ESP DP Privacy and DNS Protocols
On Nov. 29, ESP DP issued technical note on privacy and DNS protocol.
- ESP DP issued privacy recommendations for name resolution system protocols (DNS).
- Internet access from smartphones/desktops uses services to gain access to websites.
- DNS protocol involves data processing by 3rd parties, relating to pages where access is sought.
- This processing could reveal navigation habits and geolocation information, allow profile generation, and be retained in an undefined way, and so involves risk to user privacy.
- Despite increased awareness of internet privacy, DNS is a somewhat forgotten process.
- Thus, ESP DP note identifies privacy issues and implications of illegitimate data processing.
- Identifies guarantees to help manage the risks, for both users and service providers.
- Mainly for software developers, network administrators, DNS and web access providers.
- DNS Background and Challenges
- When browsing the web, computers query other servers via DNS to determine IP address.
- Queries contain not only IP address, which identifies a user and can geolocate people.
- Also name of page accessed, which enables profiling as per browsing habits of device owner.
- DNS was not originally defined with privacy in mind, so queries made are mostly not protected by e.g. encryption and some DNS servers may keep record of queries made.
- On top of being sensitive information, data could be leaked to third parties, and an added problem is that lack of security measures in DNS protocol could lead to DNS impersonation.
- User could browse sites not sought, with attached risks to privacy, data theft/ransom.
- Technology Improvements
- Although security extensions were incorporated into DNS protocol i.e. DNSSEC, they do not have encryption mechanisms that allow confidentiality of DNS communications.
- New measures, DNS over TLS (DoT) or DNS over HTTPS (DoH), are being developed.
- Should queries be intercepted, information is illegible, which improves confidentiality.
- Firefox opted for the latter option, Chrome plans to incorporate it in upcoming version.
- ESP DP considers incorporation of these solutions can advance communication privacy.
- Limitations only overcome when technology matures and is widely put into operation.
- Or internet firms using 3rd-party DNS servers choose GDPR-compliant providers, etc.
- ESP DP reminded that data processed by DNS server are collected for specific processing.
- Therefore, any additional processing e.g. user profiling could have privacy implications.
- In latter case, processing should identify its legal basis of information use, inform user it is occurring, guarantee exercise of user rights plus keep overall GDPR compliance.
||B/D; Bank; Corp; IA; Ins; Inv Co
||Gd, PR 11/29/2019; GDPR Reg 2016/679
||Compliance; Legal; Operations; Outsourcing; Privacy; Reporting; Technology
||Banking; Corporate; Fund Mgt; Insurance; Securities
Last substantive update on 12/02/2019