Some applications need canisters to identify the country in which they are processed and stored, so that sensitive information can be handled in accordance with privacy laws, government and/or corporate policies, and/or consumer preference.
Regardless of where canisters are physically located, data stored or processed on the Internet Computer (IC) may be subject to the laws of other countries. The IC is envisioned as a hyper-scale platform with global deployment.
A sub-net operator providing service outside of the application owners’ country could be required to comply with a warrant, court order or subpoena request from a foreign law enforcement agency seeking to obtain data originating in another jurisdiction. This means that a nation cannot ensure full sovereignty over its data when it stores data in the IC. Lack of full data sovereignty has the potential to damage the nation and third parties. Sensitive data such as personal information could be subject to foreign laws and be disclosed to another government. Under some foreign laws, disclosure of data could take place without notice to the data owner or their government. [Portion adapted from Government of Canada White Paper: Data Sovereignty and Public Cloud]
IC canisters support orthogonal persistence, meaning they can be used to store data. The canister state is stored on the blockchain. Canister data can be unencrypted or encrypted within a container; however, most data must be decrypted at the time of processing. Homomorphic encryption has yet to be deemed sufficient to address sovereignty concerns and also has its own implementation complexity. The canister, when stored on the blockchain, is believed to be encrypted.
Future IC evolution is anticipated to support the ability to restrict canisters to certain sub-nets. It is presumed that certain data centre operators will offer sub-nets bound to a particular geography to address national data sovereignty requirements.
Supporting automated contracts with privacy stipulations will require that canisters can determine their own country of residence, derived from the physical location of the sub-net. Canisters must also be able to answer queries from other entities about where they are located. This would allow applications to assemble canisters dynamically to meet their privacy obligations. The NNS may also leverage the country code when scaling capacity.