[Driu] DoH Digests and privacy risks

[Vittorio Bertola <vittorio.bertola@open-xchange.com>]

Hello,
 
this started as a comment on Mark Nottingham's DoH Digests draft as presented today in the BoF, but in the end it deals with more fundamental issues with DoH, so I'm sharing it with the list.

I am a DNS policy guy, not an HTTP guy, and have not been involved in DoH until now. So I was struck by some statements:

1) While encrypted DNS transport removes the potential for MITM eavesdropping, it cannot do anything against privacy breaches by the entity running the resolver. The presentation mentioned, as the intended consequence of DoH, that possibly we will get our name resolution from "big websites". Unfortunately, the business model of most big websites today relies on user data monetization, targeted advertising and so on; so these people would actually have an economic incentive to log and correlate the user's DNS query history with other information that they gather elsewhere, much more than the network access providers. So IMHO in this regard DoH is threatening the user's privacy, rather than increasing it.

2) The draft, right in section 1, assumes that it's the "application's vendor" that gets to vet which DoH servers are good for the user. One would expect that it's rather the user that has the right decide who to trust with their data - this is also the principle underlying most privacy laws around the globe. The user is of course free to delegate that decision to a trusted application vendor or to anyone else, but in the end, the architecture should be conceptually designed to empower the users, not application vendors. Also, if one thinks at how many applications are responsible for user data mistreatment and abuse, this looks like another dangerous policy decision.

So, either I do not understand the privacy threat model that is meant to be addressed by DoH, or such model is perhaps incomplete; yes it's great to encrypt DNS traffic so that no one can sniff or alter it, but that's not the main source of privacy abuses today on the Internet; tracking, centralization and correlation of user activities across multiple services are.

I looked into the main DoH draft as well, but at first sight, notwithstanding the final sections, I could not find any analysis of these security and privacy issues. So while in the end I really like the idea of spreading DoH traffic across multiple services to make tracking and correlation harder, I would first make sure that we have a shared understanding of all the privacy risks that have to be mitigated in this "new DNS ecosystem", and we work on an architecture that addresses them all.

Regards,
-- 

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy