Re: [Doh] GDPR and DoH

Vittorio Bertola <vittorio.bertola@open-xchange.com> Sun, 07 April 2019 08:43 UTC

Date: Sun, 07 Apr 2019 10:43:05 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Adam Roach <adam@nostrum.com>
Cc: DoH WG <doh@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/0Bh9QUktgwHAmGJaQqOTz14csYA>

> On 7 April 2019 at 0:20 Adam Roach <adam@nostrum.com> wrote:
> 
> Jim and Watson 
> both wisely deferred, at least in the abstract, to legal experts. I 
> advise that this is the proper tactic.

First of all, I agree: we are not lawyers, and even if we were, GDPR sets the basic principles but its application to concrete situations is often arguable, and clarity only appears when a competent data protection authority examines a specific case and comes to a decision, and even then, the decision could still be challenged and go all the way up to the highest national and European courts.

This said, since I am also one of the people that raised the GDPR issue, let me provide a general view.

GDPR (article 6.1: see http://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm ) requires that any processing of personal information related to a European citizen happens only after the citizen has provided explicit and informed consent (as defined in article 4.11 http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm#a4_nr11 ), except for a number of situations in which consent is not required (legal obligations, life at stake, "legitimate interest"...). 

It is hard to see how the processing of DNS queries could fall in any of the non-consensual cases, though indeed the DoH operator could look for one of these exceptions, or try to argue that DNS queries are not personal information. But if we assume that consent is necessary, then the operator needs to acquire it before starting to process any personal information.

When someone signs up for Internet access with an ISP, the ISP gets them to sign a contract, which, in Europe, definitely includes privacy clauses; that is the place where the user provides explicit and informed consent to data processing, including for the DNS.

When the user connects to a random wifi network, usually they get to go through a captive portal which requires them to accept terms and conditions, which, again, include the consent for data processing.

When the user changes the recursor manually in a configuration entry (even today, even with standard DNS), no terms are shown and no consent is asked, but there is an explicit action by the user; so the operator can argue that the consent was explicit, though not informed ("informed" in GDPR terms requires the showing of certain information, such as the name and contacts of the entity that treats the data). So this is IMHO not GDPR-compliant, but since there has been no controversy and there is at least the most important half of the consent (the "explicit" part, i.e. "specific, freely given, unambiguous" in GDPR terms), no one has complained about this yet.

If the application changes the name server by default, then the situation is worse, because the consent is neither explicit nor informed. Installing the application cannot be taken as "specific, freely given, unambiguous" consent, especially if the application never processed DNS data before and so this cannot be expected by the user. So IMHO this is definitely not GDPR compliant.

This however is not a problem that cannot be solved; it will be enough for the application to show a more detailed, GDPR-compliant request for consent when it wants to change the recursor and use one for which the user has not provided consent yet, rather than just telling the user "we are giving you better DNS, ok?". And I guess that Mozilla's lawyers are aware of this and we will see this happening if they actually decide to turn DoH on by default in Europe.

Still, apart from the legal details, the principle underlying the GDPR consent requirements is that if you want to claim that you do something on behalf of the user, you have to ask the user properly. This is the objection that led several people to raise this point in the discussion, and I think it is a valid objection even if we are not lawyers. But, as I said, there are ways to address it.

Ciao,
-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy