ESP DP Privacy and DNS Protocols

On Nov. 29, ESP DP issued technical note on privacy, DNS protocol.

  • ESP DP issued privacy recommendations for name resolution system protocols (DNS).
  • Overview
  • Internet access from smartphones/desktops, uses services to gain access to websites.
  • DNS protocol, involve data processing by 3rd parties, to pages where access is sought.
  • This processing could reveal navigation habits, geolocation information, allowing for profile generation, be conserved in undefined way, and so involves risk to user privacy.
  • Despite increased awareness of internet privacy, DNS is somewhat forgotten process.
  • Thus, ESP DP note identifies privacy issues and implication of illegitimate data process.
  • Identifies guarantees to help manage the risks, for both users and service providers.
  • Mainly for software developers, network administrator, DNS and web access providers.
  • DNS Background and Challenges
  • When browse web, computers query via DNS to other servers to determine IP address.
  • Queries contain not only IP address, which identifies a user and can geolocate people.
  • Also name of page accessed, enables profiling as per browsing habits of device owner.
  • DNS was not originally defined with privacy in mind, so queries made are mostly not protected by e.g. encryption and some DNS servers may keep record of queries made.
  • On top of being sensitive information data could be filtered to third parties, and added problem is lack of security measures of DNS protocol could end on DNS impersonation.
  • User could browse sites not sought, with attached risks to privacy, data theft/ransom.
  • Technology Improvements
  • Although security extensions were incorporated into DNS protocol i.e. DNSSEC, they do not have encryption mechanisms that allow confidentiality of DNS communications.
  • New measures, of DNS over TLS (DoT) or DNS over HTTPS (DoH) are being developed.
  • Should they be intercepted, information becomes illegible, so improves confidentiality.
  • Firefox opted for the latter option, Chrome plans to incorporate it in upcoming version.
  • Recommendations
  • ESP DP considers incorporation of these solutions can advance communication privacy.
  • Only overcome limitations when technology matures and is widely put into operation.
  • Recommendations include promoting greater use of DNSSEC security extensions, and wider use of DNS encrypted queries, where providers inform of service terms of use.
  • Or internet firms using 3rd-party DNS servers choose GDPR-compliant providers, etc.
  • It reminded that data processed by DNS server are collected for specific treatment.
  • Therefore, any additional processing e.g. user profiling could have privacy implications.
  • In latter case, processing should identify its legal basis of information use, inform user it is occurring, guarantee exercise of user rights plus keep overall GDPR compliance.

Regulators ESP DP
Entity Types B/D; Bank; Corp; IA; Ins; Inv Co
Reference Gd, PR 11/29/2019; GDPR Reg 2016/679
Functions Compliance; Legal; Operations; Outsourcing; Privacy; Reporting; Technology
Countries Spain
Products Banking; Corporate; Fund Mgt; Insurance; Securities
Regions EMEA
Rule Type Guidance
Rule Date 11/29/2019
Effective Date 11/29/2019
Rule Id 68335
Linked to N/A
Reg. Last Update 11/29/2019
Report Section EU

Last substantive update on 12/02/2019