European Resolver Policy
Jump to navigation
Jump to search
The European Resolver Policy is an industry-led initiative that sets out best practices for the protection of personal data by DNS resolver operators in Europe in response to the GDPR.[1] It was developed in recognition of most users' lack of understanding of DNS and concerns over being tracked and data monetized.[2] Key figures: Andrew Campling, of 419 Consulting, Andrey Meshkov, of AdGuard, Richard Malovic, of Whalebone, Vittorio Bertola, of Open Xchange, Ken Carnesi, of DNSFilter, and John Todd, of Quad9.[3]
| Policy Area | Component 1 | Component 2 | Component 3 | Component 4 | Component 5 | Component 6 |
|---|---|---|---|---|---|---|
| privacy | DNS Operators MUST make, document and publish their operational practices to protect the privacy and security of their users' data. | DNS Operators SHOULD NOT retain or transfer to any third party any personal data arising from the use of these services except where anonymized or aggregated data is necessary for cybersecurity, DNS analytics, reporting, and research purposes. | DNS Operators SHOULD NOT directly or indirectly monetize any personal data arising from the use of these services and SHOULD NOT enable other parties to monetize the data either. | DNS Operators SHOULD NOT use or require HTTP cookies or other tracking techniques when communicating | The practices documented in section 5 of the IETFs RFC 8932 (Recommendations for DNS Privacy Service Operators) SHOULD be adopted | |
| security/filtering | Blocking: must detail categories of material | Filtering: should be possible to both opt-in and opt-out | Cyber intelligence: aggregated material should be shared with DNS clients that use HTTP-based DNS transports for resolution. | |||
| transparency | Transparency and privacy notice – readily accessible, written using plain language kept up to date | Confirmation of the national jurisdiction that it operates under | Clarity on compliance with EU and national legislation | Details of any personal data that is stored or processed | Details of data requests from law enforcement agencies – origin and action taken | Complaints procedure for filtering |