Apple, Cloudflare Join Forces To Encrypt DNS

from the long-overdue dept

Each time you visit a website, your browser interacts with a domain name system (DNS) resolver that converts web addresses to an IP address understood by the machines along your path. Historically however this traffic exchange isn't encrypted, making it possible for your broadband provider or another third party to monitor your browsing data based on your DNS queries. DNS inventors in the 80s didn't really bet on a future where all DNS queries would be tracked, monetized, or weaponized by third parties.

Experts for a while have been arguing (including here at the Techdirt Greenhouse policy project) that it's important that we start encrypting these pathways to bring a little more security and privacy to the equation. Companies like Mozilla have been at the forefront of implementing "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Recently, even Comcast (a company that's no stranger to monetizing your online habits) joined Mozilla's efforts to take the idea mainstream.

But even DNS over HTTPS (DoH) doesn't fully thwart DNS resolvers from seeing your browsing activity. Enter a new joint effort from Cloudflare and Apple, who say they have joined forces to back a new internet protocol dubbed ODOH, based in turn on existing research out of Princeton (pdf). Cloudflare explains how it works this way:

"ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only the user has access to both the DNS messages and their own IP address at the same time."

The changes shouldn't add any perceptible latency to browsing speed, but should notably improve user and overall internet security. A good thing in a country that still doesn't seem to think even a modern, simply privacy law for the internet era is necessary to protect the security of the internet and public safety. But as Zack Whitacre at TechCrunch notes, steps still need to be taken to ensure no single party controls both the DNS resolver and proxy:

"A key component of ODoH working properly is ensuring that the proxy and the DNS resolver never “collude,” in that the two are never controlled by the same entity, otherwise the “separation of knowledge is broken,” Sullivan said. That means having to rely on companies offering to run proxies."

Cloudflare told TechCrunch that several partner organizations are already running proxies, allowing for folks to give the system an early spin if they use Cloudflare's security-focused 1.1.1.1 DNS resolver. Everybody else will need to wait until the new protocol comes standard as part of your OS or browser, which depends on how long it takes for the Internet Engineering Task Force to finalize the proposal. That could take months or years, but in a world where your every waking online movement is increasingly tracked and monetized, it should be a welcome shift whenever it finally drops.

Filed Under: dns, dns over https, doh, encrypted dns, odoh
Companies: apple, cloudflare

Mozilla: ISPs Are Lying About Encrypted DNS, Should Have Privacy Practices Investigated

from the ill-communication dept

In a bid to avoid losing access to the cash cow that is your daily browsing data, ISPs like Comcast have been lying about Google and Mozilla's quest to encrypt DNS data. The effort would effectively let Chrome and Mozilla users opt in to DNS encryption -- making your browser data more secure from spying and monetization -- assuming your DNS provider supports it. Needless to day, telecom giants that have made billions of dollars monetizing your every online behavior for decades now (and routinely lying about it) don't much like that.

As a result, Comcast, AT&T, and others have been trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah).

Mozilla this week came out with a letter not only taking aim at those claims, but urging Congress to investigate telecom's long history of privacy problems:

"Our recent experience in rolling out DNS over HTTPs (DoH)—an important privacy and security protection for consumers—has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage," the letter, signed by Marshall Erwin, senior director of trust and security and Mozilla, reads. "With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation."

While there's obviously plenty of perfectly legitimate criticism of Silicon Valley giants like Facebook and Google, we've been noting how telecom lobbyists have been quietly co-opting this backlash to help the telecom sector. So far you'd have to view these efforts as successful; while the government hyperventilates about Facebook and whether it should be broken up and heavily regulated, telecom has convinced lawmakers to effectively obliterate all oversight of telecom, despite the sector having historically been every bit as terrible as Facebook on the subjects of privacy, consumer rights, and competition.

As a result there are a few lawmakers (Marsha Blackburn comes quickly to mind) who claim to be utterly incensed at Facebook's behavior, but have chosen to give telecom a free pass. Mozilla's letter urges Congress to, you know, stop doing that if they want to be taken seriously:

"We believe that more information regarding ISP practices could be useful to the Committee as it continues its deliberations on this front, and we encourage the Committee to publicly probe current ISP data collection and use policies."

