Re: [Doh] GDPR and DoH

Jim Reid <> Sun, 07 April 2019 13:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B29DD120491 for <>; Sun, 7 Apr 2019 06:34:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BIE2Plb22UWE for <>; Sun, 7 Apr 2019 06:34:08 -0700 (PDT)
Received: from ( [IPv6:2001:4b10:100:7::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CD7AB120490 for <>; Sun, 7 Apr 2019 06:34:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id A903B242109D; Sun, 7 Apr 2019 13:34:04 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Jim Reid <>
In-Reply-To: <>
Date: Sun, 7 Apr 2019 14:33:56 +0100
Cc: DoH WG <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <> <> <> <>
To: Stephen Farrell <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [Doh] GDPR and DoH
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Apr 2019 13:34:11 -0000

> On 6 Apr 2019, at 19:53, Stephen Farrell <> wrote:
> FWIW, I also don't get the GDPR angle here. If it's meant as
> an issue of consent related to selection of DNS server....
> So can you explain the specific GDPR-related issue that you
> think is relevant?

Hi Stephen. When has relevance ever mattered on an IETF list? :-)

From a strict protocol design perspective, GDPR issues probably never matter for the IETF. After all the IETF doesn’t exist so it can’t be sued or prosecuted. GDPR does however have an impact on how IETF protocols get used and deployed. Sometimes that might impact need to be assessed in an IETF setting, just like how IETF docs are expected to have security and human rights considerations these days.

GDPR is already covered in the T&Cs between an ISP and the end user. Or should be. [You’ve probably been bombarded by GDPR tweaks to the T&Cs for your bank, utility providers, etc.] When DoH is used, this is likely to introduce third parties - the DoH service provider and a DoH client. GDPR compliance will be an issue for them, particularly the requirement to get meaningful consent from the end user. How these third parties do that is unlikely to be a topic for the IETF.

That said, I think it’s important that this WG is at least aware of these problems and documents them somehow. ie It produces an RFC which somewhere says something like "If you’re responsible for a DoH platform, make sure you’ve sorted out the GDPR concerns”.