The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.
This paper was presented at Securing and Trusting Internet Names 2012 (Teddington, UK). There are two distinct problems in determining the impact of passive DNS (pDNS) on end-user privacy. One is whether pDNS would allow the observer to reconstruct an individual end-user’s DNS behavior. The other is whether DNS behavior constitutes personally identifiable information (PII) or is otherwise legally protected. This paper develops a framework to discuss both aspects of the privacy issue. On the technical side, DNS sensor architecture is analyzed and a statistical model is developed to describe the sensor’s ability to violate end-user privacy. On the legal side, various jurisdictions’ privacy legislation is reviewed and analyzed in the context of DNS as a system and pDNS as a collection mechanism. In general, we find that pDNS, properly configured, does not violate end-user privacy.