Quad9 and Your Data
I’m the Executive Director of Quad9, and I want to address a few points about who we are and why we exist for the purpose of giving some background about what we do with your personal data. Let me get to the “TL;DR” summary: Ignore the trolls – we don’t share your personal data.
The longer form:
Quad9 does recursive DNS, and we integrate a blocklist on our secure IP addresses that prevents end users from reaching hosts that our partners have told us are malicious, or are phishing sites, or which are implicated in botnet services or other harmful activities. Our mission is to keep as many people on the Internet as safe as possible against these threats while giving good DNS performance and high privacy, and we take that job seriously. What we often hear is the question of “What’s your angle?” (For our non-English speakers: This is a term that means “How does what you are doing make you money in a way that isn’t obvious at first sight?”) The short answer is: We don’t have an angle. Quad9 is sponsored by a variety of organizations who have the same goals of security, privacy, and performance. They directly or indirectly see the benefits of keeping millions of people from being defrauded or hacked or worse – and they provide us with funding and support to further those same benefits.
Many other free DNS services (or ISPs) are doing things with your data that you might surprise you – building demographic profiles on users, selling household browsing habits, or creating data to correlate with other marketing streams. Quad9 is different – we’re not a business selling harvested data. We’re not even a business. We’re a nonprofit and have no motive to sell data and no way to hide it because we’re a public entity. We have one thing we do – free DNS. Not marketing, not advertising, not demographics, not surveillance, not web hosting, not extracting dollars from end users. We agree that anything that seems too good to be true should be examined closely, and it’s clear that Quad9 needs to better illustrate why you should trust us and what we do with your data. So let me go into that in a bit more detail.
The key component that I want to ensure is stated up front is one of our core tenets: “Quad9 does not store client IP information to disk, nor is client IP data ever transmitted out of the POP in which it is received.(*)”
Construction of Quad9 Organization
Quad9 is a US-based 501(c)(3) nonprofit corporation that is not managed or governed by anyone other than itself. We have three major sponsors at the time of this posting: Packet Clearing House (PCH), IBM, and the Global Cyber Alliance (GCA). GCA has helped us with introducing and connecting the project to threat intelligence (referred to afterward as “TI”) providers, with marketing and communications, and also with the development of some of the ingestion tools for TI data. Packet Clearing House operates the network on which our services are delivered, and IBM provided the 22.214.171.124/24 donation to the project, as well as being a supporter and one of our TI providers.
Each of these founding sponsors has put significant resources towards the project in the form of assets, capital, and staffing. However, these sponsors receive no special dispensation in the form of access to private data – in fact, we’ve burned quite a bit of time in duplicate efforts and creating “ethical screens” at a technical and policy level to keep private data from being possibly bridged during any of the work that we’ve done.
In the last year or two of project development, it would have been far easier to give access to people to perform simple debugging and tuning than to keep the strict “no-access” rules that we have in place, even on just simple things like the website design work. We have gone well out of our way to ensure that a future audit of our systems or procedures would not show any shortcomings with regard to inappropriate sharing of end-user data. At no time has anyone on the GCA, IBM, or PCH staff had access to personally identifiable information (PII) data from our servers, which means none of their partners have access either.
The TI providers we work with do receive notifications about when their blocklist items are being hit, but that “ping” they receive contains no PII. This stripped-down data we send to the TI providers is instrumental in their ability to improve and understand the threat data they send to us, and this, in turn, makes our protective abilities even more useful. We do share other aggregated data (again, no personal data) with some partners or researchers for the express purposes of improving security and performance of the DNS. This aggregated data is highly summarized, and it would be extremely difficult to reverse-engineer any useful user-specific data. There will be an upcoming blog post on exactly the data and format fields we send to those TI providers, and to the fairly rigorous ways even that aggregate data is made effective while not being exported out of our network – stay tuned.
Who Sponsors Quad9, and Why?
The Global Cyber Alliance (GCA) is a nonprofit whose initial requirements for a secure DNS-based platform were the genesis of what became Quad9. Their charter is to effectively protect as many people as possible from cybercrime by eradicating cyber risk. GCA, in turn, is sponsored by several agencies whose focus is on the lawful use of the Internet, who entrusted GCA with funding technical projects that make a difference in cybersecurity with the best return on investment. We think that is admirable, and sponsorship of these types of projects should be increased, and not just because we are an eventual beneficiary. The belief of these organizations is that large portions of the public in their constituencies are at serious risk of cybercrime, and any ability to block a portion of those criminal activities is a win for everyone, not just the citizens in their jurisdictions. Giving free defense against malware/phishing/C&C/exploits is an obvious thing to do to help combat cybercrime, and DNS is a quick way to get to the most number of people and has the side benefit of not just being usable by the people in their local geography but by the whole world. This is fantastic news – really, how many state or national dollars do you see going to help efforts that try to prevent crime from occurring? Especially cybercrime? And are “actually effective?” The “bang for the buck” on Quad9 as a protection for citizens is why those organizations participate. There is no backchannel of any PII out of the project other than generalized performance statistics. There has never been any discussion of it. There is no intention of that happening. GCA receives a result which is in line with their charter: a safer Internet and statistics to prove it.
