Re: [Doh] GDPR and DoH

S Moonesamy <> Sun, 07 April 2019 12:30 UTC

At 01:43 AM 07-04-2019, Vittorio Bertola wrote:
>This said, since I am also one of the people that raised the GDPR 
>issue, let me provide a general view.
>GDPR (article 6.1: see 
>) requires that any processing of personal information related to a 
>European citizen happens only after the citizen has provided 
>explicit and informed consent (as defined in article 4.11 
>), except for a number of situations in which consent is not 
>required (legal obligations, life at stake, "legitimate interest"...).

>When someone signs up for Internet access with an ISP, the ISP gets 
>them to sign a contract, which, in Europe, definitely includes 
>privacy clauses; that is the place where the user provides explicit 
>and informed consent to data processing, including for the DNS.

There is a privacy clause in a contract with a service provider when 
the latter has to comply with the data protection regulations of the 
country in which it is operating.  The contract I am familiar with 
mentions the law which applies instead of the E.U. General Data 
Protection Regulation (GDPR).  It is up to the "data controller" and 
"data processor" to assess whether informed consent is needed.

The data protection angle of the DNS over HTTPS case is 
debatable.  It could be argued that DNS over HTTPS could be used for 
privacy-unfriendly purposes.  There might also be a dissonance with 
respect to BCP 188.

S. Moonesamy