The emergence of new protocols such as DNS-over HTTPS (DoH) has resulted in some browsers changing security critical behaviour without explaining the implications to users.
Few Internet users have a deep understanding of the DNS, let alone DoH. New applications that use relatively new protocols like DoH are emerging all the time, and they each have their own resolver policies.
This all adds up to a rapidly changing situation with limited oversight. How can we be sure that the protocols used by resolver operators are abiding by policies such as Europe’s General Data Protection Regulation (GDPR)? In many cases, the authors of these policies may be operating according to US market principles, which, while understandable, present problems when they’re operating globally.
Ambiguity is a problem for users. The policies that the various software companies adopt differ widely in approach, making it even less likely that users will be able to understand how their data is being stored and processed, or how it is being exploited.
This is where the European Resolver Policy comes into play. It represents an industry-led response to these problems across a collection of jurisdictions, and may provide clues on how to engage with these complex problems.
The policy
The European Resolver Policy has benefited by having input from companies across the tech and telecoms sectors in Europe and North America, as well as from civil society and public sector bodies involved in regulation.
The policy is intended to provide reassurance to end-users and other stakeholders that personal data gained in the operation of DNS resolution services is “…not used for any other purposes except where required by law or regulation, or with GDPR-level consent of the end-user and where it is clearly documented in the operator’s transparency and privacy statement.”
Because of this, users can be confident that their data is only used to operate the DNS service unless consent has been obtained to do otherwise.
While the goal is to bring the policies and procedures up to a point where they meet European requirements, the specification is likely to meet the needs of other markets including those in the US too.
There are three main components.
The privacy requirements
The first section of the policy focuses on privacy. It states that, except where required or prohibited by law or with GDPR-level consent of the end user, operators of DNS resolver services:
- Must make, document and publish their operational practices to protect the privacy and security of their users’ data. The practices documented in section 5 of RFC 8932 should be adopted for this reason
- Should not retain or transfer to any third party any personal data arising from the use of these services except where anonymized or aggregated data is necessary for cybersecurity, DNS analytics, reporting and research purposes
- Should not directly or indirectly monetize any personal data arising from the use of these services and should not enable other parties to monetize the data either
- Should not use or require HTTP cookies or other tracking techniques when communicating with DNS clients that use HTTP-based DNS transports for resolution
There are other requirements, but those detailed above cover some of the more interesting aspects.
Security and filtering requirements
Resolver operators are required to provide details of any categories of material that are blocked, unless prohibited to do so by law. In addition, it should be possible for users to opt in or out of any filtering capabilities, and resolver operators need to provide a complaints process for any false positives. Cyber intelligence gathered in the operation of the resolver (such as malicious content) should be shared, as doing so is in the best interests of users.
Resolver operators are advised to take care when offering DNS resolution, without malicious content protection or the blocking of child sexual abuse material, as a default option to non-expert end-users such as consumers, unless it is unlawful to provide such protections. Generally speaking, the provision of such protections, when allowed in law, will be in the best interests of users.
Transparency requirements
Resolver operators are required to offer a transparency and privacy notice. This should be readily accessible, written using plain language, and kept up to date. It is important that it provides clarity on compliance with EU and national legislation. In addition, the transparency and privacy notice should include details of any personal data that is stored or processed, together with details of any data requests from law enforcement agencies, including the origin of any requests and the action taken.
Adopting and using the European Resolver Policy
The policy is targeted at a range of companies including Internet Service Providers (ISPs) and cloud-based resolver operators. Other organizations, including software developers, membership bodies, industry regulators and legislators may wish to endorse the policy and encourage its adoption.
While developed with European markets in mind, there are no restrictions on the use of the policy by resolver operators that are active in other global markets.
In essence, resolver operators simply need to adapt their processes and then update their transparency and privacy reports. There are no charges to use the policy and details of compliant organizations will be added to the website, with the first updates due within the next month or so.
Anyone wishing to adopt the policy can email the team via enquiry [at] europeanresolverpolicy [dot] com.
Full details of the European Resolver Policy are available on the website.
Andrew Campling is Director of 419 Consulting, a public policy and public affairs consultancy focused on the tech and telecom sectors.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.