The European Resolver Policy is intended to provide reassurance to end-users and other stakeholders that personal data gained in the operation of DNS resolution services will not be misused. In this guest article, Andrew Campling talks about the aims and benefits of the policy.
The emergence of new protocols such as DNS-over HTTPS (DoH) has resulted in some browsers changing security critical behaviour without explaining the implications to users.
Few Internet users have a deep understanding of the DNS, let alone DoH. New applications that use relatively new protocols like DoH are emerging all the time, and they each have their own resolver policies.
This all adds up to a rapidly changing situation with limited oversight. How can we be sure that the protocols used by resolver operators are abiding by policies such as Europe’s General Data Protection Regulation (GDPR)? In many cases, the authors of these policies may be operating according to US market principles, which, while understandable, present problems when they’re operating globally.
Ambiguity is a problem for users. The policies that the various software companies adopt differ widely in approach, making it even less likely that users will be able to understand how their data is being stored and processed, or how it is being exploited.
This is where the European Resolver Policy comes into play. It represents an industry-led response to these problems across a collection of jurisdictions, and may provide clues on how to engage with these complex problems.
The European Resolver Policy has benefited by having input from companies across the tech and telecoms sectors in Europe and North America, as well as from civil society and public sector bodies involved in regulation.
The policy is intended to provide reassurance to end-users and other stakeholders that personal data gained in the operation of DNS resolution services is “…not used for any other purposes except where required by law or regulation, or with GDPR-level consent of the end-user and where it is clearly documented in the operator’s transparency and privacy statement.”
Because of this, users can be confident that their data is only used to operate the DNS service unless consent has been obtained to do otherwise.
While the goal is to bring the policies and procedures up to a point where they meet European requirements, the specification is likely to meet the needs of other markets including those in the US too.
There are three main components.
The Privacy Requirements
The first section of the policy focuses on privacy. It states that, except where required or prohibited by law or with GDPR-level consent of the end user, operators of DNS resolver services:
- Must make, document and publish their operational practices to protect the privacy and security of their users’ data. The practices documented in section 5 of RFC 8932 should be adopted for this reason
- Should not retain or transfer to any third party any personal data arising from the use of these services except where anonymised or aggregated data is necessary for cybersecurity, DNS analytics, reporting and research purposes
- Should not directly or indirectly monetise any personal data arising from the use of these services and should not enable other parties to monetise the data either
- Should not use or require HTTP cookies or other tracking techniques when communicating with DNS clients that use HTTP-based DNS transports for resolution
There are other requirements, but those detailed above cover some of the more interesting aspects.
Security and Filtering Requirements
Resolver operators are required to provide details of any categories of material that are blocked, unless prohibited to do so by law. In addition, it should be possible for users to opt in or out of any filtering capabilities, and resolver operators need to provide a complaints process for any false positives. Cyber intelligence gathered in the operation of the resolver (such as malicious content) should be shared, as doing so is in the best interests of users.
Resolver operators are advised to take care when offering DNS resolution, without malicious content protection or the blocking of child sexual abuse material, as a default option to non-expert end-users such as consumers, unless it is unlawful to provide such protections. Generally speaking, the provision of such protections, when allowed in law, will be in the best interests of users.
Resolver operators are required to offer a transparency and privacy notice. This should be readily accessible, written using plain language, and kept up to date. It is important that it provides clarity on compliance with EU and national legislation. In addition, the transparency and privacy notice should include details of any personal data that is stored or processed, together with details of any data requests from law enforcement agencies, including the origin of any requests and the action taken.
Adopting and Using the European Resolver Policy
The policy is targeted at a range of companies including Internet Service Providers (ISPs) and cloud-based resolver operators. Other organisations, including software developers, membership bodies, industry regulators and legislators may wish to endorse the policy and encourage its adoption.
While developed with European markets in mind, there are no restrictions on the use of the policy by resolver operators that are active in other global markets.
In essence, resolver operators simply need to adapt their processes and then update their transparency and privacy reports. There are no charges to use the policy and details of compliant organisations will be added to the website, with the first updates due within the next month or so.
Anyone wishing to adopt the policy can email the team via firstname.lastname@example.org.
Full details of the European Resolver Policy are available on the website.
This article was originally published on the APNIC Blog in April 2021.
Comments are disabled on articles published more than a year ago. If you'd like to inform us of any issues, please reach out to us via the contact form here.
Marco Hogewoning •
Hey Andrew, Thanks for this, appreciate the efforts here. What I was wondering, is there a direct link with the DNS4EU initiative as it was presented in the EU's Cybersecurity Strategy that was published late 2020, quoting from the document (JOIN/2020/18): "With a view to reducing security issues related to market concentration, the Commission will encourage relevant stakeholders including EU companies, Internet Service Providers and browser vendors to adopt a DNS resolution diversification strategy. The Commission also intends to contribute to secure Internet connectivity by supporting the development of a public European DNS resolver service. This ‘DNS4EU’ initiative will offer an alternative, European service for accessing the global Internet. DNS4EU will be transparent, conform to the latest security, data protection and privacy by design and by default standards and rules and form part of the European Industrial Alliance for Data and Cloud". Is this initiative seeking to be an implementation of this or could it be? Thanks, MarcoH (Manager Public Policy and Internet Governance, RIPE NCC)
Hide 2 replies
Andrew Campling •
Hi Marco Thank you for your comments. With regards the EU Commission's DNS4EU initiative, there is no direct link between this and the European Resolver Policy, the latter of which comes from industry. However, it is entirely possible (and desirable in my view) that the DNS4EU initiative may specify that resolvers should adopt and be compliant with the policy in order to meet the criteria that you have quoted in your message. Would this have the support of RIPE? This is certainly a point that could be raised during the Commission's next HLIG meeting. Andrew
Hide one reply
Marco Hogewoning •
Thanks for that insight. To be clear, RIPE NCC can't speak for or on behalf of RIPE unless there is an explicit position from the community which allows us to do so. In relation to your question on whether RIPE would support such a position, probably best to defer this to the DNS or Cooperation Working Group. Of course as RIPE NCC, we're happy to help communicate and distribute such a position. But we would need guidance from the community on the merits of your suggestion first.
Daniel Karrenberg •
Hide one reply
Andrew Campling •
Hi Daniel Thank you for highlighting the omission. Human error, now fixed.
Andrew Campling •
With great timing to coincide with the presentation and discussion at the DNS WG today, AdGuard has confirmed that it has adopted the European Resolver Policy. See https://adguard.com/en/blog/adguard-dns-adopted-european-resolver-policy.html for more details.