Home / Blogs

Why Over Compliance With Sanctions at Internet Infrastructure Level Can Have Devastating Effects on Ordinary People

On Friday, Mykhailo Fedorov, Ukraine’s digital transformation minister, asked Cloudflare and Amazon to stop serving Russian web resources and protecting Russian services.

He said in a tweet that Ukraine was “calling on Amazon to stop providing cloud services in Russia.” He also said that “Cloudflare should not protect Russian web resources while their tanks and missiles attack our kindergartens.”

Content Delivery Networks might already refrain from serving sanctioned countries, including Russia. However, sanctions that affect Internet traffic have been under-discussed for a long time. So far, it is unclear how any sanctions have affected CDN services and traffic either destined for or coming from Russia. There is some evidence that CDN “geoblocking” has affected Russian sites. It is documented in an excellent paper published in 2018 that discusses geoblocking and economic sanctions in CDNs by validating the observations through Cloudflare. But sanctions might affect CDNs and Internet traffic beyond geoblocking.

In this post, I will provide an analysis of how sanctions may affect Internet traffic. These sanctions have been affecting Internet traffic from countries such as Iran, Cuba, Syria and Russia for a while.

What is a Content Delivery Network?

A CDN is a system of servers located around the globe that facilitate website performance by delivering the content from the closest servers to the users. It provides various services that affect global connectivity through website operators, IXPs, ISPs, web browsers and others. There are different business models that CDNs use, and the differences are important in how sanctions affect their services, so all the issues I am raising here might not apply to every CDN.

Content Delivery Networks or CDNs generally help with Internet performance by keeping Internet traffic contained within a geographic area or network. They often also provide security services (by combating DDoS attacks, for example). CDNs are very often used by even relatively small website operators. Some of them also provide DNS over HTTPS (DoH) resolution services. They are also often used to make mobile apps work quickly and to provide large-scale software distribution (such as when an operating system update becomes available).

It is important to understand that the consumers of CDN services are ordinary users of the Internet but that those users are not customers. The customers of CDNs are the website operators, software publishers, and so on who pay the CDNs to distribute content. CDNs nevertheless can have an effect on ordinary Internet users. So, we should examine how CDNs might affect various people around the world.

Not serving people in sanctioned countries at all

It is well known to residents of sanctioned countries that some cloud services and CDNs based primarily in the US do not directly serve these residents as customers or as ordinary users. There was, in fact, an outcry about AWS not serving developers from Iran in 2019. Amazon responded about not providing web services to Iranians:

“We comply with all applicable laws in the countries in which we operate, including any international sanctions and other restrictions that may be in place for certain countries,” an AWS spokesperson told Al Jazeera in an emailed statement. “Because Iran is subject to broad trade restrictions, limiting virtually all business with Iran, we do not serve customers in that country.”

It is not true that sanctions limit virtually all business with Iran and sanctioned countries. Sanctions don’t apply to noncommercial and personal communication. But this over-compliance with sanctions can be observed in many places and affects not only CDN customers but even ordinary Internet users.

Peering policy and sanctions

CDNs generally benefit from peering, and many of them maintain an open peering policy (Cloudflare is one example). An open peering policy means that any other network can normally peer with the open peering network without any monetary cost. But while open peering generally includes any network, it does not mean that networks based in sanctioned countries are not affected by the sanctions. In Cloudflare’s case, for example, if peering is also deemed to be a “transaction,” then sanctions might well affect them. Cloudflare’s policy on peering and sanctions is silent as to their view of these kinds of sanctions, but their policy, while allowing open peering, also allows them to restrict peering or not peer when they desire to do so.

Enabling customers to block access to sanctioned countries

CDNs allow their customers to decide “what content” is served to “which users.” In effect, website operators use the geoblocking features to prevent serving users merely because they are based in a certain country. Often, this is used to enforce various content licenses or to conform to distribution restrictions, such as when a video is available in one country but not another. Sometimes, however, site operators use geoblocking not to serve any content to users in sanctioned countries. It’s a blanket compliance with sanctions that is probably not even required by law. But when users are considered as “legal risks” because of their location, then this discriminatory practice is justified internally. Website operators have already been discriminating based on geographical location for years, including against users in Russia.

Content Delivery Network not serving a certain region or country

A CDN can decide not to serve a country or a region at all because of sanctions. So, it might adopt a policy, for example, not to allow its DoH resolvers to serve IP addresses based in Russia. This would mean that for example if the Web Browser uses DoH resolvers of that CDN, users of the web browser-based in sanctioned countries won’t be able to look up any website on that web browser without reconfiguring the browser.

Domain and website operators

Cloudflare offers a free tier customer account that helps with better access to services that are not large enough to afford full-paid service. Residents of sanctioned countries might use these services (especially since they are free). However, these customers might want to hide their origins so they cannot be blocked from the service and might use various VPNs to hide their actual origin IP address (because they can otherwise be blocked). But this technique also effectively moves the customer’s geolocated IP address, so such customers might also not be served with the most efficient routing service. For example, if Cloudflare thinks a connection is coming from North America, it will likely use a North American server to answer queries. In reality, the customer might be in Russia. As a result, the website might load at a lower speed for the Internet user.

Internet, sanctions and global connectivity

When it comes to compliance with sanctions, many industries over comply. Services and products related to the Internet, be it the New gTLDs, Content Delivery Networks and other services, are not exempt. But over compliance with sanctions at the Internet infrastructure level can have a devastating effect on ordinary people’s access to the Internet while not having the optimal deterrent outcome on States and their decision-makers. Perhaps we need to rethink the sanction regime for the Internet to keep the Internet global and open, facilitate free flow of information and discuss meaningful remedies during wars and conflicts.

By Farzaneh Badii, Founder of Digital Medusa

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Russian sanction blacklist Anthony Rutkowski  –  Mar 7, 2022 10:27 AM

What seems clearly needed if for the government authorities in relevant jurisdictions, e.g., U.S. and EU, to develop a Russian Sanction Blacklist the enables organizations and ISPs to block specific domains and IP address blocks by whatever means they have at their disposal.  Such an action would also provide requisite notice, be carefully tailored, and be enforceable.
Better to over comply than under comply - especially where wholesale warcrimes are involved.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global