redwitch

📄 Red Witch – External Design Input: “Digital Colonialism” & AI Data Sovereignty

Document Name: “Digital colonialism: how AI companies are following the playbook of empire” Source / Link: The Conversation, Nov 25, 2025 — Jessica Russ-Smith (ACU), Michelle D. Lazarus (Monash University) https://theconversation.com/digital-colonialism-how-ai-companies-are-following-the-playbook-of-empire-269285
Document Type: External Design Input / Regulatory, Ethical & Societal Context Purpose: Provide evidence of systemic risks in large-scale data collection, bundled consent, and “digital terra nullius” practices by AI companies. Used to inform privacy-preserving design requirements, governance controls, and risk management for the Red Witch project.

1. Summary of Key Findings

Large AI companies routinely scrape massive amounts of online data without explicit consent or compensation, justified through broad interpretations of “fair use.”
This extraction mirrors colonial patterns (“digital colonialism”), treating data as if it belongs to no one (digital terra nullius).
Modern digital ecosystems frequently rely on coercive or bundled consent (“accept all”), which forces users to trade privacy for participation in essential services.
Bundled consent creates a Hobson’s choice: refusing consent leads to loss of functionality, essential digital access, or social exclusion.
First Nations resistance and Indigenous data sovereignty movements offer alternative models: local ownership, revocable consent, community control, and continuity-of-consent protocols.
Litigation trends (e.g., Reddit vs. Perplexity, Anthropic book settlement) underscore that uncontrolled data scraping generates legal, ethical, and reputational risk.
A sustainable, ethical data future requires:
- local or community control,
- granular and continuous consent,
- restricted secondary use,
- and recognition that data is not ownerless.

2. Implications for Red Witch Design

Based on the article, Red Witch shall implement the following design inputs / requirements to avoid digital-colonial practices and align with Indigenous data sovereignty principles:

Requirement / Design Input	Description	Linked RMF Risk
DI-101: Reject digital terra nullius	Treat all user data as owned and revocable; never assume implicit or bundled consent	R-Ext-101
DI-102: Continuity of consent	App must request explicit consent for each category of data usage; no all-or-nothing bundles	R-Ext-101, R-Ext-102
DI-103: Community/local data storage	All data stored locally on device or within a community-controlled environment; no cloud scraping	R-Ext-101, R-Ext-103
DI-104: Revocable permissions	Users can revoke consent at any time; data must be deletable without retention	R-Ext-101
DI-105: No data scraping or silent collection	App must never collect data the user did not intentionally enter or authorize	R-Ext-101, R-Ext-102
DI-106: Transparency of access events	Log and expose any instance of data access or processing; provide “why, what, when” visibility	R-Ext-102
DI-107: Legal alignment for data sovereignty	Design aligned to GDPR, UNDRIP Indigenous Data Sovereignty Guidelines, and relevant privacy standards	R-Ext-103
DI-108: Anti-coercive UX	Essential functionality cannot be gated behind bundled consent agreements	R-Ext-102

3. Link to Risk Management File

External risks identified from the “Digital Colonialism” article are added to the RMF:

RMF Risk ID	Source	Risk Description	Mitigation / Control
R-Ext-101	“Digital Colonialism” (2025)	Treating user data as “ownerless,” leading to unauthorized, unethical, or unlawful data extraction	Local-only storage, revocable consent, granular permissions, no scraping, explicit data ownership
R-Ext-102	“Digital Colonialism” (2025)	Bundled/coercive consent creating loss of agency, privacy violations, and digital exclusion	Anti-coercive UX, continuity-of-consent, transparency logs
R-Ext-103	“Digital Colonialism” (2025)	Failure to meet emerging data sovereignty expectations (legal + cultural), leading to litigation and trust failure	Alignment with GDPR/UNDRIP, community-controlled storage, no secondary use

4. Usage

This external design input informs:

SRS – Design Inputs: Data sovereignty, consent architecture, storage requirements.
RMF: Identification of external socio-technical risks related to data exploitation and coerced consent.
QMS Evidence: Demonstrates incorporation of societal-ethical context and external research into risk-based design, fulfilling ISO 9001/13485 expectations for recognizing external issues affecting product quality and safety.

