Mozilla says ISPs are lying to Congress about encrypted DNS

Mozilla on Friday posted a letter urging Congress to take the broadband industry’s lobbying against encrypted DNS within Firefox and Chrome with a grain of salt – they’re dropping “factual inaccuracies” about “a plan that doesn’t exist,” it says.

Both of the entities behind those browsers – Mozilla and Google – have been moving to embrace the privacy technology, which is called DNS over HTTPS (DoH). Also backed by Cloudflare, DoH is poised to make it a lot tougher for ISPs to conduct web surveillance; to hoover up web browsing activity and, say, sell it to third parties without people’s consent; or to modify DNS queries so they can do things like inject self-promoting ads into browsers when people connect to public Wi-Fi hotspots.

Those are just some of the ISP sins that Mozilla listed in its letter, which urged the chairs and ranking members of three House of Representatives committees to examine the privacy and security practices of ISPs, particularly with regards to the domain name services (DNS) ISPs provide to US consumers.

DoH isn’t a panacea – you can check out Paul Ducklin’s explanation of the issues it raises in the Naked Security podcast below – but it promises to at least seriously gum up tracking and monetization of data.

In September, Mozilla announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. Within days, Google issued a me-too, officially announcing its own DoH experiment in Chrome.

Unsurprisingly, the ISPs have sputtered, and not without some good reasons. For example, it’s been argued that law enforcement can do less surveillance if they can get at histories of what potentially sketchy IP addresses people have sniffed at X years ago. Things have gotten pretty testy: Mozilla has drawn flak from the UK Internet Service Providers Association (ISPA), which called it an ‘Internet Villain’ for helping to block internet filtering policies in the UK and interfering with the government’s internet filtering laws, particularly when it comes to age verification requirements to view porn.

(To help with cases such as that of the UK and its internet filtering requirements, Mozilla’s DoH by default can be turned off.)

Mozilla says it’s not surprising that the work it’s been doing on DoH has prompted the ISPs to try to throw up roadblocks. One such was a letter sent to Congress by Big Telecom associations in September that, Mozilla said, was full of “factual inaccuracies.”

In September, Ars picked apart the ISPs’ claims, which were mostly about Google’s DoH experiment with Chrome. The ISPs claimed, wrongly, that Google plans to automatically switch Chrome users to its own DNS service.

It’s not. Its plan is: “check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider.” If the user-selected DNS service isn’t on that list, Chrome wouldn’t bump that user and instead would just leave their setup as is.

Mozilla’s default DNS provider is Cloudflare, but given its small market share, that apparently isn’t much of a concern to the ISPs.

Mozilla Senior Director of Trust and Security Marshall Erwin, who authored Mozilla’s letter to Congress, told Ars that the arguments ISPs made to lawmakers – specifically, their claims about Google’s plans – are “premised on a plan that doesn’t exist.” The intent is to sow fear, he said:

The focus of the lobbying effort has been on using Google as a boogeyman, given a lot of the antitrust concerns that exist today, to drive a lot of uncertainty about the potential implications of DNS over HTTPS.

To soothe some of that fear and doubt, Mozilla has published this FAQ about DoH.

For more details about the complexities and issues behind the new privacy technology, please do listen in as Paul Ducklin explains it in this Naked Security podcast (DNS-over-HTTP section starts at 31’36”. Click-and-drag on the soundwaves below to skip ahead):