Congress Eyes Google’s Chrome Encryption Plans

By Jack M. Germain
Oct 1, 2019 3:18 AM PT

Google’s plans to test an encrypted Internet domain name service (DNS) protocol later this month reportedly have spurred some members of Congress to consider opening an antitrust investigation. They are concerned that the new technology could give Google an edge over competitors by making it harder for them to access consumer data.

Google is experimenting with new ways to enhance online privacy and security while maintaining existing content filtering and parental controls in its Chrome Web browser, Chrome Product Manager Kenji Baheux explained in an online post last month.

Investigators for the House Judiciary Committee subsequently sent Google a written request seeking details on the company’s intentions regarding adoption of the new Internet protocol. House investigators also wanted to know if Google planned to use the data it would collect or process through the new protocol for any commercial purposes.

Google’s parent company, Alphabet, has said its goal is to improve Internet security.

Google’s proposal enables secure connections and does not change a user’s DNS, so all existing filters and controls remain intact, a Google spokesperson said in comments provided to TechNewsWorld by company rep Scott Westover.

“Furthermore, there is no change to how DNS providers work with law enforcement in accordance with court orders,” the spokesperson continued. “Google has no plans to centralize or change people’s DNS providers to Google by default. Any claim that we are trying to become the centralized encrypted DNS provider is inaccurate.”

The new technology will improve user security and privacy, according to Google. Its browser changes will leave consumers in charge of who shares their Internet surfing data.

The new protocol would enable encryption of Internet traffic, which in turn could help prevent hackers from snooping on websites, and from spoofing or faking a site.

The Plan at a Glance

Google plans to test the new protocols this month with about 1 percent of its Chrome browsers users. That will be the first step toward more widespread adoption of the new technology.

The process is an experiment to validate Google’s implementation of DNS-over-HTTPS (DoH) in the Chrome 78 browser release. Chrome users can opt out of the experiment by disabling the flag at chrome://flags/#dns-over-https.

The new protocol is supposed to bring the key security and privacy benefits of HTTPS to DNS. Web browsers rely on DNS to determine which server is hosting a given website.

This experiment will be done in collaboration with DNS providers who already support DoH. The process involves checking if the user’s current DNS provider is among a list of DoH-compatible providers, and upgrading to the equivalent DoH service from the same provider. If the DNS provider is not in the list, Chrome will continue to operate normally.

Google selected the participating providers for their strong support on privacy and security. The selection considered the readiness of the providers’ DoH services and agreement to participate in the experiment.

Google will run the experiment on all supported platforms except Linux and iOS for a fraction of Chrome users. On Android 9 and above, Chrome may use the associated DoH provider if the user has specified a DNS-over-TLS provider in the private DNS settings. Chrome will fall back to the system private DNS upon error.

Google will preserve the user experience, it said, by keeping the DNS provider as-is and upgrading only to the provider’s equivalent DoH service. That means malware protection and parental control features offered by the DNS provider will continue to work.

Mounting Opposition

Cable and wireless companies worry the new standard could alter the Internet’s competitive landscape. They worry about the encryption process shutting them out and denying access to user data if Web browser applications move wholesale to the new standard. Many ISPs do not yet support the DoH standard.

Service providers also worry that Google may compel its Chrome browser users to switch to Google services that support the protocol, although Google said it had no intention of doing that.

Some opponents of the new technology have expressed concern that encrypting DNS could complicate government agencies’ efforts to monitor Internet traffic. Another concern is that the new process could prevent service providers that do not support the new standard from observing user behavior from their data-gathering efforts.

The new standard has great potential to improve Internet privacy, according to the Electronic Frontier Foundation, but there is also the worrisome possibility that it could erode the decentralized nature of the Internet.

If more service providers supported the new DNS standard, consumers would have more choice. That would solve the potential problems, according to the EFF.

The EFF considers unencrypted DNS to be “the last big security gap on the Internet,” noted Charles King, principal analyst at Pund-IT.

“Implementing encryption could significantly reduce the number of successful spoofing attacks that injure both consumers and businesses,” he told techNewsWorld.

