The main goal of Work Package 5 is to manage both legal challenges and ethical challenges of DNS4EU.
For most people the legal and ethics issues are not necessarily the most exciting elements of infrastructure projects like this one, however, they are important first of all just as a legal requirement. In knowing what the legal requirements obligations are, we may properly address also the ethical challenges in front of us.
Moreover, because DNS4EU is actually one of those projects that is expected to make a difference, the legal and ethical aspects of the DNS4EU infrastructure need to be addressed all the more closely and more carefully.
The consortium members involved in WP5 are: Whalebone, Time-lex and DNSC supported by other consortium members who contribute with their valuable insight into the DNS resolution topic.
Within the project a number of documents have to be drafted and submitted.
First to mention is the Data Management Plan (DMP) that is mandatory for every project co-funded by EU funds. DMP deals with how we handle the data in the course of the project, what data the consortium collects, generates and processes, what datasets are created and whether those data may be re-used outside of the project.
Impact assessment
At the outset of any technology involving data processing on a large scale, consideration must be given to the impact it will have on users of such technology and how it will be perceived by the public. That is why DNS4EU feels compelled to execute a thorough assessment of all operations involving data processing, the purpose and necessity thereof with respect to existing and potential risks for DNS4EU users’ privacy. Basically, to define what data is being processed and why, whether there are sufficient technical security measures in place to prevent leakage or corruption of data, how can the user's data processing itself be minimised. DNS4EU must be and will be fully compliant from the perspective of the applicable law (being it e-privacy, GDPR and/or other).
Public DNS4EU resolver
Public DNS4EU resolver will be a recursive DNS resolver that will serve socio-economic drivers, public internet users in the EU, and offer high reliability and, as an optional feature, protection against general cybersecurity threats and those specific to the EU. It will ensure that DNS resolution data is processed in Europe and personal data is not monetised.
The primary aim of any public DNS resolver should be to give each user his/her freedom in using the internet connection and attending websites without hesitation or fear of their browsing behaviour being monitored. This is also the main objective of the future Public DNS4EU resolver.
To eliminate any doubts and concerns regarding privacy or alleged monitoring of individual users, the provider of a public DNS resolver must be highly transparent. In preparing the public DNS4EU resolver infrastructure the project takes security and privacy very seriously.
Within WP5 we are preparing a Public DNS4EU Resolver Policy - a document that informs the users utilising the DNS resolver about and explains to them:
• what information will be logged, in which case and why
• which data will be retained and retention periods
• how the IP addresses will be treated, with precise description of anonymisation techniques used
• how will the security of the DNS traffic be ensured, and much more.
We took the recommendations of the Internet Engineering Task Force, namely RFC 8932, as the industry standard for this purpose. https://www.rfc-editor.org/rfc/rfc8932.html#example-rps.
We closely cooperate with other consortium members, as deSEC or NASK, on this task and listen to the interested audience, e.g. members of Project’s Stakeholder Group.
Data sharing
It must be pointed out that it is not the primary intention of the project to share data on a regular basis. However, obtaining the data is closely connected with the necessity to set up suitable policies and rules for providing data to third parties, individuals and entities that are not involved in the project. The interested parties might be the selected national cybersecurity centers, universities, cybersecurity research organisations (CERTs, CSIRTs, etc), other threat intelligence partners, and law enforcement authorities, if any. The Policy and Rules for Providing Data to Third Parties defines processes, guidelines, and criteria for sharing data with external parties in a controlled and secure manner and sets the conditions for the provision of anonymised data e.g. for further security analysis. Each party interested in such data has to enter into a Data Sharing Agreement in order to safeguard confidentiality and privacy as default approach of the project.
Legislation assessment
The goal set by the project is to provide an overview of new, including forthcoming, legislation in the field of DNS resolution services, to assess the impact of such laws and based on the findings to propose and implement changes to the project.
This task has proved to be complex. On the one hand, there are various acts coming at the level of EU legislation, on the other hand, national legislations are very fragmented in terms of ensuring a safe Internet, i.e. combating illegal activities on the Internet such as various criminal activities violating cybersecurity regulations, illegal content, copyright infringement etc.
With respect to the national law of individual EU member states, we are currently focusing on getting an overview on the specifics of the particular laws, what kind of threats are regulated, whether blocking/filtering is obligatory or on a recommendation basis only, etc.
In cooperation with DNSC and Time.lex we prepared a questionnaire in order to collect the relevant information from the national stakeholders. The questionnaire is accessible here. Anybody who is willing to contribute with addressing the questions posted there is encouraged to participate.
This blog post has been written by Alena Hipsrova, Legal Counsel at Whalebone
Picture source: https://www.freepik.com/author/pch-vector
