Mozilla, internet villain

Issue 32/2019

Last week the United Kingdom's Internet Services Providers’ Association (ISPA), a Trade Association lobby group, released its finalists for internet 'hero' and 'villain' of the year, listing Mozilla - creator of the Firefox web browser - as one of three finalists in the villain category. After some serious backlash, it subsequently withdrew both Mozilla's nomination and the villain category altogether.

Let's take a quick look at why Mozilla, "a non-profit organization that promotes openness, innovation and participation on the Internet", might have been nominated. But first, the other contenders.

Joining Mozilla as finalists for internet villain of the year was the European Union's Article 13 Copyright Directive, "for threatening freedom of expression online", and President Donald Trump, "for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security".

I actually took little issue with those two, which are both deserving for the reasons cited, although I might have nominated Peter Dutton for Australia's ill-conceived encryption bill instead of the EU's Article 13. But Mozilla? It was listed because of its plan to allow Firefox to use DNS over HTTPS (DoH, a relatively new method to encrypt DNS requests directly in the browser):

"...in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

Right. It might as well have rephrased that to:

"...in such a way as to bypass the UK government's censorship and undermine our members' ability to monetise consumer browsing activity."

For those unaware, DNS requests are the last bastion of the old internet yet to undergo a cryptographic revolution. DNS requests - that is, requests to a public directory that translates domain names (e.g. finelybalanced.com) into corresponding IP addresses (e.g. 123.123.123.123) - are sent in plain text and so can be used by internet service providers to monitor people's browsing history.

https://finelybalanced.com/images/isp-dns-leak.png

This can happen even if you're using a VPN (as shown in the image above) unless you've manually changed your DNS server or enabled what is called "DNS leak protection", which routes all DNS queries to the provider through the encrypted VPN tunnel.

As you might expect, the whole plain-text DNS data collection process can be quite lucrative to ISPs when those data are on-sold to advertisers or any other organisation that might be interested in people's digital footprints.

Work to fix the DNS privacy hole has been under way for some time. For example, Cloudflare, Google and Quad9 have all been pushing for DNS over TLS (DoT), a similar technology to DoH but one which uses its own unique port, 853.

However, the advantage of DoH is that requests are effectively buried in the rest of the internet's encrypted traffic on port 443, making them indistinguishable from the vast majority of data that flow across the internet every day. This is how many VPNs operate in places such as China, where conventional VPN ports are blocked as part of its "great firewall". Without DNS leaks and with everything funnelled through port 443, the only way to censor people would be to effectively turn the internet off (and yes, that happens more than you think). Being able to properly encrypt data, including something as seemingly simple as browsing history, can literally be a matter of life and death for some people.

Essentially Mozilla should be praised, not condemned, for trying to improve privacy on the internet by allowing people to enable DoH directly in their browser. The real villains are those such as the ISPA and its political lackeys, whose constant attacks on encryption are nothing but a blatant attempt by lobbyists to keep the gravy train flowing, all under the opaque guise of national security (kudos to UK provider Andrews & Arnold for donating the equivalent of an ISPA membership fee to Mozilla).

Mozilla's Firefox 68 was released last week. If you use Chrome or one of Microsoft's god-awful browsers, consider giving it a whirl. You can enable DoH by going to Preferences -> General -> Network Settings -> Enable DNS over HTTPS.

Enjoy the rest of this week's issue. Cheers,

— Justin


The bits


Google's creepiness

What a week for Google. First it was revealed that, like Amazon, the things Google Home devices record are listened to by humans (as I've said many times, that's how "artificial intelligence" - as the term is being improperly used, anyway - works). Worse, it was recording private conversations without first being "triggered" by the user.

Then we have more "business as usual" news, such as Google making your private photos semi-public and oh yeah, it's also "helping China’s authoritarian government conduct mass surveillance against its citizens". Do no evil, right...


China

That didn't take long: Huawei is back in business. Maybe not for 5G in the countries that banned it for "national security", but all of its consumer devices should be fine (which are more of a threat to national security than Huawei's network infrastructure).



Image of the week

Trained a Neural Net




That's all for now. If you enjoyed this issue, feel free to share it via email


Issue 32/2019: Mozilla, internet villain was compiled by Dr Justin Pyvis and delivered on 16 July, 2019. Feel free to send feedback, suggestions for future issues, ideas, insults, or pretty much anything that crosses your mind to his Keybase or Twitter account.