Important changes are underway for web users, as browser manufacturers are set to put domain name system (DNS) look ups in the hands of more predictable, trusted and transparent sources.
DNS-over-HTTPS (DoH) will introduce much-needed security and privacy features to web-browsing by looking up DNS requests made in the browser using a trusted DNS provider of that browser. The DNS is the internet architecture that ties a website address to the server where the content of that website is stored. This new feature will make transparent which DNS look-up service is being used.
By default all new DNS look-ups are handled by a chain of requests until an IP address for the website is found: first to one’s internet service provider (ISP), next to the closest DNS root server, then potentially to a cloud hosting provider and other intermediary servers until the
address is located and sent back to the user. The DNS information is stored back along the chain, from the ISP to one’s home router and finally in the web browser itself.
Private persons and consumers need a high level of technical skill to even find out who is providing their DNS, and it gets even more esoteric if they want to know privacy terms. Having a trusted DNS provider and knowing how to configure default DNS queries is even further beyond the reach of most users.
Every DNS request sends data about the website a user is visiting and in particular or in aggregate, this data can be used to infer behaviours of individual users or groups of users. Often internet usage statistics are made from DNS request data. It is a small and technically specific form of personal data collection that has not received much attention by EU regulatory authorities to date.
DoH will solve some of these issues, but at a considerable price that must be recognised. In practice, these privacy-enhancing changes will reduce the number of DNS look-up services that users are in contact with, yet since the trusted DNS services will be chosen by the browser, the new reduced number of DNS look-up services will be predominantly US-based.
As in so many internet issues, this is a trade-off between the parties who retain control over individual persons or consumers in a commercial and technical sense. In the case of Mozilla’s Firefox, the trusted DNS provider will be Cloudflare. If Chrome adopts DoH, the DNS provider is likely to be itself, i.e. Google.
If EU providers had to establish whether they would want to make a better privacy-by-design effort than Cloudflare and Google have already done then, according to Article 25 of the GDPR, they would have tobe the preferred choice for browsers in the EU. Data Protection Agencies would have to assess whether the browser makers have really opted for the most privacy enhancing DNS providers. However, as of today, there is nothing to suggest any EU DNS company would be able to credibly claim that they top Cloudflare on DNS privacy. Like it or not, the current plethora of DNS providers is not conducive to data privacy at all.
DNS discussions are currently ongoing at the Internet Engineering Task Force (IETF), the global standardisation community for low-layer internet protocols. EDRi member ARTICLE 19 is following the discussions on best practices for state-of-the-art privacy-by-design and data management.
DoH is, at least partially, a concrete and positive effect of EU leadership on data protection issues.Hopefully, it will serve to enhance protections of personal privacy while making internet back-end services less obscure. IETF standard setting will provide a benchmark for robust privacy protections in DNS. But these developments are also an example of how EU internet infrastructure organisations and their governors have some way to go before they can be at the top of the privacy game. The success of European global privacy leadership will be measurable by how it reacts to these necessary privacy enhancements.
Improving DNS Privacy in Firefox
“Avskrivningsbeslut Säkerhetsbrister i kundplacerad utrustning” (Only in Swedish)
IETF DNS PRIVate Exchange (dprive) Working Group
(Contribution by Amelia Andersdotter and Mallory Knodel, EDRi member Article 19, United Kingdom)