
discuss - Re: [opennic-discuss] GDPR Compliance

discuss AT lists.opennicproject.org

Subject: Discuss mailing list


  • From: Rex Lampier <dns.opennic.289 AT ls-principals.co.uk>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] GDPR Compliance
  • Date: Wed, 30 May 2018 13:48:12 +0200

Hi -

There is a set of 6 bases for processing lawfully under GDPR -
including legitimate interest and processing for the delivery of a
service which I think DNS is relevant to. Consent is another lawful
basis.

This is only in the instances where PII is involved of course; or
perhaps data which is only one degree of separation from PII in some
cases.

An IP address cannot directly identify an individual - it has to be
combined with other data first (consider the effect of VPNs, proxies,
shared accommodation, IP spoofing etc). We can get the IP range - and
who owns the range - easily enough, but a warrant would be needed for
the ISP to disclose the subscriber at the time. A separate warrant
would be needed to get the DNS server logs in the first place of
course.

Then it has to be proven that an individual was using that specific IP
address at the time. That's a long way to stretch to call an IP PII on
its own.

The opt-in for logging servers Jonah talks about is interesting, just
make sure it's clear that the person is opting in (and what the
consequences might be).

By removing all potential linkage from the logs, DNS servers themselves
cannot reveal the origin of requests, and the initial warrant to
disclose this data would be useless.

HTH

Rex


-----Original Message-----
From: Jonah Aragon <jonah AT triplebit.net>
Reply-to: discuss AT lists.opennicproject.org
To: discuss AT lists.opennicproject.org <discuss AT lists.opennicproject.org>
Subject: [opennic-discuss] GDPR Compliance
Date: Thu, 24 May 2018 13:53:42 -0500

This hasn’t really been brought up here, but I’ve been looking into
GDPR compliance and how it fits into our Matomo website tracking, and
I think it’s relevant to a lot more aspects of this community.

So I wanted to get some thoughts from the community, especially
concerning DNS server logging. At this point in time, we don’t seem to
have an official stance on DNS logging, but it seems to me that any
logging involving IP addresses, but especially query logging, is
directly impacted by GDPR.

As far as I can tell, the onus of GDPR compliance falls on the
individual operators, as they are both the data processor and
controller of the information collected.

Even if that is the case, I think OpenNIC should finally take a
stricter no-logging stance in regard to the DNS servers regardless. I’m
proposing the following ideas:

- Immediately, OpenNIC should adopt a no/anon logging policy for all
new servers.
- Immediately, any servers that don’t have the no/anon logging flag
enabled should be filtered out from the server list. We could implement
some sort of checkbox along the lines of “show servers that log
queries” (this would act as opt-in consent).
- Eventually (TBD), we should begin the removal of any remaining
logging servers.

Regarding website tracking (Matomo), I currently believe we are fully
GDPR compliant. We do not collect any data that could be used to
identify an individual (no PII), as all of the data we collect is
adequately anonymized (negating the need for opt-in consent).
Additionally, the data we collect is publicly available and we have a
simple tracking opt-out system.

As an aside, my Tier 2 servers are currently disabled pending GDPR
compliance. All logs regardless of content are being deleted. Please
don’t use them in the meantime.

Jonah
