freenode / web-7.0

The freenode website, home to our blog, knowledge base and policies
https://freenode.net/

Policy page does not discuss anti-botnet/proxy measures #404

Open fndax opened 5 years ago

fndax commented 5 years ago

https://freenode.net/policies does not discuss technical measures used by freenode to prevent botnets, open proxies, and other undesirable activity. I suggest that we add wording covering, at a minimum:

As far as I know, none of the above is currently discussed anywhere on freenode's website, and some of them (e.g. sending IPs to DNSBLs, and any data retention of any of the above if applicable) may have GDPR consequences. It'd also be nice to have somewhere to point #freenode users when they ask about it, instead of re-iterating everything each time.

All of the above has been discussed publicly in #freenode in the past, so I figure it should all be fine to discuss on the website?

Mikaela commented 5 years ago

I was asking how the DNSBLs work out of curiosity, and @tomaw told me that they aren't aware of the queries doing anything more complicated than going to the DNS server of the server sponsor, and I understand this to mean that they go in plaintext.

An IP address is considered personal data by GDPR, and judging by "What information should I receive when I provide my personal data?", I think the privacy policy should name the DNSBLs and DNS servers and possibly say that they are contacted over an insecure connection.

I am not sure if GDPR would accept the insecure connection part, though, as encrypting DNS isn't that difficult to set up nowadays (thanks to dnscrypt-proxy and Unbound), but someone observing the network around freenode servers would already see the incoming connections without reading the DNS queries.

I thought stats A and stats n could also be used by normal users, but that doesn't seem to be the case.

jesopo commented 4 years ago

I'd add usage of MX RBLs onto this list.