As we look to craft what the privacy standards and guidelines of tomorrow look like, it's another reminder of how focusing too exclusively on the missteps of Silicon Valley giants obscures the fact that these problems aren't just exclusive to "big tech." Mozilla's spot on when it notes that privacy solutions that don't consider telecom aren't much of a solution in the first place.

Filed Under: congress, dns over https, doh, encrypted dns, privacy, security
Companies: at&t, comcast, google, mozilla, verizon

Comcast Insists It's An Innocent Little Daisy On Consumer Privacy

from the zero-credibility-left dept

Both Mozilla and Google have begun pushing encrypted DNS via their respective browsers, making it more difficult for outsiders to monitor and/or monetize your daily browsing habits. Not too surprisingly the broadband industry, which has a long, proud history of covertly collecting and selling this data, isn't particularly happy about this evolution. With the help of unskeptical news outlets, telecom lobbyists have been trying to convince the government that what Mozilla and Google are up to is somehow nefarious, going so far as to (incorrectly) claim the move is even an antitrust violation.

Last week, Motherboard published Comcast documents highlighting how Comcast has been also trying to convince gullible lawmakers that the move to encrypt DNS traffic somehow poses a threat to national security and the sacred DC tech policy pixie dust that is 5G:

"The unilateral centralization of DNS raises serious policy issues relating to cybersecurity, privacy, antitrust, national security and law enforcement, network performance and service quality (including 5G), and other areas," Comcast said in the presentation. "Congress should demand that Google pause and answer key questions," a section of the presentation reads. "Why is Google in such a rush?" reads another.

But Comcast's claims are false. Neither Google nor Mozilla are forcing their browser users to do anything. Users are simply being presented with the option to encrypt their DNS traffic -- if their current DNS provider supports it. The move would not switch users to Google's DNS servers by default, either, so the centralization claim is false. In short, you'll be surprised to learn, Comcast is lying about what the proposal will do. Why? It makes it harder for the telecom sector to spy on -- and monetize -- your daily browsing behavior.

In the wake of the leak, Comcast published a new blog post attempting to frame itself as an innocent little daisy on consumer privacy issues, going well afield to pretend that it doesn't actually monetize its users data:

"We play an important role as an Internet Service Provider in connecting you to whatever you want to do online. Whether you’re browsing the Internet or managing your connected home, we’re always working to protect your privacy and keep your information secure. We’re in the business of giving you a great Internet experience with products and services like xFi’s parental and WiFi control features; we are not in the business of selling your information."

The blog post is painfully careful with word choice as the company attempts to pretend it doesn't monetize user data. For example throughout the post Comcast carefully insists it doesn't track the websites you visit "through your broadband connection," though it's possible to track that same data at the heart of Comcast's network (technically not "your connection"). Similarly, Comcast insists it "deletes the DNS queries generated by our Internet customers every 24 hours," even though 24 hours remains plenty of time to monetize that data. And the company insists it doesn't "sell information that identifies who you are to anyone" -- an obvious nod to the fact that Comcast anonymizes this data first before selling it (researchers have long noted this data isn't really anonymous).

As Comcast attempts to vilify efforts to secure DNS, it's attempting to lean on privacy credibility it doesn't actually have. If Comcast's such a big fan of privacy, why did it lobby ferociously to eliminate modest and popular FCC broadband privacy rules in 2016? Comcast has also expressed interest in charging users more money to protect their privacy, in effect making privacy a luxury option. Privacy has long been the last thing on the mind of most major telecom players, who've historically seen zero real oversight as they repeatedly lie about what they do with subscriber data.

Even if Comcast was being honest here (which researchers, Google, Mozilla, and consumer groups all say they're not), between the privacy and net neutrality fights, the company has made it abundantly clear it no longer has serious credibility on policy issues. Meaning that even if Comcast engineers had legitimate concerns with how encrypted DNS is being implemented, the company's repeated policy falsehoods have ensured nobody's going to be believing them anytime soon.

Filed Under: dns over https, doh, encrypted dns, isps, privacy
Companies: comcast

Telcos And Rupert Murdoch Pushing Nonsense Story That Google Helping Keep Your Internet Activity More Private Is An Antitrust Violation

from the oh-really-now? dept

There are all sorts of reasons and ways to hate on big internet companies these days, but as we've warned, some of them are in conflict with one another -- though that doesn't seem to stop those who keep pushing the narrative forward from blindly repeating them anyway. The latest is a positively bonkers article in the Wall Street Journal arguing that Google's (somewhat middle of the road) support for DNS over HTTPS (DoH) is potentially an antitrust violation worthy of Congressional action.