1) Conceptual overview — what data sovereignty is (short)

Data sovereignty (general) — the principle that data is subject to the laws, rights, and governance of the place, people, or community to which it pertains; it covers legal jurisdiction (national/state), ownership, and governance choices about collection, storage, access and reuse. (IBM)

Two distinct but overlapping meanings you’ll see in practice

National / legal data sovereignty (jurisdictional): governments assert control over data located in their territory (data residency vs. localisation; law enforcement / privacy rules). This affects cloud hosting, cross-border transfers, and compliance obligations. (IBM)
Indigenous / community data sovereignty: communities assert that data about them (people, places, knowledge, culture) is owned, governed and used according to their laws, values and protocols — not simply treated as “ownerless” internet fodder. This includes principles like OCAP (First Nations Canada) and CARE (Collective benefit, Authority to control, Responsibility, Ethics). (FNIGC)

Why it matters to your app / QMS

Legal risk (privacy, copyright, cross-border rules) and reputational risk (perceived exploitation) are rising; courts and settlements are already changing business incentives. (AP News)
Ethical and community expectations (Indigenous data sovereignty, consent continuity) create design requirements beyond baseline regulatory compliance. (RDA)

2) Current landscape — key trends (brief, evidence-linked)

Litigation & market pressure pushing companies to change behaviour. High-profile lawsuits and settlements (e.g., Anthropic $1.5B settlement; platform suits against scrapers like Reddit vs Perplexity) demonstrate legal exposure for large-scale scraping and opaque reuse. This raises liability for any app that depends on third-party training data or shares user data. (The Verge)
Stronger Indigenous / community governance frameworks are being adopted and promoted. CARE principles (GIDA), OCAP (First Nations), and regional collectives (Maiam nayri Wingara in Australia) are now referenced by governments, funders and research institutions — meaning community consent and governance expectations are becoming normative. (RDA)
Regulatory and technical emphasis on locality + control. Governments and cloud providers differentiate “residency” vs “sovereign” cloud offerings; organizations are expected to show where data lives, how it crosses borders, and who can access it. (IBM)
Shifting definitions of consent & transparency. The “bundled consent” model is under fire: continuous, revocable, and purpose-specific consent models are being proposed as alternatives (this is central to Indigenous data sovereignty arguments and to civil-society privacy proposals). (RDA)
Academic and policy discourse reframes data extraction as a form of ‘digital colonialism’ — useful for risk analysis and stakeholder engagement because it highlights power asymmetries and historical analogues. (See the Conversation piece you shared and supporting scholarship.) (Vishal Ravate)

3) Immediate, practical follow-up for your app and QMS (prioritized checklist)

Use this as a runnable checklist; each item maps to QMS artifacts (SRS, RMF, DHF, audit evidence).

A. Governance & legal (high priority)

Perform a Data Sovereignty Gap & Impact Assessment (add to RMF). Document: where data is collected, stored, processed, exported, and who has legal rights. (Output = DPIA + Data Map). (IBM)
Legal review for cross-border transfers, copyright and scraping exposures. Ensure EULAs/ToS and vendor contracts prevent unwanted secondary use; check if content you depend on is licensed. Document in contract register. (The Verge)

Adopt a continuity-of-consent architecture. Replace “accept all” with granular, revocable consent flows; log consent events and make revocation effective immediately. Add DI (design input) entries to SRS. (RDA)
Avoid coercive gating. Ensure essential features are not contingent on broad data sharing — document exceptions and justifications in risk files.

C. Technical controls & data lifecycle (high priority)

Local / community storage options. Default to local-device storage; cloud only with explicit, auditable consent or community governance. Add technical requirement (DI-103 style). (Oracle)
Encryption, access logs & provenance. Log “who/why/when” for any data access; make logs auditable for communities and regulators.
Data minimization & retention policies. Capture only what is needed; set auto-delete and data-exportability features.

