Routing public traffic across county boundaries in Europe

I think this is a pretty dumb question, because I presume this is how
most organisations save money and provide resilience.

What (if any) are the legal implications of taking internet destined
traffic in one country and egressing it in another (with an ip block
correctly marked for the correct country).

Somebody mentioned to me the other day that they thought the Dutch
government didn't allow an ISP to take internet traffic from a Dutch
citizen and egress in another country because it makes it easy for the
local country to snoop.

I've done lots of searching and have our legal council investigating but
I thought someone here might be able to point me in the direction of any
legislation?

(I'll summarise any off-list replies)...
Thanks,

Andy,

I've always wondered this as well. Similar scenario, although not
necessarily egress in a foreign country, but transiting through.

For a brief period, we had an OC48 that carried packets on our network
between Chicago and Seattle that traversed a router of ours in Vancouver, BC
Canada.

Any legal minds here that may know the answer?

Randy

I'm not in a position where I would know for sure, but I'd be
surprised if it were the case, in a atmosphere of European common
market and police cooperation and all European police-judiciary trust
all other European police-judiciary even more than the ones of US
states do (as in a Dutch judge can issue a arrest warrant and French /
German / ... police will execute it without intervention of a French /
German / ... judge, nor decision by any administration, ... Possibly,
it could be construed as a violation of the concept of European common
market, and thus it is forbidden to forbid.

What I would expect is that you still have to obey lawful intercept
legislation, so you need to interconnect with the government "black
box" rooms, and these are at the major IXs in the country. (And I've
repeatedly heard that in the Netherlands, for some time in the past at
least, the way the ISPs got rid of the lawful intercept obligation was
to have the AMS-IX send a copy of *all* the traffic to the government
black box. Not that they had to do that, but it was the easiest /
cheapest way.)

If there were any such obligation, I'd expect the real reason not to
be "the egress country can snoop", but "it is harder for the
originating country to snoop".

Also, I've heard that Canada had (maybe still has) this legislation
forbidding you to route intra-Canadian *telephone* traffic through
another country. Something about else nobody would build a
intercontinental coast-to-coast Canadian network, would just send
long-distance traffic to the USA, go to other coast and send it back
to Canada and being this dependent on a foreign country, that's bad.

What I would expect is that you still have to obey lawful intercept
legislation, so you need to interconnect with the government “black
box” rooms, and these are at the major IXs in the country. (And I’ve
repeatedly heard that in the Netherlands, for some time in the past at
least, the way the ISPs got rid of the lawful intercept obligation was
to have the AMS-IX send a copy of all the traffic to the government
black box. Not that they had to do that, but it was the easiest /
cheapest way.)

Easiest/cheapest for the Dutch ISPs. Not for the government though! AMS-IX can be 200GBits a second, so I wonder if this was an exercise in killing the snoopers with kindness.

If there were any such obligation, I’d expect the real reason not to
be “the egress country can snoop”, but “it is harder for the
originating country to snoop”.

Perhaps. The French and German govts are not keen on their officials using Blackberrys ‘cos all European BlackBerry traffic goes via a building near my house (single point of failure? we don’t need no stinkin’ redundancy!) in London.

[...]

(And I've repeatedly heard that in the Netherlands, for some time in the past at
least, the way the ISPs got rid of the lawful intercept obligation was
to have the AMS-IX send a copy of *all* the traffic to the government
black box. Not that they had to do that, but it was the easiest /
cheapest way.)

[...]

That is complete and utter nonsens. That never ever happend.

As everybody can see in the public member list [1] on the AMS-IX website, the Dutch police (AS16147) is connected via 100Mbit/s port. They are just another member, nothing more nothing less.

Encrypted and signed tapped traffic from lawful interceptions may be send from the Dutch ISPs to the police via peering. That traffic may go over AMS-IX indeed. The Dutch ISP are obligated to apply these taps on *access-lines* after some form of legal order. They have to have the the right procedures and equipment to do that (at their own costs) [2].

-- Arien

OTOH, the spirit of the Bretton Woods conferences at the end of WWII
on preventing a repeat was that such critical industrial
interdependencies were fundamental to dissuading nations from going to
war on one another. So far the idea has worked pretty well, exceptions
excepted.

Obviously YMMV.