
Which Way Does Your Data Flow?

David Allen

Understanding the impact of cross-border routing of data during an era of emerging geographic restrictions.

Data may be moving to the cloud, but understanding the physical geography underlying the cloud is becoming increasingly critical. October's decision by the European Court of Justice, striking down key portions of the Safe Harbor rules that some companies had relied on to legally transfer personal data between Europe and the U.S., was only the latest example of the regulatory uncertainty involved in cross-border data flows. While Internet companies have begun to address challenges at the static geographic points where data is resident, understanding the actual paths that data travels is an important and sometimes overlooked part of the compliance analysis.

Since the revelations about data collection by the U.S. government, countries have doubled down on their efforts to require companies to store data on their citizens on local servers or otherwise impose geographic restrictions on data, usually citing some combination of privacy and national-security grounds. Russia is implementing one of the strictest such laws, which requires personal data about Russians to be stored and processed on servers physically located within Russia. Other countries, including Brazil, India, South Korea, and China, have floated proposals, while Indonesia, Malaysia, Nigeria, and Vietnam have laws in place requiring local processing of data. A handful of others, including Australia and some provinces in Canada, have specific localization rules related to particularly sensitive categories of data, such as health data. And several governments, including the EU and Argentina, have rules prohibiting the transfer of data overseas unless the foreign jurisdiction has sufficiently strong privacy rules (the issue implicated in the Safe Harbor cases). Enforcement of many of these rules has been limited or put on hold thus far, but the political winds suggest that may not last long.

Some Internet companies have started to address this legislative trend at the data residence level by building in-region data centers, or offering localized cloud or content delivery services. But localized cloud storage is not a panacea and only addresses part of the problem. The cross-border routing of data has received less attention to date and is in many ways a more complex problem.

Here is a seemingly benign scenario. A German company, with a data center in Frankfurt and end users within Germany, limits its internet traffic to a local Tier 1 network such as Deutsche Telekom, expecting to confine that traffic to Germany. As the graph below shows, that company would be disappointed to learn that more than 20% of its traffic actually exited the geographic boundaries of Germany before crossing the border again to reach end users in Germany.

Consider these other hypotheticals:

  • A Russian citizen opens an account with your service. Where is her data stored? Are any backups located outside of Russia? What if the data is needed for processing elsewhere in your company's network? Are there systems in place to control the routing of data? Are there alerts in place if routing changes?
  • Given that users may frequently travel, which localization rules apply and when? If a Finnish citizen opens an account while traveling in Russia, or a Russian citizen while traveling in Finland, when and how is localization required by Russian law? Are systems in place to ensure this?
  • Consider data that may travel internationally and potentially pass through countries that the endpoints may be sensitive about. That sensitivity could stem from politics (regional sensitivity when data is routed between servers in, say, Israel and Lebanon), security (data that routes through a country with a high rate of security breaches), or trade sanctions law (data that crosses through a country where import/export sanctions exist). Are transit paths well understood, and are policies in place to reroute traffic? Is any data passing through countries that pose other risks, such as a high rate of hijacks? Can data be rerouted quickly?
  • For companies that hold any sensitive data, are routing and storage rules versatile and customized enough to provide specialized routing for particular types of data? Is personally identifiable information, health data, sensitive banking information, etc. routed differently and in compliance with domestic laws?
  • The Safe Harbor ruling exemplifies how even highly structured legal regimes can still produce sudden uncertainty. How quickly can you adjust your technical solutions if regulations change?

Content delivery networks and cloud providers are not positioned to fully solve the problem alone, as many are confined by their own internal networks and geographic commitments. Even major Tier 1 networks, as the above example illustrates, frequently route traffic across several sovereign borders.

While there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open internet and private networks should be part of that solution. To address the problem from only a data residence perspective is incomplete at best, and can lead to a false sense of confidence that these myriad regulations are being appropriately addressed. For companies that rely on the global Internet to serve their customers, it is important to have a non-biased partner who is agnostic when it comes to content and to the physical location of data centers and that offers best-in-class geolocation information and visibility into actual traffic patterns in real time.

By David Allen, Senior VP & General Counsel at Dyn
