Encrypting Domain Names Will Combat 'Abuse' By ISPs, Mozilla Tells Congress

A new initiative to encrypt domain names will help prevent internet service providers like Comcast and AT&T from using subscribers' personal data for commercial purposes, browser developer Mozilla told Congress Monday.

Mozilla, along with Google, has announced plans to start encrypting domain names. Mozilla's Firefox browser will use the protocol known as DoH (for DNS over HTTPS) by default, while Google's Chrome will only do so if users have explicitly configured their computers to use a domain-name system provider that supports encryption -- such as Cloudflare, OpenDNS and Google's own DNS service (Google Public DNS). 

DNS, often described as a phone book for the web, translates domain names into Internet Protocol addresses. Encrypting those lookups can prevent outside companies or individuals from intercepting that traffic.

Encryption will also “make it harder to spy on or tamper with users' browsing activity and will protect users from DNS providers -- including ISPs -- that can monetize personal data,” Marshall Erwin, Mozilla's senior director of trust and security, writes.

“We believe that such proactive measures have become necessary to protect users in light of the extensive record of ISP abuse of personal data,” Erwin adds.

He lists several examples, including wireless carriers' disclosures of consumers' geolocation data to third parties, and Verizon's use of “supercookies” to track mobile users for ad-targeting purposes.

Broadband providers recently complained to Congress about Google's plans to start using the new protocol, arguing the move would leave Google with control over more data.

Organizations representing providers said they were “concerned about the potential for default, centralized resolution of DNS queries, and the collection of the majority of worldwide DNS data by a single, global internet company.”

(Google has said its plans were mischaracterized by broadband organizations, and that it has no intention of centralizing the web, or changing people's existing DNS providers to Google by default. “Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate,” a company spokesperson said last month.)

Mozilla is now telling lawmakers that the broadband industry's letter not only contains inaccuracies, but reflects the view that broadband providers should be able to draw on subscribers' web-surfing data for commercial purposes.

“It is important to highlight the underlying premise of that letter: telecommunications associations are explicitly arguing that ISPs need to be in a position to collect and monetize users’ data,” Erwin writes.

The company is urging Congress to investigate broadband providers' privacy practices as part of its efforts to craft a federal privacy law.

In 2016, the Federal Communications Commission passed privacy regulations that would have required broadband providers to obtain consumers' opt-in consent before drawing on their web-browsing activity for advertising. Those rules were revoked by Congress in 2017.

The repeal of those rules created a gap in privacy protection, Mozilla says.

“That gap still exists today,” Erwin writes. “Our approach with DoH attempts to close part of this regulatory gap through technology and strong legal protections for user privacy.”
