Who Owns the Wire
Your Secrets Travel Through?

Consider the route of a typical executive communication. An email is composed on a device running a commercial operating system, transmitted through a corporate network managed by a third-party IT provider, routed through a major email platform's servers located in multiple jurisdictions, received by a recipient on a device connected to a different carrier's network. At minimum, five separate infrastructure operators have had the technical capability to observe that communication. In practice, the number is higher.

Each of those infrastructure operators operates under the legal framework of their jurisdiction. Each is subject to lawful intercept requirements in that jurisdiction. Each has contractual obligations that may or may not align with the confidentiality expectations of the parties communicating. None of them are party to the conversation. All of them have, at some level, access to the wire it traveled through.

The Jurisdiction Problem

Communications infrastructure is not jurisdictionally neutral. A voice call placed through a major US carrier is subject to FISA Section 702 collection authority. Email stored on a European cloud provider's servers is subject to GDPR but also to that provider's home country intelligence obligations. A video conference routed through servers in multiple countries may simultaneously be subject to the legal intercept requirements of all of them.

The legal framework governing data in transit and data at rest in third-party infrastructure is not the framework the communicating parties would choose. It is the framework that was in place when the infrastructure was built, in the jurisdiction where the infrastructure is located, under the oversight of regulators who have their own interests and obligations.

For Canadian organizations in particular, the question of jurisdictional sovereignty over communications has become acute. The current geopolitical environment has created real uncertainty about the reliability of US-jurisdiction infrastructure for sensitive Canadian government and enterprise communications. This is not a theoretical concern. It is the reason the Canadian Centre for Cyber Security has accelerated its guidance on sovereign communications infrastructure.

The Custodial Access Question

Beyond legal intercept authority, there is the question of custodial access — the technical capability of infrastructure operators to access communications data independent of any legal process. Major platform providers maintain extensive capabilities to access data stored on their infrastructure. These capabilities exist for legitimate operational reasons: abuse detection, legal compliance, system integrity. They also represent a standing exposure.

When an organization communicates through a third-party platform, the encryption protecting those communications typically operates between the end-user device and the platform's servers. The platform decrypts the communication to process it, apply its features, generate its metadata. The communication exists in plaintext, for some period of time, in infrastructure the organization does not control.

This is the architectural reality of most commercial communications platforms. It is not a flaw. It is a design choice that reflects the commercial priorities of consumer platforms — interoperability, feature richness, content moderation, regulatory compliance. Those commercial priorities are not the same as the security priorities of organizations communicating sensitive information.

What Sovereign Communications Infrastructure Actually Means

Sovereign communications infrastructure is not simply on-premise hardware. Sovereignty requires that the organization — or a custodian operating explicitly in its interest, in a chosen jurisdiction, under a defined legal framework — controls the entire path of communication from transmission to receipt.

This includes the encryption keys. Key material held by a third-party provider is key material accessible to that provider under appropriate legal process or operational necessity. Sovereign key management means the organization holds its own keys, in its own infrastructure, subject to its own key management policy.

It includes the routing. Communications that travel through carrier infrastructure are visible to carrier operators in the degree that carrier encryption allows. Sovereign routing means communications move through infrastructure where the organization has defined and controls the access model.

It includes the jurisdiction. The legal framework governing the infrastructure should be a deliberate choice, not an incidental consequence of which platform offered the best pricing when the organization standardized on its communications stack.

For organizations whose communications carry genuine sensitivity — legal privilege, national security classification, competitive confidentiality — sovereign communications infrastructure is not a luxury. It is the baseline requirement that the current commercial communications market was not built to provide.