D. Community engagement & ethical alignment (high impact)

If your app involves Indigenous or communal data, adopt OCAP/CARE or local equivalents. Work with community representatives to codify governance rules — include MOUs in supplier and research governance files. (FNIGC)
Establish a community advisory board (or Indigenous governance board) where applicable and include meeting minutes as QMS evidence.

E. Monitoring & continuing compliance (medium priority)

Monitor litigation and policy developments. Log news/watchlist (Anthropic settlement, Reddit vs Perplexity etc.) and update risk scores quarterly. (The Verge)
Periodic DPIA and consent process audits. Add to internal audit schedule.

4) Suggested QMS/RMF artefacts to produce

Data Sovereignty DPIA (Data map + legal matrix + risk treatment plan).
Consent & Privacy Requirements (SRS section): granular consent, revocation API, audit log schema, local-storage default.
Community Data Governance Policy (if relevant): OCAP/CARE mapping and MOU template. (FNIGC)
Supplier & Third-party Data Use Contract Clause: forbids scraping, mandates provenance, indemnity for IP infringement. (Reuters)
Audit checklist for external inputs (how you record and evaluate external articles, legal changes, community concerns).

5) Who / what to consult next (resources & contacts)

Organisations & frameworks

Global Indigenous Data Alliance (GIDA) — CARE principles. (Global Indigenous Data Alliance)
First Nations Information Governance Centre — OCAP guidance (Canada). (FNIGC)
Maiam nayri Wingara Indigenous Data Sovereignty collective (Australia) — national practice & frameworks. (Maiam Nayri Wingara)
National privacy / cloud guidance (IBM/Oracle pages are useful technical primers on residency vs sovereignty). (IBM)

Legal / policy watchers

Keep a watchlist for major AI / data litigation and settlements (Anthropic, Reddit v Perplexity). (The Verge)

6) Quick, pragmatic timeline you can adopt now (two-week sprint)

Days 1–3: create Data Map + gap list; schedule legal consult. Days 4–7: draft SRS changes: continuity of consent, local storage default, revocation API. Add to DHF. Days 8–10: stakeholder outreach plan (identify communities, legal counsel, suppliers). Draft MOUs. Days 11–14: implement logging and a minimal consent prototype; add to RMF and arrange a QMS internal audit entry.

7) Example language you can paste into SRS / QMS to link this work to external context

“External Context: ‘Digital colonialism — how AI companies are following the playbook of empire’ (The Conversation, Nov 25, 2025) and related Indigenous Data Sovereignty principles (OCAP, CARE) were reviewed. Controls implemented include continuity of consent, local-default storage, community governance mapping, and contractual prohibitions against scraping; see RMF entries R-Ext-101..103.” (Vishal Ravate)

CARE Principles (Global Indigenous Data Alliance). (Global Indigenous Data Alliance)
OCAP® — First Nations Principles (FNIGC). (FNIGC)
Maiam nayri Wingara Indigenous Data Sovereignty collective (Australia). (Maiam Nayri Wingara)
IBM / Oracle explainers on data residency vs sovereignty. (IBM)
Recent litigation and settlements (Reddit v Perplexity; Anthropic settlement coverage). (Reuters)

✅ What is CANChat (and what’s real vs. rumor)

CANChat is indeed a real generative-AI chatbot created by Shared Services Canada (SSC). (Canada)
It is designed for internal government use — initially for “unclassified work” by federal employees. (Canada)
According to SSC, CANChat “does not use prompts to train” its AI — meaning it does not (or claims not to) feed user-generated prompts or documents back into training datasets. (Canada)
The stated rationale for CANChat is to provide a “sovereign AI” option — i.e., a tool under Canadian control, with data residency and governance aligning with Canadian laws, values, and public-sector data-handling standards. (Canada)

So: yes, Canada is building a public / sovereign-AI capability, of which CANChat is a visible example. It is not (in public documents) a consumer-facing or commercial LLM yet — but it shows that the government is investing in having “AI under Canadian jurisdiction.”

