He also said, in August 2018 via tweet, that Cloudflare has a strong privacy policy. So which Bill Woodcock should we believe? How do you go from saying that, to quoting material from 2016 and 2018 to make a point that Cloudflare isn’t adhering to their privacy policy? You either believe the Cloudflare privacy policy or you don’t.
Ok, so, to be clear, I'm super jet-lagged, and I don't claim to make a lot of sense or be entirely consistent over time.
That said, I think I'm trying to convey something more nuanced than you're reading.
I think you're trying to figure out whether I believe that Cloudflare is adhering to their stated privacy policy, or not adhering to their stated privacy policy.
What I'm saying is that I don't have any relevant knowledge that would allow me to make a determination on that, and that as someone without any special knowledge, it doesn't behoove me to have an opinion, because the opinion wouldn't be one of any particular value.
I do have a few strong opinions, that I'm willing to stand behind and operationalize:
First, that people are entitled to understand and control the use of their personal information. That's what the GDPR says, and if Europeans get that benefit enshrined in law, I think everyone else should get that benefit as well. Because it's the right thing to do.
Second, that collecting data because it's there and disk is cheap is a bad idea. Because eventually it will make its way into the hands of someone who will put it to uses you cannot anticipate, and some of those uses will be bad. I can enumerate dozens of ways that thoughtless data collection can become problematic, and each of you probably can as well, if you think about it. There's just no good reason to go down that path in the first place.
So, again, from my point of view this isn't about Cloudflare, that's just what you guys asked about. And Google, but Google is less interesting, because their situation is a lot less complex. From my point of view, the interesting thing here is how users can achieve the greatest degree of security and privacy. That's both an engineering puzzle and a policy one, and it's endlessly fascinating to me.
I think running one's own caching resolver is a necessary piece. I think QNAME minimization is a necessary piece. I think link encryption is a necessary piece. I wish we didn't have to take for granted that DNSSEC validation doesn't happen locally on the client, but for now, we pretty much do. Which is unfortunate. That puts DNSSEC validation out at the resolver. Cloudflare and Google have both now added DNSSEC validation, which is great. So now you need to make sure that you're actually talking to a validating resolver, which turns out to be more difficult than you might assume... DANE authentication of the resolver isn't quite there yet, which means you're dependent on a self-signed or a CA cert. Self-signed without DANE causes problems in the form of pesky interruptive questions for the user, which brings us down to a CA cert. Which we can't trust, because of "domain validation." So there's a serious unsolved problem. Also, we can't restrict what certs the client will accept, for most client OSes. And it turns out that we can't even restrict what DNS server the client will use, for the publicly-distributed versions of iOS and Android. iOS is a lot safer than Android, but it still doesn't compartmentalize DNS queries during captive portal traversal, which is a huge, huge security fail, which I've been bugging Apple product security about for eleven years, now. I'd hoped that MDM would let me lock down some of these things, but no, it turns out that it doesn't. Which brings us back to moving the DNSSEC validation back into the client. Anything else has way too many externalities.
So, lots of interesting problems to solve in there. That's a lot of what I spend my time on.