
Canadian live route map highlights vulnerabilities to NSA spying efforts

You knew routing was odd, but did you know how odd?

Researchers at the University of Toronto have created a mapping tool that shows how internet data moves around and how the NSA can use just a few surveillance sites to scoop up online traffic.

IXmaps is a visual, interactive database of traffic routes, and uses real data to help Canadians get a sense of what happens when they are sending and receiving information. In some cases, even when the servers you are accessing are next door, the data packets will move around the United States before heading back into Canada.

The researchers call these "boomerang routes" and note that they move your information "into the jurisdiction of the U.S. National Security Agency." In other words, they put your details in the hands of the US government. The maps also show the sites of NSA listening stations.

Route 666

Anyone who has a basic grasp of how the internet works will know that data packets will try to take the shortest and easiest route to their end point, and that can mean they travel to nodes that are physically located all over the world.

It is also well known that due to the size, scale, and speed of networks in the United States, huge amounts of global traffic end up going through US networks, and that the fastest route often depends on private agreements between different ISPs.

But what the researchers have been able to do is highlight how those peering arrangements between ISPs actually cause data packets to bounce around the world.

They have discovered that many of Canada's ISPs have networks that tend to send data flows south of the border and back up again rather than across the country. Mostly this goes through a small number of key routing hubs in New York, Chicago, Seattle, and San Francisco. Hubs in which, incidentally, the NSA has installed splitter devices that provide it with a copy of everything going through.

"Canadians may be surprised to learn that when accessing Canadian sites, even those in the same city, their data often still flows through the United States," the researchers note. "IXmaps research has found thousands of Internet traffic routes in which both ends of a data transfer are located in Canada, but the information travels via the US."
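The boomerang check described above can be run over traceroute output. The following is an added example, not IXmaps code: the traceroute text, the prefix-to-country table (built from reserved documentation address ranges) and the function names are all constructed for illustration, and the first responding hop is assumed to stand in for the origin side.

```python
import ipaddress
import re

# Constructed geolocation table over documentation ranges (RFC 5737).
# A real measurement would use a GeoIP database instead.
PREFIX_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "CA",     # origin ISP (assumed)
    ipaddress.ip_network("198.51.100.0/24"): "US",  # transit hub (assumed)
    ipaddress.ip_network("203.0.113.0/24"): "CA",   # destination (assumed)
}

# Constructed sample: both ends in Canada, middle hops in the US.
SAMPLE_TRACEROUTE = """\
traceroute to example.ca (203.0.113.80), 30 hops max
 1  192.0.2.1  1.2 ms
 2  192.0.2.254  4.8 ms
 3  198.51.100.10  22.1 ms
 4  * * *
 5  198.51.100.77  31.9 ms
 6  203.0.113.1  40.3 ms
 7  203.0.113.80  41.0 ms
"""

def parse_hops(text):
    """Return one entry per hop line: the hop IP, or None if it did not answer."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)", line)
        if not m:
            continue  # header or blank line
        try:
            hops.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            hops.append(None)  # "* * *" or other non-address token
    return hops

def country_of(ip):
    """Longest-prefix match against the table; None when the hop is unlocated."""
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, c) for n, c in PREFIX_COUNTRY.items() if addr in n]
    return max(hits)[1] if hits else None

def classify_route(hops, home="CA"):
    """Label a route boomerang, domestic, inconclusive or not-domestic."""
    countries = [country_of(h) for h in hops]
    if len(countries) < 2 or countries[0] != home or countries[-1] != home:
        return {"verdict": "not-domestic", "via": [], "unlocated": 0}
    middle = countries[1:-1]
    via = sorted({c for c in middle if c and c != home})
    unlocated = middle.count(None)
    # A route with silent or unlocatable hops cannot be proven domestic.
    verdict = "boomerang" if via else "inconclusive" if unlocated else "domestic"
    return {"verdict": verdict, "via": via, "unlocated": unlocated}
```

A route is only reported as domestic when every intermediate hop is located in the home country; silent hops downgrade it to inconclusive rather than being ignored.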

The project takes the view that this is "highly problematic," as it undermines Canadians' privacy and may expose "private or sensitive data, such as health information, student records, political affiliation, religious beliefs, financial information, controversial viewpoints, or intimate communications."

The revelations of mass surveillance by the NSA have sparked a wide range of responses from other countries when it comes to their data traffic. Most significantly, the safe harbor agreement that covers data flows between Europe and the US has been effectively torn up following a successful legal challenge.

Keep it in-house

Many countries are starting to see how they can keep their country's data flows within their own borders, and some are even considering laws to oblige companies to keep data on their citizens on servers in their own country: a level of complexity that gives Facebook and Google heart palpitations.

Brazil is known to be heavily researching how it can avoid so much of its traffic flowing through US systems, even going so far as to build a new submarine cable directly to Europe.

Such efforts are dividing internet engineers, who typically maintain the traditional view that the internet is borderless and should continue to be considered so in order to build the most effective network.

As such, the calm and pragmatic Canadians are working on a less dramatic and more effective solution than forcing data flows into self-contained boxes. They intend to use the internet's own inner workings to limit the amount of spill into the United States.

The company that runs the country's ".ca" domain names, CIRA, among other companies, has been investing in a national network of internet exchange points (IXPs) that will share and exchange traffic within Canada.

By building up capacity and increasing the number of Canadian peering arrangements, the likelihood of data only flowing through Canada rather than crossing over into other jurisdictions is much higher (assuming of course you are only trying to connect to servers within Canada).

Lead researcher Andrew Clement notes: "There is nothing inherently wrong with data moving unencumbered across an interconnected global Internet infrastructure. It is, however, critical that Canadians understand the implications of their data being stored on US servers and moving through US jurisdiction. ISPs need to be transparent, privacy protective, and accountable custodians of user information in this regard. Internet users should be fully informed consumers and citizens when making choices about their sensitive personal data."

If you are interested, you can contribute your own data to the project by installing the IXmaps Client traceroute generating software built by the researchers. It will carry out anonymized traceroute requests from your location and share the results. ®
