Re: [Doh] GDPR and DoH

[Stephen Farrell <stephen.farrell@cs.tcd.ie>]

Hiya,

On 07/04/2019 14:33, Jim Reid wrote:
> 
> 
>> On 6 Apr 2019, at 19:53, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>> 
>> FWIW, I also don't get the GDPR angle here. If it's meant as an
>> issue of consent related to selection of DNS server....
>> 
>> So can you explain the specific GDPR-related issue that you think
>> is relevant?
> 
> Hi Stephen. When has relevance ever mattered on an IETF list? :-)

Either never or always, depending who you're arguing with:-)

> 
> From a strict protocol design perspective, GDPR issues probably never
> matter for the IETF. After all the IETF doesn’t exist so it can’t be
> sued or prosecuted. 

Didn't you notice the LLC thing? :-)

> GDPR does however have an impact on how IETF
> protocols get used and deployed. Sometimes that might impact need to
> be assessed in an IETF setting, just like how IETF docs are expected
> to have security and human rights considerations these days.

I agree that we need to consider GDPR issues, where they exist.
The question I'm posing here is whether there are any new GDPR
issues caused by DoT/DoH and I'm just not seeing them. I can
totally accept that there are privacy/GDPR issues in providing
DNS service that have been largely or totally ignored until
very recently.

(Security considerations btw are needed in drafts, but human
rights considerations are not a requirement, and nor should they
be IMO.)

> 
> GDPR is already covered in the T&Cs between an ISP and the end user.
> Or should be.

As far as DNS query privacy is concerned, that doesn't appear
to be explicitly mentioned by my ISP. Maybe that's an outlier
but I'd be surprised. So I don't accept that "already covered"
is correct, for DNS query privacy.

(Separately, I also don't accept that one can get informed
consent from a person who doesn't understand the question being
asked. So from my POV, all this "click to accept" crap is
just crap and no more. I do realise that some lawyers likely
disagree.)

> [You’ve probably been bombarded by GDPR tweaks to the
> T&Cs for your bank, utility providers, etc.] When DoH is used, this
> is likely to introduce third parties - the DoH service provider and a
> DoH client. 

An ISP could as easily be forwarding all my queries to a quad-N
service, and/or be providing a sample-point for passive DNS, so
ISTM these aren't really new issues at all. (WRT passive DNS, even
if no stub IP addresses are provided, I suspect one could identify
or re-identify based on patterns of QNAMEs and timing.)

> GDPR compliance will be an issue for them, particularly
> the requirement to get meaningful consent from the end user. How
> these third parties do that is unlikely to be a topic for the IETF.

Except people keep raising this as an issue, but without being
specific enough for me at least to understand if there is or is
not any effect on protocols.

From the above, it sounds like you agree there is no effect on
the DoH WG. If that's right then we should accept that there is
no GDPR discussion to have here.

> 
> That said, I think it’s important that this WG is at least aware of
> these problems and documents them somehow. ie It produces an RFC
> which somewhere says something like "If you’re responsible for a DoH
> platform, make sure you’ve sorted out the GDPR concerns”. 

I think that's way too vague to be useful in an I-D. An I-D that
had such text could be described as possibly baselessly generating
FUD, which'd be bad.

I think [1] could provide a fine place to discuss these issues,
but perhaps it needs a permutation applied to the title so that
becomes "Privacy Recommendations for DNS Service Operators." I'm
not sure if we'd find rough consensus to try tackle all the issues
that'd raise though.

S.

[1] https://tools.ietf.org/html/draft-ietf-dprive-bcp-op


> _______________________________________________ Doh mailing list 
> Doh@ietf.org https://www.ietf.org/mailman/listinfo/doh
>