Narrowed Focus

The DNS encryption conflict ultimately is about surveillance, broadly writ. ISPs want to monitor what users do and get in on the advertising game and dollars, according to Arle Lommel, senior analyst at CSA Research If your browsing habits are less transparent, they are less effective in this arena.

“At the same time, the inability of ISPs, browser companies and site owners to protect customers from scams that redirect them from legitimate sites to the online equivalent of dark alleyways is a real problem,” he told TechNewsWorld.

The extent to which Internet users can escape from that problem and from ISP surveillance at the same time might influence how many of them opt to take advantage of encryption. In this case Google suffers from the same problems as ISPs, so it is in the company’s interest to try to solve these security issues, Lommel said.

Matter of Trust

Government agencies enjoy cozy relationships with some ISPs regarding surveillance, while tech companies have been a bit more resistant. Ultimately it becomes a question of which organizations consumers trust with their data, Lommel suggested.

Government agencies — both in the U.S. and abroad — would prefer to keep the taps open. However, tech companies have their own trust issues.

“Governments are increasingly assertive against them, even in cases where nobody has demonstrated actual harm,” Lommel said.

A Big Leap

Antitrust concerns seem a bit of a stretch in this case, in Lommel’s view. However, governments increasingly have turned to antitrust regulation as their Swiss Army knife to ensure that tech companies comply with their demands.

“So it is not surprising to see it pop up here,” he said. “The challenge is that Google is responding to a real problem in a rational way that also happens to benefit it against ISPs.”

Even though it is not clear that Google’s moves are nefarious at all, governments will be suspicious, and they have shown increasing readiness to try to curb tech companies to fit political agendas, Lommel observed.

Antitrust Impact

The new DoH protocol plan would help surveillance efforts if Google chose to cooperate. It would be pooling the data so authorities would not have to negotiate with individual ISPs to get it, noted Marty Puranik, CEO of Atlantic.Net.

“Antitrust investigation could alter those plans, because Google is extending its reach and creating a monopolistic environment by preventing not only competitors access to this data source, but making it available to themselves,” he told TechNewsWorld.

The longer-term challenge is that Google, like other tech giants, is extending its monopoly into new space and preventing new technology firms from emerging, Puranik pointed out.

“Ultimately, we end up in a dark ages of sorts, because only a few companies have access to data that can be pieced together to provide new services,” he said, “so we are limited to only be as innovative as these companies deem fit.”

Defusing vs. Confusing

Google’s plans can affect other businesses as well as government surveillance efforts, King said. The largest impact probably would be felt by ISPs, since encrypting DNS would hobble or prevent them from capturing the browsing data they use for targeted advertising.

“That is likely why they have petitioned their allies in Congress to investigate Google though they are couching it in terms of antitrust concerns,” King speculated.

It is unclear whether or how Google’s plans — and those of Mozilla which intends to launch a similar effort — would impede government surveillance. If a government agency’s interest was backed by a warrant, Google probably would be able to comply, he said.

If Google agreed not to use the encryption process commercially, it could defuse the controversy and reduce the impact of the investigation. The company also might use congressional hearings to ask why ISPs do not use DNS encryption themselves, King suggested, in referencing the EFF’s ideal approach.

A Similar Plan

Mozilla’s Firefox made DNS over HTTPS available this summer. Mozilla is using Cloudflare’s 1.1.1.1. service, which promises not to store DNS logs for more than 24 hours, noted Terence Jackson, chief information security officer at Thycotic.

“Google is a marketing and advertising juggernaut. By making them a central route for DNS traffic, this could also introduce other security and privacy concerns while seemingly eliminating others,” he told TechNewsWorld.

Users would have to opt in to use this feature. As consumers demand higher levels of privacy online, this could be just the beginning of what is to come, Jackson said.

Google’s Chrome browser has more than a 50 percent market share, Jackson said, citing an August report.

DNS over HTTPS provides greater privacy and protection from attacks such as DNS Poisoning, DNS Hijacking and DNS Spoofing, he added.

“It also prevents ISPs from monitoring DNS queries,” Jackson pointed out. “DNS queries would be routed through Google’s servers, and it would be up to them to turn the logs over if requested during an investigation.”


Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
Email Jack.

Share this Story: