Mozilla has asked American politicians to probe the data-collecting policies of US broadband giants, claiming the ISPs made false statements to derail DNS-over-HTTPS so that they can continue to snoop on subscribers' internet activities.
DNS-over-HTTPS (DoH) is a recently-ish developed technique to transmit domain-name queries – by which human-readable domain names like theregister.com get mapped to computer-friendly IP addresses like 22.214.171.124 – to a DNS server over an encrypted HTTPS connection rather than the unprotected old-fashioned way in plaintext. This wrapper of security ensures that the DNS service provider can answer the query while preventing eavesdroppers on the network from snooping on or tampering with the requests.
Mozilla and Google recently made DoH available in their respective browsers. So ISPs, worried about being denied user valuable data, are pushing back. In a letter [PDF] last month to members of US Congress, telecom industry groups urged lawmakers to look into Google's implementation of DNS. And the House Judiciary Committee has reportedly begun doing so, based on antitrust concerns. Meanwhile, Comcast privately lobbied in Washington DC against DoH.
A week ago, Google tried to dispel what it characterized as misconceptions about its DoH implementation. The Chocolate Factory insisted that it isn't forcing people to switch to its own DNS service, Google Public DNS, and that existing content controls won't be affected.
Rather than being so conciliatory Mozilla has opted to go on the offensive, urging lawmakers to look into why ISPs are lobbying against DoH.
"Right now these companies have access to a stream of a user’s browsing history," said Marshall Erwin, senior director of trust and security at Mozilla, on Friday. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DoH."
Erwin points to the 2017 Congressional repeal of the Broadband Privacy Order as a reason for current industry interest in user data. That rule change opened a privacy gap by removing a requirement that service providers had to seek permission to share and sell customer data.
Chrome devs tell world that DNS over HTTPS won't open the floodgates of hellREAD MORE
In his letter [PDF] to lawmakers, Erwin said the telecom groups' letter contains "a number of factual inaccuracies" – challenged [PDF] by advocacy groups supportive of DoH – and asked legislators to examine telecom industry data practices to understand what's happening to customer data.
Erwin cites a long history of ISP privacy abuses, including the sale of real-time location data, manipulation of DNS to serve ads, and the use of supercookies for user tracking, as justification for greater industry scrutiny.
"Telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data," Erwin said. "This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use."
Mozilla's goal, he said, is to prevent browsing activity from being intercepted, manipulated, and collected. Telecom providers like AT&T, Comcast, and Verizon, he suggests, have other ideas. ®