🌐 Broader Canadian “Sovereign AI” Landscape (2025)

CANChat is part of a broader movement in Canada toward data sovereignty and “sovereign AI.” Key developments:

The federal government launched (in 2025) its first public-service AI Strategy — signaling formal commitment to ethical, accountable, transparent, and locally governed AI. (Canada)
Private-sector initiatives are also launching — for example, CanXP AI recently announced itself as “Canada’s first sovereign AI ecosystem for everyday use,” with hosting on Canadian infrastructure and claims that data “never trains external models.” (Newswire)
Telecom / infrastructure providers are building out “sovereign AI / cloud” infrastructure. For instance, TELUS launched a “Sovereign AI Factory” in Rimouski (Quebec) to allow enterprises to run AI fully inside Canada (data, compute, models, logs under Canadian jurisdiction). (Forbes)
A recent white paper from the Canadian government points out that data stored “in Canada” can nevertheless be subject to foreign court orders if a cloud provider is subject to foreign law — highlighting that “data residency” ≠ “data sovereignty.” (CHAT News Today)

Conclusion of landscape: there is a concerted push — from public and private sectors — to build “sovereign AI” capacity in Canada. The goal is to let Canadians (or Canadian organizations) use powerful AI while keeping data, governance, and legal jurisdiction within Canada.

🔎 How CANChat / Sovereign AI affects “Data Sovereignty” for your app

Given your interest in data sovereignty and embedding it into your QMS / RMF for your app, CANChat and the broader sovereign-AI trend are relevant in a few important ways:

Positive signals / opportunities:

The existence of tools like CANChat — and infrastructure like TELUS’s Sovereign AI Factory or CanXP AI — shows that sovereignty-first AI infrastructure is becoming real and accessible in Canada. That means your app could leverage Canadian-based LLM infrastructure (or call out to it) to provide AI-powered features without exporting user data to foreign jurisdictions.
This supports a data-sovereignty/control model you seem to want (local storage or local-governed AI), reducing risk associated with foreign regulation, foreign court exposure, or unwanted secondary use.
As sovereign-AI capacity grows, “made-in-Canada” AI becomes a competitive differentiator — could align with user trust, compliance (privacy, law), and ethical design principles.

But: caveats & limitations — sovereignty is not yet perfect:

As the 2025 government white paper cautions: even data stored “in Canada” can be subject to foreign laws if infrastructure or providers have foreign ties. So “data in Canada” ≠ “data under full Canadian control.” (CHAT News Today)
CANChat (and perhaps related tools) appear focused on internal government / enterprise use; I haven’t seen public documentation of a widely-available “consumer-grade” Canadian LLM (as of now). So depending on it for a public consumer-facing app may have limitations.
Even sovereign-AI doesn’t automatically solve all ethical, governance, or consent issues — you will still need to implement explicit consent flows, data minimization, and robust governance (as you already plan).

🎯 What this means for your app — and what you should do (next steps)

Because of this evolving landscape, I recommend you treat the rise of sovereign-AI + CANChat as strategic context input for your QMS / design — and use it to strengthen your data-sovereignty posture. Here’s how:

Explore using Canadian-hosted AI infrastructure (e.g., a “sovereign AI factory”, or a private-cloud Canadian LLM) if your app uses AI or large-language models. This helps align with sovereignty, privacy, and compliance goals.
Monitor legal/regulatory developments — e.g. the evolving definition of “data sovereignty” in Canada (the 2025 white paper warns about limits). Use this as part of your external context and risk-watch list in the RMF.
Integrate governance and consent controls regardless of where the AI lives — sovereignty does not remove the need for explicit user consent, transparency, auditability, and data minimization.
Include “sovereign-AI / Canadian infrastructure” as a design / business requirement — e.g. in your SRS, note that any AI backend must be hosted in Canada, on Canadian infrastructure, with Canadian or appropriately aligned legal controls.
Engage with emerging Canadian AI ecosystem & providers (government, private, academic) — possibly as suppliers or partners, to stay ahead of compliance and take advantage of local infrastructure.

