Issue
There is a need to provide country processing/storage location identification of canisters to support the correct handling of sensitive information in accordance with privacy laws, government and/or corporate policies and/or consumer preference for some applications. Not all nodes need to provide this service - just some usecases will need this capability.
Background
Regardless of where the canisters are physically located, when data is stored or processed in the Internet Computer (IC), the data may be subject to the laws of other countries. The IC is envisioned to be a hyper-scale platform with global deployment.
A data centre operator or node provider providing service outside of the application owners’ country could be required to comply with a warrant, court order or subpoena request from a foreign law enforcement agency seeking to obtain data originating in another jurisdiction. This means that a nation cannot ensure full sovereignty over its data when it stores data in the IC. Lack of full data sovereignty has the potential to damage the nation and third parties. Sensitive data such as personal information could be subject to foreign laws and be disclosed to another government. Under some foreign laws, disclosure of data could take place without notice to the data owner or their government. [Portion adapted from Government of Canada White Paper: Data Sovereignty and Public Cloud]
Discussion
IC canisters support orthogonal persistence, meaning they can be used to store data. The canister state is stored on the blockchain. Canister state can be unencrypted or encrypted within a container, however decryption of most data usually must occur at time of processing. Homomorphic encryption has yet to be deemed sufficient to address sovereignty concerns and also has its own implementation complexity. The cansister state when stored on the blockchain is not encrypted to protected its confidentiality unless the application has implemented such a feature…
Future IC evolution is anticipated to support the ability to restrict canisters to certain sub-nets. It is presumed that certain data centre operators and node providers will offer services bound to a particular geography or economic zone to address data sovereignty requirements.
Support of automated contracts with privacy stipulations will require the ability of canisters to determine their own country of residence as derived from the physical location of the sub-net. Canisters must be able to respond to queries about where they are located when queried by other entities. This would allow applications to assemble canisters to meet their privacy obligations dynamically. The NNS may also leverage country code when scaling capacity.
Implementation would require a sub-net operator declare the sub-net country residency. The veracity of the declaration could be certified by a third party or accepted verbatim depending on the assurance requirement of the consumer. In turn, this country location attribute could be used for contracting and demonstrating due diligence with privacy or other contractual constraints. The privacy policy and sovereignty requirements of the contract being fulfilled by the sub-net operator could be exposed as a method that could be queried.
Proposal
• IC Data centre operators and node providers may optionally declare the country location of their nodes and elect to participate in a subnet restricted to a geo/political construct. They would expose a unique subnet identifier bound to the country-code, location declaration and privacy policy. The ISO 3166-1 alpha-3 format should be considered for the country code.
• All canisters be augmented to have a method to self-query their own geographic location inherited from the subnet upon which it resides. Nodes could still remain unaffiliated or unidentified from a geo-political perspective as this usecase also needs support.
• All canisters be augmented to expose a public method of the inherited location country code allowing it to be consumed by other canisters. The country code must be inherited from the subnet and could not be overridden by the canister.
The update aligns with the terminology of Node Provider/Data Centre Operator and an better understanding of the IC constructs.