Understanding the impact of cross-border routing of data during an era of emerging geographic restrictions.
Data may be moving to the cloud, but understanding the physical geography underlying the cloud is becoming increasingly critical. October’s decision by the European Court of Justice, striking down key portions of the Safe Harbor rules that some companies had relied on to legally transfer personal data between Europe and the U.S., was only the latest example of the regulatory uncertainty involved in cross-border data flows. While Internet companies have begun to address challenges at the static geographic points where data is resident, understanding the actual paths that data travels is an important and sometimes overlooked part of the compliance analysis.
Since the revelations about data collection by the U.S. government, countries have doubled down on their efforts to require companies to store data on their citizens on local servers or otherwise impose geographic restrictions on data, usually citing some combination of privacy and national-security grounds. Russia is implementing one of the strictest such laws, which requires personal data about Russians to be stored and processed on servers physically located within Russia. Other countries, including Brazil, India, South Korea, and China have floated proposals, while Indonesia, Malaysia, Nigeria, and Vietnam have laws in place requiring local processing of data. A handful of others, including Australia and some provinces in Canada, have specific localization rules related to particularly sensitive categories of data, such as health data. And several governments, including the EU and Argentina, have rules prohibiting the transfer of data overseas unless the foreign jurisdiction has sufficiently strong privacy rules (the issue implicated in the Safe Harbor cases). Enforcement of many of these rules has been limited or put on hold thus far, but the political winds suggest that may not last long.
Some Internet companies have started to address this legislative trend at the data residence level by building in-region data centers, or offering localized cloud or content delivery services. But localized cloud storage is not a panacea and only addresses part of the problem. The cross-border routing of data has received less attention to date and is in many ways a more complex problem.
Here is a seemingly benign scenario. A German company, with a data center in Frankfurt and end-users within Germany limits its internet traffic to a local Tier 1 network such as Deutsche Telekom, expecting to confine its internet traffic to Germany. As the below graph shows, that Company would be disappointed to learn that greater than 20% of its traffic actually exited the geographic boundaries of Germany before crossing the border again to reach end users in Germany.
Consider these other hypotheticals:
- A Russian citizen opens an account with your service. Where is her data stored? Are any backups located outside of Russia? What if the data is needed for processing elsewhere in your company’s network? Are there systems in place to control the routing of data? Are there alerts in place if routing changes?
- Given that users may frequently travel, which localization rules apply and when? If a Finnish citizen opens an account while traveling in Russia, or a Russian citizen while traveling in Finland, when and how is localization required by Russian law? Are systems in place to ensure this?
- Consider data that may travel internationally and potentially pass through countries that the end-points may have sensitivity about. That sensitivity could stem from politics (regional sensitivity when data is routed between servers in say Israel and Lebanon), security (data that routes through a country with a high rate of security breaches), or trade sanctions law (data that crosses through a country where import/export sanctions exist). Are transit paths well understood, and are policies in place to reroute traffic? Is any data passing through countries that pose other risks, such as a high rate of hijacks? Can data be rerouted quickly?
- For companies that hold any sensitive data, are routing and storage rules versatile and customized enough to provide specialized routing for particular types of data? Is personally identifiable information, health data, sensitive banking information, etc. routed differently and in compliance with domestic laws?
- The Safe Harbor ruling exemplifies how even highly structured legal regimes can still produce sudden uncertainty. How quickly can you adjust your technical solutions if regulations change?
Content delivery networks and cloud providers are not positioned to fully solve the problem alone, as many are confined by their own internal networks and geographic commitments. Even major Tier 1 networks, as the above example illustrates, frequently route traffic across several sovereign borders.
While there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open internet and private networks should be part of that solution. To address the problem from only a data residence perspective is incomplete at best, and can lead to a false sense of confidence that these myriad regulations are being appropriately addressed. For companies that rely on the global Internet to serve their customers, it is important to have a non-biased partner who is agnostic when it comes to content and to the physical location of data centers and that offers best-in-class geolocation information and visibility into actual traffic patterns in real time.
Dave Allen is the Senior Vice President at Dyn where he oversees Dyn’s legal team, and is responsible for all aspects of the company’s legal matters.