Google and Mozilla Fight With Internet Providers Over a New Protocol That Makes Browsing More Private and Secure
On Monday, the Mozilla Foundation, makers of the Firefox browser, sent a letter to leading members of several House committees accusing trade organizations representing internet service providers including AT&T and Verizon of misleading Congress over a new internet protocol known as “DNS Over HTTPS,” or DoH (pronounced “dough”). The protocol, introduced in 2018, would limit ISPs’ ability to gather data on their customers’ browsing history.
Mozilla’s letter comes in response to American ISPs lobbying legislators with the apparent goal of slowing DoH’s deployment. In a letter sent to legislators in September, USTelecom, CTIA, and the Internet and Television Association, trade groups representing ISPs, claimed that Google’s implementation of DoH in the Chrome browser would give the search giant “greater control over user data across networks and devices around the world.” The letter urged Congress to “seek detailed information” from Google on the matter. Shortly after, congressional antitrust investigators requested more information from the search giant.
The extent of ISP lobbying on the issue became clearer on Oct. 23, when Vice published a leaked slide deck that Comcast has reportedly been showing to legislators. The slides claim that DoH in Chrome would “by default route all DNS traffic from Chrome and Android users to Google Public DNS.” This echoes the claim in the September letter that Google planned to “make Google the encrypted DNS lookup provider by default.”
But Google says this claim is false. “Google has no plans to centralize or change people’s DNS providers to Google by default,” the search company said in a statement. “Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate.”
Mozilla, meanwhile, says it is moving to implement DoH specifically to hamper ISPs’ ability to monetize and “abuse” their users’ data. Marshall Erwin, Mozilla’s senior director of trust and security, says ISP lobbying efforts, including false claims, are intended to “create fear, uncertainty, and doubt” in legislative discussions of DoH. “This is an effort to set Google up as a boogeyman to take advantage of the antitrust atmosphere that exists today.”
“The push [from ISPs] has been to encourage entities to slow down,” says Alissa Starzack, head of public policy for Cloudflare. “If you have congressional bodies investigating, that means people aren’t going to move forward as quickly.” Starzack also echoed Mozilla’s assessment of the ISP lobbying: “It doesn’t actually represent the fact of what Google is doing, which raises questions, frankly, about why there’s a lobbying effort at all.”
Google slowing the rollout of DoH would mean continued security risks for the roughly 65% of internet users who use Chrome. Firefox has a market share of under 5%.
In response to Google and Mozilla’s pushback, the Internet and Television Association told Fortune that “at the time of [our] letter and during the early discussions about this issue, Google hadn’t publicly stated its plan to not implement DoH by default. Since then, Google has publicly clarified their plans.”
The ISP groups’ letter is dated September 19th, more than a week after Google detailed its plan to use only users’ existing DNS providers.
CTIA did not reply to a request for comment, and USTelecom declined to comment.
Why DNS needs to be fixed
Implementing DNS over HTTPS would be, according to many experts, an important security upgrade to the way web browsers find data over the internet.
Currently, when a browser user inputs a text web address, such as www.Fortune.com, the browser sends a request to a domain name lookup service. That service, also known as a resolver, translates the text address into a numerical internet protocol address. That in turn allows your browser to find the server hosting the website and retrieve site data to your device.
But the DNS protocol is three decades old, and DNS requests have long been fairly insecure by default. That not only allows internet service providers to monitor user activity, but also makes users more vulnerable to malicious spying, hacks, or government-mandated filtering.
The DNS over HTTPS standard is intended to make browsing more private and secure by sending DNS lookup requests using the encrypted HTTPS protocol, which is already widely used to securely transmit world wide web data.
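To make the mechanism concrete, here is an added example (not from the article or from any browser's code): Python that builds the lookup a resolver receives for www.fortune.com and wraps it as a DNS over HTTPS GET request in the format defined by RFC 8484. The resolver URL `https://doh.example/dns-query` is a placeholder and the function names are illustrative.

```python
import base64
import struct

def build_dns_query(hostname, qtype=1):
    """Build a wire-format DNS query (RFC 1035) for an A record by default."""
    # Header: ID=0 (RFC 8484 recommends 0 so HTTP caches can reuse answers),
    # flags=0x0100 (recursion desired), one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid DNS label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def extract_qname(message):
    """Read the queried name back out of a wire-format query."""
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while message[pos] != 0:
        length = message[pos]
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_request(resolver_url, message):
    """Wrap a DNS message as an RFC 8484 GET: base64url, padding stripped."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return resolver_url + "?dns=" + encoded, {"Accept": "application/dns-message"}

def decode_doh_param(url):
    """What the DoH resolver does after TLS is terminated: recover the query."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

if __name__ == "__main__":
    query = build_dns_query("www.fortune.com")
    # Classic DNS sends these bytes unencrypted over UDP port 53, so every
    # network hop between browser and resolver can read the hostname.
    print("on-path view of plain DNS:", extract_qname(query))
    # DoH sends the same bytes inside an HTTPS request. On the wire an observer
    # sees only a TLS connection to the resolver; URL and query are encrypted.
    url, headers = doh_get_request("https://doh.example/dns-query", query)  # placeholder resolver
    print("inside the TLS tunnel:", url, headers)
    print("resolver recovers:", extract_qname(decode_doh_param(url)))
```

The resolver still sees every hostname it is asked to look up, which is why the choice of DoH provider matters in the dispute described here.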
According to Ernesto Falcon of the Electronic Frontier Foundation, DoH is “the next stage of upgrading the internet,” and could even reduce internet censorship by authoritarian regimes. But for most users, the upgrade to DoH will have no noticeable impact on the web browsing experience.
Contrary to claims made by ISPs, Google is only activating DoH for a small fraction of the users whose existing DNS lookup service already supports the new standard—roughly 1% of all Chrome users, according to Google. Users will also be able to opt out of using DoH.
Mozilla is going considerably further in its plans for DoH. The company will activate DoH by default for all US Firefox users, according to Erwin, over the coming months. It initially plans to send all users to a DNS lookup service operated by the security firm Cloudflare, which has met transparency standards meant to guarantee that traffic data will not be stored or sold. However, Erwin says Mozilla hopes to expand the number of DNS lookup providers available to Firefox users over time, and users will be able to select a provider of their choice, or opt out of DoH altogether.
Meanwhile, ISPs have expressed worries over how encrypting DNS may interfere with certain kinds of filtering, including parental controls and corporate internet filters. Erwin says Mozilla takes these concerns seriously, but says new Firefox features will automatically disable DoH if they detect such controls.
Erwin says the motivation of ISPs’ lobbying effort is clear: “What it essentially shows is that ISPs want to collect and monetize this data.”
Mozilla argued in its Monday letter that ISPs have already acted on that desire. The letter cited cases of ISPs hijacking some DNS requests to show users advertising, and mobile providers allegedly selling user location data.
In 2017, ISPs successfully pushed for the rollback of FCC consumer data protections. During those proceedings, ISPs argued that they should have the same rights to collect user data as internet portals like Google and Facebook.
The EFF’s Falcon agrees with Mozilla that ISPs’ stance on DoH is a continuation of their efforts to capture and monetize user data. “It makes little sense otherwise for them to oppose the technology.”