“Mozilla aren’t villains after all” – ISPs back down after public outcry

A few short days ago, we wrote up the news that Mozilla was up for an internet award…

…for cybervillainy!

We didn’t see that one coming, but it’s no lie: the UK Internet Service Providers Association (ISPA) shortlisted Mozilla for the dishonourable title of 2019 Internet Villain.

The other two entries on the villains’ list were US President DJ Trump, and the Article 13 Copyright Directive.

But why finger Mozilla, of all internet organisations, as a bunch of cyber-rogues?

Was it because Mozilla takes money from a well-known, wealthy and powerful search engine and online advertising company to help bankroll its own browser?

Was it Mozilla’s acquisition of Pocket, after which the organisation assured us it wasn’t “adding ads” but instead providing “sponsored content”?

Neither of these, apparently.

Seems it was all down to Mozilla’s enthusiastic adoption of a system called DNS-over-HTTPS.

DNS, as you probably know, is the global service that converts names like example.com into network numbers like 203.0.113.42, and HTTPS is the protocol that puts the padlock in your browser’s address bar.

Put them together and you have DNS-over-HTTPS: it’s a way of encrypting and authenticating your network lookups while you’re online.

Instead of everyone in the coffeeshop being able to sniff out the names of the online services you’re interested in, and perhaps also modifying the DNS results on the way back to misdirect you into harm’s way…

…your DNS list of “sites of interest” remains private, which in turns keeps you more secure against snooping, surveillance and sneaky substitutions.

In other words, DNS-over-HTTPS offers improved privacy, better resistance to unauthorised surveillance, and safer browsing.

If I unlawfully sniff out your DNS traffic so I know where you went, I’m violating your privacy. Merely by knowing where you surfed, without getting any details of what you actually surfed, I can infer an awful lot about you. I can probably piece together your daily routine, both at work and at home; figure out your likes and fears; learn which companies you do business with; guess which bank you use, the shops you frequent, the clubs you belong to, the hobbies you enjoy, the medical surgery you’re registered with, the sports teams you support; and much more.

Surely some mistake?

My immediate personal reaction to this “Villainy Award” nomination was to jump to the conclusion that Mozilla had accidentally ended up on the wrong list.

Surely, I thought, Mozilla should be in there with the 2019 Internet Heros nominees, which included Sir Tim Berners Lee, praised for his effort to “to rebuild trust and protect the open and free nature of the internet”?

As I wrote earlier this week:

In a world with GDPR – a regulation that was inspired in great part by the clear and present danger of over-aggressive data collection followed by poor data protection – then the encryption and authentication of DNS traffic is more important than ever.

It’s bizarre to recommend that people use secure browsers and check for the HTTPS padlock while at the same time demanding that they navigate around the internet in a way that is wide open to snooping and deliberate misdirection.

Having a secure browser with insecure DNS is like locking the cockpit door to protect aeroplane pilots during flight, but choosing a random passenger do the pre-flight clearance with air traffic control and insisting that the pilots trust the results.

I may have mixed my metaphors a bit there, but the ISPA’s announcement was bizarre enough to be baffling, and that’s my excuse – my mind was boggled.

OK, so there are various technical reasons why you might be against DNS-over-HTTPS, or at least why you might want to tackle DNS encryption in a different way.

For example, there are long-standing, lower-level protocols that already exist for securing DNS, so maybe we should finally be trying to make one of the existing alternatives stick instead.

But the ISPA’s reason for considering Mozilla villainous seems to have boiled down almost entirely to one issue: encrypting DNS queries at all.

Mozilla would suddenly make the internet too secure! Too private! Too safe! Too well-protected from busybodies, snoops and crooks!

Horror of horrors!

British ISPs would no longer be able to collect and collate the high-level internet browsing habits of all their innocent users just in case the data ever came in handy for busting ACTUAL CROOKS!

Danger, Will Robinson!

Aluta continua

Well, it seems that the voice of the people – a global outpouring of internet bafflement similar to my own comment above – has finally won the day.

The ISPA has now officially and publicly backed down and taken Mozilla off the Internet Villainy shortlist.

Sure, the ISPA’s statement isn’t an apology; the announcement includes a strongly-worded caveat running to six numbered points; and it all ends with the sanctimonious-sounding declaration that “there are numerous other areas that we could go into”…

…but, mercifully, they don’t.

The de-nomination also tries to persuade us all that “the villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message.”

Clearly.

That’s all I’m saying.