UK Concerns over Encrypted DNS

The UK ISP BT has become the first of the major broadband providers to trial their own DNS over HTTPS resolver, which encrypts Domain Name System (DNS) requests.

This is response to Firefox offering its own choice of encrypted DNS resolver that would effectively evade BT's current unencrypted DNS resolver which allows the UK government to monitor and log people's internet use, block websites that are considered 'harmful'; snitch people up to the police for politically incorrrect comments; and snitch people up to copyright trolls over dodgy file sharing.

However BT's new service will allow people to continue using website blocking for parental control whilst being a lot safer from 3rd party snoopers on their networks.

BT have made the following statement about its experimental new service:

BT are currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security -- DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity and in particular gain operation deployment insights, we have enabled an experimental DoH trial capability.

We are initially experimenting with an open resolver, but our plan is to move a closed resolver only available to BT customers.

The BT DoH trial recursive resolver can be reached at https://doh.bt.com/dns-query/

Web browser risk to child safety

We are deeply concerned that a new form of encryption being introduced to our web browsers will have terrible consequences for child protection.

The new system 204 known as DNS over HTTPS -- would have the effect of undermining the work of the Internet Watch Foundation (IWF); yet Mozilla, provider of the Firefox browser, has decided to introduce it, and others may follow.

The amount of abusive content online is huge and not declining. Last year, the IWF removed more than 105,000 web pages showing the sexual abuse of children. While the UK has an excellent record in eliminating the hosting of such illegal content, there is still a significant demand from UK internet users: the National Crime Agency estimates there are 144,000 internet users on some of the worst dark-web child sexual abuse sites.

To fight this, the IWF provides a URL block list that allows internet service providers to block internet users from accessing known child sexual abuse content until it is taken down by the host country. The deployment of the new encryption system in its proposed form could render this service obsolete, exposing millions of people to the worst imagery of children being sexually abused, and the victims of said abuse to countless sets of eyes.

Advances in protecting users' data must not come at the expense of children. We urge the secretary of state for digital, culture, media and sport to address this issue in the government's upcoming legislation on online harms.

• Sarah Champion MP;
• Tom Watson MP;
• Carolyn Harris MP;
• Tom Brake MP;
• Stephen Timms MP;
• Ian Lucas MP;
• Tim Loughton MP;
• Giles Watling MP;
• Madeleine Moon MP;
• Vicky Ford MP;
• Rosie Cooper MP;
• Baroness Howe;
• Lord Knight;
• Baroness Thornton;
• Baroness Walmsley;
• Lord Maginnis;
• Baroness Benjamin;
• Lord Harris of Haringey

The IWF service is continually being rolled out as an argument against DoH but I am starting to wonder if it is still relevant. Given the universal revulsion against child sex abuse then I'd suspect that little of it would now be located on the open internet. Surely it would be hiding away in hard to find places like the dark web, that are unlikely to stumbled on by normal people. And of course those using the dark web aren't using ISP DNS servers anyway.

In reality the point of using DoH is to evade government attempts to block legal porn sites. If they weren't intending to block legal sites then surely people would be happy to use the ISP DNS including the IWF service.

The Internet Services Providers' Association has announced the finalists for what its members consider as the 2019 Internet Hero and Villain.

The Internet Hero nominations this year include those campaigning to improve trust and confidence online; mapping out the UK's evolving broadband landscape; and working on global internet governance issues. While, the Villain nominees take in the impact of new technical standards on existing online protections, the balance between freedom of expression and copyright online and the global telecoms supply chain.

This year's nominations for the 2019 Internet Heroes and Villains in full are:

ISPA Internet Hero

• Sir Tim Berners-Lee -- for spearheading the Contract for the Web campaign to rebuild trust and protect the open and free nature of the Internet in the 30 th anniversary of the World Wide Web
• Andrew Ferguson OBE, Editor, Thinkbroadband - for providing independent analysis and valuable data on the UK broadband market since the year 2000
• Oscar Tapp-Scotting & Paul Blaker, Global Internet Governance Team, DCMS -- for leading the UK Government's efforts to ensure a balanced and proportionate agenda at the International Telecommunications Union Conference

ISPA Internet Villain

• Mozilla -- for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK
• Article 13 Copyright Directive -- for threatening freedom of expression online by requiring content recognition technologies across platforms
• President Donald Trump -- for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security

The winners of this year's Heroes and Villains will be chosen by the ISPA Council, and will be announced at the ISPA Awards Ceremony on 11th July in London

Update: Villainous ISPs decide that colluding with censors and snoopers is bad PR

10th July 2019. See article from ispa.org.uk and article from techdirt.com

The villains of ISPA have withdrawn their nomination of the heroic Mozilla as an internet villain. ISPA writes:

Last week ISPA included Mozilla in our list of Internet Villain nominees for our upcoming annual awards.

