Tuesday, June 26, 2007

Parsing Privacy Policies: Is OpenDNS logging data forever?

OpenDNS is an alternative DNS system. It is a for-profit company which makes most of its money through Google advertisements displayed to users when they enter invalid hostnames.

OpenDNS is the frequent darling of the security press. The very same journalists frequently pummel Google (and rightly so) for their lackluster approach to customer privacy.

Last month, OpenDNS's CEO started throwing dirt at Google for their pretty shameful keyword hijacking advertisement deal with Dell and others.

In a separate matter, Google recently adjusted its logging policy (although not nearly enough), after getting smacked around in a PR dust-up initiated by Privacy International. Given that David Ulevitch and OpenDNS were willing to take such an admirable public stand against Google, I decided to look into OpenDNS's own privacy and logging policies - to see how they themselves fare against the Big G.

The most relevant portions of OpenDNS's privacy policy include:

OpenDNS's DNS service collects non-personally-identifying information such as the date and time of each DNS request and the domain name requested.

OpenDNS also collects potentially personally-identifying information like Internet Protocol (IP) addresses of website visitors and IP addresses from which DNS requests are made. For its DNS services, OpenDNS is storing IP addresses temporarily to monitor and improve our quality of service.

In addition, we may combine non-personally-identifiable information with personally-identifiable information in a manner that enables us to attribute website and DNS service usage to an individual customer's computer or network.

Other than to its employees, contractors and affiliated organizations, as described above, OpenDNS discloses potentially personally-identifying and personally-identifying information only when required to do so by law, court order, or when OpenDNS believes in good faith that disclosure is reasonably necessary to protect the property or rights of OpenDNS, third parties or the public at large.

What does this mean?

OpenDNS is logging information on all DNS requests received by their servers. They log the IP address that initiated each request. Thus, OpenDNS knows and stores the fact that at 11:10 PM on Friday the 22nd of June, someone at the network address of some-user-in-washington-dc.comcast.com visited www.thepiratebay.org.

OpenDNS logs data on every single unique domain name that you visit. They know that you have visited www.ilikeburritos.com and sometimes.ilikeburritos.com, but they don't have any info on which specific web pages within those domains you visit. This is still a huge amount of information - more, possibly, than Google knows.

OpenDNS keeps this information for a "temporary," yet undefined, period of time. Unlike Google, which promises to anonymize the data after a set period of time, it does not look like OpenDNS makes any attempt to anonymize any of its logs.

It does not look like OpenDNS has any kind of public log deletion policy, and thus they could still be storing log data years after the queries were sent to their servers.

This information could be requested by law enforcement, the RIAA, or an angry spouse in a divorce case. These would all be legal instances in which the courts could compel OpenDNS to reveal data on customers. The only way to avoid having 8-year-old DNS requests showing up in a custody dispute would be for OpenDNS to announce and enforce a data logging and log deletion policy.
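To make concrete what a "logging and log deletion policy" would actually do to the records described above, here is an added example (my own illustration, not OpenDNS code, and OpenDNS's real log format is not public). It assumes a resolver log whose lines carry exactly the tuple at issue, timestamp + client IP + queried name, on constructed sample lines that echo the names used in this post. Two retention clocks are applied: after a short window the client address is replaced by a keyed pseudonym (so quality and abuse analysis can still group queries by client without the address being stored, and rotating and discarding the key makes old tokens unlinkable), and after a longer window the record is deleted outright. Note also that the query field only ever contains hostnames, never page paths, which is the limit on what a resolver can see.

```python
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import ipaddress

# Constructed sample log, one query per line:
# "<ISO-8601 UTC timestamp> <client IP> <queried name>".
# The line format is an assumption; the names echo the post. 192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_LOG = """\
2007-05-01T00:00:00Z 192.0.2.5 mail.example.net
2007-06-22T23:10:00Z 203.0.113.17 www.thepiratebay.org
2007-06-22T23:11:05Z 203.0.113.17 sometimes.ilikeburritos.com
2007-06-25T08:00:00Z 198.51.100.9 www.ilikeburritos.com
2007-06-26T12:30:00Z 2001:db8::1 www.ilikeburritos.com
"""

RAW_IP_RETENTION = timedelta(days=2)    # full client address lives at most this long
RECORD_RETENTION = timedelta(days=30)   # the whole record is deleted after this
NOW = datetime(2007, 6, 27, tzinfo=timezone.utc)   # fixed "current time" for the example
PSEUDONYM_KEY = b"placeholder-rotate-me"   # placeholder; a real deployment draws a random key per period


def parse_line(line):
    """Split one log line into (aware UTC timestamp, ip_address object, normalised name)."""
    ts_text, ip_text, name = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ipaddress.ip_address(ip_text), name.lower().rstrip(".")


def pseudonymize_ip(ip, key):
    """HMAC of the packed address: the same client maps to the same token while the key
    lives, so per-client analysis still works, but the address itself is not stored and
    a discarded key cannot be reversed to recover it."""
    return hmac.new(key, ip.packed, hashlib.sha256).hexdigest()[:16]


def apply_policy(lines, now=NOW, key=PSEUDONYM_KEY):
    """Return the records a retention-aware log store would still hold at time `now`.

    Each kept record is (timestamp, client, name) where client is either the raw
    address (record younger than RAW_IP_RETENTION) or "pseudo:<token>"."""
    kept = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, name = parse_line(line)
        age = now - ts
        if age > RECORD_RETENTION:
            continue                                        # delete outright
        if age > RAW_IP_RETENTION:
            client = "pseudo:" + pseudonymize_ip(ip, key)   # strip the identifying field
        else:
            client = str(ip)
        kept.append((ts.strftime("%Y-%m-%dT%H:%M:%SZ"), client, name))
    return kept


def run_example():
    """Apply the policy to the constructed sample at the fixed NOW."""
    return apply_policy(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for record in run_example():
        print(*record)
```

Run against the sample at the fixed date, the May record is gone, the two June 22 queries survive only under a shared pseudonym (so they are still recognisably one client for quality-of-service work), and the two most recent queries keep their raw addresses until their two-day window expires. Whether the 2-day and 30-day figures are right is a policy question; the point is that both clocks are explicit and enforced by code rather than left as "temporary".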

What can you do?

While OpenDNS is not perfect, they are probably still better than your average mega-corporate ISP. Some ISPs already seem to be selling data on which websites customers visit. Likewise, AT&T has quite thoroughly sold its customers out to the RIAA and MPAA.

Instead, the best thing to do is to write to Dave Ulevitch/OpenDNS (david [at]opendns [dot] com) and ask him to revise/create a data deletion and anonymization policy.


David Ulevitch said...

We are absolutely, unquestionably and unequivocally uninterested in collecting personally identifiable information on you.

That specifically includes anything like a log record that has the tuple of "timestamp + src_addr + query."

The author of this post gets one thing absolutely right, the best thing to do is talk to us. I think the author of this post did talk to me, and knows we're in the process of updating our policy.

To be explicit -- we will never disclose or sell ANY personally identifiable data to ANY third party.

As for the RIAA, they can bite me. :-) As for law enforcement, they won't come talk to us when they already have "lawful intercept" rights on your ISPs network.

I'm putting together a reply on our blog now. I think we're sending our changes to the privacy policy and Terms of Service to the lawyers tomorrow and it should be posted by Friday.

Anonymous said...

"To be explicit -- we will never disclose or sell ANY personally identifiable data to ANY third party."

You cannot guarantee that. You can be compelled via civil tort discovery and criminal subpoena to release any and all publicly identifiable information you stored live or via backup mediums.

Anonymous said...

The following excerpts from the current OpenDNS privacy policy are worrisome to me.

1. "when a website visitor searches on OpenDNS, the IP address and query are shared with OpenDNS's advertising partners"
I'm not clear on exactly what this means, since there's no search feature on the OpenDNS site that I see. If searching means use of the popular web search engines (google etc), that's creepy.

2. "This policy does not apply to the practices of third parties that OpenDNS does not own or control, or to individuals that OpenDNS does not employ or manage"
If this doesn't apply to their advertising partners, again creepy.

Anonymous said...

I had an account with OpenDNS, but after reading their privacy policies, I wrote to them, and had them delete my account. Now I use them anonymously. However, if you have an account with them, there is an option there for you to delete/purge your info in your settings. You can do this as many times a day as you want. Now after reading this, I may stop using them altogether, as I find it quite disturbing. All this time I was under the impression of it being more "secure" than my ISP. I liked the fact that pages are cached, therefore if you got no results, or your ISP DNS went down, with OpenDNS you could still obtain results. Now, I, too, just find this "creepy".

Anonymous said...

I don't buy what OpenDNS posted here either. Their privacy statement even says they still store "backups" of the logs, which means they store them. There is absolutely no excuse to justify any business storing things like this. Except to cater to big brother.

Here is a part of their privacy statement. Notice where they claim they remove the IP after 2 days, then go on to say "except for"... the stored logs.

"For its DNS services, OpenDNS temporarily stores logs to monitor and improve our quality of service, and to collect high-level aggregate Statistics. For customers without an account, OpenDNS generally removes the IP address from its logs within 2 business days, except for backup or archival copies which are not generally accessed in the normal course of business."

Anonymous said...

Your ISP can filter, capture and store all of your DNS queries (as with all unencrypted data you are sending/receiving) anyway, no matter whether the queries as such are directed at their own DNS servers or not. As such, an argument considering the switching of the DNS service provider away from your ISP only for privacy reasons appears to be entirely futile.