European Resolver Policy
The new policy provides reassurance as to the protection of personal data gained in the operation of DNS resolution services, explains Andrew Campling from 419 Consulting.
The Domain Name System (DNS): Only a tiny percentage of Internet users understand how it works, with few having knowledge of the protocols and other systems that underpin its operation. And yet, every action that a user takes online is dependent on its functioning. The DNS is the mechanism used to translate website names into the associated Internet Protocol (IP) addresses (DNS resolution) that allow computers to locate the right content on the Internet. It is the Internet’s equivalent of a directory service to translate between the memorable names that are useful to humans and the Internet addresses needed by computers.
The emergence of new protocols such as DNS-over-HTTPS (DoH) has resulted in some browsers changing security-critical behaviour without explaining the implications to users. As more applications opt to implement support for DoH, the policies that the various software companies adopt differ widely in approach, making it even less likely that users will be able to understand how their data is being stored and processed, or how it is being exploited.
Equally, a number of the current policies used by resolver operators, those parties responsible for a great deal of DNS resolution, do not recognize key legislation such as the GDPR and ePrivacy, being more suited to the US market where their authors reside. In addition, not all policies cover key elements such as the jurisdiction under which they operate, with the resulting ambiguity being unhelpful from the perspective of users.
The European Resolver Policy
The above issues prompted a debate within the European industry, which has resulted in the development of the European Resolver Policy (see www.EuropeanResolverPolicy.Com). The European Resolver Policy is intended to provide reassurance to end-users and other stakeholders that personal data gained in the operation of DNS resolution services “are not used for any other purposes except where required by law or regulation, or with GDPR-level consent of the end-user and where it is clearly documented in the operator’s transparency and privacy statement”. Because of this, unless consent has been obtained to do otherwise, users can be confident that their data is only used to operate the DNS service.
The policy has benefited from input from companies across the tech and telecoms sectors in Europe and North America, as well as from civil society and public sector bodies involved in regulation. There are three main components, each of which is described in outline.
Protecting the privacy of users’ DNS data
The first section of the policy focuses on privacy. It states that, except where required or prohibited by law or with GDPR-level consent of the end user, operators of DNS resolver services:
- Must make, document and publish their operational practices to protect the privacy and security of their users’ data. The practices documented in section 5 of the IETF’s RFC 8932 (“Recommendations for DNS Privacy Service Operators”) should be adopted for this reason.
- Should not retain or transfer to any third party any personal data arising from the use of these services except where anonymised or aggregated data is necessary for cybersecurity, DNS analytics, reporting, and research purposes.
- Should not directly or indirectly monetise any personal data arising from the use of these services and should not enable other parties to monetise the data either.
- Should not use or require HTTP cookies or other tracking techniques when communicating with DNS clients that use HTTP-based DNS transports for resolution.
The policy contains other requirements, but those detailed above are among the more interesting.
Security and content filtering
Resolver operators are required to provide details of any categories of material that are blocked, unless prohibited from doing so by law. In addition, it should be possible for users to opt in or out of any filtering capabilities, and resolver operators need to provide a complaints process for any false positives. Cyber intelligence gathered in the operation of the resolver, for example on malicious content, should be shared, as doing so is in the best interests of users.
Unless it is unlawful to provide content protection as a default option to non-expert end-users such as consumers, resolver operators are advised to take care when offering DNS resolution without protection against malicious content or the blocking of child sexual abuse material. Generally speaking, the provision of such protections when allowed in law will be in the best interests of users.
Transparency
Resolver operators are required to offer a transparency and privacy notice. This should be readily accessible, written using plain language and kept up to date. It is important that it provides clarity on compliance with EU and national legislation. In addition, the transparency and privacy notice should include details of any personal data that is stored or processed, together with details of any data requests from law enforcement agencies, including the origin of any requests and the action taken.
Adopting and using the European Resolver Policy
The policy is targeted at a range of companies including Internet Service Providers (ISPs) and cloud-based resolver operators. Other organizations including software developers, membership bodies, industry regulators, and legislators may wish to endorse the policy and encourage its adoption. Whilst developed with European markets in mind, there are no restrictions on the use of the policy by resolver operators that are active in other global markets.
In essence, resolver operators simply need to adapt their processes and then update their transparency and privacy reports. There are no charges to use the policy and details of compliant organizations will be added to the website, with the first updates due within the next month or so. Anyone wishing to adopt the policy can contact the team at Enquiry@EuropeanResolverPolicy.Com.
Full details of the European Resolver Policy are available on the website, which can be accessed at https://www.EuropeanResolverPolicy.Com.
Andrew Campling is Director of 419 Consulting, a public policy and public affairs consultancy focused on the tech and telecom sectors. He has forty years of experience in a wide range of increasingly senior roles in a mainly business-to-business technology context, together with over a decade of non-executive experience. He is currently engaged in a number of initiatives linked to encrypted DNS and related developments.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.