Comcast, one of the largest and most reviled internet service providers in the country, has reportedly been lobbying against efforts by companies like Mozilla and Google to switch on or test, respectively, a tool for encrypting your browser history, thereby making it trickier for ISPs to snoop on it.
Motherboard obtained a presentation that was reportedly shown to policymakers and that makes some startling—albeit largely misleading—claims about the companies’ intentions for encrypting DNS data (in effect, your browser history) using the network protocol DNS-over-HTTPS (DoH). In short, a DNS server translates a domain name to an IP address so your browser can reach whatever site you’re trying to access. But because this lookup is generally unencrypted, it can expose where you’re headed on the web to anyone on the network path who knows how to look. And that, of course, includes ISPs.
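To make the plaintext problem concrete, here is an added example (not from the article, Google, or Mozilla) that builds a classic DNS query for a constructed sample name, shows that the queried hostname sits in readable form in the UDP payload any on-path observer can see, and then packs the same wire message into the `dns=` parameter that DoH (RFC 8484) carries inside an HTTPS request. The only things an observer of a DoH connection sees are the TLS session and the resolver’s IP address; the query name itself is inside the encrypted channel. No network traffic is sent.

```python
import base64
import struct


def encode_qname(name: str) -> bytes:
    """Encode a hostname in DNS label format: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txn_id: int = 0) -> bytes:
    """Build a minimal DNS query: one question, QTYPE A, QCLASS IN, RD flag set.

    RFC 8484 recommends a transaction ID of 0 for DoH so that identical
    queries produce identical messages and can be cached by HTTP caches.
    """
    # Header: ID, FLAGS (0x0100 = recursion desired), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Read the question name back out of a DNS message (no compression pointers needed here)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def qname_from_plaintext(msg: bytes) -> str:
    """What a passive observer of classic UDP/53 DNS (e.g. the ISP) reads straight off the wire."""
    return decode_qname(msg)


def doh_get_param(msg: bytes) -> str:
    """RFC 8484 GET form: the wire message, base64url-encoded with padding stripped.

    In a real request this is sent as ?dns=<value> over HTTPS, so the encoded
    query is only visible to the client and the DoH resolver.
    """
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def doh_param_to_message(param: str) -> bytes:
    """Inverse of doh_get_param: restore padding and decode back to the wire message."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


if __name__ == "__main__":
    # Constructed sample hostname, not taken from the article.
    query = build_dns_query("example.com")
    print("plaintext DNS payload:", query.hex())
    print("observer recovers name:", qname_from_plaintext(query))
    print("DoH GET parameter (sent only inside TLS):", doh_get_param(query))
```

The body of a DoH POST request is the exact same bytes as the classic UDP payload; the privacy gain comes entirely from the HTTPS wrapper, which is why the article’s point about existing filters and parental controls holds: the resolver still receives the same question and can apply the same policy.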
In a screenshot of the lobbying presentation, Comcast claims that should Google and Mozilla activate DoH, “this feature would by default route all DNS traffic from Chrome and Android users to Google Public DNS, thus centralizing a majority of worldwide DNS data with Google.” The document further claims that this “unilateral centralization of DNS raises serious policy issues relating to cybersecurity, privacy, antitrust, national security and law enforcement, network performance and service quality (including 5G), and others.” Basically, the slide lists a whole host of bogeyman buzzwords seemingly intended to scare the shit out of policymakers.
Among other claims in the lobbying document, the presentation also asserts that if Google encrypts browser data, “ISPs and other enterprises will be precluded from seeing and resolving their users’ DNS.” But multiple parties who spoke with Motherboard say that is not the case. Indeed, Google states in a September blog post about its plans for implementing DNS-over-HTTPS (aka DoH) in Chrome 79 that the experiment will be carried out “in collaboration with DNS providers who already support DoH, with the goal of improving our mutual users’ security and privacy by upgrading them to the DoH version of their current DNS service.” Google reiterated its goals in a statement sent to Gizmodo.
“Google has no plans to centralize or change people’s DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate,” a Google spokesperson said. Rather, the company said that it’s “experimenting,” as it noted in the September blog post, with new methods for ensuring “online privacy and security while maintaining existing content filtering and parental controls.” In any event, Google stressed that its DoH experiment won’t be enabled for the “vast majority” of its users. Folks can also opt out of the experiment by disabling the Chrome flag here: chrome://flags/#dns-over-https.
Mozilla, for its part, only plans to enable the protocol for a small percentage of its users—roughly 5 percent—before it pauses to assess the impact. If the feedback is good and there are no major issues, the company will introduce a wider rollout with the goal of reaching 100 percent of its U.S. users. Like Google, Mozilla said that the lobbying deck was “inaccurate.”
“DoH is really intended to make it harder for DNS providers to collect or monetize that data or build a profile about users,” the company’s senior director of trust and safety Marshall Erwin told Gizmodo by phone. “Unsurprisingly, that’s not something that ISPs are excited about. Hopefully, this is adding a protection, in some cases from your local ISP that might be seeking to build a profile about you. So as a result, we’ve seen a pretty massive lobbying effort to try to prevent us from deploying those protections.”
There are legitimate concerns about the implementation of DoH, such as that it could allow browsing to sites otherwise blocked by an ISP or by parental controls, which critics say raises child-safety concerns and could ease other illicit activity. According to a Google spokesperson, however, the company’s “proposal for DoH enables secure connections and does not change a user’s DNS, so all existing filters and controls remain intact. Furthermore, there is no change to how DNS providers work with law enforcement in accordance with court orders.”
Comcast did not immediately return a request for comment. It did, however, publish a lengthy blog post following Motherboard’s story claiming that it doesn’t track where users go on the internet or “sell information that identifies who you are to anyone,” including a user’s “location data when you use our Xfinity Mobile service.”
But it does, to be sure, use your data. The company added: “We study our network data to assess how the network is performing, understand trends, stay ahead of capacity demands, and build, test, and improve our products and services. We do that with only a small sample of network data that is aggregated and never identifiable to any customer.”
Plus, while Comcast says that it deletes the DNS queries it collects, it does so “every 24 hours except in very specific cases where we need to research a security or network performance issue, protect against security threats, or comply with a valid legal request.” Comcast does, however, claim it doesn’t sell that information or use it for marketing or advertising.
Comcast’s response to Motherboard’s reporting, however, did not stop with a mere blog post. According to a follow-up report, the company engaged in a PR cleanup that can charitably be described as aggressive. According to the site, Comcast sent it to four Motherboard writers, reporters at other publications, and at least eight other individuals who tweeted a link to the story. Just Comcast having a normal one in response to a report on its own apparent lobbying efforts.