My data or yours?
Many articles have been published on who can do what with personal data. Some focus on particular applications or services. In the recent discussion of the availability of DNS over HTTPS, many have questioned whether software manufacturers should be responsible for default settings which protect users privacy rather expecting users to understand the technology and take responsibility themselves. DNS via HTTPS bypasses local DNS servers at Internet service providers and forwards requests to a central DNS resolver that can be located anywhere in the world. This has an important implication for privacy, as DNS requests are shielded from local internet service providers, which may not be considered as trustworthy. At the moment opinion is much divided as to whether users should be left to make this decisions themselves and whether users have enough technical knowledge to make an informed decision.
A current survey by Sophos is a fitting read here. The survey which was conducted by Techconsult in February 2019 showed that many end users feared criminal misuse of their data but did not intend to limit their internet usage. When asked what they fear most in relation to the processing of their personal data by Internet companies, 31 percent of survey participants responded that their most serious concern is criminal misuse of their data. This finding was also confirmed by the German broadcaster ARD in their current Deutschlandtrend survey: 61 percent of respondents were very concerned or concerned that their personal data could be misused online. In the Sophos survey, 44.5 percent of respondents clearly indicated that they expect transparency over how their personal data is used. A clear majority (64 percent) want to be able to decide how their personal data is used. Similarly, 62.5 percent of respondents want a clear and simple way of erasing personal data themselves. Control over personal data is seemingly a critical issue for the majority of people.
Anyone who has read the article on Heise's investigation of Office 365 will clearly understand why users should be able to decide what happens with their personal data. The investigation found that Office 365 records a wealth of information on how the applications are used and forwards this information to Microsoft. This already occurs before the user has given their consent and is potentially a violation of the GDPR. The operating system privacy settings that control user consent to collecting telemetric data are ignored. Most users probably don't have any illusions about how their data is collected when they use a Microsoft product, however as the findings above show, most people would like to be asked first and have a way of deleting their data when it is no longer needed. Microsoft does say how content and user pseudonyms can be deleted but it does not mention metadata in its documentation.
Should end users be worried about DNS via HTTPS and Office365 or are other snooping risks more relevant? At the very least, users need to be aware that many organizations even government authorities are collecting masses of personal data. Although current draft legislation by the German Ministry of the Interior that would grant the Federal Government greater surveillance and monitoring powers is likely to face rejection, it is likely that these powers will be sought in other places. And after the Facebook and Cambridge Analytica affair, we should certainly be worried about what big companies are doing with our personal data. One thing is clear: The best privacy protection is not giving data away in the first place. And DNS over HTTPS is really not that complicated. Firefox users only need to enable the option under connection settings.