Privacy Policy link?


#1

I can’t find it. The brief privacy statement on the 1.1.1.1 homepage is very loose, I’d prefer to see the legalese, especially the loopholes in language there that allow you to pledge privacy as long as the data isn’t sold (“Here three-letter agency, have some free data!”, “Here business partner, have some free data!”). Ditto on the logging promise.

It just feels a bit odd to advertise this as a privacy-centric service, but to not publish any full policy on privacy/terms of use.


#2

Hm? :thinking:

The below is very extensive from my point of view:

“Cloudflare will not retain or sell or transfer to any third party (except as described in the section below and as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent to the Cloudflare Resolver;”

If your three-letter agency has a judicial decision, they will surely get the requested information, as long as it is still saved by Cloudflare. And according to the policy, that’s not for a long time…

“Aside from APNIC, Cloudflare will not share your data with any third party.”


#3

That’s under the API section, can you confirm this covers general usage? There’s no privacy policy linked from the front page (I thought I was clear on that?).


#4

Regarding the missing link on the 1.1.1.1 page you are right.

But since they are writing about “DNS requests”, general usage is covered by this, from my point of view. Plus, I cannot find any API-specific terms in this statement.

You should use the DNS provider you trust most.
Since Cloudflare supports DoH (encrypted DNS requests) it’s a plus for me. Anyway, I didn’t start using 1.1.1.1 because there is actually no management option to block domains with predefined filters or manually (youth protection).

I am sure @ryan or other staff members can forward this to the responsible team to add the link to the privacy statement.


#5

I’ll see if I can get privacy info linked from the landing page. Thanks for the suggestion!


#6

If Cloudflare is sharing data with APNIC, doesn’t that rather weaken the privacy claims? What are APNIC doing with the data? I think this should be clarified.


#7

It’s outlined in the passage just above that sentence.

"Cloudflare has agreed to provide APNIC with access to some of the data that Cloudflare collects through the Cloudflare Resolver. Specifically, APNIC will be permitted to access query names, query types, resolver location and other metadata via a Cloudflare API, that will allow APNIC to study topics like the volume of DDoS attacks launched on the Internet and adoption of IPv6.

In return for access to the Cloudflare Resolver data, APNIC has agreed to use such data solely for non-profit operational research. APNIC has also agreed not to use the data in any manner that would allow it to associate any individual with a DNS query, or publish any studies containing any references to particular query names or individual behavior. As part of Cloudflare’s commitment to privacy, Cloudflare will not provide APNIC with any access to the IP address or port associated with a client.

Aside from APNIC, Cloudflare will not share your data with any third party."


#8

Those were my thoughts too. According to the Privacy Statement in the development section:

[…]APNIC has agreed to use such data solely for non-profit operational research. APNIC has also agreed not to use the data in any manner that would allow it to associate any individual with a DNS query, or publish any studies containing any references to particular query names or individual behavior. As part of Cloudflare’s commitment to privacy, Cloudflare will not provide APNIC with any access to the IP address or port associated with a client. […]

“study”

I was a little bit concerned as well. But since APNIC is the owner of the 1.0.0.0/16 network, a commitment with them was necessary. Also, APNIC resides in Brisbane and not somewhere in China. So I see them as neutral.

There’s someone on the Internet you will have to trust. And RIPE, APNIC and Co “just” assign networks to companies. Nothing else. I for myself don’t trust the dnswatch guys. Why? Well:
Who’s behind it?
Are there really no logs?

DNS watch is powered by a German media agency (ooops). Maybe they’ve just built the website. Who knows…

Not saying they are bad or doing ugly things at all! But this is something that makes me concerned as well.

Cloudflare made an extensive statement of what is logged and what data is shared or not.