A Little-Known Privacy Battle Is Being Waged Over Encrypting the Nuts and Bolts of the Internet
An important fight is brewing over the nuts and bolts of the Internet that has significant implications for the privacy and security of all Internet users. The fight has already pitted Google and Cloudflare against American telecommunications companies, which are lobbying Congress to complain about the search giant. The fight is complicated, but at its core are questions about control over data, centralized power, and who should bear privacy risks. We believe that everyone deserves to be able to use the Internet without being subject to mass surveillance.
This particular fight centers over a new layer of encryption that Internet technologists (including one of us) have developed to further protect the privacy and security of Internet users. The ACLU is increasingly engaged with these kinds of battles over technical standards that shape Internet infrastructure in important ways — determining, for example, whether that infrastructure facilitates the violation of privacy and centralization of power, or autonomy and secure communication for all. These fights usually take place far outside of the limelight, but the brewing fight between the telecoms and providers like Google and Cloudflare is getting more attention than most.
To understand what is at stake requires explaining a little about how the Internet works — specifically about something that people online use every day: the Domain Name System (DNS). If you enter “aclu.org” into your browser, your computer reaches out to a server known as a DNS “resolver,” which looks up the IP address your computer needs in order to download the web page. The resolver then tells your browser that the web site with that name can be found at the IP address 220.127.116.11. Obviously, for humans, that’s a lot harder to remember than “aclu.org,” but your browser needs the IP address to reach our site.
Where does your computer find that DNS resolver? One of the strengths of the Domain Name System is that there are many DNS resolvers that can give you the same answer. You can manually direct a computer, router, or application to talk to a specific DNS resolver, but if you’re like most people, then your devices default to using whatever resolver your Internet service provider (ISP) offers, or to the resolver recommended by the WiFi or other network you’re connected to.
There are two major problems with the DNS, however.
The first is that whoever operates the DNS resolver gets to see the names of all the web sites that you visit (and potentially other Internet metadata as well). These days, that’s a valuable set of information, and a significant privacy problem. The second is that our communications with DNS servers have long been carried out in unencrypted plaintext. That means that your Internet activity is visible not only to whoever operates your DNS resolver, but also to anyone in the network who passes along the data exchanged between you and the DNS server. This creates not only privacy problems but also security problems: a party in the middle who can read the unencrypted exchange can also tamper with it, which opens up avenues for hostile hackers to phish people, trick them into unknowingly visiting spoof web sites, or deliver malware or ads.
The first problem is to some extent unavoidable, but we can mitigate it in two ways: a) people should connect to DNS resolvers run by entities that are not in the business of collecting, storing, and monetizing people’s online activities; and b) we should make sure that there is a large diversity of actively used DNS resolvers, so that our information is not all centralized in one place.
The second problem — the lack of encryption — has been solved by new standards that use encryption to protect your data as it flows between your device and a DNS resolver. Such “private DNS” techniques, however, are relatively recent standards, and are offered only by some DNS resolvers.
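As an added illustration of the cleartext problem described above (example code written for this page, not from the article or from any of the companies named), this builds a standard DNS query for aclu.org and then parses the raw bytes the way any device relaying the packet could, recovering the queried name. The layout follows the DNS wire format; the transaction ID is a constructed value.

```python
# Added example: what an on-path observer can read from an unencrypted DNS query.
# With private DNS the same bytes travel inside an encrypted channel, so this
# passive parse is no longer possible for anyone relaying the traffic.
import struct

QTYPE_A = 1    # IPv4 address record
QCLASS_IN = 1  # Internet class

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (type A, class IN) as wire bytes."""
    # 12-byte header: ID, flags (0x0100 = recursion desired), QDCOUNT=1, rest 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        # Each label is sent as a length byte followed by its ASCII characters.
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def observe_query(packet: bytes) -> dict:
    """Parse the question section exactly as a passive observer on the path could."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts right after the header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "name": ".".join(labels), "qtype": qtype,
            "qclass": qclass, "recursion_desired": bool(flags & 0x0100)}

if __name__ == "__main__":
    pkt = build_query("aclu.org")
    print(pkt.hex())          # the ASCII of "aclu" and "org" is plainly visible
    print(observe_query(pkt))  # {'id': 4660, 'name': 'aclu.org', ...}
```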
That is where the telecoms’ complaint to Congress comes in. Google has proposed programming its Chrome browser and its Android operating system to automatically default to using private DNS whenever a user’s existing DNS resolver supports it. That would certainly be a good thing. But the telecoms are also accusing Google of planning to route all Chrome and Android DNS traffic (a substantial portion of the world’s DNS queries) to Google’s own (private) DNS resolvers, thereby leading to a dangerous centralization of DNS lookups.
But contrary to the telecoms’ claims, Google’s stated plans do not actually involve centralizing DNS lookups to a specific resolver. Rather, they intend to automatically upgrade existing cleartext DNS traffic to private DNS when the user’s existing resolver is known to offer a secure channel. The nonprofit Mozilla Foundation, maker of the Firefox browser, has, however, announced that it plans to route DNS traffic generated by some future Firefox browsers to the resolvers run by a single entity, the company Cloudflare. Firefox has been scrupulous in doing this only under a strict privacy agreement with Cloudflare, but users in legal jurisdictions different from Cloudflare’s might not appreciate their data ending up at this service provider, despite the privacy agreement.
Critics have pointed out that the telecoms are hardly being good Samaritans by pushing back against private DNS here. After the major ISPs successfully pushed the Trump administration and Congress to roll back ISP privacy protections, the telecoms have continued gearing up to try to make money by spying on their customers’ Internet usage. One of their big worries appears to be that they’ll lose out on their money-making surveillance if their customers are induced to shift to DNS servers that are not run by them and that are encrypted so they can’t spy on them.
Rather than hindering the deployment of private DNS and its resultant gains to end user privacy, the ISPs should upgrade the resolvers they already operate to also offer private DNS. If an ISP is a good steward of user data, then they should make it easy for people to use their services securely. They should be advocating for, not against, private DNS.
The ISPs are not wrong, however, in pointing out that centralization of DNS lookups would be a bad thing — including for privacy. We wouldn’t want one company having access to a list of all the people who visited narcotics.com, for example, or a list of all the sites that a particular person has visited. (In 2017, President Trump signed a measure removing privacy protections that prohibited ISPs from doing just this kind of spying; those need to be restored.)
We want private DNS to become the standard, available to all, and we want a diversity of DNS resolvers so that lookups and the information they reveal don’t become centralized — especially in the hands of any company bent on monetizing personal information. The way to fix centralization is through diversity, not by preserving the spying ability of ISPs.
There are tensions between these goals that will need to be solved along the way. Asking all users to make technical choices about which DNS resolver their devices and applications use is probably not the way to go — yet if particular private resolvers are selected globally by default by major players, that risks centralizing DNS queries around a few companies and undercutting the distributed nature of the Internet.
These tensions are resolvable, however. Among other things, we need more user-interface research to improve the experience of choosing among diverse DNS resolvers, and better systems for making reasonable, non-centralized choices for users who don’t have the time or interest to choose for themselves. Ultimately, the important thing is that policymakers, people who work in the tech community, and other interested Internet users should all push for the dual goals of making private DNS the standard and ensuring a diversity of DNS resolvers.
Private DNS protocols can help protect privacy online, and an increasing amount of software is capable of taking advantage of them, or will be soon. But it doesn’t stop there. There is a larger journey toward a more private and secure Internet that is underway. Diverse private DNS resolvers are one step in that journey, but there are others that also need to be taken (such as protecting DNS traffic between resolvers and “authoritative” DNS servers and minimizing metadata leakage in other Internet protocols). Piece by piece, we’re making the Internet more privacy-friendly and more secure.