An Alternative to Big Tech AI · Essay 6 of 7

A Control Tower, Not a Watchtower

To run anything at scale you have to see how it is going. The question is whether the tool you build to see is a control tower or a watchtower.

Précis. Every platform operator faces the same temptation. Keeping a service healthy needs oversight: you have to know what is failing, what is slow, where people are unhappy. The instrument you build to see those things is, by default, a surveillance instrument, because the same console that shows system health can usually be turned to read anyone’s messages. Big Tech resolves this by letting the operator see everything and calling it administration. We built the other kind of instrument. The Village’s operator cockpit reports health and metadata and cannot read members’ content, and it inverts the usual pyramid so that the higher you sit, the less you see of any individual. A control tower watches the system to keep it running. A watchtower watches the people. This essay is about that distinction, including the part we have not switched on yet.

Download PDF Present as Slides Briefing PDF

Key messages — tap any line to read the section

When oversight stops being optionalThe tool you build to keep a service healthy is, by default, a surveillance instrument.
  • Running anything at scale means you have to be able to look.
  • The natural shape of that tool — the god-view console — is the watchtower.
  • Big Tech governs admin access by policy and logging; that is, by promises.

Oversight stops being optional at a certain point in a platform’s life. Communities are running, members rely on it, and things break in ordinary ways: a mail queue backs up, a server runs hot, someone reports a problem at two in the morning. Someone has to be able to look. And the instant you build the tool that lets them look, you have made a decision about power, whether you meant to or not. The natural shape of that tool is the admin console, the god-view, the single dashboard that sees every tenant. That is the shape of surveillance: one position from which everything below can be observed.

Big Tech builds the watchtower as a matter of course. The administrator of a cloud platform can read the documents, open the messages, inspect the accounts. Access is governed by policy and logging rather than by architecture, which is to say it is governed by promises. This whole series is about why a promise is the weak form of a safeguard. So our question was never “how do we see everything safely.” It was “how do we see what we need to keep the system healthy, and nothing else.”

Two kinds of lookingA watchtower looks into the people; a control tower looks at the system's health.
  • An air traffic controller keeps aircraft apart without knowing the passengers.
  • The cockpit reports health and the shape of activity — never its content.
  • The line is where the wall is built, not a setting to remember.

A watchtower and a control tower are both high vantage points, and there the resemblance ends. A watchtower looks into: its job is to observe the people below, and its value grows the more it sees of them. A control tower looks at: it watches the state of the system, what is moving and what is about to fail, so that it never has to look inside the cargo. An air traffic controller keeps a hundred aircraft apart without knowing or caring what any passenger is doing. That is the model we took.

So the cockpit reports the platform’s health and the shape of activity, and the content of that activity is not available to it. It can tell an operator that a community raised three support issues this week, that a mail server is failing, that one tenant’s load is climbing, that a piece of correspondence has arrived and what kind it is. It cannot show what a member wrote to another member. The wall is built there, so the line does not depend on an administrator remembering to respect it.

What it shows, and what it cannotPanels report counts, intents and system pulse — never a member's words.
  • Member voice as volume, alerts by severity, correspondence by kind, system health.
  • One scope mechanism decides what is visible to whom.
  • Hardened by adversarial isolation tests — it held 9 cases out of 9.

The cockpit is assembled from a small set of panels, each reporting a kind of health or a count, never content:

  • Member voice: how much feedback is coming in, not what anyone confided.
  • Operational alerts: sorted by severity.
  • Inbound correspondence: the kind of thing that has arrived, without opening it.
  • Governance: the health of the framework itself.
  • Pulse: the physical state of the system — servers, database, inference, backups, queues.

Read the board top to bottom and you know how the platform is doing. You learn nothing you could use to surveil a person, because that information never enters the board.

Underneath sits the least glamorous part, which does the real work: a single mechanism that decides, for whoever is looking, what is in scope for them at all. We hardened it the way you harden a lock, by attacking it. A battery of adversarial isolation tests set a moderator of one community against the wall of another, and a lower tier against the climb to a higher one. It held nine cases out of nine. “Communities are isolated” is the kind of sentence every platform says. What counts is whether someone tried to break it on purpose and wrote down what happened.

A high-country lake below snow peaks at dusk, Aotearoa New ZealandAltitude widens the view of the system, not the person.Aotearoa New Zealand · © My Digital Sovereignty
The higher you sit, the less you seeVisibility of the system widens as you rise; visibility of the individual narrows.
  • Moderator sees their own community; distributor sees only their communities' metadata.
  • The platform operator sees less of any one person than the moderator two tiers below.
  • Scale is not a licence to surveil — the design says so in its grammar.

