DoH!

There’s a problem coming and this problem is the unintended consequence of a well-intentioned development to protect privacy. This problem will mean that it will be much harder if not impossible to block and take down illegal imagery of child sexual abuse online.

To understand this conundrum, it’s necessary to get into the weeds of the way the internet works.

Humans aren’t good at numbers; we much prefer names. Machines are poor at using names and prefer numbers. In the modern increasingly machine-driven era, we use yet more machines to help us out with this. How many telephone numbers do you actually know, these days? We call other people using “call by name”, leaving the detailed drudgery of numbers up to the machines to sort out.

And some numbers aren’t even real numbers. For example, if you dial 0800 123456… 0800 isn’t a real telephone number at all, it is in fact a “trigger” to let the telephone network know not to send you, the calling party, the bill for the call but to send the bill to the called party – hence you get a “free phone call”. Machines in the network translate this 0800 123456 into the actual telephone number so that your call can be connected to the real world destination.

The internet and the World Wide Web that sits on top of it both use numbers too. But we navigate the online world by using names, specifically we’ll use a “domain name” to get to a website, such as safetonetfoundation.org. There is a structure to the Domain Name System (DNS); the .org part of safetonetfoundation.org is referred to as a “generic top level domain” (gTLD) and safetonetfoundation is a “secondary domain”.

All clear so far?

But the browser doesn’t use these names. Browsers navigate using IP (Internet Protocol) addresses. Each device connected to the internet has a unique number or “IP address” that is used as its “postal address”. Your browser uses DNS to convert the domain name you’ve typed (safetonetfoundation.org) into a computer-friendly IP address, so the computer can download the webpage you’re looking for.

A webpage is a file made up of HyperText Markup Language, also known as HTML. The process by which this is downloaded to your browser is called HyperText Transfer Protocol, or HTTP. You might recognise HTTP from the browser you use.

In the last few years, a new secure version of HTTP has been deployed and many websites now use this technology. HTTPS (HyperText Transfer Protocol Secure) creates a secure link between a website and your browser which means that even if the connection from you to the website passes through multiple systems (which it almost certainly will), no one can read the contents – your credit card details for example.

The weakness of this system though lies with the original search for “safetonetfoundation.org”. If you haven’t been there before, then your browser doesn’t have a local store of what the IP address is and will need to use the internet equivalent of a telephone directory on a remote server to find the IP address of safetonetfoundation.org.

And this request is still unencrypted, even if in this example, safetonetfoundation.org uses HTTPS (which it does). This means that this part of your online communications is at risk. Your ISP can work out which sites you’re visiting and by using your own IP address with other information can work out who you are.

Not only can your ISP do this, but men in black hats can intercept your messages in the network, and use a “spoofer” to substitute the IP address you want with a different one to send you to a scam site.

Strawberries and cream are a perfect combination aren’t they? Sometimes pairing things up results in a heavenly heady mix of delight and you might be thinking, why not use the HTTPS protocol for sending the DNS request in the first place? Why not indeed? Because this is what is starting to happen.

And this is the problem.

DNS over HTTPS, or DoH, is a real thing that is being at least proposed if not trialled for rollout by Google and others. But here’s the catch. The “plain text” DNS requests are used by the Internet Watch Foundation (IWF) to compile lists of URLs that contain child sex abuse images and video. These lists are then distributed to telecoms companies and ISPs to block people from accessing this damaging and illegal material. This is one of the fundamental tools used in the global fight against the distribution and downloading of the worst kind of content imaginable.

But if you encrypt those then no one can read them to compile a list of URLs that need to be blocked, meaning there will be a catastrophic impact on the ability to block illegal child sexual abuse content through ISPs, even though DNS over HTTPS makes communications more secure.
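To make the difference concrete, here is an added example (not part of the original article) that builds a plain DNS query, reads the domain name back out of the raw bytes the way a filter on the network path can, and then shows the same query in the form DoH uses (RFC 8484), where it travels inside the encrypted HTTPS request instead. The blocklist entry and the resolver address `doh.example` are made up for illustration.

```python
import base64
import struct

BLOCKLIST = {"blocked.example"}  # constructed entry, not a real blocklist


def build_query(name: str, qid: int = 0) -> bytes:
    """Encode a standard DNS query (RFC 1035) asking for an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD flag, 1 question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet: bytes) -> str:
    """Read the queried name from raw query bytes, as an on-path filter can."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    labels, pos = [], 12  # the question starts right after the 12-byte header
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("malformed label in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()


def is_blocked(packet: bytes) -> bool:
    """Match the queried name, or any parent domain of it, against the list."""
    name = extract_qname(packet)
    return any(name == d or name.endswith("." + d) for d in BLOCKLIST)


def doh_get_url(packet: bytes, resolver: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: the same message, base64url-encoded without padding.
    The resolver URL is a hypothetical placeholder."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return resolver + "?dns=" + encoded


if __name__ == "__main__":
    query = build_query("safetonetfoundation.org")
    print(query)                 # the name is readable in the raw bytes
    print(extract_qname(query), is_blocked(query))
    print(doh_get_url(query))    # sent inside HTTPS, so hidden from the path
```

The plain query is normally sent as-is over UDP port 53, which is why the name can be read and matched; with DoH the URL above is part of an HTTPS request, so a device on the path sees only an encrypted connection to the resolver.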

As Homer Simpson would say: “DoH!”

 
