In an attempt to improve the reliability, security and confidentiality of the Domain Name System (DNS), the European Commission (EC) published a call for proposals in January 2022 for the development of a Europe-based recursive DNS resolver service infrastructure through a proposed system that will be called ‘DNS4EU’.
The DNS is an important part of the global Internet infrastructure. It is seen as the proverbial phone book of the Internet, created to simplify the mapping of Internet protocol (IP) addresses to labels or user-friendly domain names, so if someone wishes to go to a particular website, like Google, they only need to remember the website name (google.com), rather than the IP addresses where the website is hosted (e.g. 216.58.206.174). DNS resolvers are located strategically around the world in order to make the process of this translation between domain names and IP addresses much faster.
The proposed DNS4EU system is intended as a regional solution to address the growing incidence of DNS outages. In October 2021, Meta‘s DNS outage left millions around the world unable to connect and communicate on various services including Whatsapp, Facebook, and Instagram. Because a limited number of infrastructure providers, mostly based in North America, carry out the majority of DNS operations for the world, the failure of just one company’s DNS operations can have a disproportionate and devastating impact on peoples’ ability to work, use government services, access information, and communicate with others. With the creation of a DNS resolver within the European Union, there would be an additional system that could store the data needed to translate websites to their exact IP addresses and reduce the impact of outages similar to the Meta incident.
Prioritising data security, accountability and freedom of expression
The DNS4EU proposal also highlighted that the system is expected to be compliant with the Hypertext Transfer Protocol Secure (HTTPS) protocol to secure communications, the Domain Name System Security Extension (DNSSEC) protocol to authenticate domain name lookup responses, and the DNS over TLS (DoT) DoT and DNS over HTTPS (DoH) protocols to encrypt DNS queries. ARTICLE 19 has previously explained the benefits of implementing these standards across the DNS to strengthen privacy and freedom of expression. In its 2020 Data Strategy, the EC set out its intention that the DNS4EU will create a ‘single market’ for data that prioritises data security for all stakeholders.
However, DNS4EU as currently proposed gives the potential power to the entity managing the proposed system to determine what is ‘malware’ and ‘phishing’ and block them (based on the call for proposals). These powers are overbroad and, if unchecked, potentially set up a slippery slope, as currently there is no mandatory guarantee that the operator of DNS4EU will be accountable to Internet users and notify them whenever blocking or suspending, nor there is guarantee that Internet users would have an opportunity to appeal these decisions.
Moreover, the call for proposals seems to assume that the operator of DNS4EU would be obliged to filter websites leading to illegal content as a result of court orders. While the focus of the proposal is on filtering that only targets illegal content, the way DNS resolvers work makes it impossible to ensure that only illegal content is blocked. In fact, to comply with the court’s order, the only recourse available to DNS resolvers is to block access to an entire domain name – basically, the entire website. It is not proportionate to block access to an entire website for infringing content found on a single page or file, and as such it violates the rights to freedom of expression and to access to information, which are protected by, among others, the EU Charter of Fundamental Rights.
Imposing liabilities on DNS service providers to block and filter certain types of content has far-reaching implications. As ARTICLE 19 has previously outlined, blocking and filtering systems are not only ineffective but unlawful under international human rights law unless they are narrowly targeted and comply with principles of legitimacy, necessity and proportionality. DNS operators are not neutral actors when it comes to content moderation; their policies and practices can have a fundamental impact on peoples’ ability to access and share content online. However, given the crude and limited measures at their disposal, imposing liability on DNS operators to combat illegal content and ‘DNS abuse’ can lead to disproportionate blocking and filtering regimes. As we often see, these types of systems either over-censor content that is legal, or fail to flag content that is illegal. This is why it is crucial that, while attempting to set the gold standard for DNS operations under this emerging EU framework, the DNS4EU system contains the necessary guarantees and safeguards to avoid or mitigate those risks.