In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion. We have previously given the award to the Home Secretary for pushing surveillance legislation, leaders of regimes limiting freedom of speech and ambulance-chasing copyright lawyers. The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message, one that doesn't reflect ISPA's genuine desire to engage in a constructive dialogue. ISPA is therefore withdrawing the Mozilla nomination and Internet Villain category this year.

TechDirt noted that the ISPA nomination was kindly advertising Mozilla's Firefox option for DNS over HTTPS:

ISPA nominated Mozilla for the organization's meaningless internet villain awards for, at least according to ISPA, undermining internet safety standards in the UK:

Of course Mozilla is doing nothing of the sort. DNS over HTTPS not only creates a more secure internet that's harder to filter and spy on, it actually improves overall DNS performance, making everything a bit faster. Just because this doesn't coalesce with the UK's routinely idiotic and clumsy efforts to censor the internet, that doesn't somehow magically make it a bad idea.

Of course, many were quick to note that ISPA's silly little PR stunt had the opposite effect than intended. It not only advertised that Mozilla was doing a good thing, it advertised DNS over HTTPS to folks who hadn't heard of it previously. Matthew Prince P (@eastdakota) tweeted:

Given the number of people who've enabled DNS-over-HTTPS in the last 48 hours, it's clear @ISPAUK doesn't understand or appreciate @mmasnick's so-called "Streisand Effect."

Here at the IWF, we've created life-changing technology and data sets helping people who were sexually abused as children and whose images appear online. The IWF URL List , or more commonly, the block list, is a list of live webpages that show children being sexually abused, a list used by the internet industry to block millions of criminal images from ever reaching the public eye.

It's a crucial service, protecting children, and people of all ages in their homes and places of work. It stops horrifying videos from being stumbled across accidentally, and it thwarts some predators who visit the net to watch such abuse.

But now its effectiveness is in jeopardy. That block list which has for years stood between exploited children and their repeated victimisation faces a challenge called DNS over HTTPS which could soon render it obsolete.

It could expose millions of internet users across the globe - and of any age -- to the risk of glimpsing the most terrible content.

So how does it work? DNS stands for Domain Name System and it's the phonebook by which you look something up on the internet. But the new privacy technology could hide user requests, bypass filters like parental controls, and make globally-criminal material freely accessible. What's more, this is being fast-tracked, by some, into service as a default which could make the IWF list and all kinds of other protections defunct.

At the IWF, we don't want to demonise technology. Everyone's data should be secure from unnecessary snooping and encryption itself is not a bad thing. But the IWF is all about protecting victims and we say that the way in which DNS over HTTPS is being implemented is the problem.

If it was set as the default on the browsers used by most of us in the UK, it would have a catastrophic impact. It would make the horrific images we've spent all these years blocking suddenly highly accessible. All the years of work for children's protection could be completely undermined -- not just busting the IWF's block list but swerving filters, bypassing parental controls, and dodging some counter terrorism efforts as well.

From the IWF's perspective, this is far more than just a privacy or a tech issue, it's all about putting the safety of children at the top of the agenda, not the bottom. We want to see a duty of care placed upon DNS providers so they are obliged to act for child safety and cannot sacrifice protection for improved customer privacy.

The authorities have admitted for the first time they will be unable to enforce the porn block law if browsers such as Firefox and Chrome roll out DNS over HTTPS encryption.

The acknowledgement comes as senior representatives of ISPs privately told Daily Star Online they believe the porn block law could be delayed.

Earlier this month, this publication revealed Mozilla Firefox is thought to be pushing ahead with the roll out of DNS encryption, despite government concerns they and ISPs will be unable to see what website we are looking at and block them.

Speaking at the Internet Service Providers Association's Annual Conference last week, Mark Hoe, from the government's National Cyber Security Centre (NCSC), said they would not be able to block websites that violate the porn block and enforce the new law. He said:

The age verification -- although those are not directly affected [by DNS encryption] it does effect enforcement of access to non-compliant websites.

So, whereas we had previously envisaged that ISPs would be able to block access to non-compliant sites, [those] using DNS filtering techniques don't provide a way around that.

Hoe said that the browsers were responding to legitimate concerns after the Daily Star reported Google Chrome was thought to have changed its stance on the roll out of encrypted DNS.

However, industry insiders still think Firefox will press ahead, potentially leading to people who want to avoid the ban switching to their browser.

In an official statement, a government spokesman told Daily Star Online the law would come into force in a couple of months, as planned, but without explaining how it will enforce it.

Meanwhile a survey reveals three quarters of Brit parents are worried the porn block could leave them open to ID theft because they will be forced to hand over details to get age verified. AgeChecked surveyed 1,500 UK parents and found 73% would be apprehensive about giving personal information as verification online, for fear of how the data would be used.