The UK Internet Service Providers Association (ISPA) has provocatively shortlisted Mozilla for the sort of award that, on the face of it at least, no tech company should be keen to win – ‘2019’s Internet Villain’.
Mozilla’s claim to infamy? From ISPA’s point of view, it’s Firefox’s imminent inclusion of DNS over HTTPS (DoH) – a technology many experts endorse as the biggest jump for internet privacy since the expansion of HTTPS itself.
The problem, according to the ISPA press release, is that the arrival of this technology in the Firefox browser used by millions will make it possible to:
Bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK.
The point of DoH (and the related DNS over TLS, or DoT) is to encrypt DNS requests, which makes it impossible, or at least very difficult, for entities such as ISPs or governments to monitor which websites people are visiting. And because the DNS requests are sent inside encrypted HTTPS requests they’re also indistinguishable from other web traffic, so they can’t be blocked without blocking all web traffic.
To privacy enthusiasts, this is good because neither ISPs nor governments have any business knowing which domains users happen to frequent.
For ISPs, by contrast, DoH hands them several headaches, including how to fulfil their legal obligation in the UK to store a year’s worth of each subscriber’s internet visits in case the government wants to study them later for evidence of criminal activity.
Years in the making, this is a collision foretold. One side (Mozilla and Cloudflare, the latter providing the DoH resolution that supports the whole endeavor) thinks that internet privacy is an immutable principle that demands a technical solution; the other (governments, police and at least one anti-child abuse campaign group) thinks that privacy carries risks that must always be qualified through intervention.
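How a DoH lookup is packaged under RFC 8484, as an added example that is not code from Mozilla, Cloudflare or the original article: the DNS question is base64url-encoded into the HTTPS request itself, so in transit it sits inside TLS like any other web request. The resolver host `doh.example` and the function names are placeholders chosen for illustration, and nothing is sent over the network.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS question in RFC 1035 wire format (qtype 1 = A record)."""
    # ID 0 (RFC 8484 recommends it for HTTP cache friendliness), RD flag, 1 question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("each DNS label must be 1 to 63 bytes")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_request(name: str, host: str = "doh.example") -> str:
    """GET carrying the query, in HTTP/1.1 text form; host is a placeholder."""
    # RFC 8484: base64url of the wire-format message with padding stripped.
    dns_param = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return (f"GET /dns-query?dns={dns_param} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n\r\n")

def decode_qname(dns_param: str) -> str:
    """What the DoH resolver recovers after TLS is terminated."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    labels, pos = [], 12  # question section starts after the 12-byte header
    while raw[pos]:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

if __name__ == "__main__":
    name = "www.example.com"  # constructed sample lookup
    # Classic DNS: these bytes go out in a UDP/53 payload, labels readable in transit.
    print("plaintext wire query:", build_query(name))
    # DoH: the same bytes ride in the request line, encrypted by TLS to the resolver.
    request = doh_get_request(name)
    print(request)
    param = request.split("dns=")[1].split(" ")[0]
    print("resolver sees:", decode_qname(param))
```

The `dns=` value produced for `www.example.com` matches the GET example given in RFC 8484.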
Privacy conundrum
The arguments against DoH are technically involved but focus on one central objection.
For ISPs to block undesirable websites (child abuse, terrorism, copyright infringement, etc) they must filter traffic using a domain blacklist. Anything that successfully hides the domains people are visiting makes that approach redundant.
However, as has been pointed out, this layer of filtering can already be bypassed by visiting domains ISPs haven’t added to their blacklists, including ones hosted on the dark web that are only accessible using a browser like Tor.
Then there’s the small problem of VPNs, which not only hide DNS from surveillance but can also hide the user’s geolocation, with the result that they are also a simple way to beat the UK’s forthcoming and contentious law requiring age verification for anyone visiting a porn site (which DoH itself has no effect on, despite claims to the contrary).
The direction of travel is unmistakable – the ways for web users to hide their web habits are growing in number and becoming more affordable, including by using simpler domain shielding tools such as Cloudflare’s 1.1.1.1 app (which will soon be bundled into a full VPN called Warp) or Google’s equivalent, Intra.
DoH inside Firefox, then, is simply a technology that turns this kind of privacy into something anyone can access without having to do anything.
The danger in the publicity-seeking approach chosen by ISPA is that it ends up becoming a victim of the ‘Streisand effect’ – by complaining about it, ISPA may be encouraging the very thing it’s setting out to deter.
The reverse effect applies to Mozilla, which, privately, may not be too upset at being called out for implementing DoH, a technology it has not only strongly advocated but which has the powerful backing of the Internet Engineering Task Force (IETF) in the form of RFC 8484.
Arguably, spying on which domains people visit was always an easy fix for impressing politicians, one that dodged a lot of messier but more effective ways to track bad people in a targeted way.
If the ISPA and its members want to find a way out of this hole, they could do worse than invest time explaining the new realities to disappointed, frustrated lawmakers.