This is something I raised in a subsequent email to them. I really like, for example, how HashiCorp does this: Subprocessors
I think their policy is a bit bare bones and could do with improvements.
You could really argue that about any provider who uses any third party, whether it be Azure, AWS or some other platform. If that is the new criterion, we should just ban any service that doesn’t own their own servers and not single out GCP specifically.
That will basically mean we’re left with very few services/reliable services and will be throwing out a huge amount of products which actually do work well.
Every service will comply with legal requests to some degree. That is the cost of continuing business arrangements. Singling out GCP because of legal requests really doesn’t address that problem and just seems like a misguided degoogle bent.
There is also no way to ensure that doesn’t happen besides throwing all your traffic in an encrypted tunnel and routing it somewhere else. If you’re worried about legal requests and the stream of traffic is persistent, I would not necessarily rely on a VPN provider to keep that confidentiality. They are also susceptible to bribes and other forms of coercion.
There is really no substitute for using Tor for a threat model where you have sustained government interest. Encrypted DNS was never really designed to give you strong confidentiality, as there are plenty of other ways in which your usage can and will leak. The point of encrypting queries is to stop outside manipulation and snooping at a network level, not thwart legal requests or targeted interest. Also, with DNS you often don’t have much of a choice about which route those queries take, as any provider of size uses anycast addresses.
I don’t think NextDNS is anywhere near a “Skiff”. If you remember Skiff was quite new and pushed their addition to numerous sites very aggressively. Almost as if they were trying to inflate their user count knowing full well that the Notion deal was going to happen.
Conversely NextDNS is not new and they haven’t asked to be mentioned anywhere that I can see. NextDNS does partner with Mozilla and other companies which do care about privacy so that has to mean something. I have sent them another email (maybe the last one went to junk).
That’s unfortunate. I have unfortunately noticed a theme with quite a few of your replies which have an element of argument from authority, without actual counterpoints other than “trust me, I know stuff”. In your previous reply you said:
I can’t see how you’d be bound by an NDA on an agreement you didn’t accept.
This is perhaps something that will require extra research. Are you talking about this, or something else?
We are looking to partner with national and pan‑European hosting providers, threat intelligence providers, CERTs and financial sponsors — talk to us at partners@dns0.eu.
CERTs (Computer Emergency Response Teams) and “threat intelligence providers” in pan-European really can only mean one thing, and that is they want more data about threats in Europe for their Zero program.