by manjalyc 2177 days ago
This is a breakdown of some issues many people have with Google's Privacy Policy for their DNS.

Temporarily Logs (2 days):

- Google logs the IP address of every device sending a DNS query.

- For DNS-over-HTTPS, logs Content-Type & Accept HTTP headers

Permanently Logs:

- Client's autonomous system number

- User's geolocation within 1 km^2 and 1000 people.

- Timestamp

- Requested Domain Name

- Request Domain type

- Transport Protocol

- EDNS version, option

- and a few more, essentially everything but your IP address.

This is enough permanent information to successfully identify the vast majority of people even if they never permanently log your IP - and that's just by itself, not including if you use other Google services. Other services such as Cloudflare DNS or OpenDNS provide a higher degree of privacy and can even be faster than Google's DNS.

Google's DNS policy: https://developers.google.com/speed/public-dns/privacy

Cloudflare's DNS policy: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...

OpenDNS's policy: https://umbrella.cisco.com/blog/privacy-policy-update

1 comment

"This is enough permanent information to successfully identify the vast majority of people even if they never permanently log your IP"

How? I don't think this is true. You also reworded and omitted stuff from the disclaimer.

Could you please point to what I've reworded that you believe is misleading or misconstrued? I will happily edit my comment and fix it; I have more or less directly quoted within context. I have omitted stuff because I didn't feel the need to include the whole privacy policy in a comment (which is why I linked it), but nothing I felt was misleading. If there is a critical point you feel I should include, let me know and I will add it.

As for this not being enough information to identify someone, it really is. Let's assume you use Google's DNS and no Google tools, block all trackers, etc. (which the vast majority of people do not do). Let's say the authorities grab your computer, and somehow have access to Google DNS data (CLOUD Act) and want to see what you did online. They can already filter down DNS queries to 1000 people (and that's assuming all 1000 people use Google DNS, which again they do not). They can figure out what software performed queries based on EDNS data. Timestamps further filter down the dataset if you have a general idea of a person's schedule. With ECS they can further narrow down by service provider. All of a sudden those 1000 autonomous IDs have been significantly narrowed down using just general techniques; if you're targeting a person you will almost certainly be able to use the rest of the data to tie an ID to a machine. If you use other Google services or even just visit sites with Google Analytics, that ID is even easier to compromise. Every piece of data collected is a piece of data that can be used to identify you; that's the price of convenience.

EDIT: I would like to mention that even the act of a machine going offline, which will occur if an authority confiscates your machine, will narrow down IDs, as now you only have to look for IDs that stopped communicating with Google's DNS at the time of confiscation.
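The narrowing the reply describes, as an added example that is not part of the thread: a k-anonymity check over constructed DNS log records (field names, values and the `client` ground-truth label are assumptions) showing how each retained field shrinks the set of clients sharing a row even after the IP is dropped. A log owner can run the same check on real data to decide which fields to drop or coarsen before retention.

```python
"""k-anonymity of retained DNS log fields (added example, constructed data).

Each record mimics the fields the comment lists as kept permanently:
ASN, ~1 km geo cell, EDNS Client Subnet (ECS) and a timestamp hour.
The "client" key is ground truth a log owner has while evaluating a
policy; it is never part of the quasi-identifier key being tested.
"""
from collections import defaultdict

FIELDS = ("asn", "geo", "ecs", "hour")

# Constructed sample: seven clients, client IP already removed.
RECORDS = [
    {"client": "c1", "asn": 64496, "geo": "cell-17", "ecs": "198.51.100.0/24", "hour": 9},
    {"client": "c1", "asn": 64496, "geo": "cell-17", "ecs": "198.51.100.0/24", "hour": 21},
    {"client": "c2", "asn": 64496, "geo": "cell-17", "ecs": "198.51.100.0/24", "hour": 9},
    {"client": "c3", "asn": 64496, "geo": "cell-17", "ecs": "203.0.113.0/24", "hour": 9},
    {"client": "c4", "asn": 64496, "geo": "cell-17", "ecs": "203.0.113.0/24", "hour": 9},
    {"client": "c5", "asn": 64496, "geo": "cell-42", "ecs": "203.0.113.0/24", "hour": 9},
    {"client": "c6", "asn": 64496, "geo": "cell-42", "ecs": "203.0.113.0/24", "hour": 9},
    {"client": "c7", "asn": 64496, "geo": "cell-42", "ecs": "203.0.113.0/24", "hour": 12},
]


def anonymity_sets(records, fields):
    """Map each combination of `fields` to the set of clients that share it."""
    groups = defaultdict(set)
    for rec in records:
        groups[tuple(rec[f] for f in fields)].add(rec["client"])
    return groups


def min_k(records, fields):
    """Smallest anonymity set; k == 1 means at least one client is unique."""
    return min(len(clients) for clients in anonymity_sets(records, fields).values())


def narrowing(records, fields):
    """min_k after each field is added in turn, e.g. [7, 3, 2, 1]."""
    return [min_k(records, fields[:i]) for i in range(1, len(fields) + 1)]


def unique_clients(records, fields):
    """Clients that end up alone in their group under the full field set."""
    groups = anonymity_sets(records, fields)
    return sorted(next(iter(c)) for c in groups.values() if len(c) == 1)


if __name__ == "__main__":
    for n, k in enumerate(narrowing(RECORDS, FIELDS), start=1):
        print(f"fields={FIELDS[:n]} -> smallest anonymity set = {k}")
    print("uniquely identified:", unique_clients(RECORDS, FIELDS))
```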