Firefox has a new, acronym-filled, privacy feature, and a message for third parties that harvest browsing data: ‘FU’
Mozilla, the Internet nonprofit group known for its Firefox web browser, announced Tuesday morning it is starting to encrypt website lookups by default for Americans. The new policy, designed to prevent companies and hackers from capturing people’s online browsing behavior for sales—or, in the case of the interlopers, subversion—has another effect: sticking it to a large swath of the tech industry.
“We’re basically saying FU to attackers on the network and 3rd parties who have access to data that ties your computer to the sites you visit,” Firefox said in a tweet announcing the feature.
Mozilla’s changes take aim at a core piece of Internet infrastructure called “domain name service,” or DNS, which most people use every day, mostly without realizing. The servers in the DNS system act effectively as directories for websites, making network connections as though they were facilitated by an automated, invisible telephone book.
Generally, when people connect to websites, the queries transmit “in the clear,” plain for all network participants to see—even if the connection gets encrypted thereafter. Companies like AT&T, Comcast, Verizon, and others can typically see which websites you’re visiting, even if they can’t view the particular webpages you browse.
By encrypting website lookups, Mozilla is shoring up what it deems to be a security hole in the Internet’s backbone. Called “DNS over HTTPS,” where the latter acronym refers to an Internet traffic encryption scheme, Mozilla’s change shields this data from view. (Look to the URL bar for HTTPS, a now-common sight there.)
And while this may seem like an esoteric battle over technical details, it’s actually a tooth-and-nail struggle over privacy, security, and, most of all, power. Many Internet service providers are displeased by the change. Although several telecom trade groups, such as ACA Connects (formerly the American Cable Association) either declined to comment for this story or did not respond by press time, the organizations have made their stance known previously.
For instance, in a September 19 letter, several telecom trade groups urged Congress to investigate Google, a major Mozilla funder, for pursuing a similar policy that intends to encrypt website lookups in its Chrome web browser and Android operating system. The groups argue that the changes will consolidate power to Google, at the expense of other companies.
Unlike Mozilla, Google says it does not plan to switch people’s DNS provider—the company will merely enforce encrypted lookups for people whose providers support the feature. Google can still track people’s web browsing data through other means, like as identifying browser “cookies,” and continue to use its access to that data to bolster its advertising business.
Mozilla, for its part, is using DNS via HTTPS to position its Firefox browser as more secure and private—and in turn gain a larger share of browser users. The nonprofit says it is working with two partners: Cloudflare and NextDNS, both tech firms based in California. Google and other cybersecurity companies provide DNS services of their own.
Marshall Erwin, Mozilla’s director of trust and security, told Fortune the organization has found few friends in the telecom crowd. “We tried to work with ISPs,” Erwin said, referring to Internet service providers. “These are large monolithic organizations that have really struggled, in our experience, to say they agree to this strict set of policies.”
To work with Mozilla, its stipulations involve, among other things, rigid data retention and transparency policies. Since starting work on the project two years ago, the organization has asked prospective participants to discard people’s website query information after 24 hours and to regularly disclose the number of subpoenas they receive from law enforcement agencies.
Last summer, Britain’s top telecom trade group, the Internet Service Providers Association, labeled Mozilla an “Internet villain” for seeking to extend encryption to website lookups, arguing that it would undermine Internet safety standards in the U.K., where ISPs are responsible for filtering restricted websites. Mozilla is rolling out its encrypted lookups feature by default only to Americans, while it has conversations with regulators in Europe and elsewhere, it says.
More must-read stories from Fortune:
—Apple corrects for coronavirus to keep next iPhones on track
—Did the ‘techlash’ kill Alphabet’s city of the future?
—How technology is changing how we volunteer
—Oracle and Google will face off in tech’s trial of the century
—A.I. is transforming the job interview—and everything after
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.