In January 1917, Germany sent a secret telegram.
It went to Mexico. The offer: join the war against the United States, and you can have Texas, Arizona and New Mexico back. The Germans were careful and they put it in cipher.
However, their own transatlantic cables had been cut, so they sent it the only convenient way left. Down lines that ran through British territory. Part of it over an American cable.
The cable was stated to be private. Contractually, and because they had encoded the message.
Except Britain was quietly tapping those wires. A room of codebreakers in the Admiralty, Room 40, read the whole thing. Six weeks later it was on the front page of every American newspaper. Not long after, the United States was in the war.
It doesn’t matter whose message it is. If it runs on infrastructure you don’t control, whoever controls it can read it.
I thought about that this week, reading about Microsoft.
Microsoft are alleged to have handed documents to the US Congress. Emails, minutes, meeting invites. Belonging to regulators at two Dutch authorities. The people whose actual job is enforcing Europe’s Digital Services Act against US tech.
And it handed them over without redacting their names. A ready-made list of the people holding US giants to account. This changes the Data Sovereignty picture significantly.
The mechanism is the US CLOUD Act. It can compel an American company to give up data even when that data sits on European soil.
Microsoft’s own lawyer admitted as much under oath to the French Senate. Astonishingly, he could not guarantee that French data in European datacentres was safe from quiet US access.
So “our servers are in Frankfurt” turns out to mean very little.
This isn’t really about Microsoft
It’s tempting to make this a Microsoft story. It isn’t.
Microsoft followed the law it’s bound by. Swap in any US hyperscaler and the answer is the same. The jurisdiction comes with the operator, not the postcode.
Every dependency you don’t control is a risk you’ve deferred.
You don’t feel it on the day you sign. You feel it the day the terms change, the price jumps, the subpoena lands, or the supplier you built your whole stack on decides your use case isn’t a priority any more.
The bill was always there. It was just scheduled for later.
What I’d actually do about it
I’m not telling you to rip out your cloud and move to a shed. That’s its own kind of silly.
I’m telling you to know which bills you’ve deferred, and decide if you’re comfortable holding them.
For the things that don’t matter, convenience is the right call. Rent it. Outsource it. Don’t think about it again.
For the things that do, the data that would end careers if it leaked, the systems a regulator will ask about, the layer your whole business runs through, ownership and Data Sovereignty is surely worth the friction?
That’s the quiet case for open source and for infrastructure you can actually run yourself. Not ideology. The boring freedom of knowing where your data lives, who can reach it, and what happens when the relationship sours.
If your critical layer runs on infrastructure you don’t control, you’ve accepted that someone else can read your mail. If it’s open source, no black-box installed, and you can run it where you choose, the wires are yours.
I’ll admit the convenient path is convenient for a reason. We’ve all taken it. Running your own infrastructure is more work than renting someone else’s, right up until the morning it isn’t.
Convenience has a bill that can be more expensive than you budget for.
The Zimmermann Telegram, 1917. US National Archives and Records Administration, public domain (via Wikimedia Commons).
Further reading
- Microsoft allegedly leaked data of Dutch civil servants to the US government (Cybernews)
- Microsoft’s ICC email block reignites European data sovereignty concerns (Computer Weekly)
- The US CLOUD Act explained (MassiveGRID)
- The secret history of the Zimmermann Telegram (History.com)
- Open source: how and why we built a cloud-native API gateway (Tyk)
- Open source API gateway (Tyk)
