Internet giant Comcast is lobbying U.S. lawmakers against plans to encrypt web traffic that would make it harder for internet service providers (ISPs) to determine your browsing history, according to a lobbying presentation obtained by Motherboard.
The plan, which Google intends to implement soon, would enforce the encryption of DNS data made using Chrome, meaning the sites you visit. Privacy activists have praised Google's move. But ISPs are pushing back as part of a wider lobbying effort against encrypted DNS, according to the presentation. Technologists and activists say this encryption would make it harder for ISPs to leverage data for things such as targeted advertising, as well as block some forms of censorship by authoritarian regimes.
Mozilla, which makes Firefox, is also planning a version of this encryption.
"The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers," Marshall Erwin, senior director of trust and safety at Mozilla, told Motherboard in a phone call after reviewing sections of the slide deck.
"We are trying to essentially shift the power to collect and monetize peoples' data away from ISPs and providing users with control and a set of default protections," he added, regarding Mozilla's changes.
In the presentation, Comcast paints this type of encryption as something that will fundamentally change the internet and will centralize power under Google.
"The unilateral centralization of DNS raises serious policy issues relating to cybersecurity, privacy, antitrust, national security and law enforcement, network performance and service quality (including 5G), and other areas," Comcast said in the presentation.
"Congress should demand that Google pause and answer key questions," a section of the presentation reads. "Why is Google in such a rush?" reads another.
Google recently announced it would soon start testing the enforcement of DNS over HTTPS, or DoH. A DNS request is essentially a record of which website someone visited. Generally speaking, with DoH those requests would be harder to read for anyone intercepting the request, such as a hacker on the same Wi-Fi network, a government agency sitting on the wire, or the user's ISP.
"As part of our long standing commitment to making the web safer to use, we will be conducting an experiment to validate our implementation of DNS-over-HTTPS (aka DoH) in Chrome 78," Kenji Baheux, Chrome Product Manager, wrote in a blog post in September.
The Comcast document, which has been presented to policy makers, says that encrypting browsing data "will cause radical disruption." It also mentions raising issues for law enforcement; the slide deck does not, however, point out that DNS providers who respond to law enforcement requests can still provide relevant information to authorities.
But much of the deck pushes one fundamental premise: that Google is centralizing DNS with its DoH, creating a monopoly over the data and its security.
"If Google encrypts and centralizes DNS, ISPs and other enterprises will be precluded from seeing and resolving their users’ DNS," the presentation says.
Do you know anything else about ISPs and their use of data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
That's not accurate, though. Google isn't actually forcing Chrome users to only use Google's DNS service, and so it is not centralizing the data. Google is instead configuring Chrome to use DoH connections by default if a user's DNS service supports it. A DNS service helps a web browser translate web domains into actual IP addresses to visit. Typically, ISPs will do this for customers, but Google, Cloudflare, and other cybersecurity companies also run their own DNS servers that people can use.
"One of the important points to highlight is that Google has no publicly announced plans to override the user’s configured DNS resolver as part of their implementation of DoH," Max Hunter, engineering director at the Electronic Frontier Foundation (EFF) wrote in an email. "If Google did override the OS-configured resolver with their own, EFF would be very concerned about the potential for turnkey surveillance and censorship that level of DNS centralization would bring."
“Google has no plans to centralize or change people’s DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate," a Google spokesperson told Motherboard in a statement.
"We're currently experimenting with new ways to enhance online privacy and security while maintaining existing content filtering and parental controls. Our proposal for DoH enables secure connections and does not change a user’s DNS, so all existing filters and controls remain intact. Furthermore, there is no change to how DNS providers work with law enforcement in accordance with court orders," the Google spokesperson added.
Even the maintainers of competing web browsers aren't buying Comcast's arguments.
"What this deck is attempting to do is take advantage of a lot of anti-Google sentiment that exists right now, build on top of that an inaccurate account of exactly what we are doing to stop that deployment," Erwin from Mozilla added.
Mozilla's own plan for DoH differs somewhat to Google's. Erwin explained that Mozilla is in the process of rolling out DoH by default to a 5 percent slice of randomly selected users, with the plan to expand DoH across its user base. Mozilla is doing that in partnership with Cloudflare, which acts as the DNS resolver.
"The real one truthful point in this ISP lobbying effort is that DoH does represent a fundamental shift in the way the web works; and that's deliberate, on our part," Erwin said.
Ellen Canale, director of corporate communications at Mozilla, wrote in an email, "This is part of a pretty aggressive campaign we've seen from the ISPs to protect their control over DNS traffic and the tracking opportunities it provides them."
Last month, multiple trade groups that represent ISPs' interests wrote a letter to lawmakers urging them to call upon Google to not implement DoH. Hunter shared a copy of a letter EFF sent to Congress along with other organizations in response to the trade bodies' letter.
"Congress should support systemic adoption of DoH in order to close up one of the largest privacy gaps remaining on the Internet while furthering the cause of Internet freedom in many parts of the world in dire need of it," the EFF letter, also signed by Consumer Reports and the National Consumers League, reads.
"The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers."
Comcast, for its part, stressed it does not sell customers' browsing data.
"Where our Xfinity Internet customers go on the Internet is their business, not ours. We do not track the websites or apps our customers’ use through their broadband connections. Because we don’t track that information, we don’t use it to build a profile about our customers and have never sold that information to anyone," a spokesperson wrote in an emailed statement.
"We are supporters of encrypting DNS and want to make sure that it is implemented in a careful, collaborative manner for the benefit of Internet customers to ensure that important parental controls, cybersecurity protections and network security features are not broken in the process," the spokesperson said in a second statement. "We believe that engagement by Google and Mozilla with other players in the Internet ecosystem would lead to a collaborative, industry-wide solution that protects everyone—just as has happened with other significant changes to Internet architecture. Any unilateral action that limits customer choice will not work."
Of course, it's worth noting that, in 2017, ISPs lobbied Congress to make it possible to sell your browsing data without your consent.
"Either, they are doing something with this data today that is not transparent to users, or they are working incredibly hard to protect a future business model," Erwin said.
Motherboard has embedded the full lobby slide deck below.
Subscribe to our new cybersecurity podcast, CYBER.