Re: [Doh] GDPR and DoH

Vittorio Bertola <> Sun, 07 April 2019 17:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E0E1120334 for <>; Sun, 7 Apr 2019 10:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N3ufdyk0MSVo for <>; Sun, 7 Apr 2019 10:23:16 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7BBE81202C4 for <>; Sun, 7 Apr 2019 10:23:16 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D65286A264; Sun, 7 Apr 2019 19:23:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=201705; t=1554657793; bh=ReTbDVxB/xZ302NbuLecF8uOYyexds4KWaEWA4PDbbI=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From; b=0PaAdo20WHZz01zat3LOgAFveu/eyJOJHr1yxDC2LCZ8D2B1MdMNyz1oHQj457HXv kloQr/CYVCuWJ+u78fuvRWQtD/Ceya/oOnmIdAnUHW6xh0G7sCCJXti+X7THrD+TfW goxAwFcBf+GZaxSSqRw9dmDstZ4pdK9TXmFyv1OeND/CBNM8kswJGOBuWiIj8oG44p kIA/kBuX2ym9k68BzTP4b367UA/PLAclznCybU0YWZZq1EO5m2/Kv6IDnAyI/BrDyk nlnZaCbZPOQ+V8/Wwt6Ncy+gZ9yHGSEbYwQbXs3Xnb6I3qAs4EjvmQ0JDeHVCXDQpd 5SCqqkNMSpiMw==
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id C10203C00AB; Sun, 7 Apr 2019 19:23:13 +0200 (CEST)
Date: Sun, 7 Apr 2019 19:23:13 +0200 (CEST)
From: Vittorio Bertola <>
To: Stephen Farrell <>
Cc: DoH WG <>
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_9702_1665162217.1554657793718"
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.10.1-Rev10
X-Originating-Client: open-xchange-appsuite
Archived-At: <>
Subject: Re: [Doh] GDPR and DoH
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Apr 2019 17:23:20 -0000

>     Il 7 aprile 2019 alle 16.07 Stephen Farrell < > ha scritto:
>     On 07/04/2019 14:33, Jim Reid wrote:
>         > > 
> >     > 
>         > >         GDPR is already covered in the T&Cs between an ISP and the end user.
> >         Or should be.
> > 
> >     >     As far as DNS query privacy is concerned, that doesn't appear
>     to be explicitly mentioned by my ISP. Maybe that's an outlier
>     but I'd be surprised. So I don't accept that "already covered"
>     is correct, for DNS query privacy.
I suspect that your ISP has a general consent request in their contract or privacy annex, in which they ask you for consent to treat any personal information that you provide or generate in the context of the Internet access service you are acquiring, for the purpose of what is necessary to provide you such access. That would cover treating DNS queries for giving you back IP addresses, though it would not cover any monetization of them, unless they also ask you for consent for the purpose of targeted advertising or other types of processing (except possibly any processing connected with network security, as that would likely fall under the exceptions to consent listed in the GDPR, as a legitimate interest and/or as necessary to comply with cybersecurity laws).

However, this would mean that DNS is already covered in legal compliance terms, but less so in terms of specific communication of what the operator does with your queries, and I agree with you that this is a different problem than legal compliance, though I disagree that it cannot be solved:

>     (Separately, I also don't accept that one can get informed
>     consent from a person who doesn't understand the question being
>     asked. So from my POV, all this "click to accept" crap is
>     just crap and no more. I do realise that some lawyers likely
>     disagree.)
One positive outcome of this discussion could be a collective attempt to define standard terminology and ways to communicate DNS operator behaviour and policies to final users. It would be great to see all recursor operators, ISP or OTT, communicate their DNS data policies clearly to final users, and uniformity would facilitate user education a lot.

>     Except people keep raising this as an issue, but without being
>     specific enough for me at least to understand if there is or is
>     not any effect on protocols.
I think this was raised in the context of the discussion of DoH deployment policies and of the drafts that were meant to formalize the concerns and discuss best practices, and that, as I understand, are now frozen (hopefully not for long) waiting for the IESG to tell us if and where they can be discussed.



Vittorio Bertola | Head of Policy & Innovation, Open-Xchange 
Office @ Via Treviso 12, 10144 Torino, Italy