DNS over HTTPS (DoH): Human rights, markets, and governance
11 Nov 2020 16:10h - 17:40h
Event report
The moderator of the session, Mr Brenden Kuerbis (Reasearch Scientist, Georgia Institute of Technology), set the stage for discussion on DNS-over-HTTPS (DoH) protocol, which is intended to improve the integrity and confidentiality of DNS queries. This new protocol opens up questions about economic and political implications for technology and market centralisation when we speak about firms that provide DNS resolution, as well as complementary products and services. From a governance perspective, encrypted DNS data is transferred to other actors that have extraterritorial effects on policies and impacts on domestic regulatory compliance.
First, Mr Barry Leiba (Appliations and Real-Time (ART) Area Directior, Internet Engineering Task Force (IETF)) developer of the DoH protocol, gave an overview of the protocol basics. He highlighted the current concerns on the protocol:
- Problem with implementation and deployment
- Browsers and apps have not generally roller their DNS resolution
- Recursive resolvers lack support
- Introduction of privacy issues raises more privacy issues
- With the possibility to choose the resolver, there come other problems: who decides which resolver to trust, where can necessary filtering be done, who gets the queries data, etc.?
Leiba shared the results of the SSAC protocol study. It showed that parents and schools are interested in DNS-based filtering of objectionable content; Internet service providers (ISPs) are concerned about network management and compliance with local regulations; activists are worried about privacy and tracking.
Mr Andrei Robachevsky (Senior Director, Technology Programmes, Internet Society) added the context of Internet Society impact assessment toolkit to the discussion of DoH. The Internet way of thinking is based on several building blocks that are not tailored to a specific application but can support each other. DoH could be one of them, but as with any power tool, there are cases where its benefits are not clear, or trade-offs become significant and need to be considered. Then Robachevsky contemplated on possible scenarios of DoH deployment. The centralised model may set the trend of reducing the number of co-operating players in the provisioning of DNS and therefore reducing the incentive for broad collaboration. Finally, this trend can threaten the very DNS as a global and consistent naming system. There is a potential for erosion of the global and consistent mapping of names to DNS addresses to the application of service provider specific world governance. The governance of the space could change dramatically by putting control in the hands of vendors instead of the technical community.
A different angle of DoH as a new chapter in the debate on network neutrality was presented by Ms Olga Makarova (Head of Internet and Data Services, MTS). The main goal of DoH is not just protection of personal data. ‘This looks like a great and very smart marketing plot by both ISPs and OTT providers in an attempt to attract customers and get the marketshare’. Makarova envisioned new battles within DoH providers and ISPs in the USA in the near future. As for Russia, they keep looking at how things will evolve to get prepared before the deployment. ‘Any attempt to enter our market bypassing the local law can lead to the blocking of service by the state’. In the end, she shared results of MTS experiment with DNS-over-TLS protocol in the European part of Russia that showed the traffic doubled due to just 13% of DoT requests, and there is a need to change the DNS resolvers’ infrastructure.
Mr Amod Malviya (Cofounder and Engineer, UDAAN) went on to talk about the decentralised nature of the Internet and the obstructions that have largely allowed different operating layers of the Internet. ‘DNS has been particularly contentious because it is a leaky obstruction between infrastructure and network layers.’ We need to approach all of the discussion from the perspective of how we structure the Internet in a way that it continues to be resilient, continues to have a goal of decentralisation and continues to make data obstructions. With the smartphone era, app-developing organisations are getting more impact on this. ‘To counter this, we need to make sure the infrastructure services exist in the upper layers where the application development is happening, that something like DoH fits in very nicely.’
The rights-base perspective was provided by Ms Joey Salazar (Senior Programme Officer, ARTICLE19). She stressed that censorship remains a key issue concerning freedom of expression and access to information. Ever since it was designed, regulating bodies have consistently deployed different techniques over the years in order to filter, control, and regulate Internet traffic through the DNS. ‘We think a multistakeholder approach is vital to first define clear mechanisms for implementation, for measurement and deployment and then for the access to content through strong legal protections that enabled users’ rights and that protect their data across different regulatory frameworks.’ As for the consolidation concern, Salazar proposed to enable providers to develop a list of services and platforms both in browsers and operating systems which, in turn, would make DoH less centralised.
The final intervention was from Ms Alissa Starzak (Head of Policy, Cloudflare) that users never thought about the information that might be available to others when they browse online. That is why Cloudflare launched the public resolver and partnered with those who shared their view about the privacy of DNS data. ‘We made commitments about our use of the resolver data and said, we wouldn’t share client access or other personal data. We made commitments about logs which didn’t include personal data and would be purged within 25 hours. We made a point of saying we wouldn’t sell data or use it for targeting ads’, she said.
Further the speakers discussed other issues related to DoH:
- If actors gain or lose power to use the DNS data as a tool for security and policy enforcement are there alternatives?
- Is governing DoH to meet requirements of national DNS blocking regimes the least invasive method in the face of other options like laws restricting DoH entirely?
- What does the dominant role of apps on the mobile platforms mean for DoH potentially?
- Governance challenges and the interplay between organisational, national, and extraterritorial policy influence