The inversion that matters most runs opposite to how oversight normally works. In the usual pyramid, authority and visibility rise together: the higher your role, the more you see, until someone at the top sees everything. The Village’s cockpit is tiered the other way for individuals. There are three vantage points:

  • A community’s owner or moderator sees their own community: the people they are responsible for, and the content their role already permits.
  • An accredited distributor who provisions and supports a set of communities sees those communities only as metadata and health — how each is doing, what needs attention, the state of their infrastructure. Never members’ content, never inside any single community.
  • The platform operator sees the whole estate as an umbrella of health and segments, and sees less of any one person than the moderator two tiers below.

Visibility of the system widens as you rise; visibility of the individual narrows. The only person whose content anyone can see is the one closest to them, in their own community, and only because their role already carries that responsibility. Climb the structure and you trade intimacy for altitude. Scale is not a licence to surveil.

A weathered bench looking out over rolling farmland, Aotearoa New ZealandA vantage that only shows.Aotearoa New Zealand · © My Digital Sovereignty
Surfaces that enforce their own restraintEach place oversight lives carries its limit in the hardware, not just the rules.
  • The wallboard is read-only by construction — device-bound token, no action controls.
  • The operator's tablet requires fresh step-up before any action.
  • Being logged in is never the same as being able to act.

Oversight has to live somewhere physical, and each place we put it carries its own limit in the hardware, not just the software. The standing display, a wallboard that rotates on a screen on a wall, is read-only: it runs on a device-bound, auto-expiring token and has no action controls at all. You cannot do anything from it because there is nothing on it to do anything with. Where action is possible, on the operator’s gated tablet reached over a private network, it takes a fresh step-up authentication first. Being logged in is never the same as being able to act. The restraint is a property of the surface the operator stands at.

A rain squall sweeping over farmland toward the sea, Aotearoa New ZealandWe built the gate before the actuator.Aotearoa New Zealand · © My Digital Sovereignty
What we have deliberately not switched onWe built the gate before the actuator — the action layer is inert by choice.
  • The cockpit can propose routine fixes; the executing parts are held behind an off switch.
  • Proposed actions wait in a queue for a human to approve.
  • The whole cockpit is off by default — where unturned, the routes aren't there.

The plain state of it: the cockpit also has the beginnings of an action layer, a way for routine fixes to be proposed and carried out, such as a failed mail retried or a stale answer corrected. We built that layer to propose, not to perform. A proposed action goes into a queue for a human to approve, and the parts that would execute are inert, held behind a flag that is off. The whole cockpit sits behind a switch that is off by default; where it is not turned on, the routes are simply not there.

We say this plainly because the series demands it, and because the restraint is the point. We built the gate before the actuator. An oversight system that could act on its own across communities, before the machinery keeping each action human-approved and scope-bound was proven, would be the watchtower we set out not to build. So the seeing came first, the proposing second, and the acting waits behind a gate a human opens or leaves shut. A model can suggest a fix; an operator authorises it. That order is the same boundary every essay here returns to, applied to the people who run the platform rather than the people who use it.

Why this is the opposite of the thing it replacesOversight that respects the boundaries it enforces is the only kind a no-surveillance platform can use.
  • Big Tech's console separates oversight from surveillance only by rules.
  • The cockpit watches the system so it never has to watch the people.
  • The watchtower sees everyone to control the system; the control tower never has to.

Set the two architectures side by side. The administrative console of a large cloud platform is, in its bones, a watchtower: one elevated position from which, subject to policy and logging, the content below can be read. Oversight and surveillance are the same instrument there, separated only by rules about when to point it. The Village’s cockpit watches the health of the system so closely that it never needs to watch the people, and watching people is not a capability the architecture grants.

That is the same trade the series describes, seen from the operator’s chair. The community owns its record, and the operator cannot read it. The community runs a model that is theirs, and the operator oversees the platform, not the conversations. Oversight that respects the boundaries it enforces is the only kind fit for a platform built on the principle that the people on it are not the product. The watchtower sees everyone to control the system. The control tower watches the system so it never has to see anyone. We built the second one, and left the first unbuilt on purpose.

The Village is a running system, not a brochure — see it at mysovereignty.digital, and how oversight is scoped for owners and moderators in the operator briefing. The operator cockpit described here is built and being brought into service behind a feature switch; its action layer is inert, holding proposed fixes for human approval rather than performing them. The isolation that keeps each vantage point in its own scope has been adversarially tested. — John G. Stroh, My Digital Sovereignty Ltd., June 2026.