Although the call is not clear on how content moderation will be carried out technically within the DNS4EU, it is vital that EU policymakers and potential operators take into account the fact that content moderation at the DNS level differs from that at the platform level. At both the content and infrastructure layers content might be flagged based on keywords. Specifically at the content layer, once content is flagged, the reviewer might be able, for instance, to compare previous publications by a particular author and is able to note that such a person has created, for example, a protest website or parody account and thus has no malicious intent with their post or be able to infer elements of illegality. In other words, the reviewer is able to assess the context, which might be key to determine the legality or illegality of a piece of content.
On the other hand, at the infrastructure level, for example, once a domain registration is flagged using a keyword, such as ‘COVID’, it is the entire domain that would be suspended or banned by Internet Registries and Registrars. Registrants might lack opportunities to explain themselves on the intended use of the domain name that they attempted to register and had this request suspended or blocked, though this would depend on the system that the EC would put in place.
EU and content moderation at the DNS level
The DNS4EU proposal extends the focus on content moderation beyond the realm of social media platforms to include infrastructure providers that run DNS operations. We note that this is just the latest instance in a series of EU policy and legislative proposals that would increase the liability on infrastructure-level providers to moderate and censor content:
- The Digital Services Act (DSA), proposed by the European Commision in December 2020 and currently being discussed in the Trilogue by the EU Institutions, fails to explicitly outline whether DNS operators fall in the category of intermediary services or information society services or both and also fails to explicitly clarify to what extent the DSA aims to hold DNS operators accountable for content-related issues in the course of their daily operations. Lastly, this failure in clarity does not take into account the technical difficulties of blocking out a single webpage or file as opposed to an entire domain name. The DSA therefore marks a significant departure from current practice, as DNS service providers and other Internet intermediaries are typically explicitly not held responsible through national policy or regulation for content-related issues in the course of their daily operations. We note that this draft proposal is not in force yet as there is still room for language revision ahead of Trilogue negotiations between the European Commission (EC), the Council of the European Union, and the European Parliament.
- The proposed Network and Information Security (NIS) 2 Directive, currently under discussion at the European Parliament, explicitly mentions the obligation of DNS operators to “…prevent and combat Domain Name System abuse…” under recital 60, without defining what DNS abuse is. ARTICLE 19 has previously highlighted the dangers of using the term ‘DNS abuse’ without clear definitions. We note that this proposal is not in force yet as there is still room for modifications before the European Parliament and the Council find an agreement on the final text.
- The proposed Directive on the resilience of critical entities (CER Directive), which is part of the New EU Cyber Strategy, plans to impose obligations similar to the NIS 2 Directive – although it explicitly provides exceptions for operators of root name servers. The latter are 12 organisations that basically serve as operators of an address book containing 1) information of generic top level domains – such as .com, .info, and .org; 2) country code top level domains – two-letter codes for each country, such as .ke for Kenya or .za for South Africa and 3) internationalised top level domains – generally equivalents of country code top level domain names written in the countries’ local character sets.
The way forward
To make sure that the forthcoming DNS4EU system properly respects the rights to freedom of expression and access to information in the EU, legislators and policymakers should at least include the following:
- Make human rights impact assessment part of the entire process. Before the tender is awarded to develop the DNS4EU system, the EC should complete an assessment of its potential impacts on the fundamental rights as protected by the EU Charter. The EC should also require that the actors who will develop the DNS4EU system include human rights impact assessment in the design, development and deployment of the system. This impact assessment should be carried out by an independent agency with expertise on fundamental rights and knowledge of DNS operations. This would ensure a strong evaluation that takes into account the particular technical capabilities of DNS resolvers.
- Provide clarity on the role and responsibilities of the data controller and data processors within the DNS4EU. The EC should ensure that the development and deployment of the DNS4EU system duly respects the General Data Protection Regulation (GDPR), clarifies the obligations of each party and provides adequate transparency obligations regarding the control each party would have on DNS4EU operations.
- Require court orders for suspension or blocking. The EC should mandate that any suspension or blocking operated by the DNS4EU operators is compliant with international human rights standards and it is only performed following a court order.
- Set clear policies on redress mechanisms. The call does not clearly state how domain registrants would appeal decisions where their domains are blocked or suspended without court orders. The EC should ensure that the design stage includes clarification of how notice, appeal, and redress should be provided for in the DNS4EU system. These design decisions should be subject to public consultation before development and implementation phases begin.