ISPs Lied to Congress About Encrypted DNS

By Jon Brodkin, Nov 4, 2019 | Orgiginal Ars Technica article here.

A Firefox logo is seen outside Mozilla's office in San Francisco.

ISPs lobby against DNS encryption, but Mozilla tells Congress not to trust them as they just spread confusion

Mozilla is urging Congress to reject the broadband industry’s lobbying campaign against encrypted DNS in Firefox and Chrome.

The Internet providers’ fight against this privacy feature raises questions about how they use broadband customers’ Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies."

DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote.


Further Reading

  • Link to Why big ISPs aren’t happy about Google’s plans for encrypted DNS
  • Link to Comcast fights Google’s encrypted-DNS plan but promises not to spy on users]


This part of Erwin’s letter referred to an Ars article in which we examined the ISPs’ claims, which center largely around Google’s plans for Chrome. The broadband industry claimed that Google plans to automatically switch Chrome users to its own DNS service, but that’s not what Google says it is doing. Google’s publicly announced plan is to "check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider." If the user-selected DNS service is not on that list, Chrome would make no changes for that user.

ISPs complain about “a plan that doesn’t exist”

Mozilla actually is planning to switch Firefox users to a different DNS provider by default, specifically Cloudflare’s encrypted DNS service. But ISPs are apparently less concerned about Firefox than Chrome because of Firefox’s smaller market share.

In addition to the broadband-industry letter to Congress, Comcast has been giving members of Congress a lobbying presentation that claims the encrypted-DNS plan would "centraliz[e] a majority of worldwide DNS data with Google" and "give one provider control of Internet traffic routing and vast amounts of new data about consumers and competitors." Comcast and other ISPs are urging Congress to intervene.

But a number of the arguments ISPs made to lawmakers are "premised on a plan that doesn’t exist," Erwin told Ars last week, referring to the ISPs’ claims about Google.

"The focus of the lobbying effort has been on using Google as a boogeyman, given a lot of the antitrust concerns that exist today, to drive a lot of uncertainty about the potential implications of DNS over HTTPS," Erwin said.

Mozilla’s letter to Congress said the ISP lobbying against encrypted DNS amounts to telecom associations "explicitly arguing that ISPs need to be in a position to collect and monetize users’ data. This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use."

Mozilla was referring to ISPs lobbying Congress to kill broadband privacy rules in 2017. The federal government’s decision to eliminate privacy rules at the broadband industry’s request means that home and mobile Internet providers are not prohibited from using customers’ browsing histories to sell targeted ads or from sharing customers’ browsing histories with third parties.

Mozilla Cites ISPs’ History of Abusing Data

ISPs have consistently claimed such rules aren’t necessary because they aren’t violating users’ privacy. But their objections to DNS over HTTPS "has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over Internet usage," Mozilla told Congress. Mozilla said it believes the privacy upgrade has "become necessary to protect users in light of the extensive record of ISP abuse of personal data."

That ISP abuse includes mobile providers selling real-time location data "to third parties without user knowledge or meaningful consent;" ISPs such as Comcast "manipulat[ing] DNS to serve advertisements to consumers;" Verizon’s use of "supercookies" to track Internet activity; and AT&T charging customers an extra $29 per month to avoid "the collection and monetization of their browsing history for targeted ads," Mozilla told Congress.

Web users are tracked by Google, Facebook, and other advertising companies, of course. ISPs, though, have "privileged access" to users’ browsing histories because they act as the gateway to the Internet, Erwin said to Ars.

There is already "remarkably sophisticated micro-targeting across the Web," and "we don’t want to see that business model duplicated in the middle of the network," he said. "We think it’s just a mistake to use DNS for those purposes."

Mozilla’s Plan for Firefox

When Mozilla’s plan is implemented, Firefox users will be automatically switched to a DNS provider that uses encrypted DNS and has a strong privacy policy. So far, Cloudflare is the only such provider that Mozilla is working with. Erwin said Cloudflare’s privacy policy is "best in class" but said Mozilla is trying to bring on other "trusted" providers to give users a choice of which encrypted DNS service to use.

Mozilla is rolling encrypted DNS out to a small percentage of its user base for testing and intends to deploy it to all users in the US later on. The browser will notify users when encrypted DNS is turned on and provide a method for opting out, Erwin said. Users who don’t want to wait can already opt in to DNS over HTTPS by following these instructions.

"We think the default approach is the right one because consumers don’t have the technical sophistication or even the time to make an opt-in decision on something like this," Erwin told Ars. "We think it’s the appropriate role for the browser to set a strong privacy default."

Firefox won’t automatically enable encrypted DNS in some cases, however. When Firefox detects parental controls, it will leave the user’s existing DNS service in place, Erwin said. Firefox will also leave the existing DNS service in place for certain business users.

"Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that," Mozilla said in an announcement in September.

Mozilla answers other questions about how DNS over HTTPS will work in Firefox in this FAQ.

Mozilla has established specific policy requirements that DNS providers have to meet to earn a spot in Firefox’s encrypted-DNS program. For example, DNS resolvers must delete data that could identify users within 24 hours and only use that data "for the purpose of operating the service." Providers also "must not retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser."

Mozilla’s policy also forbids blocking or filtering content except when authorized by users or required by law. Mozilla further requires a public privacy notice that details the DNS provider’s data-retention practices as well as annual transparency reports that document how the DNS provider "will handle law enforcement requests for user data and that documents the types and number of requests received and answered, except to the extent such disclosure is prohibited by law."

Mozilla’s letter to Congress said that "ISPs often do not maintain privacy notices for their DNS services," so "it is unclear what data is being retained, how it is being used, or who it is being shared with." (Comcast said last month that it does not track its broadband users’ Web-browsing histories and that it deletes DNS queries generated by its Internet customers every 24 hours.)

Because there’s so little regulation of broadband providers’ privacy practices, Mozilla says it is up to browser makers to protect users. "Our approach with DoH attempts to close part of this regulatory gap through technology and strong legal protections for user privacy," Erwin wrote in the letter to Congress. But he urged Congress to act, too, writing that "to truly protect privacy, a combination of technical and regulatory solutions must be put in place."