How Your Domain Extension Could Put Your Data at Risk
Avoiding the Long Arm of Surveillance States
When organisations think about cybersecurity and data sovereignty, they often focus on encryption, hosting locations, and compliance with laws such as GDPR and PIPEDA. However, an often-overlooked risk comes from something as simple as your domain extension.
Many organisations unknowingly expose themselves to US and UK surveillance laws by using domain extensions controlled by entities based in these countries. The CLOUD Act in the United States and the Investigatory Powers Act (commonly known as the Snooper's Charter) in the UK give authorities sweeping powers to demand data from companies under their jurisdiction, regardless of where that data is stored. If the registry that runs your domain extension is such a company, the domain itself, and the registration records behind it, are within reach of those powers.
How the CLOUD Act Makes .com and Other Extensions Vulnerable
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) was passed in 2018. It lets the US government demand data held by providers subject to US jurisdiction, even if that data is stored outside the United States.
Domain extensions whose registry is an American company therefore fall under US jurisdiction, even when the extension is marketed as "global". The most exposed extensions include:
.com – Run by Verisign, a US company.
.net – Also run by Verisign, so equally subject to US law.
.org – Run by the Public Interest Registry, a US-based non-profit.
.us – The official country-code domain of the United States, fully under US jurisdiction.
.biz – Operated by GoDaddy Registry (formerly Neustar), a US-based firm.
.info – Operated by Identity Digital (formerly Afilias), a US-based company.
.mobi – Also operated by Identity Digital, a US-based company.
.gov – Restricted to US government bodies, so not an option for anyone else in any case.
.mil – Restricted to the US military, likewise closed to other registrants.
The Risk for Non-US Organisations
Even if your business is based in Europe, Canada or elsewhere, a domain under a US-controlled registry can be suspended, seized or redirected on the order of a US court, and the registry can be compelled to hand over the registration data it holds, whatever the privacy law at your hosting location says. Be clear about what the registry does not hold: it has no copy of your website content or email. Those sit with your hosting and email providers, which is why the jurisdiction of those providers matters just as much as the extension.
UK Domains and the Snooper’s Charter
The UK's Investigatory Powers Act 2016, referred to as the Snooper's Charter, gives the British government extensive surveillance capabilities. It allows law enforcement and intelligence agencies to demand data from UK-based service providers, including domain registries and registrars.
UK Domain Extensions at Risk
The following UK domain extensions are run by Nominet, the UK-based not-for-profit registry, and are therefore within reach of the Snooper's Charter:
.uk – The primary country-code domain for the UK.
.co.uk – The most common commercial domain in the UK.
.org.uk – Typically used by non-profits in the UK.
.me.uk – Intended for personal use, but still under UK law.
.gov.uk – Exclusively for UK government bodies, so not open to other registrants.
.ac.uk – Used by UK academic institutions, likewise restricted.
What This Means for Businesses
If your organisation registers a .uk or .co.uk domain, it may be subject to UK surveillance orders, even if your company is headquartered elsewhere. This is particularly awkward for European businesses that must remain fully compliant with GDPR, because a UK order to hand over data can put them in direct conflict with their GDPR obligations.
How to Avoid US and UK Jurisdictional Risks
To protect your data and communications, consider alternative domain extensions that fall under jurisdictions with stronger privacy protections. Some of the best options include:
European and Canadian Domains for Better Privacy
.ch (Switzerland) – Run by SWITCH; Swiss data protection laws are among the strongest in the world, and the extension is open to anyone.
.is (Iceland) – Iceland has strict privacy and data protection policies.
.eu (European Union) – Run by EURid from Belgium, so the registry itself sits under EU law and GDPR. Registrants must be established or resident in the EU or EEA, so it is not open to everyone, and being in the EU does not by itself shield data from EU member-state authorities.
.ca (Canada) – Run by CIRA and governed by Canadian law, including PIPEDA. Registrants must meet CIRA's Canadian presence requirements. Bear in mind that Canada shares intelligence with the US and UK through the Five Eyes alliance, so .ca reduces exposure to US and UK legal process rather than removing it.
.fi (Finland) – Finland has a robust data protection framework.
Other Privacy-Enhancing Strategies
Use a Non-US/UK Registrar – Even with a well-chosen extension, make sure the registrar you buy through is not based in the US or UK; European or Swiss registrars are a safer choice. The reverse does not hold: registering a .com through a Swiss registrar still leaves the domain with Verisign in the US, because the registrar is only the reseller and the registry is where the domain lives.
Choose a Privacy-Friendly Hosting Provider – Where you host your website matters at least as much as the domain itself, because the host, not the registry, holds your content. Avoid US-based hosting companies, including the European data centres of US-headquartered providers, since the CLOUD Act reaches the parent company regardless of where the servers stand.
Consider Decentralised or Anonymous Domains – If privacy is the top concern, Handshake (HNS) names, which are resolved from a blockchain-based root zone instead of the ICANN root, and .onion addresses, which are Tor onion services whose names are derived from the service's own key, take the registry out of the picture entirely. The trade-off is reach: neither resolves in a standard browser or DNS resolver without extra software, so they suit a privacy-critical service rather than a public-facing website.
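The checks behind the registrar and hosting points above, namely which registry a domain actually sits under and which registrar sponsors it, can be automated with RDAP, the JSON successor to WHOIS. The script below is an added example written for this article; it is not code from the original page or from any registry. It reads the IANA bootstrap file to find the registry RDAP server for a domain's TLD, then summarises the registry's record: sponsoring registrar, its IANA ID and country, and any registry-side status such as "server hold". The bootstrap excerpt and the domain record embedded in it are constructed sample data in the real RDAP shape (the Verisign RDAP URLs are real; the .ch URL and the registrar are made up). Given a domain on the command line, it fetches live records instead of the samples.

```python
"""Who controls this domain, and where? RDAP lookup (added example, not from the page)."""
import json
import sys
import urllib.request

# Real IANA bootstrap file: maps each TLD to its registry's RDAP server.
IANA_BOOTSTRAP_URL = "https://data.iana.org/rdap/dns.json"

# Constructed excerpt in the format of dns.json. The Verisign URLs are the real
# ones; the .ch entry is a made-up placeholder.
SAMPLE_BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["com"], ["https://rdap.verisign.com/com/v1/"]],
        [["net"], ["https://rdap.verisign.com/net/v1/"]],
        [["ch"], ["https://rdap.example-registry.ch/"]],
    ],
}

# Constructed domain record in RDAP shape (RFC 9083): a .com sponsored by a
# fictional Swiss registrar, with a registry-side "server hold" applied.
SAMPLE_DOMAIN_RDAP = {
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "status": ["client transfer prohibited", "server hold"],
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrar"],
            "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
            "vcardArray": [
                "vcard",
                [
                    ["version", {}, "text", "4.0"],
                    ["fn", {}, "text", "Example Registrar GmbH"],
                    # vCard adr: po box, ext, street, locality, region, postcode, country
                    ["adr", {}, "text", ["", "", "Musterstrasse 1", "Zurich", "", "8000", "CH"]],
                ],
            ],
        }
    ],
}


def registry_rdap_base(bootstrap, domain):
    """Return the registry RDAP base URL for the domain's TLD, or None if the
    TLD publishes no RDAP server (true for some ccTLDs)."""
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    for tlds, urls in bootstrap.get("services", []):
        if tld in [t.lower() for t in tlds]:
            return urls[0]
    return None


def _vcard_field(vcard_array, name):
    """Pull one property value (e.g. 'fn', 'adr') out of a jCard array."""
    for entry in vcard_array[1]:
        if entry[0] == name:
            return entry[3]
    return None


def summarize_domain(record):
    """Reduce a registry RDAP domain record to the jurisdiction-relevant facts."""
    statuses = [s.lower() for s in record.get("status", [])]
    summary = {
        "domain": record.get("ldhName", "").lower(),
        "registrar": None,
        "registrar_iana_id": None,
        "registrar_country": None,
        "status": statuses,
        # "server hold" is set by the registry, not the registrar: the domain
        # has been pulled from the zone, e.g. under a court order.
        "registry_hold": "server hold" in statuses,
    }
    for entity in record.get("entities", []):
        if "registrar" not in entity.get("roles", []):
            continue
        vcard = entity.get("vcardArray")
        if vcard:
            summary["registrar"] = _vcard_field(vcard, "fn")
            adr = _vcard_field(vcard, "adr")
            if adr:
                summary["registrar_country"] = adr[-1] or None  # country is the last component
        for pid in entity.get("publicIds", []):
            if pid.get("type") == "IANA Registrar ID":
                summary["registrar_iana_id"] = pid.get("identifier")
    return summary


def fetch_json(url):
    """Fetch a live RDAP/bootstrap document (only used when a domain is given)."""
    req = urllib.request.Request(url, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def main(argv):
    if len(argv) > 1:
        domain = argv[1]
        base = registry_rdap_base(fetch_json(IANA_BOOTSTRAP_URL), domain)
        if base is None:
            print(f"no RDAP server in the IANA bootstrap for the TLD of {domain}; try the registry's WHOIS")
            return 1
        record = fetch_json(base.rstrip("/") + "/domain/" + domain)
    else:  # offline demo on the constructed samples
        base = registry_rdap_base(SAMPLE_BOOTSTRAP, "example.com")
        record = SAMPLE_DOMAIN_RDAP
    print("registry RDAP server:", base)
    print(json.dumps(summarize_domain(record), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the sample the registrar is Swiss but the RDAP base URL is Verisign's, which is exactly the registrar caveat above made visible: the registrar holds your account, the registry holds the domain. The "registry_hold" flag corresponds to the EPP serverHold status, which only the registry can set, so it is the status to watch for when a domain is taken down at registry level. Where the bootstrap file has no entry for a TLD the function returns None and you fall back to that registry's own WHOIS service.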
Final Thoughts
Many businesses unknowingly expose themselves to government surveillance and data access laws simply by choosing the wrong domain extension. While .com, .net and .org might seem like "default" choices, they place the domain itself under US legal process, just as .uk and .co.uk place it under UK legal process.
For organisations outside the US and UK, it is crucial to choose a domain that protects your sovereignty. By opting for Swiss, EU, or Canadian domains, businesses can significantly reduce their exposure to foreign surveillance laws and maintain stronger control over their data.
Here are some European and Canadian cloud services known for their strong data protection measures:
Proton Drive
Based in Switzerland, Proton Drive offers end-to-end encrypted cloud storage: files are encrypted on the client, so the provider itself cannot read them. It complies with GDPR and HIPAA standards and holds ISO 27001 certification for information security. Proton's commitment to privacy is evident across its suite of services, including secure email and VPN offerings.
Fabasoft Folio Cloud
An Austrian cloud service focusing on secure collaboration, Fabasoft Folio Cloud stores data exclusively in European data centres, ensuring compliance with EU data protection standards. It boasts certifications like ISO 27001 and emphasises usability and accessibility across platforms.
ThinkOn
A Canadian sovereign cloud provider, ThinkOn ensures data residency within Canada, aligning with national data sovereignty requirements. It offers services that comply with Canadian laws and regulations, providing assurance against foreign jurisdictional overreach.
Server Cloud Canada
This 100% Canadian-owned and operated cloud provider guarantees that data remains within Canadian borders, adhering to local privacy laws and mitigating risks associated with foreign data access.
Anexia
A European cloud provider that emphasises data sovereignty, Anexia ensures that data is stored in compliance with European data protection regulations, safeguarding against unauthorised foreign access.
This is by no means a complete list, but it is a good place to start if you are looking for strong alternatives.