ISPs Lying About DoH

It must be tough to be an Internet Service Provider today. I’m not sure there are many people who actually like their ISP, and it’s usually because of the shady business practices they engage in, in almost every city.

I was looking forward to Google Fiber as a break from the local stranglehold of Spectrum and AT&T, but then Google went and tore up Louisville’s streets and abruptly left town. So I’m still currently stuck with Spectrum.

I don’t hate the service they provide, but it would be a lot easier to ignore (or even like) them if they didn’t constantly fight against their customers’ best interests.

ISPs Fighting Against Privacy

Now, it looks like the entire broadband industry is fighting against some privacy features that have been put forward for both Google’s Chrome and Mozilla’s Firefox browsers.

Both Mozilla and Google are looking at implementing DoH (DNS over HTTPS), a standard which would give users much more privacy from their ISP.

For most people, your Internet provider can see most (or all) of your DNS (Domain Name System) requests. This means that your ISP can see everything that you do online. It doesn’t matter what website you visit, if you have cookies enabled, or if you use private browsing – if you’re using your home internet, your home ISP can tell everything that you’re doing online.

Needless to say, this kind of information – if sold – can be quite valuable to lots of advertisers. DoH sends the DNS requests over HTTPS (instead of HTTP), which provides additional security and encryption to prevent ISPs from monitoring your Internet habits as easily.
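To make the difference concrete, here is an added example (not from the original post or from either browser's code): it builds one DNS query, shows what an on-path observer can read when that query travels as a classic cleartext port-53 lookup, and then wraps the same bytes in the RFC 8484 DoH GET form. The resolver URL `https://doh.example/dns-query` and the function names are constructed placeholders.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format (RFC 8484 suggests ID 0 for DoH)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def observed_qname(payload: bytes) -> str:
    """Recover the queried name from a cleartext DNS payload, as an observer could."""
    labels, pos = [], 12  # the question section follows the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_url(resolver: str, wire: bytes) -> str:
    """RFC 8484 GET form: the same message, base64url-encoded with padding removed."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"

def network_view(name: str, resolver: str) -> dict:
    """Compare what is readable on the wire for the two transports."""
    wire = build_query(name)
    return {
        # Classic DNS: the payload is unencrypted, so the name itself is visible.
        "classic_dns_visible": observed_qname(wire),
        # DoH: only the TLS connection to the resolver host is visible.
        "doh_visible": resolver.split("/")[2],
        # This request line travels inside TLS and is not readable on the path.
        "doh_request_inside_tls": doh_get_url(resolver, wire),
    }

if __name__ == "__main__":
    # Constructed sample input: placeholder resolver and a reserved example domain.
    for key, value in network_view("www.example.com", "https://doh.example/dns-query").items():
        print(f"{key}: {value}")
```

DoH only hides the lookup: the IP address you then connect to, and usually the TLS server name, remain visible to the network.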

Of course, ISPs claim that DoH is unnecessary and that it would centralize DNS traffic with Google. This is not true.

A Mozilla representative has said that Mozilla’s plan would not centralize DNS traffic with Google, and that Mozilla actually has a very thorough plan to vet its DoH providers. Google, also, would not automatically collect users’ DNS queries, but instead “will check if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider. If the DNS provider isn’t in the list, Chrome will continue to operate as it does today.”

ISPs, of course, want to maintain the status quo. This might be okay if the status quo had them respecting users’ data, but there is a long history of ISP abuse. From an Ars Technica article on this subject:

That ISP abuse includes mobile providers selling real-time location data “to third parties without user knowledge or meaningful consent;” ISPs such as Comcast “manipulat[ing] DNS to serve advertisements to consumers;” Verizon’s use of “supercookies” to track Internet activity; and AT&T charging customers an extra $29 per month to avoid “the collection and monetization of their browsing history for targeted ads,” Mozilla told Congress.

No surprise that although both Google and Mozilla are looking at implementing this privacy feature, Mozilla’s approach is a bit more thorough. Mozilla has an entire FAQ page dedicated to this feature, which has strict requirements, such as:

  • User-identifiable data must be deleted after 24 hours.
  • The DoH provider “must not retain, sell, or transfer to any third party” any personally identifiable information.
  • Blocking or filtering content (except where required by law or requested by users) is not allowed.
  • There are also transparency requirements for how the DoH provider handles law enforcement requests and the provider’s data retention practices.

While it’s true that this kind of thing won’t stop Facebook (or Google) from tracking you across the web, any law or regulation that improves users’ privacy is welcome at this stage.

The fact that ISPs are claiming such a law is unnecessary, but are also fighting hard to stop it, should tell you all you need to know about how important this kind of privacy regulation is.

Read the whole article at Ars Technica.