The DoH front of the encryption debate remains heated. Mozilla is now accusing ISPs of lying to Congress about the technology.
When it comes to the debate on encryption, much of the attention is focused on the battle between Facebook and various governments around the world. In fact, our last update on that story discussed how Democrats are asking Attorney General William Barr to stop opposing encryption. The battle lines on that front are certainly important and worth keeping an eye on; however, it isn't the only front on which this war on encryption is being fought.
Another big front is government branches taking on Mozilla's DoH (DNS over HTTPS) encryption. We picked up the story in June of this year, when Mozilla had already spearheaded the initiative to bring users better encryption. At the time, government spy agencies were already attacking the initiative. In September, the Electronic Frontier Foundation (EFF) picked up on the story, praising the initiative as a way of better securing the privacy of users. In fact, it is suggested that this initiative patches one of the biggest privacy weaknesses in web browsing: conventional DNS lookups travel in cleartext (typically UDP port 53), so whoever carries the traffic, usually the ISP, can read every domain name a user resolves, even when the web connection itself is HTTPS. DoH moves those lookups inside an encrypted HTTPS connection to the resolver.
Then, in late October, news broke suggesting that big US ISPs are also behind the push to put an end to DoH. A leaked Comcast slide deck destined for Congress urges lawmakers to stop such encryption. Many point out that the likely motivation is ISPs' interest in pushing tracking and advertising onto their customers. DoH stands to thwart such an effort, so it may be at least one reason ISPs are trying to put a stop to it.
Now, it seems that Mozilla is firing back. From Naked Security:
Mozilla says it’s not surprising that the work it’s been doing on DoH has prompted the ISPs to try to throw up roadblocks. One such was a letter sent to Congress by Big Telecom associations in September that, Mozilla said, was full of “factual inaccuracies.”
In September, Ars picked apart the ISPs’ claims, which were mostly about Google’s DoH experiment with Chrome. The ISPs claimed, wrongly, that Google plans to automatically switch Chrome users to its own DNS service.
It’s not. Its plan is: “check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider.” If the user-selected DNS service isn’t on that list, Chrome wouldn’t bump that user and instead would just leave their setup as is.
Mozilla’s default DNS provider is Cloudflare, but given its small market share, that apparently isn’t much of a concern to the ISPs.
Mozilla Senior Director of Trust and Security Marshall Erwin, who authored Mozilla's letter to Congress, told Ars that the arguments ISPs made to lawmakers – specifically, their claims about Google's plans – are "premised on a plan that doesn't exist." The intent is to sow fear, he said.
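As an added example (this is not code from the article, from Mozilla, Google or any ISP), here is a small Python model of the two technical points in the excerpt above: the "same provider" upgrade check that Chrome is described as performing, and what a DoH query actually looks like under RFC 8484, namely an ordinary DNS wire-format message carried inside an HTTPS request instead of in a cleartext UDP packet the ISP can read. The resolver-to-endpoint table, the hypothetical ISP resolver 192.0.2.53 and the sample response are assumptions constructed for this example, not Chrome's real list or real traffic.

```python
"""
Added example, not from the article or any vendor. Models:

1. The "same-provider upgrade" policy described for Chrome: switch a user to
   DoH only when the plain-DNS resolver they already use is run by an operator
   that also offers a DoH endpoint; otherwise leave the configuration alone.
2. The shape of a DoH query (RFC 8484): a normal DNS message, base64url-encoded
   into a "dns=" GET parameter, sent over HTTPS. Nothing touches the network.
"""
import base64
import struct
from typing import List, Optional

# ASSUMED mapping (plain-DNS resolver IP -> DoH endpoint of the SAME operator).
# Illustrative only; it is not the list Chrome actually ships.
SAME_PROVIDER_DOH = {
    "1.1.1.1": "https://cloudflare-dns.com/dns-query",
    "1.0.0.1": "https://cloudflare-dns.com/dns-query",
    "8.8.8.8": "https://dns.google/dns-query",
    "8.8.4.4": "https://dns.google/dns-query",
    "9.9.9.9": "https://dns.quad9.net/dns-query",
}


def upgrade_resolver(configured_resolver: str) -> Optional[str]:
    """Return the DoH URL of the same provider, or None to leave the setup as is.

    This is the policy the excerpt describes: no silent move to a different DNS
    operator. An ISP resolver with no DoH service (e.g. the hypothetical
    192.0.2.53) stays on plain DNS.
    """
    return SAME_PROVIDER_DOH.get(configured_resolver)


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a one-question DNS query in RFC 1035 wire format.

    RFC 8484 recommends ID 0 for DoH so identical queries yield identical URLs
    (cache friendly); the HTTPS exchange, not the ID, pairs answers to queries.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """Client side: wrap the wire-format query in an RFC 8484 GET (base64url, no padding)."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_doh_param(param: str) -> bytes:
    """Server side: restore the stripped padding and recover the DNS message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_a_answers(response: bytes) -> List[str]:
    """Extract IPv4 addresses from the answer section of a DNS response message."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    pos = 12
    for _ in range(qd):  # skip the echoed question(s)
        while response[pos] != 0:
            pos += response[pos] + 1
        pos += 1 + 4  # root label, then QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        if response[pos] & 0xC0 == 0xC0:  # compression pointer to the question name
            pos += 2
        else:
            while response[pos] != 0:
                pos += response[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def sample_response(query: bytes) -> bytes:
    """CONSTRUCTED DoH response body for `query`: one A record, 203.0.113.10 (TEST-NET-3)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, 1 answer
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(upgrade_resolver("1.1.1.1"))     # same-provider DoH endpoint
    print(upgrade_resolver("192.0.2.53"))  # None: unknown ISP resolver, left as is
    url = doh_get_url(SAME_PROVIDER_DOH["1.1.1.1"], q)
    print(url)
    print(decode_doh_param(url.split("?dns=", 1)[1]) == q)
    print(parse_a_answers(sample_response(q)))
```

The point the example makes concrete: the only thing an ISP sees for a DoH lookup is a TLS connection to the resolver's HTTPS endpoint, because the domain name lives inside the encoded `dns=` parameter (or a POST body with content type application/dns-message). The upgrade function also shows why the "switch everyone to Google" claim does not match the described design: a resolver that is not in the same-provider table simply returns None.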
The article also points to an open letter to lawmakers from Mozilla. The letter reads, in part:
We are writing to express our concern about the privacy and security practices of internet service providers (ISPs), particularly as they relate to the domain name services (DNS) provided to American consumers. Our recent experience in rolling out DNS over HTTPS (DoH) – an important privacy and security protection for consumers – has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage. With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation.
Unsurprisingly, our work on DoH has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies. These have been examined in detail by others and as such will not be given an in-depth treatment here. Nonetheless, it is important to highlight the underlying premise of that letter: telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data. This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use.
If anything, this latest development demonstrates just how heated this front of the encryption debate is. It also continues to shift the focus away from government branches trying to undermine DoH and toward the commercial interests trying to undermine it. And it shows once again that each side believes the other is financially motivated to win on this front.
We’ll continue to monitor this story for any further developments as they arise.
Drew Wilson on Twitter: @icecube85 and Facebook.