Subject to United States jurisdiction

Guest writer Douglas Guy explores how a U.S. government order to Anthropic exposed the fragility of digital sovereignty, arguing that Scotland’s key public systems, built on platforms like Amazon Web Services, sit under foreign jurisdiction with little scrutiny or an exit plan.

On Friday, an American company switched off its best software for every foreigner on earth, on a government order that didn't explain itself, and complied while it was busy suing that same government. The servers under Scotland's health records, its digital identity, and its government post answer to the same power. The government's own files show it didn't assess the risk, and has no plan to leave.

At 5:21 on a Friday evening in Washington, the American firm Anthropic received a letter from the United States government and did as it was told. Within hours, it had cut off its two most capable AI systems to every foreign national on earth, including the foreigners working in its own offices. The instrument was an export control from the Commerce Department, and it had no half-measure: because the order counted any foreign national's access as an export, barring foreigners meant pulling the systems for everyone. It came wrapped in national-security language; the letter named no specific concern. The software had been on sale that week. It was gone by the weekend.

The software was the visible part; the lever is the transferable one. A company incorporated in the United States can be ordered, by a single stroke of executive power, to deny its service to foreigners, at no notice, on a Friday, for a reason that need not survive daylight. And it will comply: Anthropic was suing the same government in two courts at the time, and complied anyway. Its goodwill didn't protect its foreign users; the jurisdiction did the deciding.  What an order like that takes is whatever you've built on the thing it switches off. Friday's software was days old. Scotland's foundations are no

So ask the plain question. What does Scotland run on?

Over the past month, I put that question to the Scottish state under freedom of information, system by system, and the answers point one way. NHS Scotland's National Digital Platform, the shared spine of the health service's data, runs on Amazon Web Services. The Community Health Index, the register that holds a record for every patient in Scotland, runs on Microsoft Azure. ScotAccount, the Scottish Government's own digital identity service, the one it wants you to use to prove who you are to the government online, runs on Amazon. So does the new Digital Mailbox, the channel through which it intends to send you official mail.  Four foundations, all of them on American cloud platforms, one direction of travel.

The data centres really do sit in Britain, and that buys less than it looks. The point is law, not geography: an American company answers to Washington's courts wherever its servers sit, and these particular ones aren't neutral pipes.  Microsoft told a French Senate committee last year, under oath, that it couldn't guarantee European data would be kept from American authorities; it has also spent years under government secrecy orders that barred it from telling customers their data had been handed over at all. The Scottish Government conceded it in writing. Asked about ScotAccount, it stated that "AWS is subject to United States jurisdiction." 

That jurisdiction reaches you by two routes. The first gets the occasional mention: the CLOUD Act lets the US government compel an American company to surrender data, wherever in the world the data is held. Call it the disclosure lever, the one that takes your information. The second is the one Anthropic demonstrated on Friday: the same government can order the same kind of company to switch the service off. Call it the denial lever, the one that takes your tool. They're separate powers, and Scotland's infrastructure stands in front of both.

When I asked whether these systems had been weighed against that exposure, the answer kept coming back no. ScotAccount's data-protection assessment doesn't consider the CLOUD Act at all, as stated in the policy. The Digital Mailbox holds no record of any review of whether recent American demands for cloud-held data have changed the risk. This isn't a government that examined the danger and judged it small. It did not examine it at all. And on leaving, on what happens if one of these arrangements has to end, the files say the same thing: no plan with a date or a cost on it.

Nobody is going to switch off the NHS. That is the reassurance, and Friday is what it's worth. Look again at why the order was given at all. The fear officials pointed to was that the software was unusually good at finding flaws in other software, a cyber-weapon in waiting. The researchers who reviewed the finding said it was the opposite of a weapon: the same capability is how defenders find and patch holes before state-sponsored hackers reach them, and it should never have triggered an export control.

The trick is common to rival systems and a trade thirty years old, with tools anyone can download; the blocked software made it quicker, not possible. Switching off one company contained nothing. The order was fired on a reason the experts who examined it rejected, and it fired regardless. A rule you can predict, you can build around.  An order whose reasons dissolve on contact, you cannot. You're not depending on a regulator. You're depending on a mood, in a capital that isn't yours, acted on at five on a Friday.

Friday's pull was a frontier AI model, not a hosting contract. It showed the mechanism is real, and indifferent to whether the provider likes it. The same jurisdiction sits over the machines that hold your medical record and your verified identity, and the government's own answers show it never planned for the day it's used.

None of this argues against digital public services, or against proving who you are once and getting on with your day. It argues for governing the thing before it sets hard. Assess the exposure you've admitted you never assessed. Hold a real plan to leave, so that the dependence is a choice and not a trap. And for systems at the scale of a nation's health and identity, they require hosting that answers to Scottish or European law, with the resilience a serious state keeps for the things it can't afford to lose. Estonia, whose whole government runs on digital identity, keeps a backup of its critical registers in a data embassy in Luxembourg, so that no single jurisdiction holds the off switch. Scotland’s built the dependence and skipped the plan.

The capability was there on Thursday and gone by the weekend, for everyone outside one country and every foreigner and immigrant inside it, switched off by the company that made it, even as it fought the order in court. The machines under Scotland's health records and its identity layer answer to the power that threw that switch, and the files I was sent show no one planned for the day it reached them. It was all theoretical, right up until 5:21 on a Friday evening.