Most of us don’t worry too much about where our data goes. We store documents in the cloud, collaborate online with Slack and Zoom and rely on platforms like Microsoft 365, Amazon Web Services and Google Workspace. These tools are efficient, convenient and deeply embedded in how universities, businesses and governments operate. Our everyday digital life also involves online banking and payment systems, streaming platforms like Netflix and Disney+, news and social media platforms, loyalty programs, fitness apps and smart-home services. Many of these services are developed, hosted or routed outside Canada. They are part of global systems shaped by governance frameworks, commercial interests and geopolitical dynamics. This raises simple but uncomfortable questions: Who controls the systems through which our data flows? Who can access our data and how is is used? The answers to these questions impact our privacy, as well as the autonomy of our institutions and the economic competitiveness and sovereignty of our nation.Data sovereignty is not just a technical issue — it is a collective challenge that all Canadians need to start taking seriously. CTV’s Austin Lee tours ThinkOn’s data centre in Nepean, Ont., and considers data sovereignty. Dual-use technologiesIn the United States, the 2018 CLOUD Act means that the government can demand access to data held by U.S.-based companies, even if that data belongs to foreigners and is stored on servers outside the U.S. Read more: How Eurostack could offer Canada a route to digital independence from the United States This point was confirmed in an exchange between Microsoft and the French Senate, in which Microsoft admitted it cannot oppose an American injunction targeting data hosted in France. This is why countries like France are moving some public services away from U.S.-based platforms and toward domestically or European-controlled alternatives. The concern is not that foreign providers are inherently dangerous, but that dependence on infrastructure controlled elsewhere can become a vulnerability.Canada is not exempt. Our reliance — across government and the public and private sectors — on platforms such as Microsoft, Amazon Web Services (which underpins our banking systems) and Google creates a tension between operational convenience and control over sensitive information.This is also an example of a broader phenomenon known as “dual use.”Beneficial intent, harmful useDual use refers to research, data and technologies that are developed for beneficial purposes but can also be repurposed in ways that are harmful or contrary to the public interest.Familiar examples include nuclear research that can produce energy or weapons and biomedical research that can be used to support public health or create biological threats. However, dual use is not confined to these high-risk fields. Dual-use dynamics are embedded in many areas of everyday research and innovation, including digital technologies, environmental data and even the social sciences. Read more: Is someone watching you? Facial recognition tech is here and Canada offers little privacy protection What matters is not only what a technology is designed to do, but how it is taken up and used in different contexts, by whom and for what purposes.Wildfire monitoring, doorbell camerasHealth research data provides an example as it can be used to both improve care and enable new forms of surveillance — as with COVID-19 contact-tracing apps during the pandemic. Similarly, satellite imagery used for wildfire monitoring can support climate science and disaster response but is also used by open-source intelligence communities to identify military strikes in the war in Ukraine. Artificial intelligence systems developed for productivity can also be adapted to generate deceptive content. Research in psychology or communication can be used to design effective public health campaigns or to shape political opinions. Smart-home technologies such as doorbell cameras can help protect homes and even help people find their pets, but also raise concerns about surveillance of a neighbourhood.The original intent may be benevolent. But as knowledge, data and technologies circulate across institutions, sectors and countries, they can be repurposed in ways that are difficult to predict and with impacts that are hard to control.Dual use, in this sense, is not a property of specific technologies. It is a feature of how modern knowledge and communications systems operate.Fragmented responsibilityResponsibility for managing dual-use risks is spread between individual researchers, universities, companies and governments. Each plays a role, but none has a full view of, or control over, how knowledge is used.In Canada, current approaches tend to focus on research security. This involves protecting sensitive data, managing partnerships and ensuring compliance with regulations. These efforts are important, but they often address risks that have already been identified rather than anticipating those that are coming.Governments and research institutions are expected to manage these diverse risks, but their respective roles and powers are not clearly delineated. The result is that while responsibility is widely shared, the regulatory toolkit is still fragmented and incomplete.Awareness is the first stepDual-use risks cannot be eliminated. They are part of a world in which knowledge is produced within global systems, information moves freely across borders and technologies are widely accessible. The question is how to manage these risks in ways that are informed, proportionate and legitimate. That begins with awareness.For individuals, this means asking basic questions about the tools and platforms we use: Where is our data stored? Who has access to it? What protections are in place and are they sufficient?For universities, it means integrating dual-use considerations into decisions about research, partnerships and infrastructure: Are researchers sufficiently informed and engaged? Are they adequately supported? Are existing policies adapted to the range of potential risks?For governments, it means moving beyond reactive approaches toward co-ordinated strategies that align innovation, security and public accountability, and that provide clear, actionable guidance.A collective problemNone of these responses is sufficient on their own. Dual use is a collective problem. It requires shared attention, ongoing dialogue and a willingness to make trade-offs between different priorities. It also requires a shift in posture — from assuming that risks are isolated to certain sectors and managed elsewhere to recognizing that risks are diffuse and responsibility is distributed.Awareness is not a solution in itself. But without it, there can be no sustained pressure — from citizens, institutions or governments — to take dual-use risks seriously and to act on them.As debates over cloud infrastructure and data sovereignty continue, the question is no longer simply where our data is stored, but who ultimately controls how it can be used — and whether those uses align with our collective interests.Bryn Williams-Jones does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.