Comcast Slides Reveal It's Lobbying Against Plans to Encrypt Browser Data: Report


Comcast, one of the largest and most reviled internet service providers in the country, has reportedly been lobbying against efforts by Mozilla and Google to switch on or test, respectively, a protocol that encrypts your browser's DNS lookups (in practice, a record of which sites you visit), thereby making it trickier for ISPs to snoop on them.

Motherboard obtained a presentation that was reportedly shown to policymakers and that makes some startling, albeit largely misleading, claims about the companies' intentions for encrypting DNS data (effectively, your browsing history) using the network protocol DNS-over-HTTPS (DoH). In short, a DNS resolver translates a domain name into an IP address so your browser can reach whatever site you're trying to access. Because that lookup is normally sent in the clear over UDP port 53, anyone on the path who knows how to look can see where you're headed on the web. That, of course, includes ISPs.
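To make that concrete, the following is an added example written for this page (it is not code from the article, Motherboard, Google, Mozilla or Comcast). It builds a DNS query in its RFC 1035 wire format, parses a constructed reply, and shows how RFC 8484 DoH carries the identical message as the body of an HTTPS POST, so the only thing that changes is whether the bytes travel in plaintext UDP or inside TLS. The resolver hostname dns.example and the answer IP are placeholders; nothing is sent over the network.

```python
"""Added example: DNS wire format in the clear versus the same bytes wrapped in DoH."""
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive DNS query (RFC 1035) for `name`; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections of a query or response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record: render dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def visible_on_plain_udp(query: bytes) -> str:
    """What a passive observer of port 53 traffic reads straight off the wire."""
    return parse_message(query)["questions"][0][0]


def build_doh_request(query: bytes, host: str = "dns.example",
                      path: str = "/dns-query") -> bytes:
    """Wrap the unchanged wire-format query in an RFC 8484 POST (raw HTTP/1.1 shown;
    in practice this rides inside TLS, so the observer sees only the resolver host)."""
    headers = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
               "Content-Type: application/dns-message\r\n"
               "Accept: application/dns-message\r\n"
               f"Content-Length: {len(query)}\r\n\r\n")
    return headers.encode("ascii") + query


def constructed_response(query: bytes, ip: str) -> bytes:
    """Constructed sample reply (not captured from any real resolver): echoes the
    question and adds one A record using a compression pointer to offset 12."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    question = query[12:]
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext UDP/53 reveals:", visible_on_plain_udp(q))
    print(build_doh_request(q)[:120])
    print(parse_message(constructed_response(q, "192.0.2.10")))
```

The point the example makes is that DoH does not change what the resolver learns: whichever resolver answers the POST still sees the full question. It only removes the ability of everyone between the browser and that resolver to read it, which is why the debate in the article is about who the resolver is, not about the encryption itself.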

In a screenshot of the lobbying presentation, Comcast claims that should Google and Mozilla activate DoH, “this feature would by default route all DNS traffic from Chrome and Android users to Google Public DNS, thus centralizing a majority of worldwide DNS data with Google.” The document further claims that this “unilateral centralization of DNS raises serious policy issues relating to cybersecurity, privacy, antitrust, national security and law enforcement, network performance and service quality (including 5G), and others.” Basically, the slide lists a whole host of bogeyman buzzwords seemingly intended to scare the shit out of policymakers.

Among other claims in the lobbying document, the presentation also asserts that if Google encrypts browser data, “ISPs and other enterprises will be precluded from seeing and resolving their users’ DNS.” But multiple parties who spoke with Motherboard say that is not the case. Indeed, Google states in a September blog post about its plans for implementing DNS-over-HTTPS in Chrome 79 that the experiment will be carried out “in collaboration with DNS providers who already support DoH, with the goal of improving our mutual users’ security and privacy by upgrading them to the DoH version of their current DNS service.” In other words, Chrome would keep talking to the resolver the user already has, over an encrypted channel, rather than switching users to Google's own resolver. Google reiterated its goals in a statement sent to Gizmodo.

“Google has no plans to centralize or change people’s DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate,” a Google spokesperson said. Rather, the company said that it’s “experimenting,” as it noted in the September blog, with new methods for ensuring “online privacy and security while maintaining existing content filtering and parental controls.” In any event, Google stressed that its DoH experiment won’t be enabled for the “vast majority” of its users. Folks can also opt out of the experiment by disabling the Chrome flag at chrome://flags/#dns-over-https.

Mozilla, for its part, only plans to enable the protocol for a small percentage of its users—roughly 5 percent—before it pauses to assess the impact. If the feedback is good and there are no major issues, the company will introduce a wider rollout with the goal of reaching 100 percent of its U.S. users. Like Google, Mozilla said that the lobbying deck was “inaccurate.”

“DoH is really intended to make it harder for DNS providers to collect or monetize that data or build a profile about users,” the company’s senior director of trust and safety Marshall Erwin told Gizmodo by phone. “Unsurprisingly, that’s not something that ISPs are excited about. Hopefully, this is adding a protection, in some cases from your local ISP that might be seeking to build a profile about you. So as a result, we’ve seen a pretty massive lobbying effort to try to prevent us from deploying those protections.”

There are legitimate concerns about the implementation of DoH, such as that it could let users reach sites otherwise blocked by an ISP or by parental controls, which critics say raises child-safety concerns and could enable other illicit activity. According to a Google spokesperson, however, the company’s “proposal for DoH enables secure connections and does not change a user’s DNS, so all existing filters and controls remain intact. Furthermore, there is no change to how DNS providers work with law enforcement in accordance with court orders.”

Comcast did not immediately return a request for comment. It did, however, publish a lengthy blog post following Motherboard’s story claiming that it doesn’t track where users go on the internet or “sell information that identifies who you are to anyone,” including a user’s “location data when you use our Xfinity Mobile service.”

But it does, to be sure, use your data. The company added: “We study our network data to assess how the network is performing, understand trends, stay ahead of capacity demands, and build, test, and improve our products and services. We do that with only a small sample of network data that is aggregated and never identifiable to any customer.”

Plus, while Comcast says that it deletes the DNS queries it collects, it does so only “every 24 hours except in very specific cases where we need to research a security or network performance issue, protect against security threats, or comply with a valid legal request.” Comcast does, however, claim it doesn’t sell that information or use it for marketing or advertising.

Comcast’s response to Motherboard’s reporting, however, did not stop with a mere blog post. According to a follow-up report, the company engaged in a PR cleanup that can charitably be described as aggressive. According to the site, Comcast sent its response to four Motherboard writers, reporters at other publications, and at least eight other individuals who tweeted a link to the story. Just Comcast having a normal one in response to a report on its own apparent lobbying efforts.

DISCUSSION

actualrootwyrm
Spamfeller Loves Nazi Clicks

Nobody in this shitshow is telling the truth. Least of all Mozilla and Google, who are making the internet an even more insecure and dangerous place with this bullshit. (And none of you commenters know shit about DNS or DOCSIS. So sit the fuck down, shut the fuck up, hold the fuck on.)

Comcast:

  • Captures all DNS queries regardless of what servers are used, using a DOCSIS devIf filter, as is standard practice in the industry.
  • Probably sends them to appliances from Akamai (formerly Xerocole), which package the data up into zip codes for resale (because any more granularity is super illegal for MSOs, not that zip isn’t granular enough to ID you.)
  • Does in fact delete everything every 24 hours on a rolling schedule because of disk space. Not security or privacy. Which, really doesn’t matter. They do clean up at least and your data is safe. But it’s dishonest.
  • Has a habit like all MSOs of redirecting NXRECORDS (that is: domains and servers that don’t exist, like “www.yaoho.com”) to the criminals at Search Guide Inc. and their shitty fake search engine. Which, ironically, isn’t that fucking bad because at least it’s only non-existent records.

Mozilla:

  • Lies through their teeth about being able to turn it off easily - their canary domain uses DNSSEC maliciously so that nobody can just fake an NXRECORD as required. Anyone running Active Directory DNS? Can’t, period, because of that malicious DNSSEC use.
  • Lies through their teeth about how it’s “better for privacy.” No it’s not. They’re sending all queries to avowed Nazi and terrorist supporters CloudFlare. You don’t get a choice. And CloudFlare’s privacy statement? Says you have none.
  • Spends all their time helping CloudFlare lie about how they would never sell your very sensitive personal information. Nothing about how their privacy policy is completely toothless and does in fact allow them to collect and use your data for whatever they like.
  • Deliberately will NOT obey system-level settings OR permit the use of any DoH/DoT servers that are not CloudFlare. Period. Doesn’t matter what you think you did. The only way to break that behavior is to literally hijack CloudFlare’s ASN.
  • Blithely ignore and refuse to comment on the proven fact that CloudFlare does not just offer an opt-in filtering service, but has engaged in the manipulation of DNS records well beyond redirecting NXRECORDS to a shitty search engine like Comcast.

Google:

  • DO I EVEN FUCKING NEED TO?
  • Seriously. You think Google lets you use your own DNS servers or respects system settings in any way? HAHAHA NO.
  • All your DNS data is belong to Google who will be actively packaging and selling it with your name and address on it to anyone who comes calling.
  • Also they’ll be using that to target ads even more aggressively and in greater detail, because now they know EVERY website you visit, ESPECIALLY the ones in ‘incognito’ mode.
  • Turning it off? Yeah. Good luck with that. It’s actually buried deep behind three menus, and will switch back to ‘on’ with every update. Chrome updates several times a month.
  • Google is a domain registrar. Do you think for one second they aren’t going to abuse that power further? That they aren’t going to abuse control of DNS - a fundamentally decentralized system by design - to consolidate their power? Fuck yes they are and will. And target one will probably be AWS R53.

ALL of these people are making the Internet a vastly more insecure place. DNS is, by design, decentralized. You register a domain, you configure your authoritative name servers anywhere in the world you want, and the absolutely neutral (by actual legal charter) ROOT-SERVERS.NET points the world to servers you control. That’s the oversimplified version of it, but it’s not inaccurate. (I would know. I’ve been doing this at scale nearly 30 years here.)

When the FBI seizes a domain for child pornography, they don’t tell your ISP or even ROOT-SERVERS.NET that they need to redirect the domain to XYZ. They get a court order that hands the authoritative domain registration over to them. They then point the domain to their authoritative servers, which then point you to the splash page. It’s why regimes that try to use DNS blocking for censorship find out real fast that it doesn’t fucking work and why Egypt was covered in ‘8.8.8.8’ graffiti. DNS as it sits is a highly resilient, highly distributed system that is incredibly resistant to ham-handed censorship and dictatorial control.

If somebody sticks a resolver in the way that blocks a domain falsely, well, change resolvers. There’s thousands of open ones on the Internet - many NOT run by the scum at CF and Google. (e.g. Quad9, run by IBM and PCH, a security-focused open recursing resolver.) But Mozilla and Google are both working very hard to prevent you from being able to do that ever again. DoH/DoT isn’t about security, and it breaks the very fundamentals of DNS without actually securing anything at all. By taking away your ability to choose a different resolver, they are seizing control of vast swaths of the Internet. They can now censor sites based on their personal preferences.

And when you query CF’s DNS servers? That query STILL has to go to somebody else’s resolver, over the open Internet, as UDP 53 traffic, unencrypted. And because of an extension called ‘ECN,’ it also contains the /24 network your IP is in. Which is required for Geocasting services like CF, Akamai, Steam, etc. A /24 is not anonymizing enough - that’s only 254 IPs. I can narrow a /24 down to a small section of town even in the suburbs. In a place like New York? I’m just missing your apartment number, and with context? Not even that.

So yeah. Comcast is being shitty and deceptive. But they aren’t wrong. Mozilla and Google are not here to help privacy - they’re here to destroy it. They’re not here to give you control - they’re here to seize control of the Internet. And they need to be stopped.

(Full disclosure: I am a DNS expert with close to 30 years of experience at scale, and I am working on a commercial service for enterprises to improve security through DNS. However, I have been working on this since before DoH/DoT was even proposed. Yes, DNS has weaknesses. Giving control to two dishonest megacorporations is not going to fix them.)