privacy and security: 
    It can be checked whether the web application is compliant with data protection regulations and is secure. This includes, for example, using appropriate encryption for data transmission and closing security gaps.
  • Accessibility:
    It can be checked if the web application is designed to be used by a large number of people or if certain groups are excluded. 

To create an index, these characteristics have to be included. Because the index refers to the CMS TYPO3, it is also necessary to derive the components to be investigated from the TYPO3 structure. The following components can be selected and investigated in more detail:

  • Operating system (e.g. Linux, Microsoft Windows, macOS)
  • Execution environment (e.g. PHP) 
  • Web server (e.g. Apache, Nginx, Microsoft IIS, Caddy Server) 
  • Database (e.g. MariaDB, Microsoft SQL Server, MySQL, PostgreSQL, SQLite) 
  • System extensions and 3rd party extensions 
  • Configuration and customization options in the backend and frontend (e.g. TSconfig, TypoScript, Fluid Template Engine)
  • Support and documentation

In addition, there are CMS-independent characteristics such as the human factor, including skills and dependencies among employees and suppliers, as well as characteristics of a web application such as privacy and accessibility implementation.

Survey for the Calculation of an Index for Digital Sovereignty 

A digital sovereignty index can be calculated with the help of a survey. This involves reference to vendors, certain technologies, or people. The aim is to identify where a lock-in effect or other problems that affect digital sovereignty may occur. 

The index has a color scale that indicates the degree of digital sovereignty. The score ranges from a green A for optimal application to a red E for a very large number of non-compliances. There are points that have a positive or negative impact on the index. Examples of these can be found in the figure below. 

The following survey is designed to help identify the areas in which digital sovereignty may be violated. The 20 statements are to be rated according to the following scale:

1 = Do not agree 
2 = Rather not agree 
3 = Undecided 
4 = Rather agree
5 = Agree

CMS in General 

  • The CMS is written in a digitally sovereign programming language such as PHP or Python.
  • The CMS can be described as digitally sovereign. 
  • The CMS is on a high technical level. 
  • The CMS is on a current and LTS version. 
  • The CMS is extendable (e.g. by extensions or plugins). 
  • All installed components are necessary and in use. 
  • All installed components are on a high technical level and in an LTS version.

System 

  • Open source software is used for the operating system. 
  • The operating system is on a current and stable version. 
  • The execution environment (e.g. PHP) is on a current and stable version.
  • Open source software is used for the web server. 
  • The web server is on a current and stable version. 
  • Open source software is used for the database. 
  • The database is on a current and stable version. 

Configuration and Customization 

  • Back-end settings (e.g. general or user-specific settings) can be reused fully or partly when migrating to another CMS.
  • Frontend settings (e.g. page templates, page settings) can be reused fully or partly when migrating to another CMS. 

Web Application 

  • The web application is user-friendly and accessible. 
  • The web application is secure and compliant with privacy requirements.

Human Factor

  • The employees have the necessary skills to work with the CMS. 
  • There is no problem with personnel changes or moving to another service provider who takes care of the CMS. 

The scores should be summed up. The final result of the index calculation is shown in the following figure.

Final Note

Most of the statements in the survey are formulated very generally, and it can be assumed that many other aspects have to be examined in order to evaluate such a statement:

Example 1

The statement “there is no problem with personnel changes or moving to another service provider who takes care of the CMS” indirectly includes the question of how well everything is documented and whether there are strong dependencies on individual employees within the company. 

Example 2

Statements such as “web application is user-friendly and accessible” must consider numerous aspects, for example, whether guidelines such as WCAG are to be complied with.

Example 3

For some components, it should be checked whether they are open source or proprietary software; in this context, it would be possible to make more precise differentiations and to check other licensing models for restrictions and dependencies. There is shared-source software, where the source code is made available to selected individuals or groups, as is the case with Microsoft, for example. Another model is dual licensing, where software is available under different licenses, such as MySQL.

This test is useful for CMS-based web applications in general and not only for TYPO3, but it is not very detailed and should only be used as an impulse to explore the topic of digital sovereignty.

Additional contributors for this article
  • Reviewer: Claudia Nölker
  • Reviewer: Felicity Brand
  • Content Publisher: Mathias Bolt Lesniak