This is a breakdown of some issues many people have with Google's Privacy Policy for their DNS.
Temporarily Logs (2 days):
- Google logs the IP address of every device sending a DNS query.
- For DNS-over-HTTPS, logs Content-Type & Accept HTTP headers
Permanently Logs:
- Client's autonomous system number
- User's geolocation within 1 km^2 and 1000 people.
- Timestamp
- Requested Domain Name
- Request Domain type
- Transport Protocol
- EDNS version, option
- and a few more, essentially everything but your IP address.
This is enough permanent information to successfully identify the vast majority of people even if they never permanently log your IP - and that's just by itself, not including if you use other Google services. Other services such as Cloudflare DNS or OpenDNS provide a higher degree of privacy and can even be faster than Google's DNS.
Could you please point to what I've reworded that you believe is misleading or misconstrued? I will happily edit my comment and fix it - I have more or less directly quoted it, in context. I have omitted stuff because I didn't feel the need to include the whole privacy policy in a comment (which is why I linked it), but nothing I felt was misleading. If there is a critical point you feel I should include, let me know and I will add it.
As for this not being enough information to identify someone, it really is. Let's assume you use Google's DNS and no Google tools, block all trackers, etc. (which the vast majority of people do not do). Let's say the authorities grab your computer, and somehow have access to Google DNS data (CLOUD Act) and want to see what you did online. They can already filter down DNS queries to 1000 people (and that's assuming all 1000 people use Google DNS, which again they do not). They can figure out what software performed queries based on EDNS data. Timestamps further filter down the dataset if you have a general idea of a person's schedule. With ECS they can further narrow down by service provider. All of a sudden those 1000 autonomous IDs have been significantly narrowed down using just general techniques; if you're targeting a person you will almost certainly be able to use the rest of the data to tie an ID to a machine. If you use other Google services or even just visit sites with Google Analytics that ID is even easier to compromise. Every piece of data collected is a piece of data that can be used to identify you; that's the price of convenience.
EDIT: I would like to mention that even the act of a machine going offline, which will occur if an authority confiscates your machine, will narrow down IDs, as now you only have to look for IDs that stopped communicating with Google's DNS at the time of confiscation.
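The narrowing argument in the two comments above, written out as an added example (not code from the thread or from Google): it builds a constructed set of permanent-log style records with the fields listed at the top (ASN, coarse location cell, timestamp, query type, EDNS signature, no client IP), then measures how small the anonymity set gets as each quasi-identifier is combined, including the "stopped querying at confiscation time" filter. The `device` label is a hypothetical ground-truth tag used only to count how many real devices remain in a candidate set; it is not a field the policy says is stored.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rec:
    """One constructed permanent-log record: no IP, only the coarse fields."""
    device: str   # hidden ground truth for measurement only (hypothetical)
    asn: int      # client's autonomous system number
    cell: str     # coarse geolocation bucket (~1 km^2 in the policy)
    hour: int     # timestamp, simplified to an hour index
    qtype: str    # requested record type
    edns: str     # EDNS version/options, a proxy for client software


def build_records():
    """Constructed sample: six devices in one location cell, two ISPs, two stubs.
    The last column is the hour of each device's final query."""
    profiles = [
        ("dev-A", 64500, "cell-1", "edns0/cookie", 10),  # goes silent at hour 10
        ("dev-B", 64500, "cell-1", "edns0/cookie", 23),
        ("dev-C", 64500, "cell-1", "edns0/ecs", 23),
        ("dev-D", 64500, "cell-1", "edns0/ecs", 23),
        ("dev-E", 64501, "cell-1", "edns0/cookie", 23),
        ("dev-F", 64501, "cell-1", "edns0/cookie", 23),
    ]
    return [Rec(dev, asn, cell, h, "A", edns)
            for dev, asn, cell, edns, last in profiles
            for h in range(0, last + 1, 2)]


def k_anonymity(recs, fields):
    """Smallest equivalence class (in distinct devices) over the given
    quasi-identifier fields. k == 1 means some device is already unique."""
    groups = defaultdict(set)
    for r in recs:
        groups[tuple(getattr(r, f) for f in fields)].add(r.device)
    return min(len(devs) for devs in groups.values())


def candidates(recs, cell=None, asn=None, edns=None, silent_after=None):
    """Devices consistent with every supplied constraint. `silent_after` keeps
    only devices whose last query is at or before that hour (the offline clue)."""
    last_seen, match = defaultdict(int), set()
    for r in recs:
        last_seen[r.device] = max(last_seen[r.device], r.hour)
        if all(c is None or c == v for c, v in
               ((cell, r.cell), (asn, r.asn), (edns, r.edns))):
            match.add(r.device)
    if silent_after is not None:
        match = {d for d in match if last_seen[d] <= silent_after}
    return match
```

With the constructed data, location alone leaves all six devices, adding ASN and EDNS signature leaves two, and the silence filter leaves one.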
Google logs and stores forever every DNS request (and other info related to it, like approximate geolocation); they also temporarily store even more information that can identify you (like your IP address).
Edit: let's suppose for a moment that Google is not evil, does not cooperate with the NSA and doesn't make bad use of that information. It's still a liability and any data leak will be a problem for anyone using Google's DNS. Some things are better not being logged at all or at least not permanently.
There’s also the CLOUD Act, which compels them to share the information with law enforcement in the US and abroad. (The latter don’t have to have any due process around the data requests they issue, unless they have other laws requiring it.)
> The permanent logs are a sampling of the temporary logs where your IP address is removed and replaced by a city or region-level location.
What I understood from it is that they replace your IP address with an approximate location but keep the rest of the data. Can you explain to me how you interpreted it?
> What bad does someone expect to happen as a result of this.
Google is enriched when it can associate consumer IPs with DNS queries. Collecting that sort of information and compiling it into an advertising profile is part of Google's business. Giving state actors a view of that information is part of Google's history.
Some people are just philosophically opposed to Google's information gathering mission. From such people's perspective, anything that directly helps Google learn something (or even make a little money) is bad.
The question was posed, "What bad does someone expect to happen as a result of this[?]". So I'm putting on my least-charitable-to-Google hat. I'm not trying to make the most accurate predictions.
> They specifically claim not to though
That additional vector for monetization still exists. I stand by the statement that the ability to make those ad-relevant associations enriches Google. They are not necessarily monetizing that part of their empire right now, but they've pivoted other products in the past from "we're just trying to improve the Internet for its own sake" to "we use this for advertising".
Privacy policies change all the time, often with little warning. There'll be a post here on HN if it happens and a bunch more techie folks will switch their DNS to 1.1.1.1 or something, but lots of people will just stick with 8.8.8.8, many of them unknowingly. Perhaps unknowingly because the Google address has become so common that FOSS projects are using it as a default.
Yeah, but I've got this uneasy feeling about relying too much on Google services. Their policy can change in the future, and when it does change, we will scramble trying to migrate to something else, only to find that the competition in the space has been killed. Think about Reader: when they shut it down, there were no good alternatives for users to migrate to. Also the Google Maps API: when they suddenly jacked up the price, there was nothing the users could migrate to.
Google can tie the DNS requests you make to your IP address and then tie that to your Google accounts. Google now knows every website you go to and can either monetize the data or sell access to it. It also knows your name.
For fun uses of this data, I recently talked to a company that ties medical conditions derived from your browsing behavior to your online profile and then provides a platform for insurance companies to target you based on it.
That assumes you trust Google, and many people don't. The fines companies face for violations are peanuts and there may be real incentives internally to use this data. "Accidents" happen, after all, in complex data systems, and they're already allowed to mix the data for "security and abuse". On that note, as I read it, closing all your Google accounts as a result of suspected abuse detected via DNS data would be fine under the policy.
First is whether you can trust it; second, yes, their privacy policy states that they don't log IP, and frankly with dynamic IPs it isn't really that valuable anyway. The other information together can tie that to you as a person. Combined with other information that you are disclosing when using their services (since their policy changed many years ago to allow sharing data between their services), they know exactly who you are and what you're doing on the net.
I really don't understand why those DNS services are so popular. All you need is a list of the 13 root DNS servers[1] (you only need one, but 13 for resiliency) and a recursive resolver, and you can run your own caching server.
> We do not correlate or associate personal information in Google Public DNS logs with your information from use of any other Google service except for addressing security and abuse.
DNS queries aren't considered personal information in the US. They're considered metadata. So, they can correlate the queries according to this wording.
Also, the wording implies they can aggregate data, then use it for other purposes (like spying on competitive web sites, etc.)
Finally, it implies they are retained, which means law enforcement has access to the logs (in many cases, without a subpoena).
Google's DNS policy: https://developers.google.com/speed/public-dns/privacy
Cloudflare's DNS policy: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...
OpenDNS's policy: https://umbrella.cisco.com/blog/privacy-policy-update