
ISPA Pulls UK Internet Villain Category Over Mozilla DoH Fallout

Wednesday, Jul 10th, 2019 (8:16 am)

One embarrassment too many. The UK Internet Service Providers Association (ISPA) has, at the 11th hour, decided to scrap the “Internet Villain” category from their annual industry awards event, which came after a global backlash over their decision to nominate Mozilla due to their DNS-over-HTTPS (DoH) push.

The decision to stick Mozilla (Firefox, Thunderbird etc.) under the villain category for their DNS-over-HTTPS (DoH) solution did not, as anybody familiar with the situation might rightfully expect, go down particularly well around the world.

Admittedly, big broadband ISPs and politicians are concerned that large-scale third-party deployments of DoH, which encrypts DNS requests (i.e. turning IP addresses into human readable domain names like ISPreview.co.uk and back again) using the now common HTTPS protocol for websites, could disrupt their ability to censor, track and control related internet services.


The above position is however a particularly narrow way of looking at the technology, not least because at its core DoH is all about protecting user privacy and making internet connections more secure (much like HTTPS has done for websites). As a result DoH (as well as its older sibling DoT) is often praised and widely supported by the wider internet community.

Mozilla is by no means alone in pushing DoH but they found themselves being somewhat singled out by the ISPA because of their proposal to enable the feature by default within Firefox (this has yet to happen), which is something that has proven contentious (i.e. who controls the DoH server in the USA? Do you trust them more than your UK ISP? etc.). This might also break a number of general ISP account management features.

Predictably this move triggered a huge backlash, which might have been avoided had the ISPA also nominated Mozilla for the Hero category to provide some balance. Initially the ISPA defended their position but at the 11th hour they’ve opted to avoid an embarrassing situation by scrapping the entire category, which is a shame since both of the other two nominations (Trump and Article 13 in the EU Copyright Directive) were widely accepted.

ISPA Statement on the 2019 Internet Villain Category

In the 21 years the event has been running it is probably fair to say that no other nomination has generated such strong opinion. We have previously given the award to the Home Secretary for pushing surveillance legislation, leaders of regimes limiting freedom of speech and ambulance-chasing copyright lawyers.

The villain category is intended to draw attention to an important issue in a light-hearted manner, but this year has clearly sent the wrong message, one that doesn’t reflect ISPA’s genuine desire to engage in a constructive dialogue. ISPA is therefore withdrawing the Mozilla nomination and Internet Villain category this year.

While we are withdrawing the nomination, we still believe that it is important to properly scrutinise the implementation plans for DoH. Below we set out our position in more detail and we will continue to develop this position and engage with our members, browser and app companies, DNS resolvers and vendors, policymakers and the wider Internet community on this issue.

Any implementation of DoH (or equally any other flavour of encrypted DNS) should be capable of achieving the expected privacy and security benefits, while at the same time being mindful of the complex internet ecosystem, as well as the different user relationship and trust models that are in play.

User choice: An application switching to DoH should ensure that this switch does not undermine choices that have been previously made by the user. For example, if parents have decided to filter an internet connection in their home via network or local level DNS controls, these choices should not simply be ignored by the application.

User consent: Any application switching to DoH should ensure that the decision to switch resolvers is made by a user who is:

a/ fully informed about the implications of switching resolvers, and
b/ fully capable of expressing consent, e.g. relevant admin rights need to be protected and decisions should be made by main account holders

Furthermore, DoH discovery and selection should allow users to change their resolver selections as they wish too, e.g. they may wish to revisit selections when new resolvers become available.

Data protection: Any application switching to DoH should ensure that a DoH resolver fully complies with the local data protection requirements.

Security: Any application switching to DoH should ensure that the selected DoH provider is capable of replicating existing security policies and capabilities such as malware protection that are currently in place for that user.

Online safety: Any application switching to DoH should ensure that the selected resolver should be capable of replicating the online safety policies that are currently in place for that user.

User and access-network-operator support: If DoH doesn’t work or is slow, a customer’s internet access will be affected. The customer will contact their ISP, not the DoH provider, but the ISP won’t be able to fix things for them. As a minimum, any application switching to DoH should ensure that the selected resolver should provide a 24/7 user call centre reachable via low-cost/local rate telephony and an online support capability. Support for fault-diagnosis and resolution between ISP, resolver and users should also be provided.

There are numerous other areas that we could go into, e.g. how DoH affects enterprise networks, or content caching, and the points raised in this post are only an initial outline. We recognise that things have started moving at Internet Engineering Task Force level, for example, and look forward to engaging in a constructive discussion.

One irony of this episode is that many more people have now become familiar with DoH and as a result take-up has rocketed over the past couple of weeks, which might not be the sort of outcome that bigger ISPs would like to see (it’s that pesky user choice thing again).