So next up: Why does IBM participate? We approached IBM during the spin-up of the Quad9 nonprofit since they had one of the few unused single-digit IPv4 addresses. We also approached several other such holders at the same time, but our contact with IBM was well-timed and enthusiastically received. It turns out they wanted to create an open, free offering for their security service, though they had also considered the issue that no matter what their good intentions were, there would always be a suspicion that their service was somehow being utilized in a way that end-users might think was imbalanced (aka: commercialized unexpectedly). When we told them that this would be an effort in combination with other organizations who had similar goals (but different contributions) and that the entity would be a nonprofit which had independent governance, they jumped at the chance to be involved. They were quite ready and willing to participate in what they saw would be a neutral third-party effort to promote better Internet security, and they have been a fantastic partner. What does IBM get out of this arrangement? They get to have their name on the project as one of the founding sponsors of what will be one of the leading worldwide, first-defense cybersecurity efforts (they really do “get it” as far as doing this for the good of the Internet). They also get to improve their threat analytics with the data that is returned on the threats that they provide to the blocklist feed, just like our other TI providers. Their sponsorship does not grant them access to raw data streams, and any of the summary information we send to them is entirely stripped of personal data, just like any other TI provider. Again, personal information is entirely removed at the edges of the network and is never written to disk or transmitted out of the POP and would require significant work to build back into our analytics platform.
And what about the last sponsor, Packet Clearing House (PCH)? PCH has been doing worldwide anycast DNS or other DNS services for more than 25 years. Currently, there are more than 110 nations whose Country Code TLD (CCTLD) data is hosted on PCH systems. Two of the thirteen root nameservers have significant parts of their networks operating on the PCH network infrastructure. PCH operates in more than 160 physical locations worldwide, mostly in IX datacenters. Pretty much everyone on the planet has used or directly benefited from PCH systems within the last 24 hours if they’ve even been active on the Internet, even if only in some minor way. This implies a massive amount of trust in PCH to do the “right thing” in running DNS on a worldwide scale, and that trust has not been misplaced. PCH operates DNSSEC signing regimens and trains organizations on DNSSEC, as well as advising network infrastructure and national governments on cybersecurity policy and interconnection strategies.
Quad9 is not PCH, but I left PCH and went directly into managing Quad9 so the DNA of trust and integrity is strongly shared between the two organizations. So Quad9 is not PCH, but nor is Quad9 IBM. Nor is Quad9 the Global Cyber Alliance. Quad9 is not any of those three major sponsors. It is expressly a standalone organization so that none of the three can make demands that the Quad9 Board of Directors would disagree with. We created Quad9 for the purpose of countering any hint of favoritism or leakage of information – it is not governed or controlled or influenced inappropriately by any corporation or nation. Quad9’s goals are “protection, privacy, and performance” – protection against cyber risks, the privacy of end-user data, and performance equal to or better than what is offered in existing alternatives.
Third Party Trust Certification
One of the things that we have been actively pursuing is certification and audit by third-party organizations who are well-known for being trusted and neutral evaluators of technology firms to prove what we say. We’re looking specifically for EU-based organizations who are willing to do a security and process audit on our systems to prove that we are doing what we say we’re doing. We specifically want EU-based, because our systems are designed with GDPR goals in mind and because European data privacy laws are well-documented. We’re trying to provide “lowest common denominator” audit-ability where “lowest” means “most strict.” We’ve asked a number of other organizations (for example, EFF) for that type of certification, but their policies typically try to avoid seeming to be behind any one effort. Their policies are totally reasonable and we understand but so far are disappointed in finding an audit partner.
We face a challenge with GDPR (link to https://www.eugdpr.org/gdpr-faqs.html) but not the challenge that most organizations face. We wish to be certified as GDPR compliant by the fact that we store and transmit no personal data at all within the specifications of the pending law. So trying to get someone to certify that GDPR doesn’t discuss non-storage of data has been a challenge. It’s a question none of the auditing organizations can quite understand as a requirement.
Even so, we’re trying to work with any of the certification agencies to see if we can obtain GDPR certification or documentation of compliance before the May deadline. Note that certification is different from compliance – we believe that we are compliant with GDPR requirements, but we would like to have the validated audit of our methods and official recognition of those methods. We are open to suggestions from our community as to how we can solve this. Please send a message to firstname.lastname@example.org if you have a contact that can help.
What we do is just what it appears to be. By using our DNS service: your data is not being resold, your security is being improved, and performance is our goal. We hope that we can keep your trust and make the DNS better for everyone.
(*) Yes, there is a very limited exception to this. If we are under attack, for a reasonable value of “attack” in a DNS-based cybersecurity model, we reserve the right to transmit origin IP address data and abusive queries to a central system to be redistributed to other field systems for the specific purpose of creating filters or other protective regimens. We define “client IP address” as PII in association with DNS QNAME data.