First came Google, Microsoft, Mozilla, Cloudflare, and others IT giants. Now Apple has announced at this year’s annual WWDC developer event that they are joining the encrypted DNS trend. Here we take a look at how this change impacts consumer security and privacy, especially in the context of telecoms and internet service providers.
What is encrypted DNS about?
Encrypted DNS, whether via DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), is in theory aimed to improve consumer privacy. The ideas arise especially out of the context of scandals around US telecoms providers selling user data to governments, police, bounty hunters, and more unsavory predators.
Domain Name Service (DNS) requests are how your browser/apps ask the internet on your behalf where to find the online services you are using. Most of the internet is now encrypted via HTTPS, so normally nobody except the online services themselves are able to see the exact contents of what you are browsing and doing online.
That said, if I can watch your DNS requests, I know exactly which websites and services you are using. Basic metadata is more than enough for very intrusive surveillance, as you can see in this humorous (fake) report to the British government by a 1770s data scientist.
For example, if I can watch your DNS requests, while I may not know exactly which pornographic video you watched, I know which pornographic services you used (it doesn’t matter whether you access it via a browser or via a specific app).
While I may not know your exact health problems, I do know that you are looking at mental or reproductive health services.
While I may not know exactly what you are saying to journalists or to regulatory agencies, I do know you are talking to or researching them and could be a whistleblower.
The idea behind both DoH and DoT is to encrypt these DNS requests, specifically in a way that hides them from the network you are connecting to.
This has obvious advantages if you are living under a repressive regime who are spying on their whole population’s internet traffic in order to target harassment of certain vulnerable groups, or if your internet service provider is selling your data to nasty people, or even if you working for an abusive employer. Unfortunately, widespread injustices mean that a lot more people than many might think are at heightened cyber security risk from this kind of threat.
Like many privacy technologies, DoH and DoT are not inherently better (or worse) for an ordinary person’s privacy than the alternative.
Instead, these technologies move the privacy problem from one (presumably untrusted) provider, in this case an ethically challenged network provider, to another (hopefully more trusted) provider. The DoH or DoT provider still sees all your DNS requests – the hope is that they behave ethically, and do not try to monetize or otherwise snoop on, store, and sell your requests.
DoH and DoT are no exception. Companies are not providing these expensive services out of the goodness of their hearts. There are reasonable arguments to be made for whether an unethical ISP or a surveillance economyContinue reading