DoHn't believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers

Resistance to DNS-over-HTTPS deserves investigation into info-gobbling habits

Mozilla has asked American politicians to probe the data-collecting policies of US broadband giants, claiming the ISPs made false statements to derail DNS-over-HTTPS so that they can continue to snoop on subscribers' internet activities.

DNS-over-HTTPS (DoH) is a recently-ish developed technique to transmit domain-name queries – by which human-readable domain names like get mapped to computer-friendly IP addresses like – to a DNS server over an encrypted HTTPS connection rather than the unprotected old-fashioned way in plaintext. This wrapper of security ensures that the DNS service provider can answer the query while preventing eavesdroppers on the network from snooping on or tampering with the requests.

Mozilla and Google recently made DoH available in their respective browsers. So ISPs, worried about being denied user valuable data, are pushing back. In a letter [PDF] last month to members of US Congress, telecom industry groups urged lawmakers to look into Google's implementation of DNS. And the House Judiciary Committee has reportedly begun doing so, based on antitrust concerns. Meanwhile, Comcast privately lobbied in Washington DC against DoH.

A week ago, Google tried to dispel what it characterized as misconceptions about its DoH implementation. The Chocolate Factory insisted that it isn't forcing people to switch to its own DNS service, Google Public DNS, and that existing content controls won't be affected.

Rather than being so conciliatory Mozilla has opted to go on the offensive, urging lawmakers to look into why ISPs are lobbying against DoH.

"Right now these companies have access to a stream of a user’s browsing history," said Marshall Erwin, senior director of trust and security at Mozilla, on Friday. "This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DoH."

Erwin points to the 2017 Congressional repeal of the Broadband Privacy Order as a reason for current industry interest in user data. That rule change opened a privacy gap by removing a requirement that service providers had to seek permission to share and sell customer data.


Chrome devs tell world that DNS over HTTPS won't open the floodgates of hell


In his letter [PDF] to lawmakers, Erwin said the telecom groups' letter contains "a number of factual inaccuracies" – challenged [PDF] by advocacy groups supportive of DoH – and asked legislators to examine telecom industry data practices to understand what's happening to customer data.

Erwin cites a long history of ISP privacy abuses, including the sale of real-time location data, manipulation of DNS to serve ads, and the use of supercookies for user tracking, as justification for greater industry scrutiny.

"Telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data," Erwin said. "This is inconsistent with arguments made just two years earlier regarding whether privacy rules were needed to govern ISP data use."

Mozilla's goal, he said, is to prevent browsing activity from being intercepted, manipulated, and collected. Telecom providers like AT&T, Comcast, and Verizon, he suggests, have other ideas. ®

Broader topics

Other stories you might like

  • DigitalOcean tries to take sting out of price hike with $4 VM
    Cloud biz says it is reacting to customer mix largely shifting from lone devs to SMEs

    DigitalOcean attempted to lessen the sting of higher prices this week by announcing a cut-rate instance aimed at developers and hobbyists.

    The $4-a-month droplet — what the infrastructure-as-a-service outfit calls its virtual machines — pairs a single virtual CPU with 512 MB of memory, 10 GB of SSD storage, and 500 GB a month in network bandwidth.

    The launch comes as DigitalOcean plans a sweeping price hike across much of its product portfolio, effective July 1. On the low-end, most instances will see pricing increase between $1 and $16 a month, but on the high-end, some products will see increases of as much as $120 in the case of DigitalOceans’ top-tier storage-optimized virtual machines.

    Continue reading
  • GPL legal battle: Vizio told by judge it will have to answer breach-of-contract claims
    Fine-print crucially deemed contractual agreement as well as copyright license in smartTV source-code case

    The Software Freedom Conservancy (SFC) has won a significant legal victory in its ongoing effort to force Vizio to publish the source code of its SmartCast TV software, which is said to contain GPLv2 and LGPLv2.1 copyleft-licensed components.

    SFC sued Vizio, claiming it was in breach of contract by failing to obey the terms of the GPLv2 and LGPLv2.1 licenses that require source code to be made public when certain conditions are met, and sought declaratory relief on behalf of Vizio TV owners. SFC wanted its breach-of-contract arguments to be heard by the Orange County Superior Court in California, though Vizio kicked the matter up to the district court level in central California where it hoped to avoid the contract issue and defend its corner using just federal copyright law.

    On Friday, Federal District Judge Josephine Staton sided with SFC and granted its motion to send its lawsuit back to superior court. To do so, Judge Staton had to decide whether or not the federal Copyright Act preempted the SFC's breach-of-contract allegations; in the end, she decided it didn't.

    Continue reading
  • US brings first-of-its-kind criminal charges of Bitcoin-based sanctions-busting
    Citizen allegedly moved $10m-plus in BTC into banned nation

    US prosecutors have accused an American citizen of illegally funneling more than $10 million in Bitcoin into an economically sanctioned country.

    It's said the resulting criminal charges of sanctions busting through the use of cryptocurrency are the first of their kind to be brought in the US.

    Under the United States' International Emergency Economic Powers Act (IEEA), it is illegal for a citizen or institution within the US to transfer funds, directly or indirectly, to a sanctioned country, such as Iran, Cuba, North Korea, or Russia. If there is evidence the IEEA was willfully violated, a criminal case should follow. If an individual or financial exchange was unwittingly involved in evading sanctions, they may be subject to civil action. 

    Continue reading

Biting the hand that feeds IT © 1998–2022