Understanding the impact of cross-border routing of data during an era of emerging geographic restrictions.
Data may be moving to the cloud, but understanding the physical geography underlying the cloud is becoming increasingly critical. October's decision by the European Court of Justice, striking down key portions of the Safe Harbor rules that some companies had relied on to legally transfer personal data between Europe and the U.S., was only the latest example of the regulatory uncertainty involved in cross-border data flows. While Internet companies have begun to address challenges at the static geographic points where data is resident, understanding the actual paths that data travels is an important and sometimes overlooked part of the compliance analysis.
Since the revelations about data collection by the U.S. government, countries have doubled down on their efforts to require companies to store data on their citizens on local servers or otherwise impose geographic restrictions on data, usually citing some combination of privacy and national-security grounds. Russia is implementing one of the strictest such laws, which requires personal data about Russians to be stored and processed on servers physically located within Russia. Other countries, including Brazil, India, South Korea, and China have floated proposals, while Indonesia, Malaysia, Nigeria, and Vietnam have laws in place requiring local processing of data. A handful of others, including Australia and some provinces in Canada, have specific localization rules related to particularly sensitive categories of data, such as health data. And several governments, including the EU and Argentina, have rules prohibiting the transfer of data overseas unless the foreign jurisdiction has sufficiently strong privacy rules (the issue implicated in the Safe Harbor cases). Enforcement of many of these rules has been limited or put on hold thus far, but the political winds suggest that may not last long.
Some Internet companies have started to address this legislative trend at the data residence level by building in-region data centers, or offering localized cloud or content delivery services. But localized cloud storage is not a panacea and only addresses part of the problem. The cross-border routing of data has received less attention to date and is in many ways a more complex problem.
Here is a seemingly benign scenario. A German company, with a data center in Frankfurt and end-users within Germany limits its internet traffic to a local Tier 1 network such as Deutsche Telekom, expecting to confine its internet traffic to Germany. As the below graph shows, that Company would be disappointed to learn that greater than 20% of its traffic actually exited the geographic boundaries of Germany before crossing the border again to reach end users in Germany.
Consider these other hypotheticals:
Content delivery networks and cloud providers are not positioned to fully solve the problem alone, as many are confined by their own internal networks and geographic commitments. Even major Tier 1 networks, as the above example illustrates, frequently route traffic across several sovereign borders.
While there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open internet and private networks should be part of that solution. To address the problem from only a data residence perspective is incomplete at best, and can lead to a false sense of confidence that these myriad regulations are being appropriately addressed. For companies that rely on the global Internet to serve their customers, it is important to have a non-biased partner who is agnostic when it comes to content and to the physical location of data centers and that offers best-in-class geolocation information and visibility into actual traffic patterns in real time.
By David Allen, Senior VP & General Counsel at Dyn
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»