Home / Blogs

Which Way Does Your Data Flow?

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
David Allen

Understanding the impact of cross-border routing of data during an era of emerging geographic restrictions.

Data may be moving to the cloud, but understanding the physical geography underlying the cloud is becoming increasingly critical. October's decision by the European Court of Justice, striking down key portions of the Safe Harbor rules that some companies had relied on to legally transfer personal data between Europe and the U.S., was only the latest example of the regulatory uncertainty involved in cross-border data flows. While Internet companies have begun to address challenges at the static geographic points where data is resident, understanding the actual paths that data travels is an important and sometimes overlooked part of the compliance analysis.

Since the revelations about data collection by the U.S. government, countries have doubled down on their efforts to require companies to store data on their citizens on local servers or otherwise impose geographic restrictions on data, usually citing some combination of privacy and national-security grounds. Russia is implementing one of the strictest such laws, which requires personal data about Russians to be stored and processed on servers physically located within Russia. Other countries, including Brazil, India, South Korea, and China have floated proposals, while Indonesia, Malaysia, Nigeria, and Vietnam have laws in place requiring local processing of data. A handful of others, including Australia and some provinces in Canada, have specific localization rules related to particularly sensitive categories of data, such as health data. And several governments, including the EU and Argentina, have rules prohibiting the transfer of data overseas unless the foreign jurisdiction has sufficiently strong privacy rules (the issue implicated in the Safe Harbor cases). Enforcement of many of these rules has been limited or put on hold thus far, but the political winds suggest that may not last long.

Some Internet companies have started to address this legislative trend at the data residence level by building in-region data centers, or offering localized cloud or content delivery services. But localized cloud storage is not a panacea and only addresses part of the problem. The cross-border routing of data has received less attention to date and is in many ways a more complex problem.

Here is a seemingly benign scenario. A German company, with a data center in Frankfurt and end-users within Germany limits its internet traffic to a local Tier 1 network such as Deutsche Telekom, expecting to confine its internet traffic to Germany. As the below graph shows, that Company would be disappointed to learn that greater than 20% of its traffic actually exited the geographic boundaries of Germany before crossing the border again to reach end users in Germany.

Consider these other hypotheticals:

  • A Russian citizen opens an account with your service. Where is her data stored? Are any backups located outside of Russia? What if the data is needed for processing elsewhere in your company's network? Are there systems in place to control the routing of data? Are there alerts in place if routing changes?
  • Given that users may frequently travel, which localization rules apply and when? If a Finnish citizen opens an account while traveling in Russia, or a Russian citizen while traveling in Finland, when and how is localization required by Russian law? Are systems in place to ensure this?
  • Consider data that may travel internationally and potentially pass through countries that the end-points may have sensitivity about. That sensitivity could stem from politics (regional sensitivity when data is routed between servers in say Israel and Lebanon), security (data that routes through a country with a high rate of security breaches), or trade sanctions law (data that crosses through a country where import/export sanctions exist). Are transit paths well understood, and are policies in place to reroute traffic? Is any data passing through countries that pose other risks, such as a high rate of hijacks? Can data be rerouted quickly?
  • For companies that hold any sensitive data, are routing and storage rules versatile and customized enough to provide specialized routing for particular types of data? Is personally identifiable information, health data, sensitive banking information, etc. routed differently and in compliance with domestic laws?
  • The Safe Harbor ruling exemplifies how even highly structured legal regimes can still produce sudden uncertainty. How quickly can you adjust your technical solutions if regulations change?

Content delivery networks and cloud providers are not positioned to fully solve the problem alone, as many are confined by their own internal networks and geographic commitments. Even major Tier 1 networks, as the above example illustrates, frequently route traffic across several sovereign borders.

While there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open internet and private networks should be part of that solution. To address the problem from only a data residence perspective is incomplete at best, and can lead to a false sense of confidence that these myriad regulations are being appropriately addressed. For companies that rely on the global Internet to serve their customers, it is important to have a non-biased partner who is agnostic when it comes to content and to the physical location of data centers and that offers best-in-class geolocation information and visibility into actual traffic patterns in real time.

By David Allen, Senior VP & General Counsel at Dyn

Related topics: Cloud Computing, Data Center, Internet Governance, Law, Policy & Regulation



To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

Michele Neylon Appointed Chair Elect of i2Coalition

2016 U.S. Election: An Internet Forecast

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

i2Coalition to Host First Ever Smarter Internet Forum

US Court Grants DCA Trust's Motion for Preliminary Injunction on .Africa gTLD

What Holds Firms Back from Choosing Cloud-Based External DNS?

Dyn Weighs In On Whois

Season's Greetings - 2015 End of Year Message from DotConnectAfrica

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

"The Market Has No Morality" Sophia Bekele Speaks on Business Ethics and Accountability

Dyn Evolves Internet Performance Space with Launch of Internet Intelligence

Dyn Comments on ICG Proposal for IANA Transition

Hybrid Cloud Proves Clouds Are Worthy of Email Infrastructure

Verisign OpenHybrid for Corero and Amazon Web Services Now Available

DotConnectAfrica on "CONNECTing the Dots: Options for Future Action" at UNESCO, Paris

IBCA Presentation to ICANN GAC on Protection of Geographic Names in New gTLDs

Season's Greetings - 2014 End of Year Message from DotConnectAfrica

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele