Re: [Doh] GDPR and DoH

Vittorio Bertola <vittorio.bertola@open-xchange.com> Sun, 07 April 2019 08:43 UTC

Return-Path: <vittorio.bertola@open-xchange.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33EA31202E9 for <doh@ietfa.amsl.com>; Sun, 7 Apr 2019 01:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=open-xchange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Alwg7XoqUpaC for <doh@ietfa.amsl.com>; Sun, 7 Apr 2019 01:43:09 -0700 (PDT)
Received: from mx4.open-xchange.com (alcatraz.open-xchange.com [87.191.39.187]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16CE41202E8 for <doh@ietf.org>; Sun, 7 Apr 2019 01:43:08 -0700 (PDT)
Received: from open-xchange.com (imap.open-xchange.com [10.20.30.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx4.open-xchange.com (Postfix) with ESMTPS id 9613C6A26A; Sun, 7 Apr 2019 10:43:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=open-xchange.com; s=201705; t=1554626586; bh=I5gwywpfhKhSO1YnpjYYr9tg+htjS8gknhYeLb5VS9w=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=0FV48AHkLD7mhur8sWIidvX5FiSDl4bk7NBwSWs7qCw4gtXvTXtIvN2DvVnWk6rrC bd8DxBKEXM3159p3uU2uIf8Xim3ugyWIwuOyZCp7+u8BDkXnprTEIwkSlOKEOZePHP mMF96HWYkAfQh4ex+IQMHSBoRMG9v9dpVksA8hAd4V6rtpfb9V0NixZ7f83evYjCOf DBIiWKxQaNJwty8u04hw+LyBYtNKmdDZQki0xR4P4cmgASoOlkqnwr9Cy2FS5WPF4r geGkGCxZFPA6cu1aCv2qVpfgyLVB7hml5wSGaPKLu98Hz9p/0nm82A5ksHU6MhBtaf d4CyvnyWr5wFA==
Received: from appsuite-gw2.open-xchange.com (appsuite-gw2.open-xchange.com [10.20.28.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by open-xchange.com (Postfix) with ESMTPSA id 7E46D3C0045; Sun, 7 Apr 2019 10:43:06 +0200 (CEST)
Date: Sun, 7 Apr 2019 10:43:05 +0200 (CEST)
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Adam Roach <adam@nostrum.com>
Cc: DoH WG <doh@ietf.org>
Message-ID: <608310409.9575.1554626586437@appsuite.open-xchange.com>
In-Reply-To: <346c2bdb-1c9c-369f-1959-a3ec964c0c52@nostrum.com>
References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> <eea64b30-aad0-a030-5360-1b1484f1d0e3@huitema.net> <CAPsNn2WhjHSEHJUEL8GB6X0d24fkajgPnY4YgkOQbXjyxb5q8Q@mail.gmail.com> <CACfw2hj07TDCxK9bm0T=JguKyuCEfW2zb_yRJnewjOYL4oxdjA@mail.gmail.com> <CACsn0cmk7NbF+ti0dU7Fp0PK8Gt4P5knC5hrHVLDY59-jaYYzA@mail.gmail.com> <6030358E-24FF-4033-B0A1-AB1123FED964@rfc1035.com> <5ce0d730-aac2-95c9-fead-64cbffa03d52@cs.tcd.ie> <D6EE01DE-EE98-4CDE-A869-6205AD3D584A@gmail.com> <6654d063-de2d-9aeb-2ad5-bea3d5c7bea3@cs.tcd.ie> <F838CF7D-9389-4A4A-ADA6-824E7BA4FE21@gmail.com> <ead4d1b3-f8b7-3d8e-877b-734ffa132c67@cs.tcd.ie> <BFEDACF7-F539-4466-A9F3-5688EA4993B8@gmail.com> <346c2bdb-1c9c-369f-1959-a3ec964c0c52@nostrum.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.10.1-Rev10
X-Originating-Client: open-xchange-appsuite
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/0Bh9QUktgwHAmGJaQqOTz14csYA>
Subject: Re: [Doh] GDPR and DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Apr 2019 08:43:12 -0000

> Il 7 aprile 2019 alle 0.20 Adam Roach <adam@nostrum.com> ha scritto:
> 
> Jim and Watson 
> both wisely deferred, at least in the abstract, to legal experts. I 
> advise that this is the proper tactic.

First of all, I agree: we are not lawyers, and even if we were, GDPR sets the basic principles but its application to concrete situations is often arguable, and clarity only appears when a competent data protection authority examines a specific case and comes to a decision, and even then, the decision could still be challenged and go all the way up to the highest national and European courts.

This said, since I am also one of the people that raised the GDPR issue, let me provide a general view.

GDPR (article 6.1: see http://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm ) requires that any processing of personal information related to a European citizen happens only after the citizen has provided explicit and informed consent (as defined in article 4.11 http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm#a4_nr11 ), except for a number of situations in which consent is not required (legal obligations, life at stake, "legitimate interest"...). 

It is hard to see how the processing of DNS queries could fall in any of the non-consensual cases, though indeed the DoH operator could look for one of these exceptions, or try to argue that DNS queries are not personal information. But if we assume that consent is necessary, then the operator needs to acquire it before starting to process any personal information.

When someone signs up for Internet access with an ISP, the ISP gets them to sign a contract, which, in Europe, definitely includes privacy clauses; that is the place where the user provides explicit and informed consent to data processing, including for the DNS.

When the user connects to a random wifi network, usually they get to go through a captive portal which requires them to accept terms and conditions, which, again, include the consent for data processing.

When the user changes the recursor manually in a configuration entry (even today, even with standard DNS), no terms are shown and no consent is asked, but there is an explicit action by the user; so the operator can argue that the consent was explicit, though not informed ("informed" in GDPR terms requires the showing of certain information, such as the name and contacts of the entity that treats the data). So this is IMHO not GDPR-compliant, but since there has been no controversy and there is at least the most important half of the consensus (the "explicit" part, i.e. "specific, freely given, unambiguous" in GDPR terms), no one complained about this yet.

If the application changes the name server by default, then the situation is worse, because the consent is neither explicit nor informed. Installing the application cannot be taken as "specific, freely given, unambiguous" consent, especially if the application never processed DNS data before and so this cannot be expected by the user. So IMHO this is definitely not GDPR compliant.

This however is not a problem that cannot be solved; it will be enough for the application to show a more detailed, GDPR-compliant request for consent when it wants to change the recursor and use one for which the user has not provided consent yet, rather than just tell the user "we are giving you better DNS, ok?". And I guess that Mozilla's lawyers are aware of this and we will see this happening if they actually decide to turn DoH on by default in Europe.

Still, apart from the legal details, the principle underlying the GDPR consent requirements is that if you want to claim that you do something on behalf of the user, you have to ask the user properly. This is the objection that led several people to raise this point in the discussion, and I think it is a valid objection even if we are not lawyers. But, as I said, there are ways to address it.

Ciao,
-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy