Traffic to government domains often crosses national borders, or flows through risky bottlenecks
- Reference: 1756706351
- News link: https://www.theregister.co.uk/2025/09/01/isoc_government_domain_traffic_measurement/
- Source link:
PhD student Rashna Kumar reached the conclusions above after mapping paths for traffic to government websites in 58 countries, research conducted under an Internet Society Pulse Research Fellowship.
Kumar found that plenty of data destined for government websites or services crosses borders, or uses offshore internet exchange points (IXPs). 23 to 43 percent of paths to government services in countries such as Malaysia, Norway, South Africa, and Thailand routed through exchange points in third-country jurisdictions. Data destined for New Zealand government sites, she told The Register , often visits Australia on the way.
[1]
In conversation with The Register , Kumar suggested that less-developed countries are more likely to route traffic to government domains through offshore infrastructure, and not to use HTTPS to secure that traffic.
[2]
[3]
“Albania sends 86 percent of its government-bound paths through foreign networks and 15 percent through foreign IXPs, yet only one-third of its government domains use HTTPS,” she [4]observed .
Some of that data is therefore vulnerable to man-in-the-middle attacks that could pluck plaintext from data flows.
[5]
Kazakhstan, by contrast, keeps all government traffic within its borders, uses local internet exchange points and boasts 71.5 percent HTTPS adoption. However, it also relies on a single telco – JSC Kazakhtelecom – to carry 70 percent of traffic, a dependency that creates risks because a failure or attack on the telco would be more likely to disrupt services.
“Bangladesh, Pakistan, and Turkey display similar patterns, often rooted in the legacy of state-owned telecom monopolies,” Kumar wrote. In the United Arab Emirates, more than three-quarters of paths go through a single network, Etisalat. She thinks some offshore data flows – like the frequent routing of Moroccan traffic through Spain and France, suggest the possibility of “interesting colonial ties.”
[6]Internet exchange points are ignored, vulnerable, and absent from infrastructure protection plans
[7]Asia reaches 50 percent IPv6 capability and leads the world in user numbers
[8]Regional Internet Registries work to prevent one of their own going rogue
[9]Huawei handed 2,596,148,429,267,413,
814,265,248,164,610,048 IPv6 addresses
Kumar’s research found Canada, Sweden, Switzerland, the UK, and the USA “distribute their government-bound traffic across multiple operators and exchange points, creating greater resilience against technical failures and geopolitical shocks.”
Kumar told The Register Africa is hard to measure, because internet measurement tools like [10]RIPE ATLAS don’t have many probes on the continent.
If you’d like to know how your government performs, the [11]Internet Society article summarizing Kumar’s research includes interactive maps that detail data for 58 nations.
[12]
Kumar submitted the research for peer review, but at the time of writing only a summary is available to the public. ®
Get our [13]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLVuu02sOwwjdIpMmXYIUwAAABE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLVuu02sOwwjdIpMmXYIUwAAABE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLVuu02sOwwjdIpMmXYIUwAAABE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pulse.internetsociety.org/blog/the-digital-roads-to-government-services-uncovering-consolidation-and-exposure
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLVuu02sOwwjdIpMmXYIUwAAABE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2025/07/31/ixp_resilience_call/
[7] https://www.theregister.com/2025/04/23/apnic_half_ipv6_capable/
[8] https://www.theregister.com/2025/03/02/internet_governance_update/
[9] https://www.theregister.com/2024/12/06/apnic_huawei_ipv6/
[10] https://atlas.ripe.net/
[11] https://pulse.internetsociety.org/blog/the-digital-roads-to-government-services-uncovering-consolidation-and-exposure
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_onprem/publicsector&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLVuu02sOwwjdIpMmXYIUwAAABE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://whitepapers.theregister.com/
Re: So what about borders
The study was about whether if, you are in a particular country, and visit that country's government website, your internet traffic will remain within the country, or go to another country at some point along the way.
Re: So what about borders
> The study was about whether if, you are in a particular country, and visit that country's government website, your internet traffic will remain within the country, or go to another country at some point along the way.
Exactly. So if you’re accessing your own country’s gov services and the traffic routes through $neighbour-country, and there’s no https, that’s a problem as it opens up MiTM attack potential. Organised crime and oligarchs will be all over that.
It's called the internet
I think that's how it's supposed to work.
Re: It's called the internet
According to the NSA, anyway.
Re: It's called the internet
In the absolute, you're right.
Unfortunately, some organizations (NSA) and some countries (USA, China among others) do everything they can to hoover up every bit of data they can get their hands on, whether or not they have a court order authorizing them to do so.
So it is becoming useful, if not imperative, to control where the data flows in you own country.
When your own government is sending your data to be processed offshore anyway, does the first hop between you and them even matter?
The issue here isn't really that traffic is routed externally, it's the lack of HTTPS. There also seems to be an assumption that the government websites aren't just being hosted in some American vendor's cloud and thus open to interference in that way regardless of how the traffic is routed.
So what about borders
"Internet traffic to government domains often flows across borders"
So what? If there is appropriate security it shouldn't matter. People travel. I assume we're worrying about individual personal information not intra government traffic? If an individual wants to use a government website from overseas it should be allowed. 86% of Albanian traffic tells a story in itself. Probably from London.