Here’s why server location matters when it comes to securing your information
Most of the time we don’t think about where in the world the server you’re connecting to is located, but sometimes it matters. Sometimes—like confidential business information—where a server is located makes a big difference to your privacy and security.
When a company like Facebook, Google, or Twitter are served with a lawful warrant from authorities seeking customer data, they must comply with the request. If their servers (and the customer data) are in the U.S. or Canada, we know the legal standards for getting customer information.
However, when servers are located in other countries, countries with fewer protections on personal privacy and speech, companies can be forced to share information with authorities that many of us would consider private. Countries with weaker protections on personal privacy and have histories of spying on their citizens, those countries are not the places where you want to put a server hosting sensitive customer information.
Many countries have data localization laws that require if companies like Facebook, Apple, or Twitter want to operate in the country, they must store the data associated with its citizens, in that country. For example for Apple to offer iCloud and iMessage in China, Apple must put servers in China that hold all the data for Chinese Apple users.
And this is where handling secure communications can become very tricky, and why we considered server security as key to our secure messaging app.
Server location has to be local or else
Data localization laws pose real ethical and legal dilemmas for companies. Companies who want to operate in countries like China or Russia (two of the largest countries that have data sovereignty laws), know that by doing so, Chinese and Russian security agencies will ask for, and must be granted, broad access to customer data on those servers. Sometimes to the extent of monitoring all the traffic in and out of the server all the time. Companies which pay attention to server location are pulling out of Russia:
Today, Russia is demanding VPN companies to be complicit with censorship, and we refuse. Read more on our blog, and learn why we don’t keep physical servers in Russia. https://t.co/s9g7J0fJwz
— VyprVPN (@VyprVPN) March 28, 2019
This access can include decrypting data for authorities, because, as in the case of Apple and iCloud in China, the encryption keys needed to decrypt data must also stored on the local server too. When Chinese authorities ask for the keys to decrypt a user’s information, Apple will be forced to comply.
When Edward Snowden revealed the extent of the NSA’s surveillance and data gathering on servers in the U.S. and U.S. internet traffic, the entire world was alarmed at the scale of the NSA’s activities. Russia and China cited the NSA surveillance program as justifications for their data sovereignty laws.
While Russia and China cite protecting their own citizens from U.S. spying to justify data sovereignty laws. The reality is that Russia and China demand broad and unfettered access to data stored on the servers hosted in those countries. And it’s not just data from their citizens that would be exposed. If you communicate with customers in those countries (for example), even if you live outside Russia or China, your portion of the conversation with a Russian or Chinese national would be given to authorities.
The combination of a post-9/11 world and Snowden’s revelations about NSA surveillance were catalysts for people and companies to start asking where their data is stored and who might get access to it. The question for security companies, like SKY ECC, is where to place servers so they have maximum protection for customers while still having superior performance. Because all hosting companies must comply with law enforcement regulations of the respective countries where they operate, the question becomes “how much data can law enforcement be granted when a warrant is issued?”.
Server location is about privacy
It doesn’t matter how large or small your company is, you must abide by the laws of the country you are in. So if you have servers in the U.S., and are served with a lawful warrant for access to those servers, you need to comply and provide the access or information authorities are seeking (or fight it in court as many companies have). However, there are countries that offer better data protection for their customers in terms of privacy and security than others.
Switzerland is one of the best known places where you can place servers and have unparalleled customer privacy protections. Kaspersky Labs, which has long been rumored to have connections to Russian intelligence services, went as far as moving R&D and servers to Zurich to ease concerns that Russian authorities might be snooping on customer data. Placing servers in Switzerland gives companies and customers the same level of protections that Swiss banks are famous for.
Data havens have become a reality
In Neal Stephenson’s 1999 book Cryptonomicon, the characters in one storyline want to build a data haven on a fictional island in a fictional country so there will always be a safe server location for people to store their data away from the prying eyes of government. At the time, data havens were seen as something only a small number of users would need. What government in the West would want to get broad, unfettered, and secret access to servers? After September 11, 2001 the answer became—all of them.
To protect customer privacy, server location became a lot more complicated than the usual requirements of redundant utilities, internet access, and physical security. Now companies need to consider the privacy and security laws where a server is physically housed, and if you want to place servers in multiple data centers around the world for stability and performance, you need to find several suitable countries.
It’s no easy task to find several locations to host servers in conditions that offer stability and security, but this is a task we take very seriously. We work with data centres around the world to give our customers the best experience (minimal downtime, fast response times, and low latency) and maximum protection that guarantees 100% privacy, security, and anonymity. Our end-to-end encryption would be meaningless without this extra work, but we’re always prepared to do that work for our users.