This is (1) utter nonsense and (2) driven by telcos looking to undermine consumer privacy. So if you're a pro-privacy Google hater, you might want to at least reconsider supporting this particular line of attack. If you are unaware, under the current DNS system, you still leak some key metadata every time you visit a site to your DNS provider (which is usually, but not always, your broadband/internet access provider). It used to be that those providers could collect even more, page-level, information, but that is less and less true as more and more of the web itself is encrypted with HTTPS. DoH is an attempt to encrypt the last bit of info that leaks when you surf -- the metadata about the top level domains you are visiting. Mozilla has been strongly pushing support for DoH, and will plan to move most public Firefox users to DoH in the relatively near future. Google, on the other hand, is supportive of the standard, but has shown no inclination to adopt it nearly as widely as Mozilla.

Either way, done correctly, DoH protects your privacy and stops the fairly large metadata loophole that has allowed DNS providers (generally your telco/broadband provider) from being able to snoop on everywhere you surf. There are some reasonable concerns that if browsers automatically force users to use specific DNS resolvers for DoH that it could, potentially, lead to more control/centralization of both those servers, but as EFF points out in the link above, that's mitigated by more ISPs simply adopting DoH themselves.

The problem, of course, is that the biggest telcos, such as AT&T, Verizon, and Comcast don't want to stop spying on you and all of your internet habits. And, so, rather than adopting DoH, they're trying to undermine DoH entirely by pretending that Google's lukewarm interest in supporting DoH is, itself, an antitrust violation. What's kind of incredible, however, is just how open they are about this plan, and that's it's entirely about preventing the big broadband providers from spying on your traffic:

“Because the majority of world-wide internet traffic…runs through the Chrome browser or the Android operating system, Google could become the overwhelmingly predominant DNS lookup provider,” a coalition of internet service providers said in a Sept. 19 letter to lawmakers. “Google would acquire greater control over user data across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries.”

They urged lawmakers to call on Google not to impose the new standard as a default standard in Chrome and Android.

Google, for it's part, reiterated (as it has in the past) that it has no plans to force users into using its own DNS offerings. While the Wall Street Journal report at least quotes some pushback on this claim, it still seems to present this mostly as a credible antitrust concern, when the reality is that it's clearly an attempt by big broadband players to play an antitrust card to (1) attack Google and (2) to prevent Google from helping consumers better protect their own internet privacy.

There are, of course, plenty of legitimate concerns that people have about Google's own privacy practices. But pushing people towards DoH is a good thing. A few months back we saw UK ISPs laughably attack Mozilla's plans to support DoH by calling the company an "internet villain" claiming that better protecting your privacy would undermine "internet safety standards." To be clear: this is nonsense. What they mean is, like with other forms of encryption, it might make a very tiny number of criminals marginally harder to track down. But, on the flip side, it will massively protect everyone else's privacy from overly snoop happy broadband providers.

We've noted for a while how hypocritical it is for people to focus on "antitrust" and "privacy" claims about the big internet companies, while ignoring the much larger problems on both fronts regarding broadband companies. Similarly, we've talked about how many of the attacks on "big tech" are quietly driven by the big broadband players quietly fanning the flames. But this story combines all of that. It's the big broadband players/telcos pushing a totally bogus monopoly story against Google (which makes no sense at all if you understand the details, and which wouldn't even be a potential monopoly concern at all if those very same broadband companies adopted DoH themselves), in order to stop Google from better protecting your privacy -- so that the broadband providers can better snoop on you.

And, a side note: Rupert Mudoch's Wall Street Journal has been one of the worst in pushing these misleading anti-Google/Facebook stories over the last few months, which is, again, no surprise at all, as it's been revealed before that Murdoch has been eager to attack Google and Facebook and has no problem using the Wall Street Journal to do so. While this story at least includes some balance, the entire narrative arc of it seems to follow the telcos talking points -- and it's notable that while it briefly quotes a section of the telcos letter to Congress, it fails to post the entire letter. I wonder why...

Either way, this kind of thing undermines any serious discussion of either privacy or competition online, by mixing up and conflating an attempt to better protect privacy, and pretending it's an antitrust violation.

Filed Under: antitrust, competition, dns over https, doh, privacy, rupert murdoch, snooping, telcos
Companies: google, mozilla