https://aiatsis.gov.au/publication/116530

📚 What is that 2019 document — and why does it matter

The document is Delivering Indigenous Data Sovereignty, published by Australian Institute of Aboriginal and Torres Strait Islander Studies (AIATSIS) in July 2019. (AIATSIS)
It forms part of a broader movement called Maiam nayri Wingara Indigenous Data Sovereignty Collective (and similar networks worldwide) — efforts to define and assert that Indigenous communities have sovereign rights over “Indigenous data”: data about Indigenous peoples, lands, cultures, resources, heritage, etc. (AIATSIS)
The core ideas were already well-developed by 2016, as shown in Indigenous Data Sovereignty – Toward An Agenda which laid much of the foundational theory and arguments for Indigenous control over data as part of self-determination. (caepr.cass.anu.edu.au)

So — yes, data-sovereignty thinking predates the explosion of generative-AI tools by several years. Importantly, that means concerns about data extraction, representation, colonization via data, and governance — which seem very contemporary given AI — have been under discussion for a long time within Indigenous, academic, and policy circles.

🔎 What this long history implies / why it resonates now (and for you)

Several implications of that early origin are relevant, especially to a project like yours that aims to embed data-sovereignty and ethical design:

Longstanding awareness of power imbalances in data collection and reuse. The fact that Indigenous communities began shaping data-sovereignty frameworks before the AI boom shows the problem isn’t new — data collection has long been a vector for exploitation, misrepresentation, erasure, or misuse. The “digital colonialism” framing today is, in part, a continuation of those earlier concerns.
Well-established governance frameworks & principles. Thanks to these earlier efforts, there already exist mature conceptual frameworks, such as the CARE principles for Indigenous Data Governance, or the “data-sovereignty = self-determination” model. (Treaty Authority) That means you don’t have to invent from scratch — you can draw on those frameworks when designing policies for your app (or for broader data governance).
Precedent for “data as rights” rather than “data as resource.” The message from those 2010s publications reframes data not as an extractable commodity but as something inherently tied to people, communities, cultural identity, heritage — with moral, legal, and political dimensions. Embedding that mindset now gives your design a deeper ethical grounding.
Earlier context helps avoid “reactive ethics” inertia. Because data-sovereignty debates predate AI hype, you can treat these not as a bandwagon but as enduring values. That helps you position your QMS not as a “response to AI backlash” but as part of a deeper commitment to responsible, just, and equitable data handling.

✅ What this means for your app / QMS — and how to build on it

Because “data sovereignty thinking” is not new but has deep roots — you have an advantage. Use that history to ground your design and governance:

Reference foundational texts (like the 2019 AIATSIS document, and the 2016/2017 treatises) as external context inputs. They show that concerns about data, power, and colonial legacies are not fads but persistent issues.
When designing for “sovereignty / consent / governance,” treat them as part of a continuum — not reactive add-ons. For example: design local storage, user control, and revocable consent assuming that data belongs to people (or communities), not platforms.
Consider whether your app could — even optionally — support or respect community-level data governance (if relevant). The principles developed in the Indigenous Data Sovereignty movement (e.g. control, ownership, stewardship) can apply beyond Indigenous contexts: focusing on shared data ownership, user-driven control, transparency, and ethical reuse.
Use these materials as part of training, audits, or documentation: in QMS / RMF you could record that “legacy scholarly work demonstrates systemic risks in data colonialism,” and that your design is responding to them proactively.