However it’s important not to paint all providers with the same brush, particularly smaller providers where DNS choice is less contentious (i.e. fewer things for it to break). One such provider, AAISP, even made a £2,940 donation to the Mozilla Foundation: “The amount was chosen because that is what our fee for ISPA membership would have been, were we a member,” said the ISP.

In fairness we do think there is a debate here around the issue of enabling DoH by default in third-party apps (it’s usually best to give people the option but not to force it upon them), although DoH itself is more often than not a welcome improvement.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
10 Responses


  1. Phil says:

    The issue is they are enabling it by default and using their own servers. Whilst the data is transferred encrypted, it will still be readable and collectable by Mozilla. It also can break things.

    There are also a lot of DNS lookup providers wanting us to use them for our DNS lookups and all for free, why? Now at some point in time these providers will need to start making money, they can’t supply it for free forever, so how are they going to make money from it?

    People have the right to be suspicious, and Mozilla, redirecting data by default to their own servers, is highly suspicious as to what their motives really are.

    1. Joe says:

      Data doesn’t go to Mozilla:

      https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/privacy-policy/firefox/

      DNS is a trivial cost.

      “In fairness we do think there is a debate here around the issue of enabling DoH by default in third-party apps (it’s usually best to give people the option but not to force it upon them),”

      Mark, Mozilla are on record as saying they won’t enable it in the UK by default (I disagree; they are doing it elsewhere in Europe but there we are)

      https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/

      As to the demands of ISPA, the top ones are non-controversial, the last few quite impractical.

      It’s wholly unrealistic to ensure that each and every global resolver of DNS can replicate policies of every nation’s preferred filtering. And as to requiring 24/7 support for the DNS resolver, that’s laughable.

    2. Mark Jackson says:

      @Joe. That was a general comment, not specifically at Mozilla. You have to consider how, for example, you might feel if devices made in China, Russia etc. (Smartphones, Laptops, Apps..) suddenly decided to shift all your DNS requests through their own “secure” DoH servers etc. DoH is good but consumer choice has to be respected.

    3. Joe says:

      @mark Yes I have no issues with that. Choice is king. I don’t see choice is a big issue; most browsers allow search and DNS alterations at present so… the good ones will do the same with DoH

    4. SimonR says:

      Presumably the choice should be at system level though. Whilst DNS may possibly be changed at app level, the OS setting should be respected unless the app has a very clear reason for not doing so.

      I get that one might want a specific browser to use different settings (or similar), but ultimately it should be a global setting that everything adheres to unless specifically authorised otherwise.

      At least that’s my thinking at the moment 🙂

    5. Phil says:

      @Joe

      “Data doesn’t go to Mozilla” Semantics, Joe. Cloudflare are acting on behalf of Mozilla, they collect and hold information including personally identifying information for 24 hours. For all we know each 24 hours Mozilla get all that data delivered to them.

      Cloudflare are also holding aggregated data, supposedly anonymised. They also state: “Cloudflare will not sell, license, sublicense, or grant any rights to your data to any other person or entity without ** Mozilla’s explicit written permission **.”

      So it is Mozilla pulling the strings and not Cloudflare, and Cloudflare are explicit in that their own privacy policy does not apply to DNS requests from Firefox. Mozilla are free to do what they want with the data collected, and can change their privacy policy at any time, as companies do.

      “DNS is a trivial cost.” Care to put some figures on the costs then?

    6. Joe says:

      Given Moz have a pretty all-encompassing policy on data, I think the alarm that they are secretly getting it all via Cloudflare is a bit misplaced.

      https://www.mozilla.org/en-US/privacy/faq/

      Commercially to buy – a handful of penny sweets per million queries per month. (so much depends on scale)

  2. t0m5k1 says:

    Encryption is not the enemy and should never be seen as one.

    Turning our metadata into a resell-able commodity is the enemy.

    Mass surveillance by default is a breach of privacy rights even if you take the “I have nothing to hide” stance unless you’re also complicit to allowing a government representative stand in your house making notes on everything you do.

    I use DoH/T everywhere I possibly can, I block all tracking adverts where possible. I use HTTPS/TLS where possible.

    If any company wants to resell our meta-data we should be told of this and be provided with a cut/share of the trade or be able to opt out. Those offering free products on the premise that by agreeing to T & C’s that allow them to slurp your data should be forced to be upfront about this and provide opt out mechanisms from the start of sign up especially with companies like Google.

  3. Phil says:

    “I get that one might want a specific browser to use different settings (or similar), but ultimately it should be a global setting that everything adheres to unless specifically authorised otherwise.”

    Exactly, this would break several things on my home network as I have DNS settings hard configured in my router for various reasons, and the same goes for many corporations.

    As it stands I use my own DNS Resolver so no one collects data from me regarding DNS requests, not that I have anything to hide, it’s just I can do it (pfSense), but of course I’m the few.

  4. Jigsy says:

    At least the ISPAUK were kind enough to show what a joke they are over this.
