Scary stuff

Google, Internet governance, Privacy, Regulation, Self-regulation, Uncategorized 5 Minutes

Over 90% of households in the UK receive their domestic broadband service via one of the “Big Four” ISPs. Each supplies customers with a set of family filters to restrict access to content considered unsuitable for children. These filters are widely used.

100% of mobile phone networks do something similar as do a growing number of providers of WiFi in public places, meaning spaces where one could reasonably expect children to be present on a regular basis e.g. in Starbucks and McDonald’s.

And by the way in all three environments child sex abuse material is also blocked courtesy of a list of addresses generated by the Internet Watch Foundation (IWF).

All of this is now under threat, not just in the UK but globally. Why? Because an obscure body called the Internet Engineering Task Force (IETF) has developed a new protocol, a new standard, called “DNS over HTTPS”  (DoH).  DoH is intended to be incorporated into web browsers.

Mozilla (owners of Firefox) have already implemented DoH and are looking to launch it as a default. Google have also implemented it within Chrome but, at least for now, individuals who want to use it must sort it out for themselves.

What is DoH?

At the moment if you type in a web address on any internet enabled device or in an App, in effect what happens is your ISP, mobile operator, WiFi provider or the App developer, checks if there is any reason why it shouldn’t let you go there e.g. because it is an address on an IWF blocking list, or it is a site or service restricted by the family filter. Normally this happens on the relevant company’s DNS server or on the home router.

With DoH all of the addresses will be hidden in the browser.  Your usual DNS server will not be able to see them. They will be invisible to your family software. The IWF blocking list becomes inoperable. I believe DoH implementation has the same effect on much or all malware protection software used to prevent viruses and other harms.

But while the addresses are rendered invisible to your current defences, they will not  be invisible to the browser company.  The browser retains full visibility of all consumer web searches and tracking data – while simultaneously denying the same to their competitors.

Overnight and at a stroke a wide range of vulnerabilities will be visited upon an unsuspecting, unprepared, non-geeky public, including millions and millions of children. You couldn’t make it up. But Silicon Valley just did.

With the obvious exception of public WiFi, it has always been possible for individuals to opt out of using family filters or other types of protective software. There has generally always been an option for individuals to choose alternative DNS servers. But something on the scale now being contemplated, and the  manner of its implementation, particularly if introduced by default, takes us to a whole other place, and not in a good way.

Why is this happening?

The protection of journalists and dissidents are frequently mentioned as the major justification for the IETF creating DoH. Such nobility is raising a few cynical and suspicious eyebrows. See above for the reasons why.

In essence what is being said is “the network is the enemy”. The web itself is inherently unsafe from a privacy point of view. There are several different “listening points” or points of interception and bad actors are exploiting these weaknesses in ways which flout universally recognised human rights standards or established privacy laws.

There is no doubt certain governments have blocked access to content they don’t like or, through their security services, have gained access to user information through snooping.  A number of commercial concerns have consistently shown a cavalier attitude  towards their users’ data. But is this the right or the only answer?

Here’s the thing

I attended an IETF meeting once and did, for a while, try to keep up with the mountain of emails, messages, phone conferences and discussion papers it generated.  However, unless you are a full-time geek, which normally means you are employed by a high-tech company or you hope to be, or maybe you are an academic with an interest, you will have neither the time nor the right level of technical knowledge to engage in a meaningful way.

I went to that particular meeting because it was clear to me there were social policy implications arising from the new protocol the IETF sub group was then developing. Unfortunately, almost everyone in the room said they had no brief to consider such matters. Their bosses sent them because the new protocol would massively expand their ability to make money. They just wanted to get it done. It wasn’t quite a case of “we are only following orders” but it was close.

It is happening now

Last Tuesday Mozilla released a paper in which they announced (para 1) they had implemented DoH and“would like to deploy it  by default for our users.” They tell us (para 3) the implementation“may” be different in different regions.

In para 4 we learn users in default on areas will be informed and be allowed to turn off DoH, but I cannot be alone in wondering how easy and transparent such a process is likely to be, say, in the very homes that run family software to protect their children?

Mozilla will certainly face a challenge in terms of GDPR compliance with the rules about securing genuine, informed consent.

Will we be forced back to a world where filters have to be set device by device?

The arrogance

We all know the use of encryption is on the rise but while it is one thing for Apple to refuse to co-operate with the FBI by helping them crack the encryption on a known terrorist’s iPhone, isn’t it a matter of an altogether different order of magnitude for private companies to take to themselves the right to decide to put everyone out of sight forever?

Nowhere in the world is the right to privacy absolute. Technology companies are deciding to make it so. The arrogance is breathtaking. Where arrogance leads hubris soon follows.

Privacy rights were not a gift from the gods

The human rights laws being prayed in aid as a reason for creating  DoH were not a gift from the gods. They did not magically appear from nowhere. They were forged and adopted by politicians drawn from Governments and Legislatures around the world  (I’ll just repeat that –  by politicians drawn from Governments and Legislatures around the world), led by visionaries who were intent on embedding liberal democratic values in a  framework of international standards.

What was made by human hand can be unmade.

Does anyone seriously believe when these laws were created or the standards adopted the politicians involved seriously intended to help criminals or put children at risk? Did they happily contemplate the possibility they would  be delegating to profit-driven tech companies the right to make far-reaching decisions of this kind? I don’t think so.

It might not be long before today’s politicians drawn from the same Governments and Legislatures might be forced to come together to rethink the whole thing. Nobody  envisaged we could end up with such absurd results. It is already happening nationally and DoH by default is exactly the sort of thing that will give it a major boost internationally.

We live in democracies, not technocracies.

Published by John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), UNODC, the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised. http://johncarrcv.blogspot.com

Published