✅ Key Canadian / Indigenous Data Sovereignty Frameworks

First Nations Information Governance Centre (FNIGC) + OCAP® Principles

OCAP® stands for Ownership, Control, Access, and Possession. It is widely accepted in Canada as a foundational framework for First Nations data governance. (FNIGC)
Under OCAP®, a First Nation community collectively owns its data (not individuals or external researchers). They have the right to control how data is collected, used, stored, interpreted, and shared; to control access; and to physically possess their data (or govern its storage), regardless of external hosting. (Canada School of Public Service)
FNIGC presents OCAP® not as a rigid one-size-fits-all regime, but as a set of guiding principles — each Nation may implement it according to its worldview, customs, governance structures and priorities. (FNIGC)
The mandate of FNIGC is to support First Nations to achieve data sovereignty through community-driven data governance, capacity building, culturally relevant data collection, and representation. (FNIGC)

Thus OCAP® is perhaps the best-known Indigenous data-sovereignty framework in Canada for First Nations data.

Broader / Pan-Indigenous or Cross-Community Principles & Emerging Models (Métis, Inuit, Multi-Nation, research contexts)

Because Canada includes multiple Indigenous peoples (First Nations, Inuit, Métis), and because different communities have distinct cultures, protocols, and governance traditions — many data-governance frameworks emphasize distinctions-based approaches (i.e. recognizing that what works for one community may not for another). (CIHI)

Some of the broader governance models include:

The Global Indigenous Data Alliance (GIDA)’s CARE Principles: Collective Benefit; Authority to Control; Responsibility; Ethics. These principles echo and overlap with OCAP®, and aim to guide ethical, community-led stewardship and shared benefit. (BCcampus Open Publishing)
For Métis communities: there are culturally-competent ethical research frameworks (e.g. “Métis-specific ethical research principles”) that may complement or extend OCAP-like governance to reflect Métis protocols. (UVic Library Guides)
For Inuit communities: there is the National Inuit Strategy on Research (NISR), which outlines how research and data practices involving Inuit communities should be governed to respect cultural knowledge, priorities, and consent. (BORN Ontario)
In research and institutional contexts in Canada (universities, health research bodies, etc.), many strive to align with OCAP®, CARE, or community-driven data-governance frameworks when involving Indigenous data — especially for studies involving land, environment, health, culture, or traditional knowledge. (Research Data Management)

Thus there isn’t a single monolithic “Canadian Indigenous data sovereignty framework” that covers all Indigenous peoples — but a suite of recognized frameworks and principles, many of which are internationally aligned, and adaptable depending on which community is involved.

🎯 Why these frameworks matter (and how they work in practice)

They recognize that data about Indigenous peoples, communities, lands, culture, resources, traditional knowledge, etc., is not neutral. It’s entwined with identity, rights, history, and collective sovereignty. Governance must respect collective — not just individual — rights. (UBC IT)
They shift power: from outside researchers, governments, or corporations — back to Indigenous nations and communities. Data collection, interpretation, dissemination, and storage become decisions under Indigenous authority. (FNIGC)
They provide practical tools and standards (OCAP®, CARE, community-specific research protocols) for engaging ethically — useful for researchers, developers, institutions, and even private-sector actors. (Canada School of Public Service)
They encourage free, prior, informed consent (FPIC); respect for traditional knowledge; cultural sensitivity; and community benefit — not just extraction or academic/commercial hypotheticals. (BCcampus Open Publishing)

🧰 What this means if you build an app / data-driven product in Canada

Since you are designing an app and a QMS with data-sovereignty concerns — knowing that these frameworks exist gives you a real, formal reference point:

If your app deals with Indigenous data (or targets Indigenous users/communities), you should refer to OCAP®, CARE, and possibly community-specific protocols and treaty-based or self-governance laws.
If not — still worthwhile to be aware, especially if your app may later collect demographic, cultural, geographic, or community-based data; respecting these frameworks helps avoid misuse, fosters trust, and demonstrates ethical design.
Your external context / risk-management documentation can reference OCAP® / Indigenous data sovereignty as “external context inputs” — this strengthens the ethical and legal grounding of your design.
It highlights that “data sovereignty” doesn’t always equate to just “storing data locally” — it also means governance, consent, collective rights, control over use, and respect for cultural/communal context.

This site is open source. Improve this page.