> In some cases, countries are taking extreme steps, such as building new Internet Exchange Points (IXPs), which allow networks to interconnect directly, and encouraging local interconnection to keep local traffic local. We find that although many of these efforts are extensive, they are often futile, due to the inherent lack of hosting and route diversity for many popular sites.
Anyone with a background of datacenter, IDC or VPS knows a simple fact: most of the time, the default routes are often sub-optimal. Even if you are using a CDN, sometimes the traffic just doesn't terminate at the local/nearest/best-connected datacenter of your CDN provider, but a remote datacenter, sometimes in another country. Pretty frustrating.
Because the traffic travels through the cheapest and/or the most convenient path, not the shortest path, and it also depends on your physical location, your ISP, the network topology of your local ISP, the national/international infrastructure, etc.
Finding the optimal path for a specific ISP is a pretty tricky task. My networking-guru friends have the ability to learn the interconnections of different datacenters through the BGP looking glass, and identify the fastest VPS to rent based on their experience in the industry, the knowledge of the national/international infrastructure (which core router the network is using? which submarine cable does this ISP use? which national subnet of the ISP is the server located in?, etc).
It is very common that your traffic has to travel around the entire Earth, crossing the USA in the middle, even if you are just connecting to a nearby continent.
Sadly, there is almost nothing anyone can do about it.
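Added example, not part of the thread: one way to measure the detour described above is to map each answering traceroute hop to a country and report any third country the path crosses. The prefix table, the sample output and the function names are constructed for illustration, and the first hop is assumed to sit in the client's country.

```python
import ipaddress
import re

# Constructed prefix-to-country table using RFC 5737 documentation prefixes.
# A real measurement would substitute a geolocation or ASN dataset.
NETS = [(ipaddress.ip_network(p), cc) for p, cc in [
    ("192.0.2.0/24", "BR"), ("198.51.100.0/24", "US"), ("203.0.113.0/24", "BR"),
]]

# Constructed `traceroute -n` style output: a client and a server in the same
# country whose path leaves the country in the middle.
SAMPLE = """\
 1  192.0.2.1  1.2 ms
 2  192.0.2.17  3.8 ms
 3  198.51.100.9  112.4 ms
 4  * * *
 5  198.51.100.30  118.0 ms
 6  203.0.113.5  231.7 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([\d.]+)\s*ms")

def country_of(ip):
    """Return the country code for an address, or None if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in NETS if addr in net), None)

def parse_hops(text):
    """Return (ttl, ip, rtt_ms, country) for each hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # unanswered hops ("* * *") do not match and are skipped
            hops.append((int(m[1]), m[2], float(m[3]), country_of(m[2])))
    return hops

def transit_report(text):
    """Summarise which third countries a path crosses between its endpoints."""
    hops = parse_hops(text)
    if len(hops) < 2:
        return None
    src, dst = hops[0][3], hops[-1][3]  # assumption: first hop is in the client's country
    transit = []
    for _, _, _, cc in hops[1:-1]:
        if cc and cc not in (src, dst) and cc not in transit:
            transit.append(cc)
    return {"src": src, "dst": dst, "transit": transit,
            "detour": src == dst and bool(transit)}

if __name__ == "__main__":
    print(transit_report(SAMPLE))
```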
I wouldn't be surprised if the EU passed a law requiring domestic traffic to stay domestic. You could even argue existing privacy laws require it already - it just hasn't been enforced in that way.
It's not a hard problem to work around if ISPs were sufficiently motivated to deal with it.
A few German ISPs/internet companies made noise about keeping traffic locally during the Snowden leaks, some were slightly miffed when others pointed out that it would already be the case if they played ball and freely peered with everyone at the German IXPs. (Although with the biggest one of those being monitored by German intelligence agencies with whatever filtering rules the NSA gave them fairly pointless too)
May be somewhat of a philosophical argument if you are limiting it to viewing the content of packets. However, there is still a ton of data that can be leaked that could be considered sensitive - volume of transactions, where they are routing from/to, the frequency distribution of that volume. There is also the possibility for manipulation of transmissions - blocking/dropping them altogether causing service outages/censorship, delay/deprioritization that could affect markets, etc. At the nation-state level, this provides a lot of useful opportunities for bad actors.
TLS isn't sufficient. There was at least one country, Kazakhstan, which had a plan to force all of its citizens to install their own CA to MITM all SSL traffic. (I'm not sure if the plan ever got implemented because the original government press release now 404s).
That's a case of traffic originating in an unsafe country. Circumventing local laws is a completely different issue. This is about transiting "unsafe" countries while routing to/from a (reasonably?) "safe" country. (Are you really certain Brazil isn't logging local traffic? I wouldn't be.)
Anyway, TLS does leak a lot of metadata, which perhaps you'd rather publish a bit less widely. It's an improvement in casual security, which is nice, but not gonna save your bacon on anything specific.
There is a lot of information in request metadata.
For example, even without accessing any encrypted data you can identify:
1. Client (user IP).
2. Service (server IP).
3. Amount of traffic.
4. Direction of traffic.
5. Just watching timestamps, you can identify patterns that will give you information on what type of content the user is accessing (e.g. if you are an oppressive nation state, and want to know who watched or reshared a certain video on YouTube, you can get that purely from request patterns, mainly timestamps). By correlating those timestamps with others, you can identify the user's friends/collaborators, or other identities they use.
If you could avoid certain pipes it could only help security. Even with the security of TLS, that doesn't prevent state-level actors from observing metadata with the advantage of internet-wide timing data, which could be useful for, say, analyzing Tor traffic.
Not a crypto expert but doesn't trusting TLS imply trusting root certs on your PC? Regardless, the Snowden leaks showed that internet traffic can be modified to contain harmful payloads for targeted individuals. Even if only susceptible over non-TLS it still represents a non-zero percentage of internet traffic.
Trusting root certs is a lot less worrying with the advent of certificate transparency. It's now very noisy if a CA issues a cert for something like google.com, and smaller sites can get notifications about cert issuances for their domains from various free alerting services.
It may seem equally compelling to all countries, but in practice some countries put huge resources into gathering everything, and some don't. Avoiding the ones that in practice collect everything in favor of ones that in practice don't would increase security. Separately, we should stay mindful of who is doing this collection, and simultaneously take additional measures to secure our communications.
> There has been research into circumvention systems, particularly for censorship circumvention, that is related to this work, but not sufficient for surveillance circumvention. Tor is an anonymity system that uses three relays and layered encryption to allow users to communicate anonymously [19]. VPNGate is a public VPN relay system aimed at circumventing national firewalls [40]. Unfortunately, VPNGate does not allow a client to choose any available VPN, which makes surveillance avoidance harder.