When ISPA, a organization that considers itself the voice of the UK Internet Industry, nominated Mozilla for its 2019 Internet Villain Award, it unleashed a barrage of complaints. This led it to withdraw not just the nomination but also the entire category. 

As in previous years there were three nominees in the Internet Villain Category, just as there were in the Internet Hero one. They were: 

• Mozilla – for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK
  
  
• Article 13 Copyright Directive – for threatening freedom of expression online by requiring ‘content recognition technologies’ across platforms 
  
  
• President Donald Trump – for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security

While the category is supposed to be controversial, the reaction to Mozilla's inclusion took IPSA by surprise. Announcing its decision to set aside the nomination, the organization stated:

In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion. We have previously given the award to the Home Secretary for pushing surveillance legislation, leaders of regimes limiting freedom of speech and ambulance-chasing copyright lawyers. The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message, one that doesn’t reflect ISPA’s genuine desire to engage in a constructive dialogue.

Some, including Mozilla itself, were surprised as well as shocked to discover than rather than being in line for a Hero award, as might be expected of an organization that sees its mission is being to keep the web open and accessible for everyone. Instead Mozilla was facing infamy for its proposed implementation of  DoH - DNS-over-HTTPs. This is designed to improve privacy for web users by encrypting online queries so that an intermediary on the network cannot intercept them and determine which sites requesters intend to visit.

Encrypting DNS requests, will makes it impossible, or at least very difficult, for entities such as ISPs or governments to monitor which websites people are visiting, and will therefore protect lawbreakers. And because the DNS requests are sent inside encrypted HTTPS requests they’re also indistinguishable from other web traffic, so they can’t be blocked without blocking all web traffic.

To privacy enthusiasts, this is good because neither ISPs nor governments have any business knowing which domains users happen to frequent while ISPs, by contrast face the problem of  how to fulfill their legal obligation in the UK to store a year’s worth of each subscriber’s internet visits in case the government wants to study them later for evidence of criminal activity.

Mozilla attempted to defend itself saying:

Despite claims to the contrary, a more private DNS would not prevent the use of content filtering or parental controls in the UK. DNS-over-HTTPS would offer real security benefits to UK citizens.

Even though the awards event went ahead without the Internet Villain category, ISPA still wants to oppose Mozilla's implementation of DoH and spelled out the reasons for doing so:

Any implementation of DoH (or equally any other flavour of encrypted DNS) should be capable of achieving the expected privacy and security benefits, while at the same time being mindful of the complex internet eco system, as well as the different user relationship and trust models that are in play.

1. 1. User choice: An application switching to DoH should ensure that this switch does not undermine choices that have been previously made by the user. For example, if parents have decided to filter an internet connection in their home via network or local level DNS controls, these choices should not simply be ignored by the application.
   2. User consent: ...the decision to switch resolvers should be made by a user who is fully informed about the implications of switching resolvers, and fully capable of expressing consent. Furthermore, DoH discovery and selection should allow users to change their resolver selections as they wish.
   3. Data protection: ... DoH resolver fully complies with the local data protection requirements.
   4. Security: ... the selected DoH provider is capable of replicating existing security policies and capabilities such as malware protection that are currently in place
   5. Online safety: ....capable of replicating the online safety policies that are currently in place for that user.
   6. User and access-network-operator support: If DoH doesn’t work or is slow, a customer’s internet access will be affected. The customer will contact their ISP, not the DoH provider, but the ISP won’t be able to fix things for them. As a minimum, any application switching to DoH should ensure that the selected resolver should provide a 24/7 user call centre reachable via low-cost/local rate telephony and an online support capability. Support for fault-diagnosis and resolution between ISP, resolver and users should also be provided.

There are numerous other areas that we could go into, e.g. how DoH affects enterprise networks, or content caching, and the points raised in this post are only an initial outline. 

While Mozilla pointed out that it isn't planning to enable DoH by default in the UK as it is expected to become part of Firefox it may be difficult to avoid. 

More Information

ISPA withdraws Mozilla Internet Villain Nomination and Category

Related Articles

Mozilla Privacy Study Vindicates Tracking Protection

EU Copyright Directive Article 13 Now Worse Than Ever 

Why Article 13 Must Be Stopped

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info