Category Archives: Security

Papers, Please: Who Does Your Browser Engine Actually Belong To?


Every German who renews a passport, files taxes through ELSTER, fights for a Bürgeramt appointment, or signs into a statutory health insurer does all of it inside a rendering engine they do not control, cannot audit, and that rewrites itself overnight from a server on the American west coast. The browser engine is the most widely deployed piece of foreign software in the whole of German public life. And it is not on a single critical-infrastructure list.

The thing nobody puts on the list

KRITIS, the German critical-infrastructure regime overseen by the BSI, names everything: energy, water, food, telecommunications, health, finance, and transport. NIS2 widened the perimeter across the EU. And the browser engine? It is the door into every one of those sectors — the layer through which the citizen actually reaches the services — and it sits outside everything we have ever designated.

Three engines run the open web. Google’s Blink carries roughly three-quarters of all traffic, through Chrome, Edge, and nearly all the rest. Apple’s WebKit has iOS locked down. Mozilla’s Gecko, the heart of Firefox, now languishes below five percent. All three are steered from the United States. The European Commission’s June 2026 tech-sovereignty package admits it outright: for the important digital technologies, the Union depends on sources outside Europe for over eighty percent. That is no longer a dependency, it is a relationship.

And here is the point: this is not ownership anxiety. It is an open barn door in governance. An engine that updates itself is a remotely controlled write channel into every public machine that runs it: whoever controls the update server decides what gets pushed onto those devices tonight. We would never tolerate that for an electricity meter or a telephone exchange. But for the layer through which the entire state meets its citizens, we look the other way — because it “works.” That is exactly what every captured piece of infrastructure looks like. Right up to the day it stops working.

Three engines — two of them you’ll never build yourself

Take the romance out of the word and an engine is an assembly of seven parts in a loop: networking, HTML parsing, the DOM, the CSS cascade together with style computation, layout, rendering and compositing, and the bindings that couple JavaScript to the tree. The trick is to grasp that the deepest and most expensive of those parts are commodities. A JavaScript engine, a stack for text shaping and font rasterization, and the GPU primitives beneath rendering — each is person-millennia of work, and rebuilding them buys you exactly zero sovereignty. Nobody controls the web because they own a font rasterizer.

What actually belongs to you — the sovereign silver — is the layout engine, the rendering pipeline, and the security boundary around them. That is the part money is worth spending on, and you do not rebuild it on a greenfield. Servo already exists: a memory-safe engine in Rust, stewarded by the Linux Foundation Europe, taken by a five-person team at Igalia from 41 to 62 percent on the Web Platform Tests, with its first tagged release in 2026. A German engine is therefore a problem of forking and funding — on a European foundation, not a blank page. The full accounting, including the costs below, is laid out in this excellent reality check on browsers and sovereignty.

The shopping list, all in Rust

Here is the stack a funder should actually pay for — selected by a single rule: no American platform gatekeeper in any load-bearing part.

| Subsystem | Sovereign choice | What it replaces |
| --- | --- | --- |
| Language | Rust | memory safety as the foundation — and the whole ecosystem beneath it |
| JavaScript engine | Boa | V8 (Google), JavaScriptCore (Apple), SpiderMonkey (US) |
| GPU rendering and compositing | WebRender + wgpu | Skia and platform-native graphics stacks |
| TLS | rustls | Google’s BoringSSL, OpenSSL |
| Layout | built in-house, on the Taffy framework for Flexbox/Grid | the one part nobody will sell you |
| Text and i18n | rustybuzz, fontations, ICU4X | HarfBuzz, FreeType, ICU (the old C libraries) |
| Accessibility | AccessKit | the platform’s accessibility APIs |
| Base codebase | Servo | a from-scratch rewrite |

The one component that decides whether the word “sovereign” survives the reality check is the JavaScript engine. Embed Google’s V8 or Apple’s JavaScriptCore and you have merely rebuilt the dependency with a nicer logo. Mozilla’s SpiderMonkey is the honest bridge — open, embeddable, the fastest path to a running browser — but it is still code from the US. Boa is the target: an embeddable engine in Rust, MIT-licensed, community-maintained, and already at roughly 94 percent conformance on Test262, the official ECMAScript suite. It is further along than anyone gives it credit for — its Temporal library for dates and times is good enough that V8 itself now uses it. The gap to V8 and SpiderMonkey is real, but it lies in raw speed and in the thousand edge cases, not in correctness. And a gap of exactly that kind is the sort of work a state initiative is good at: bounded, affordable, no black magic. Fund Boa up to web grade, and the JavaScript layer of the European stack contains no foreign-controlled code at all.

Where the money actually goes

The honest engineering picture is the opposite of frightening. Almost everything on the list is either a commodity you wire in once or a bounded problem you solve once. There is exactly one barrier that money only buys down slowly, and that is web compatibility — concretely: it has to behave like Chrome. Layout is loosely specified at the edges, so “correct” in practice means “behaves like Blink, including where Blink departs from the spec” — because the world’s websites are tested against Chrome and not against the specification. There is no elegant shortcut. It is long, stubborn testing against the Web Platform Tests, and that is where the lion’s share of the work will sit over time.

Two other problems are genuinely hard, and both are security problems where a Rust engine can be better than the incumbents rather than merely catching up: the renderer sandbox and the trust boundary between it and the privileged process — and the lifetimes of the DOM objects the JavaScript garbage collector tracks, the classic source of exploitable use-after-free bugs, the very thing memory safety was invented to kill.
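
An added illustration of the DOM-lifetime point, not code from Servo or from the original post: a simplified node arena in which script-side references are generation-checked handles, so a reference kept past a node's removal resolves to nothing instead of to reused memory. The `Dom` and `NodeHandle` types are hypothetical and far simpler than a real engine's garbage-collector integration.

```rust
// Added illustration (hypothetical types, not Servo's design): DOM nodes live
// in an arena and script bindings hold generation-checked handles, not pointers.

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct NodeHandle {
    index: usize,
    generation: u32,
}

struct Slot {
    generation: u32,
    tag: Option<String>, // None means the slot is free
}

#[derive(Default)]
pub struct Dom {
    slots: Vec<Slot>,
    free: Vec<usize>,
}

impl Dom {
    /// Create a node, reusing a freed slot when one is available.
    pub fn create(&mut self, tag: &str) -> NodeHandle {
        if let Some(index) = self.free.pop() {
            let slot = &mut self.slots[index];
            slot.tag = Some(tag.to_string());
            NodeHandle { index, generation: slot.generation }
        } else {
            self.slots.push(Slot { generation: 0, tag: Some(tag.to_string()) });
            NodeHandle { index: self.slots.len() - 1, generation: 0 }
        }
    }

    /// Remove a node. Bumping the generation invalidates every outstanding handle.
    pub fn remove(&mut self, h: NodeHandle) -> bool {
        if let Some(slot) = self.slots.get_mut(h.index) {
            if slot.generation == h.generation && slot.tag.is_some() {
                slot.tag = None;
                slot.generation = slot.generation.wrapping_add(1);
                self.free.push(h.index);
                return true;
            }
        }
        false // stale handle or double removal: rejected, nothing is touched
    }

    /// Resolve a handle. A stale handle yields None, never another node's data.
    pub fn tag(&self, h: NodeHandle) -> Option<&str> {
        let slot = self.slots.get(h.index)?;
        if slot.generation != h.generation {
            return None;
        }
        slot.tag.as_deref()
    }
}

/// Constructed scenario: a script keeps a handle across removal and slot reuse.
pub fn stale_handle_demo() -> (Option<String>, Option<String>) {
    let mut dom = Dom::default();
    let button = dom.create("button"); // handle held by a script binding
    dom.remove(button);                // node is removed from the tree
    let input = dom.create("input");   // the arena reuses the same slot
    (dom.tag(button).map(String::from), dom.tag(input).map(String::from))
}

fn main() {
    let (stale, fresh) = stale_handle_demo();
    println!("stale handle -> {:?}, fresh handle -> {:?}", stale, fresh);
}
```

In a pointer-based design the stale reference would alias the new `input` node; here the mismatch is caught on every access and on a repeated removal.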

The money for all of it? Estimated at roughly 50 to 70 million euros a year — for developers, testing, security audits, and standards work. Set that next to the European Space Agency’s 7.8-billion budget, or the 300 billion the EuroStack initiative wants to pour into digital infrastructure, and a browser engine is a rounding error. It was never about the money. It is about permanence: an engine is not a project that finishes, it is a commitment that has to outlive the ministry that paid for it.

In public hands — and federally

Germany already builds sovereign public software, and already does it federally. ZenDiS, the Center for Digital Sovereignty of Public Administration — a federally owned company founded in late 2022 and explicitly on its way to becoming a joint federal-state body — runs openCode, the public sector’s code forge, and openDesk, the sovereign alternative to Microsoft 365. When the heads of government of all sixteen states gathered for the Minister-Presidents’ Conference, they used openDesk — a week after launch. And at EU level the apparatus is taking shape too: an EU consortium for digital infrastructure and digital commons, with ZenDiS and Germany’s Sovereign Tech Agency set to carry the first projects. The chassis a browser engine would need is half-built before anyone has written a line of layout code.

So put the engine where the rest of the sovereign stack already lives: one upstream, sixteen stewards. A single federal browser authority would recreate the very thing you are running from — one point for political capture and one blast radius for every vulnerability. A federated model, maintained at the state level, distributes the security review, fits the subsidiarity the German state is built on, and ensures no single ministry and no single company holds the keys. Engines do not pool at Google because it would be impossible for everyone else. They pool there because no one else was willing to pay for permanence. A federated public mandate is the one structure that can fund permanence without raising a fresh monopoly under a European flag.

And now the plain truth about the real risk: it is not technical. Germany’s own open-source efforts have already been throttled because federal departments protected their legacy contracts — netzpolitik documented exactly how this agency got the red pencil. The threat to a German engine is procurement politics at home. It was never Rust.

A republic that cannot render its own government in a browser it controls has already handed the front door to someone else. The standards are open, the language is Rust, the foundation is Servo, the JavaScript engine is Boa, and the chassis to govern it is already standing. Fork it. Fund it. Put it in KRITIS. And the keys — those go to the states.

For my great-uncle Lutz and his family, 1941, whom we could no longer get out of Berlin before they were killed because of the information in their papers.

Europe No Longer Can Deny Moscow Routinely Ripping Up Sea Cables

As a life-long sailor, with extensive open water experience, let me try to explain why the Russian sabotage of sea cables is obvious. This is a story about “accidentally” dragging an anchor, in the same way a large truck could “accidentally” run over a Volkswagen and drag it 1,000 miles.

The story comes from a particular tanker called the Eagle S, taken to court over dragging its anchor. On a tanker of its size, anchor and chain together weigh roughly 100 metric tons. Dragging that load demands extra sustained engine power and generates continuous noise through the chain into the hull. The anchor mass and leverage, even swinging free undersea, works erratically against the rudder control and bleeds speed. Prosecutors in court argued that the Eagle S had all these signatures: they experienced falling speed and engine RPM. The crew came up with no plausible excuse to miss these factors. Even more to the point, fuel consumption is an unavoidable concern and anchor drag raises fuel consumption dramatically. On a shadow-fleet voyage that loss is a dominant variable always monitored.

The Eagle S ran one defense in court: the crew never knew the anchor was down, blamed it on winch failure made worse by weather. Basic physics make their claim impossible to believe, and the court did not let it float.

The more annoying line did not come from the ship at all. It came from a European official giving a strange excuse to The Record why drags like this could be an accident: an incompetent master knows the anchor is dragging and will not send crew onto an exposed foredeck in a storm to weigh it. A life-saving heroic decision. On a shadow fleet oil tanker. With disposable crew.

Are you f$%R#%ng kidding me?

The danger of the official European line is what it tries to drop on the unsuspecting reader. It concedes damage was noticed on board, concedes damage was unwanted, and then blames it all on a concern for human safety. They are weaponizing crew welfare on the least maintained, least caring vessels in the world. A tanker arguing they had an accident “because of how much we care about life” is a cynical joke.

Look at it like this: Swedish investigators have reconstructed an incident from the Vezhen ship’s voyage recorder and onboard video. They reported how three independent securing devices held an anchor, with two inoperative for some time. When the last one failed from a wave strike during a storm, the physics described above started to impact the ship. The Swedes say the autopilot compensated for the heavy yaw, and no alarm sounded. Sweden called it an accident of weather, mechanical failure, and poor seamanship. The accident was linked to a lack of care, where safeguards were failing and then gone, buried by ongoing negligence. That’s at least plausible.

The “we cared so much we didn’t care” is absurd on its face.

Now look at it like this: Dragged anchors account for about 30 percent of cable faults worldwide. It’s a thing we have a lot of data on already. A 2008 incident saw a ship drag anchor 180 miles across six cables. That sucked. A single long accidental drag is plausible, but it’s outside the norm because it’s negligent and counter to the variables captains care about, like fuel consumption (drag and direction). That’s why five cable drags in just eighteen months in one very particular sea of interest to Moscow is not plausible.

There is an expected baseline near 0.6 per year. One analyst put the observed cluster of five incidents at a once-in-108,000-years coincidence. Any attempt to look at these clustered anchor drags as isolated accidents is ignoring that they are collectively impossible. That’s what makes the “we cared about crew” so much worse as a defense. The high rate cluster isn’t an accident, and neither is “we cared”.

The legal record explains why cause becomes somewhat irrelevant to the undersea cable threat. The Helsinki court did not find the Eagle S crew innocent. It classified the event as an incident of navigation under UNCLOS Article 97 and assigned jurisdiction to the ship’s flag state. The damage fell inside Finland’s exclusive economic zone but outside its territorial sea, which stopped prosecution. Anchor-dragging is indistinguishable from negligence by official accounts, and the coastal state had to admit incidents are outside its reach.

The Fitburg case gives us a comparison to weigh, because it was caught in the act and inside territorial waters. Their anchor was already damaged before the 130-kilometer drag. Prosecutors allege eight further cables were targeted before the ship was stopped. The coast guard intercepted it in the act, anchor still down, moving from the Estonian into the Finnish zone. Its case proceeds because it had two technical legal conditions the Eagle S did not.

The bottom line is that sailors could understand how incompetence such as lack of care accounts for any one ship in a storm. What does not add up is the regular sequence that indicates someone cares.

The persistence of the accident framing is the thing that dismisses the accident framing. Leaving these cases as unresolved only serves Moscow, which runs its flimsy deniability. European governments apparently want to avoid calling out that there has been a sustained campaign against their infrastructure, and it’s unclear why.

Prairieland Ruling by Activist Texas Judge Criminalizes Political Speech in America

This is Andrew Jackson in 1835, ordering the US mail inspected to suppress abolitionists, asking Congress to criminalize antislavery speech, and stoking state sanctioned mobs to arrest and torture Americans who opposed slavery.

Donald Trump’s favorite president: Andrew “white republic” Jackson. Historian Matthew Clavin says as terrible as Andrew Jackson was he likely would have despised Trump.

This is Stalin’s Article 58 (PDF) of the RSFSR code, where “anti-Soviet agitation” was a crime that meant whatever the interrogator needed it to mean.

This is Dennis v. United States, the 1951 McCarthy-era ruling that upheld the conviction of Americans for organizing and teaching political theory. Not for what they did. For what they taught.

This is South Africa’s Terrorism Act of 1967, which defined terrorism as anything that might endanger “law and order” and let the police hold suspects without trial.

This is Trump. Punishment is being elevated to deter all political opposition to a white police state.

America has criminalized political speech and identity again, in order to recharacterize lawful conduct. Owning a weapon, owning a book, using an app, knowing the wrong people, all of it becomes an overt act of an anti-Trump conspiracy.

To be clear, this is the exact grievance of the KKK, and of the January 6 mob. Prosecuted for their associations, their beliefs, their plans, they called it tyranny. Now they hold the power and have made it into their application of tyranny. Their violent attempts to replace democracy with dictatorship by overturning an election go pardoned, so that democracy will end. The people who oppose dictatorship draw harsh prison terms for having a legally bought gun and a printed paper. The standard that was angrily rejected, now the radical activist right-wing imposes on everyone else. Not an accident. Corruption.

…the biggest reason nothing in America functions in the public interest: rampant corruption…

The “agitator” label fits anything and everything the white police state decides on their whim, exactly as it did under Jackson, Stalin, McCarthy, and apartheid.

That’s how nine people in Texas just drew 30 to 100 years in jail for a Fourth of July protest at an ICE detention center.

Is a 30-year prison sentence for reading material the America you recognize? It’s very Jacksonian, and thus why Edgar Allan Poe sold so many copies of his 1843 guide to cryptanalysis: “The Gold-Bug”.

Poe’s cryptography from 1840 to 1841 was a newspaper challenge daring readers to send ciphers he would crack, which led to his 1841 essay “A Few Words on Secret Writing.” “The Gold-Bug” then became the most widely read work of his lifetime.

President Jackson was one of the most, if not the most unjust, immoral and corrupt men in American history

Tesla Vehicle Safety Report is Deadly Disinformation

I was watching a report about the Tesla murder of a woman in Texas, and this chart popped up.

Source: CBS Morning

This is Tesla’s Vehicle Safety Report rebroadcast without a single control applied. CBS intentionally, openly, runs a fraudulent “safety” graphic claiming roughly 8x safer (5.5M ÷ 660K = 8.3, 1.6M ÷ 222K = 7.2) in a story about Tesla killing a woman, directly above a chyron saying as much.

The graphic asserts the exact inverse of the news it runs with, a perfect illustration of targeted disinformation. The Tesla numbers are inflated at both ends.

Numerator suppressed. Tesla counts a crash only inside roughly five seconds of disengagement where NHTSA’s reporting order specifies thirty, and counts mainly events at the airbag and restraint threshold. By the agency’s own finding Tesla captures data on around 18 percent of police-reported crashes. Fewer crashes counted means more miles per crash as an intentionally artificial construction.

The Tesla death headline is a cooked definition, not a measurement. It’s Enron, it’s WorldCom, it’s Bernie Madoff.

Denominator gamed. The 5.5M figure is supervised, highway-weighted miles in good conditions. The “US average” is every road, every condition, every vehicle age, including cars built before electronic stability control. Another artificial construction to lie about safety. New beats old carries no information about the system.

And their “active supervision” label is propaganda that concedes the rest: a human monitor was preventing crashes, so the number measures human plus machine, then it credits the unsafe machine instead of the actual safety from a human intervention.

Closed and unsafe. Singer testified there is no math and no science behind the Vehicle Safety Report. CBS ran the lie.

Waymo adjusts for road and neighborhood type, compares against human drivers in the same markets, and publishes through outside review; Tesla keeps the data secret and seeks none.

A self-attesting number, a lie, against an externally validated one. Run the apples-to-apples correction and the advantage collapses. Marco Benedetti matched airbag to airbag and got about three times, calling even that generous because Tesla measures a Tesla driver against the average driver and hides the rest behind fleet age. Three times worse, generously. The Tesla chart claims eight times better.

Here is the cleanest way to state the fraud. The latest 8x worse data from Tesla robotaxis is the same category of driving the CBS chart is bragging about: supervised autonomy with a monitor in the seat. Against NHTSA’s police-reported baseline of roughly one crash per 500,000 miles, the supervised fleet runs about eight times the human rate. On the tighter baseline the arithmetic is 7 crashes in roughly 300,000 miles against one per 700,000, which is 16.3x. Same multiplier, exact opposite result.

CBS broadcasts the fraudulent 8x safer slide for the exact driving mode that measures 8x more dangerous, once a real baseline is used. The two numbers describe the same thing and differ by a factor near sixty.

Another external check also proves the lie. LendingTree’s analysis of 30 brands put Tesla drivers first in accidents at 23.54 per 1,000. Fatal rate runs 5.6 deaths per billion miles against 2.8 for all brands. The marketing chart is a bald-faced lie, which begs why a television segment ran it unedited instead of asking me. Someday, maybe.