The UK Internet Service Providers Association (ISPA) has provocatively shortlisted Mozilla for the sort of award that, on the face of it at least, no tech company should be keen to win – ‘2019’s Internet Villain’.
Mozilla’s claim to infamy? From ISPA’s point of view, it’s Firefox’s imminent inclusion of DNS over HTTPS (DoH) – a technology many experts endorse as the biggest jump for internet privacy since the expansion of HTTPS itself.
The problem, according to the ISPA press release, is that the arrival of this technology in the Firefox browser used by millions will make it possible to:
Bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.
The point of DoH (and the related DNS over TLS, or DoT) is to encrypt DNS requests, which makes it impossible, or at least very difficult, for entities such as ISPs or governments to monitor which websites people are visiting. And because the DNS requests are sent inside encrypted HTTPS requests they’re also indistinguishable from other web traffic, so they can’t be blocked without blocking all web traffic.
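To make the mechanism concrete, here is an added example (not from the original article or from Mozilla's code) that builds the RFC 8484 GET request for a lookup and contrasts what the resolver decodes with what an on-path observer is left with. The resolver host `doh.example` and the `/dns-query` path are placeholder assumptions.

```python
import base64
import struct

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 wire-format query for one name (qtype 1 = A record)."""
    # ID 0 as RFC 8484 recommends; flags 0x0100 = recursion desired; 1 question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_request(name: str, host: str = "doh.example") -> dict:
    """The HTTP request carried inside TLS; host is a placeholder resolver."""
    dns_param = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode()
    return {
        "method": "GET",
        "path": f"/dns-query?dns={dns_param}",
        "headers": {"Host": host, "Accept": "application/dns-message"},
    }

def name_seen_by_resolver(path: str) -> str:
    """Decode the dns= parameter back to the queried name (resolver's view)."""
    param = path.split("dns=", 1)[1]
    msg = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    labels, pos = [], 12  # question section starts after the 12-byte header
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def seen_on_path(request: dict) -> dict:
    """What an ISP-side observer gets: a TLS connection to the resolver on 443."""
    return {"server": request["headers"]["Host"], "port": 443}

if __name__ == "__main__":
    req = doh_get_request("www.example.com")
    print(req["path"])
    print(name_seen_by_resolver(req["path"]))
    print(seen_on_path(req))
```

The queried name exists only inside the encrypted request path, so network-level filtering is reduced to deciding whether to allow connections to the resolver at all.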
To privacy enthusiasts, this is good because neither ISPs nor governments have any business knowing which domains users happen to frequent.
For ISPs, by contrast, DoH hands them several headaches, including how to fulfil their legal obligation in the UK to store a year’s worth of each subscriber’s internet visits in case the government wants to study them later for evidence of criminal activity.
Years in the making, this is a collision foretold. One side (Mozilla and Cloudflare, the latter providing the DoH resolution that supports the whole endeavor) thinks that internet privacy is an immutable principle that demands a technical solution; the other (governments, police and at least one anti-child abuse campaign group) thinks that privacy carries risks that must always be qualified through intervention.
Privacy conundrum
The arguments against DoH are technically involved but focus on one central objection.
For ISPs to block undesirable websites (child abuse, terrorism, copyright infringement, etc) they must filter traffic using a domain blacklist. Anything that successfully hides the domains people are visiting makes that approach redundant.
However, as has been pointed out, this layer of filtering can already be bypassed by visiting domains ISPs haven’t added to their blacklists, including ones hosted on the dark web that are only accessible using a browser like Tor.
Then there’s the small problem of VPNs, which not only hide DNS from surveillance but can also hide the user’s geolocation, with the result that they are also a simple way to beat the UK’s forthcoming and contentious law requiring age verification for anyone visiting a porn site (which DoH itself has no effect on, despite claims to the contrary).
The direction of travel is unmistakable – the ways for web users to hide their web habits are growing in number and becoming more affordable, including by using simpler domain shielding tools such as Cloudflare’s 1.1.1.1 app (which will soon be bundled into a full VPN called Warp) or Google’s equivalent, Intra.
DoH inside Firefox, then, is simply a technology that turns this kind of privacy into something anyone can access without having to do anything.
The danger in the publicity-seeking approach chosen by ISPA is it ends up becoming a victim of the ‘Streisand effect’ – by complaining about it, ISPA may be encouraging the very thing it’s setting out to deter.
The reverse effect applies to Mozilla, which, privately, may not be too upset at being called out for implementing DoH, a technology it has not only strongly advocated but which also has the powerful backing of the Internet Engineering Task Force (IETF) in the form of RFC 8484.
Arguably, spying on which domains people visit was always an easy fix to impress politicians that dodged a lot of messier but more effective ways to track bad people in a targeted way.
If the ISPA and its members want to find a way out of this hole, they could do worse than invest time explaining the new realities to disappointed, frustrated lawmakers.
Simon McAllister
Leave poor Mozilla alone! There are plenty of alternative/non-browser based methods to perform the same bypassing (or privacy enforcement). Using ‘domain name’ based blocklists was not the right way for ISPs to implement these blocks. It makes an easy job for them only, of course. But it’s quite obviously not effective enough. So yet another example of how government wrongly thought that this would be an end-all situation.
Also, a stab-in-the-dark here; I bet they’re just as peeved because they can’t sniff and sell our browsing/activity data….
Mahhn
Is the ISPA going to give the (fake) prestigious “1984” award to China? with a short lecture on how they plan to win it next year….
Bob Gostischa (@bob3160)
Privacy is the foundation of security. You can’t really have one without the other.
anon
Once again Mozilla earns my love and respect.
Suck eggs corporate america!
Mahhn
lol, you missed the first line “The UK Internet Service Providers Association (ISPA)”
John C.
“Corporate America” to refer to a British trade organization: curiouser and curiouser!
JohnL
My router supports DNS over TLS (also DNSSEC) so I turned the former on. Was a bit slow with Quad9 but seems okay with Cloudflare, although I’d rather use Quad9 as it filters out nasty sites. I like the idea that there isn’t a list on a computer at my ISP that has all the Banking sites I visit on it… not much of an information leak, but every little helps.
I wonder if ISPs will add a clause forbidding DNS security in their Ts and Cs at some point? They don’t ban VPNs, but who knows. Perhaps depends on how common it gets.
juanocampog
Thanks, I actually didn’t fully get what the fuss was about in other publishings until I read your article. Thanks for making it clear for us.
Mike2
Oh dear, our friendly government cannot now spy on all and sundry because Mozilla has come up with a means of preventing them from doing so. Shame!
As Simon McAllister says there are probably commercial ramifications as well, otherwise why would ISPs have recorded our browsing habits before they were forced to? Hopefully this and other advances will make the net truly private.
zkdr
Nice. UK can kiss it. The internet should be unmonitored. Use router-specific whitelists or blacklists if you want to protect your kids. And if you want to prevent cybercrime, go to the ISP to see what an IP is assigned to for suspicious websites and take it from there.