On Monday, Mozilla, which makes the Firefox web browser, wrote to members of Congress to urge them to more closely scrutinize the data collection policies of internet service providers. The move comes after Motherboard reported that Comcast is lobbying against particular implementations of encrypting browsing data, encryption that would mean the ISP could not see what sites customers are visiting.
Mozilla's push is the latest in a burgeoning debate over DNS-over-HTTPS (DoH), with Mozilla deciding to encrypt its users' browsing data by default, and Google's Chrome soon enabling DoH by default where possible for a particular user.
"Our recent experience in rolling out DNS over HTTPS (DoH)—an important privacy and security protection for consumers—has raised questions about how ISPs collect and use sensitive user data in their gatekeeper role over internet usage," the letter, signed by Marshall Erwin, senior director of trust and security at Mozilla, reads. "With this in mind, a congressional examination of ISP practices may uncover valuable insights, educate the public, and help guide continuing efforts to draft consumer privacy legislation."
The letter is addressed to the chairmen and chairwomen and ranking members of several committees that oversee technology, commerce, and consumer protection.
Mozilla is in the process of rolling out DoH that is on by default in the Firefox browser with the help of internet infrastructure company Cloudflare, which will handle the actual encryption of the data. Google, meanwhile, is not planning to force users to use Google's own DNS encrypting service, but instead plans to set up Chrome to use DoH connections if a user's DNS service, such as the one used by their ISP, supports it.
A Comcast lobbying presentation published by Motherboard ignored these facts, and instead tried to mislead lawmakers into believing Google was centralizing the encryption of DNS data, putting it squarely in the hands of the tech giant.
"What this deck is attempting to do is take advantage of a lot of anti-Google sentiment that exists right now, build on top of that an inaccurate account of exactly what we are doing to stop that deployment," Erwin previously told Motherboard after reviewing sections of the slide deck.
With that misrepresentation in mind and other lobbying efforts on behalf of ISPs, including a letter to Congress from major telecommunications associations, Mozilla writes, "our work on DoH has prompted a campaign to forestall these privacy and security protections."
Comcast confirmed it is testing DoH as well as DNS-over-TLS (DoT) itself. This would mean Comcast itself would encrypt and decrypt the browsing data. A Comcast spokesperson also pointed to a blog post the company published after Motherboard's earlier reporting, which says, "We don't sell information that identifies who you are to anyone."
"We believe that more information regarding ISP practices could be useful to the Committee as it continues its deliberations on this front, and we encourage the Committee to publicly probe current ISP data collection and use policies," Mozilla's letter concludes.
Update: This piece has been updated to clarify Comcast's role in encrypting and decrypting DNS traffic.