The Digital Roads to Government Services: Uncovering Consolidation and Exposure

People who access government websites and their associated domains often assume the service is hosted domestically. If so, their data is generally expected to take a direct and local route to the hosting server.

In reality, even when a government domain is hosted locally, the path our data takes can be surprisingly indirect, weaving through foreign networks, crossing international borders, and passing through infrastructure owned by entities in other jurisdictions.

Understanding these network dependencies matters for digital sovereignty, resilience, and security. If critical services rely on foreign networks or overly centralized infrastructure, they may be more vulnerable to outages, censorship, surveillance, or political pressure.

As part of my 2025 Internet Society Pulse Research Fellowship, I have mapped these paths for 58 countries to understand better how government services are reached and where those paths may put control at risk.

How We Follow the Traffic

I began with a curated list of government domains across 58 countries, using the dataset introduced in our IMC 2024 study on government content hosting. Using RIPE Atlas measurement probes inside each country, we ran traceroutes to these domains to map the “on-path” infrastructure: the transit networks (Autonomous Systems, or ASes) and Internet Exchange Points (IXPs) that traffic flows through.

We then classified this infrastructure by jurisdiction. Is it domestic, foreign-owned, or located in another country entirely? This allowed us to quantify how much of the journey is under national control and where it slips beyond.

Local Hosting Does Not Guarantee Local Routing

In several countries, including Albania, Latvia, Pakistan, and the United Arab Emirates, more than 10 percent of paths to domestically hosted government services pass through IXP facilities located in a third country (that is, a country other than where the user or the hosting server is located). 

The reliance is often far greater for foreign-hosted services, with 23 to 43 percent of paths to government services in countries such as Malaysia, Norway, South Africa, and Thailand routed through exchange points in third-country jurisdictions.

Kazakhstan offers a striking contrast. All government services are hosted domestically, and any IXP traffic flows through a single, government-operated exchange. This is a deliberate sovereignty strategy, although it can also create a single point of failure.

Read: Report Highlights Kazakhstan’s Role In Developing Internet Resilience in Central Asia

Regional patterns are equally telling. 

• East Asia and the Pacific tend to keep routing local or within the region, often via hubs like Singapore. 
• In South Asia, Sub-Saharan Africa, and MENA, even locally hosted services frequently pass through far-away jurisdictions, most often in Europe or East Asia.

When Risks Stack Up

We also studied cases where technical and policy vulnerabilities compound. Our measurements show that countries with high foreign routing exposure often also have low adoption of HTTPS encryption. For example, Albania sends 86 percent of its government-bound paths through foreign networks and 15 percent through foreign IXPs, yet only one-third of its government domains use HTTPS.

Figure 1 shows HTTPS adoption varies widely, with some countries leaving a significant share of government services unencrypted. With lower HTTPS adoption, data can be exposed to interception or tampering, which is even more concerning when it traverses networks in other jurisdictions, increasing the risk of surveillance or manipulation.

Figure 1— Percentage of government domains supporting HTTPS (directly or via enforced redirects).

Another risk we measured comes from heavy consolidation, where a small number of providers carry most government-bound traffic. For example,

• In the UAE, more than three-quarters of paths go through a single network, Etisalat.
• In Kazakhstan, JSC Kazakhtelecom handles over 70 percent of government traffic.
• Bangladesh, Pakistan, and Turkey display similar patterns, often rooted in the legacy of state-owned telecom monopolies. 

In these environments, a single outage, misconfiguration, or targeted disruption could ripple across all government services. Figure 2 shows how, in several countries, most transit paths to government services pass through incumbent providers, underscoring this consolidation risk.

Figure 2 —Percentage of government-bound transit paths crossing incumbent ASNs.

By contrast, we found that countries like Canada, Sweden, Switzerland, the UK, and the USA distribute their government-bound traffic across multiple operators and exchange points, creating greater resilience against technical failures and geopolitical shocks.

Why this matters for policy and practice

These findings highlight that improving digital sovereignty isn’t just about hosting domestically. The routes matter too.

For countries aiming to reduce dependency on foreign infrastructure, this might mean:

• Investing in domestic IXPs so local traffic stays local
• Diversifying transit providers to mitigate single points of failure
• Improving encryption coverage so that, when traffic does cross borders, it’s protected.

Looking ahead

This work contributes to a larger research agenda on Internet resilience, focusing on the physical and logical infrastructure that underpins global connectivity. Within this context, our study examines the transparency of the infrastructure delivering web services as a lens to understand its implications for resilience, security, and control.

Rashna Kumar is a final-year PhD candidate at Prof. Bustamante’s AquaLab research group,  Department of Computer Science, Northwestern University.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of the Internet Society.