An important fight is brewing over the nuts and bolts of the
Internet that has significant implications for the privacy and security of all Internet
users. The fight has already pitted Google and Cloudflare against American
telecommunications companies, which are lobbying Congress to complain about
the search giant. The fight is complicated, but at its core
are questions about control over data, centralized power, and who should bear
privacy risks. We believe that everyone deserves to be able to use the Internet
without being subject to mass surveillance.

This particular fight centers over a new layer of encryption
that Internet technologists (including one of us) have developed
to further protect the privacy and security of Internet users. The ACLU is
increasingly engaged with these kinds of battles over technical standards that
shape Internet infrastructure in important ways — determining, for example,
whether that
infrastructure facilitates the violation of privacy and centralization of
power, or autonomy and secure communication for all. These fights usually take
place far outside of the limelight, but the brewing fight between the telecoms
and providers like Google and Cloudflare is getting more attention than most.

To understand what is at stake requires explaining a little about how the Internet works — specifically about something that people online use every day: the Domain Name System (DNS). If you enter “aclu.org” into your browser, your computer reaches out to a server known as a DNS “resolver” to ask for the IP address it needs in order to download the web page. The resolver then tells your browser that the web site with that name can be found at the IP address 151.101.58.217. Obviously, for humans, that’s a lot harder to remember than “aclu.org,” but your browser needs the IP address to reach our site.

Where does your computer find that DNS resolver? One of the strengths of the Domain Name System is that there are many DNS resolvers that can give you the same answer. You can manually direct a computer, router, or application to talk to a specific DNS resolver, but if you’re like most people, then your devices default to using whatever resolver your Internet service provider (ISP) offers, or to the resolver recommended by the WiFi or other network you’re connected to.

There are two major problems with the DNS, however.

The first is that whoever operates the DNS resolver gets to
see the names of all the web sites that you visit (and potentially other Internet metadata
as well). These days, that’s a valuable set of information, and a significant
privacy problem. The second is that our communications with DNS servers have
long been carried out in unencrypted plaintext. That means that your Internet
activity is visible not only to whoever operates your DNS resolver, but also to
anyone in the network who passes along the data that is exchanged between you
and the DNS server. This creates not only privacy problems but also security
problems, since it opens up avenues for hostile hackers to phish people, trick
them into unknowingly visiting spoofed web sites, or deliver malware or ads.

The first problem is to some extent unavoidable, but we can
mitigate it in two ways: a) people should connect to DNS resolvers run by
entities that are not in the business of collecting, storing, and monetizing
people’s online activities; and b) we should make sure that there is a large
diversity of actively used DNS resolvers, so that our information is not all
centralized in one place.

The second problem — the lack of encryption — has been solved by new
standards that use encryption to protect your data as it flows between your
device and a DNS resolver. Such “private DNS” techniques, however, are
relatively recent standards, and are offered only by some DNS resolvers.
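To make the two problems above concrete, here is a small added example (written for this article, not code from the ACLU, Google, Cloudflare or any DNS software) that builds a DNS query and a constructed answer in the RFC 1035 wire format, then shows exactly what an on-path observer can read out of the plaintext bytes: the queried name in both directions and the returned address. The last function shows the same query packed into the GET form of DNS over HTTPS (RFC 8484), where the identical bytes travel inside an HTTPS connection that only the device and the resolver can read. The name and IP address are the ones the article quotes; the transaction id, TTL and header flags are constructed sample values, and nothing is sent over the network.

```python
import base64
import struct

# Constructed sample values: the article's example name and the address it quotes.
EXAMPLE_NAME = "aclu.org"
EXAMPLE_IP = "151.101.58.217"


def encode_name(name):
    """Encode a host name in DNS wire format: length-prefixed labels, 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name starting at offset; returns (name, offset after the name).
    Handles RFC 1035 compression pointers (0xC0xx), which responses use."""
    labels = []
    jumped = False
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies two bytes at the original spot
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, txid=0x1234):
    """A standard recursive A-record query, as a stub resolver on a device sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query, ip, ttl=300):
    """Constructed answer to `query` carrying one A record (no real lookup is done)."""
    txid, = struct.unpack("!H", query[:2])
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def observed_name(msg):
    """What anyone on the path of plaintext DNS reads from a query or a response."""
    return decode_name(msg, 12)[0]


def answered_ips(msg):
    """Extract the A-record addresses from a response: the second thing an observer sees."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = decode_name(msg, offset)[1] + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = decode_name(msg, offset)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return ips


def doh_get_path(query):
    """RFC 8484 GET form: the same wire-format query, base64url without padding,
    carried inside an HTTPS request to the resolver's /dns-query endpoint."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded


if __name__ == "__main__":
    q = build_query(EXAMPLE_NAME)
    r = build_response(q, EXAMPLE_IP)
    print("plaintext query exposes:", observed_name(q))
    print("plaintext response exposes:", observed_name(r), "->", answered_ips(r))
    print("DoH request path (only visible inside TLS):", doh_get_path(q))
```

Running the script prints the name recovered from both the query and the constructed response, followed by the encrypted-transport form of the same request. The point of the comparison is that private DNS does not change the message at all; it only changes who can read it, which is why upgrading an existing resolver to offer it costs the resolver nothing in functionality.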

That is where the telecoms’ complaint to Congress comes in.
Google has proposed programming its Chrome browser and its Android operating
system to automatically default to using Private DNS whenever a user’s
existing DNS resolver
supports it. That would certainly be a good thing. But the telecoms are also
accusing Google of planning to route all Chrome and Android DNS traffic (a
substantial portion of the world’s DNS queries) to Google’s own (private) DNS
resolvers, thereby leading to a dangerous centralization of DNS lookups.

But contrary to the telecoms’ claims, Google’s stated plans do
not actually involve centralizing DNS lookups to a specific resolver. Rather,
they intend to automatically upgrade existing cleartext DNS traffic to private
DNS when the user’s existing resolver is known to offer a secure channel. The
nonprofit Mozilla Foundation, maker of the Firefox browser, has, however, announced
that it plans to route DNS traffic generated by some future Firefox browsers to
the resolvers run by a single entity, the company Cloudflare.
Firefox has been scrupulous in only doing this under a strict
privacy agreement with Cloudflare, but users under different legal jurisdictions
from Cloudflare might not appreciate their data ending up at this service
provider, despite the privacy agreement.

Critics have pointed out that the telecoms are hardly being good Samaritans by
pushing back against private DNS here. After the major ISPs successfully pushed
the Trump administration and Congress to roll back ISP privacy protections, the
telecoms have continued gearing up to try
to make money by spying on their customers’ Internet usage. One of their big
worries appears to be that they’ll lose out on their money-making surveillance
if their customers are induced to shift to DNS servers that are not run by them
and that are encrypted so they can’t spy on them.

Rather than hindering the deployment of private DNS and its
resultant gains to end user privacy, the ISPs should upgrade the resolvers they
already operate to also offer private DNS. If an ISP is a good steward of user
data, then they should make it easy for people to use their services securely.
They should be advocating for, not against, private DNS.

The ISPs are not wrong, however, in pointing out that
centralization of DNS lookups would be a bad thing — including for privacy. We
wouldn’t want one company having access to a list of all the people who visited
narcotics.com, for example, or a list of all the
sites that a particular person has visited. (In 2017, President Trump signed a
measure removing privacy protections that prohibited ISPs from doing just this
kind of spying; those need to be restored.)

We want private DNS to become the standard, available to
all, and we want a diversity of DNS resolvers so that lookups and the
information they reveal don’t become centralized — especially in the hands of
any company bent on monetizing personal information. The way to fix
centralization is through diversity, not by preserving the spying ability of
ISPs.

There are tensions between these goals that will need to be
solved along the way. Asking all users to make technical choices about which
DNS resolver their devices and applications use is probably not the way to go —
yet if particular private resolvers are selected globally by default by major
players, that risks centralizing DNS queries around a few companies and
undercutting the distributed nature of the Internet.

These tensions are resolvable, however. Among other things,
we need more user-interface research to improve the experience of choosing
among diverse DNS resolvers, and better systems for making reasonable,
non-centralized choices for users who don’t have the time or interest to choose
for themselves. Ultimately, the important thing is that policymakers, people
who work in the tech community, and other interested Internet users should all
push for the dual goals of making private DNS the standard and ensuring a
diversity of DNS resolvers.

Private DNS protocols can help protect privacy online, and an increasing amount
of software is capable of taking advantage of them, or will be soon. But it
doesn’t stop there. There is a larger journey toward a more private and secure
Internet that is underway. Diverse private DNS resolvers are one step in that
journey, but there are others that also need to be taken (such as protecting
DNS traffic between resolvers and “authoritative” DNS servers and minimizing
metadata leakage in other Internet protocols). Piece by piece, we’re making the
Internet more privacy-friendly and more secure.