Senators Wyden & Rubio Ask Google And Amazon To Bring Back Domain Fronting
from the it's-important dept
Earlier this year we wrote about the bad decisions by both Google and Amazon to end domain fronting. Domain fronting was a (somewhat accidental) way in which services could effectively hide certain traffic to make it quite difficult for, say, authoritarian regimes in Iran or China to block the traffic. For that reason, domain fronting was an important tool in keeping services like Signal's encrypted communications platform working for activists and dissidents in such places.
Amazon and Google claimed that they never intended to allow domain fronting, and that while it helped those services work in such places it might also lead to much broader blocks by those countries trying to get at the fronted communications. Now, in an interesting move, Senators Ron Wyden and Marco Rubio have sent both companies a letter asking them to reconsider.
Both your companies have benefited enormously from the free and open internet protected by the United States and its allies. Indeed, your previous role in facilitating these internet freedom tools by permitting domain fronting was neither a mistake nor a secret. Senior Google officials have publicly referenced traffic obfuscation with admiration and support. Moreover Google even contributed financial resources to advance research in the field. This technology was a central part of an internet freedom agenda that your companies (and the technology industry more broadly) promoted as a part of its public image.
Regrettably, your recent decision to ban the practice of domain fronting will prevent millions of people in some of the most repressive environments including China, Iran, Russia and Egypt from accessing a free and open internet. Dissidents, pro-democracy activists, and protesters living under authoritarian regimes need access to secure communications enabled by domain fronting techniques to stay safe and organize.
Governments with anti-democratic agendas may put significant pressures on technology companies to help enable their censorship and surveillance of the internet. American technology companies, which have flourished in our free and open society, must join in the effort to resist such pressure. While this may seem like a reasonable business decision in the short term, it will ultimately do far more harm to your companies and the network of which you have been a core part.
The letter then presents two specific questions the Senators would like the companies to respond to:
1. What steps did your companies take, prior to prohibiting domain fronting, to determine whether it was possible to prohibit its use by malicious actors, while still permitting positive uses, including U.S. government-supported internet freedom tools?
2. After deciding to take action to limit the use of domain fronting, what efforts, if any, did your companies take to minimize the disruption to U.S. government-supported internet freedom tools and platforms relied on by human rights activists, journalists, members of faith communities and civil society groups? What steps have your companies taken, or do you plan to take, to mitigate the effect that your decision to end domain fronting has had on internet anti-censorship tools and platforms?
It's good to see these Senators speak out against both Google and Amazon on this move. Hopefully it leads both companies to reconsider their decision on this one.
Filed Under: activists, authoritarian regimes, censorship, communications, domain fronting, marco rubio, ron wyden
Companies: amazon, google, signal
Reader Comments
The direction we are headed
It is disappointing, but understandable, that they left out the USofA. When is too soon to classify the US as repressive?
It will be too late at some point.
[ link to this | view in chronology ]
Ron Wyden gets it
It will be sad when he's gone and there's nobody there to speak for those of us who care about privacy, protections, rights, and freedoms. (Grandstanding aside.)
E
[ link to this | view in chronology ]
Re: Ron Wyden gets it
The first is hope. Hope that someone with integrity will run for office and disguise that integrity long enough to gain office.
The second is to change the system. Get rid of parties, get rid of money in politics (let anyone, not just the rich or connected run), change the way lobbying works. We cannot get rid of lobbying, but we can 'adjust' laws so that any money (any free lunch or flights or contributions, or considerations from third parties or...etc.) part of lobbying is considered bribery, and aggressively prosecuted (I know, chicken or egg).
I know I have been plugging that second choice for quite a while, but it really seems like the only way out. Now, how do we get there?
[ link to this | view in chronology ]
Re: Re: Ron Wyden gets it
Based on Citizens United, we might need a constitutional amendment at this point. Start bugging your state representatives to do it.
[ link to this | view in chronology ]
Re: Re: Re: Ron Wyden gets it
I am not so sure that an amendment is necessary. Look to the Election Commission where the concept of money is speech started. They could make the change. Getting them to do so is the problem. Politicians are happy with the current state of affairs and stack the Election Commission to continue the current status quo. But current politicians are dependent upon that 'free' money to get reelected, or their own personal bank accounts. And power has certain attractions, for the weak and maybe for everyone without the requisite level of integrity, and they face not being reelected.
The issue of a constitutional amendment bears the same problem. Those in office benefit from the current system, and it would take integrity and a personal commitment to democracy, as pure as a republic can get to pure democracy, to overcome the current situation. Even for those inclined, the strings pull from various directions.
Now how do we get there, without violence?
[ link to this | view in chronology ]
Re: Re: Ron Wyden gets it
How?
Freedom of association explicitly allows the existence of political parties.
[ link to this | view in chronology ]
Re: Re: Re: Ron Wyden gets it
I can think of a couple of easy, immediate steps, though:
1) Remove the ability for someone to vote by party. Those checkboxes on ballots that let people just say "vote Republican" or "Vote Democrat" can go away.
2) On the Ballot, none of the candidates for anything can be listed alongside their party. It's similar to the first paragraph, but this one's easy enough to implement. Ballot just has the names.
3) Candidates are listed on the ballot in alphabetical order, or random assignment.
This would remove a lot of the official recognizance of there being "two parties." People going to vote can no longer just vote by the party without thinking about it - if they do want to vote Republican or Democrat, they have to know which candidates are which.
Sure, in a Presidential election everyone will know which is which, but there's a lot of party-based voting for less heavily publicized positions as well.
[ link to this | view in chronology ]
Re: Re: Re: Re: Ron Wyden gets it
Which basically just turns the parties into the biggest and best-funded PACs in the country. I'm not sure what would change.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Ron Wyden gets it
Mostly what I want is a wider-spread societal distaste for leaders of the whole nation who would dare subscribe to divisive politics. "Oh, that candidate identified as a Republican/Democrat/Green Party, he's an asshole."
A pipe dream - but on the other hand, I can just start treating every politician that way and see how people around me react.
[ link to this | view in chronology ]
Re: Re: Re: Ron Wyden gets it
Remove the rules in Congress that purport a majority and minority standing. I have no problem with parties, so to speak. I have a problem with them having power greater than the electorate. Let them exist, take away any power they have to control candidates for election or to control legislation on a party basis.
This is not a new idea and we might listen to our first President as well as some who went before him. We have a long history of 'partisanship' where there should have been anti-partisanship, except for party loyalty, which leads to political support and reelection. I recommend reading that Wikipedia page to better understand what was thought about political parties when our nation was formed. Pay special attention to George Washington's farewell speech, after he had some experience with parties.
Political parties are not constitutionally demanded, and while they could continue to exist, there is ample opportunity to reduce, or better yet eliminate, their control over our system. The problem is how to get people with power (and likely addicted to) to give up their power, for the good of the nation.
[ link to this | view in chronology ]
Re: Re: Re: Re: Ron Wyden gets it
I'd add ranked-choice voting as an obvious way to reduce the power of the two major parties.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Ron Wyden gets it
That idea has the same problems as others I have espoused, how to get them implemented. Getting one's foot in the door (so to speak) and getting entrenched politicos to give up their 'power' is what is at issue.
Getting 'rid' of parties, to me, is the same as removing their power. Power not given from the Constitution. Letting like minded people talk to each other is not part of what I think about when considering the issue. Letting them take a 'majority' position in Congress and allow or not allow legislation to the floor for a vote (for example) is. Or putting a particular candidate up for election. Or to hold 'national conventions' that determine who is on the ballot. These and other things are what takes 'belonging' to a party beyond 'like people communicating with each other'. That control that seeped in, over time, and is wrong.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Ron Wyden gets it
In a smaller-scale election system, such as one for school board or city council, there are fewer people who need to be persuaded, so it's easier to meet with enough of them and explain the matter well enough to convince them on an individual basis.
Once the system is in use at that lower level, you have something to point to as a reference, in trying to convince people at the next level up - county elections, for example.
Then as the system expands at lower levels, use that as support to argue for implementing it at the state level.
Then once enough states are using it, use that as support to implement it for federal elections - which, by the way ranked-preference voting functions, would probably require eliminating the electoral college. (And therefore would require a constitutional amendment.)
That way, even if the attempt to push it up the stack fails (whether permanently or temporarily) at some point in the process, in some part(s) of the country, you still have some of the benefits of ranked-preference voting within those smaller scopes.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Ron Wyden gets it
Rather than congress trying to sell a bill that answers all questions (and lines all pockets), why not introduce bills that only do one thing and vote them up or down based solely upon its merits.
... and then there is corruption - with this in play, all bets are off.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Ron Wyden gets it
this sounds similar to single-subject rules found in many state constitutions. an amendment is also being worked on by a 527 superpac among others.
[ link to this | view in chronology ]
Re: Re: Ron Wyden gets it
And once in they have to register interests including "gifts" received and from whom and there are rules about what they can accept.
I don't think you can ever get rid of parties but even here I would like people to think more and vote for persons (who may represent a party) that will best represent them and those persons should be able and willing to go against their party where conscience or local needs require it.
[ link to this | view in chronology ]
Re: Ron Wyden gets it
I agree that Wyden is very unusual in his combination of advocacy and technical literacy. But I like to think we'll have other advocates in his mold.
Ted Lieu in the House has a pretty good record on civil liberties, plus a BS in CompSci.
[ link to this | view in chronology ]
Domain fronting is a security issue domestically.
https://gbhackers.com/domain-fronting-a-new-technique-for-hiding-malware-command-and-control-c2-traffic-within-a-content-delivery-network/
[ link to this | view in chronology ]
Re: Domain fronting is a security issue domestically.
Encryption can be used to protect the privacy of individuals from unreasonable search and seizure, but it is also used to hide information that aids criminals, including hiding illicit images and communications. Congress should not be telling Google and Apple to let encryption prevent us from finding and punishing criminals.
[ link to this | view in chronology ]
Re: Domain fronting is a security issue domestically.
Encryption's only going to improve. There's ongoing work to encrypt DNS lookups (DNS over HTTPS) and encrypt the hostname during TLS/HTTPS negotiation ("encrypted SNI").
[ link to this | view in chronology ]
So, Google to be used for societal good, NOT just gain money?
Your usual consistency: ZERO.
[ link to this | view in chronology ]
Google and Amazon have developed a taste for authoritarian cock.
[ link to this | view in chronology ]
They are going to have to take turns with ol blue there.
[ link to this | view in chronology ]
I'm a bit confused here. Wyden and Rubio just asked AWS and Google Compute to become cops of all hosted content on their services.
This sounds a lot like asking for YouTube's ContentID on their hosted services.
[ link to this | view in chronology ]
Wyden and Rubio Together?
[ link to this | view in chronology ]
Would this "free and open internet" be before or after Google pays the $5 billion to an ally.
[ link to this | view in chronology ]
To a sufficiently ignorant observer, any technology is...
A: That seems obviously impossible, and we don't remember taking any "steps" to verify that. Why? Do you know something we don't? Please, if you know a way to do it, tell us! If it works we'll admit you're better engineers than we are, and give you stock options and gold medals and your pictures will be on every front page. Seriously, why do you politicians keep asking this question, about every new tool we invent? The answer is that we don't see any way to do that, so will you please stop blaming us for all human evil, and telling us to look harder?
[ link to this | view in chronology ]
Re: tl;dr
We're not just talking about encryption here. Domain fronting relies on the CDN (in this case Google or Amazon) reading the destination -- a site on the same CDN -- from the HTTP header and redirecting to it.
The CDN -- let's say Google, for example -- knows where the traffic is coming from and where it's going; in fact, it's going to one of Google's customers.
Now, the traffic is encrypted, and Google doesn't know what's in it and what its ultimate destination is. That much is true. But as I understand it, the reflector knows where the traffic is going.
So Google has an option for an administrative fix: require any client running a reflector to agree to blacklist certain destinations. You couldn't stop all "bad guy" traffic, but you could block major "bad" sites. And it should be simple enough for Google to test whether its customers were complying.
The question is whether this would be desirable. Blocking major criminal sites would merely force people looking for criminal sites to less well-known ones (much as SESTA has pushed sex trafficking underground). And of course who gets to decide what sites to blacklist? Once Google introduces a blacklist mechanism, every oppressive regime is going to demand Google blacklist the sites it doesn't like, which would defeat the purpose.
I think I agree with you that there's no good solution to the "let the good guys in but keep the bad guys out" question. But I think that's more for political and administrative reasons than technical ones.
[ link to this | view in chronology ]
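The mechanism discussed in the comment above comes down to a mismatch between the hostname sent in the TLS handshake (SNI) and the HTTP Host header the CDN routes on. As an added example (not from the post, the commenters, or either company), this sketch shows the comparison an edge proxy could apply to refuse such mismatches; the function names, the constructed tenant table and the choice of HTTP 421 are assumptions.

```python
# Added example: hypothetical edge-proxy policy, not any CDN's actual code.
from dataclasses import dataclass

# Constructed sample data: hostname -> customer account that owns it.
TENANTS = {
    "www.shop.example": "cust-1",
    "img.shop.example": "cust-1",
    "other.example": "cust-2",
}


@dataclass
class Decision:
    allow: bool
    status: int   # HTTP status the edge would answer with
    reason: str


def normalize_host(value: str) -> str:
    """Lower-case a hostname and drop any port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # host:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def same_customer(outer: str, inner: str) -> bool:
    """True when both hostnames belong to the same (known) customer."""
    owner = TENANTS.get(outer)
    return owner is not None and owner == TENANTS.get(inner)


def check_request(sni, host_header, same_tenant=None) -> Decision:
    """Decide whether `host_header` may be served on a connection opened with `sni`.

    same_tenant is an optional callable(outer, inner) -> bool for operators that
    let one customer's hostnames share a connection (an assumed policy knob).
    """
    if not host_header:
        return Decision(False, 400, "missing Host header")
    inner = normalize_host(host_header)
    if not sni:
        # Nothing to compare against; this sketch refuses rather than guesses.
        return Decision(False, 421, "no SNI on connection")
    outer = normalize_host(sni)
    if outer == inner:
        return Decision(True, 200, "SNI and Host match")
    if same_tenant is not None and same_tenant(outer, inner):
        return Decision(True, 200, "different hostnames, same customer")
    # 421 Misdirected Request: this connection is not authoritative for Host.
    return Decision(False, 421, f"SNI {outer!r} does not match Host {inner!r}")
```

The strict form (no `same_tenant`) blocks every fronted request regardless of purpose, which is the trade-off the thread is arguing about.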
Re: Re: tl;dr
But everyone was just using Google and Amazon to bridge to Tor, tunneled over HTTPS, so there is literally no way to stop bad guys without breaking or blocking Tor, one of those USA-sanctioned internet freedom tools.
[ link to this | view in chronology ]