The Circuitous International Travel of Your Data (Guest Blog Post)

by guest blogger Marketa Trimble

Most Internet users probably do not know where their online data (aka “cloud data”) reside. Even fewer users likely have any idea of the paths over which their data travel. It is not difficult to picture data residing in one of the large data centers where companies locate their servers. But travel routes – the routes between users and data centers, and between data centers and other persons who access the data – are largely a mystery. Occasionally, researchers explain this mystery – and with some troubling revelations concerning the volume of traffic that is routed through countries that we might not want our packets to transit.

The route that data take is significant because deep packet inspection (“DPI”) might reveal the content of the packets that carry data. Inevitably, packets travel through places where DPI can be performed, and it might be of concern if these places are hostile and/or have no laws or regard for the protection of privacy. Some governments use DPI to identify and block certain incoming Internet traffic as part of their government’s curtailment of free speech, and this censorship can even affect the services that users rely on to safeguard their privacy, such as Tor (The Onion Routing service), which has been the target of DPI and blocking by several governments.

Through traffic has been intercepted and spied on by governments, but apart from the application of national security laws, governments have not openly claimed jurisdiction over data in transit. If a government were to decide to block traffic as part of an open or covert trade blockade, such an action could be a violation of some international commitments (e.g., Article 19.11 of NAFTA 2.0 and Article 14.11 of the CPTPP/TPP) and cause significant damage before the situation were discovered or resolved. But could a government legally stop packets transiting its territory that carry content that violates its laws? Or stop packets in transit if the content violates the rights of someone in the country or someone in another country on the packets’ route?

Whether countries should exercise jurisdiction based on the location of data (i.e. the location of the server containing the data) has been debated. Some countries, such as Russia, insist that servers be located in their country to maintain their country’s power over the data. Other countries maintain that no country should ever (or in most circumstances) mandate server location (e.g., Article 19.12 of NAFTA 2.0 and the more nuanced Article 14.13 of the CPTPP/TPP). If countries may not mandate the location of data, they ensure that entities under their jurisdiction cannot evade their laws by simply locating data servers outside the territory of the country (e.g., the CLOUD Act and Article 3 of the EU GDPR). A clarification of jurisdiction over data in transit might be the next step, particularly in light of the volume of traffic transiting through countries that have nothing to do with the origin and destination of the packets and the packets’ geographically logical route.

It is not new that packets can be, and are, routed via illogical paths; tools have existed to monitor the paths of Internet packets (e.g., BGPmon), users have reported their packets’ international “adventures,” and researchers have studied the “needless exposure” of Internet packets through illogical routing. But a new draft paper by Holland, Smith & Schuchard reports some alarming findings concerning the extent of this phenomenon. Their research showed that at least one-third of the packets they studied were routed through a country that was not on a geographically logical path, based on the origin of the packets and their destination. This finding might not be surprising; people use the services of companies that are located in or have legal ties to third countries and should expect that data could travel through these third countries. But even when the researchers took such third countries into account, they still found that almost half of the packets were routed through an illogical country.

Holland, Smith & Schuchard do not identify in their draft paper how much of the rerouting that they observed was intentional and malicious, but it is known that some actors, likely including government actors, actively reroute packets through their countries. For example, it was shown that in 2013 some Internet packets coming from and intended for certain countries were intentionally rerouted through a Belorussian ISP. But the extent of the actual exposure of data packets on routes between their origin and destination that Holland, Smith & Schuchard show is concerning. It will therefore not be surprising to see even more calls for more predictable, safer, and even specific data routing. In addition to physical infrastructure measures and other methods of preventing the misrouting of Internet traffic, technologies may be deployed to geotag packets and route them in a specific manner (as I described in an earlier post). This may or may not be a good direction to take to continue to improve the Internet, but we may not have a choice.