Derived Country Code in support of Privacy, Sovereignty and Consumer Preference

Issue
There is a need to provide country processing/storage location identification of canisters to support the correct handling of sensitive information in accordance with privacy laws, government and/or corporate policies and/or consumer preference for some applications.

Background
Regardless of where the canisters are physically located, when data is stored or processed in the Internet Computer (IC), the data may be subject to the laws of other countries. The IC is envisioned to be a hyper-scale platform with global deployment.

A sub-net operator providing service outside of the application owners’ country could be required to comply with a warrant, court order or subpoena request from a foreign law enforcement agency seeking to obtain data originating in another jurisdiction. This means that a nation cannot ensure full sovereignty over its data when it stores data in the IC. Lack of full data sovereignty has the potential to damage the nation and third parties. Sensitive data such as personal information could be subject to foreign laws and be disclosed to another government. Under some foreign laws, disclosure of data could take place without notice to the data owner or their government. [Portion adapted from Government of Canada White Paper: Data Sovereignty and Public Cloud]

Discussion
IC canisters support orthogonal persistence, meaning they can be used to store data. The canister state is stored on the blockchain. Canister data can be unencrypted or encrypted within a container, however decryption of most data must occur at time of processing. Homomorphic encryption has yet to be deemed sufficient to address sovereignty concerns and also has its own implementation complexity. The cansister when stored on the blockchain is believed to be encrypted.
Future IC evolution is anticipated to support the ability to restrict canisters to certain sub-nets. It is presumed that certain data centre operators will offer sub-nets bound to a particular geography to address national data sovereignty requirements.
Support of automated contracts with privacy stipulations will require the ability of canisters to determine their own country of residence as derived from the physical location of the sub-net. Canisters must be able to respond to queries about where they are located when queried by other entities. This would allow applications to assemble canisters to meet their privacy obligations dynamically. The NNS may also leverage country code when scaling capacity.
Implementation would require a sub-net operator declare the sub-net country residency. The veracity of the declaration could be certified by a third party or accepted verbatim depending on the assurance requirement of the consumer. In turn, this country location attribute could be used for contracting and demonstrating due diligence with privacy or other contractual constraints. The privacy policy and sovereignty requirements of the contract being fulfilled by the sub-net operator could be exposed as a method that could be queried.

Proposal

• IC Data centre operators be required to declare the country location of a subnet and expose a unique subnet identifier bound to the country-code, location declaration and privacy policy.  The ISO 3166-1 alpha-3 format should be considered for the country code.
• All canisters be augmented to have a method to self-query their own geographic location inherited from the subnet upon which it resides.
• All canisters be augmented to expose a public method exposing their inherited location country code allowing it to be consumed by other canisters.  The country code must be inherited from the data centre subnet and cannot be overridden by the canister.
4 Likes