Safeguarding Podcast – It’s all about Privacy, DoH!

By Neil Fairbrother

In this safeguarding podcast, Fred Langford CTO of the Internet Watch Foundation takes us through the impact on child safety of some encryption for privacy technology called DNS over HTTPS (DoH). What is it, how does it work, why should we care and will it actually achieve more safety. We also try to figure out some of the unintended consequences of implementing DoH, and even the ISO’s OSI 7 Layer model makes an appearance.

http://traffic.libsyn.com/safetonetfoundation/SafeToNet_Foundation_podcast_-_its_all_about_Privacy_DoH.mp3

There’s a lightly edited for readability transcript below for those that can’t use podcasts, or for those that simply prefer to read.

Neil Fairbrother

Welcome to another edition of the SafeToNet Foundation safeguarding podcast where we talk about all things to do with safeguarding children in the online digital context.

The online digital context comprises three areas, technology, law, and ethics and culture with child safeguarding right in the centre of that Venn diagram and it encompasses all stakeholders between the child using a smartphone and the content or person online they are interacting with.

Today we are focusing on the first of those areas, technology, and how one technology in particular could affect children online, but fear not if you don’t know your bits from your bytes as today’s guest will help us make sense of it all. Fred Langford, the Chief Technology Officer of the Internet Watch Foundation, welcome to the podcast.

Fred, can you remind us who the IWF is and also can you tell us what your role there is?

Fred Langford

Yeah, sure. The IWF is the UK reporting organization for child sexual abuse material or suspected child sexual abuse material on the internet. So it’s a point for the public to be able to report any content they’re concerned about, but it also enables the IWF to be able to use that as intelligence to be able to go out and actively seek this content online with an aim of identifying it, categorizing it, tracing its location, and removing it from the internet.

My role there as Chief Technical Officer and Deputy Chief Executive is to oversee all technology that’s internal and external to the organization, be that policy or practical implementation as well as responsibility for the hotline function. So we have a team of 13 analysts who categorize this content every day. So we have to make sure that their welfare is kept front of mind as well.

Neil Fairbrother

Yes, it’s a tough job that they do, your analysts. Now let’s just be clear, if a member of the public stumbles across some child sexual abuse material online or child pornography as some people call it, what should they do?

Fred Langford

I would say that they should report to the IWF. So we will make the judgment if they’re not sure, we understand that members of the public might not be sure whether or not this actually fails UK law, so if in doubt reports it to the IWF. So we have a reporting page on www.iwf.org.uk and all we ask is that somebody copies the URL of the content that they suspect is a child sexual abuse material and send it to the IWF.

Now you can do this anonymously or leave your contact details if you want to receive feedback on your report and what happens then is that report comes into a bespoke report management system within the IWF and it’s allocated to an analyst and we will take the action from that point. So the first point the analyst would do is just look at the image, load the image as anybody else would, and look at the content itself and see if it fails UK law. If it does, they would trace the location of that content regardless of where it is in the world and take appropriate action.

If it was in a country that already has a hotline as part of the In Hope network, which is the international network of hotlines, we would input that report into a system that manages the distribution of reports from that way. If it wasn’t in a country that has an In Hope hotline, we would then probably take a law enforcement route if possible. But if we can’t find the law enforcement contacts in that country, we’ll go straight to the hosting provider to request they remove the content.

Neil Fairbrother

Okay. And should a member of the public be worried if they have inadvertently clicked on a link or been sent some attachment in an email, for example, that they weren’t expecting? Should they be worried if they have reported it and should they then delete it?

Fred Langford

I mean, there’s always grades of what somebody is doing and I can’t try and second guess what somebody’s motivations are, but if somebody is innocently stumbled across content, which does happen what they should do is after they’ve reported it to the IWF, I recommend that they leave their contact details because then we can send a notification with a reference number on it if anything happens.

But what they should do then is if they have loaded the image or saved the page, they need to delete that page and not visit it again. And the reason being that some people feel like that they should go back and check to see if the content has been removed. Every time somebody goes back there, they’re obviously risking themselves from prosecution because it’s possible that by continually clicking on an image or video that they could be incriminating themselves.

So I would say just report the URL, leave your details, and then don’t visit that page again. Or preferably until you’ve received feedback that that image has been removed, don’t go to that site again, just in case. But I can’t say that they are immune from prosecution because it would depend what else they’ve been doing on that particular device, but if it’s just the one image, it’s not proportionate for the police to take action and they would they would usually be immune from prosecution as long as they’ve done the right thing.

Neil Fairbrother

Okay. All right, well that’s reassuring to know. Thank you for that. Now, I know technology can be a daunting subject for many people, particularly when it comes to internet-types of technology, which is arcane at the best of times. But before we start to unpick some of that terminology and how it works, where are we with online child safety in general do you think? Only this week we’ve had reports from the BBC, for example, about young teenagers and even preteens being tricked into producing sexualized images. Hasn’t all of this got out of control?

Fred Langford

Oh, well, it’s definitely growing. I always say that we’re not actually at baseline yet. If you look at the global population, not everybody is online and because of the nature of the internet obviously is global. So somebody accessing content could be in any country, anywhere in the world. They could be uploading it from say, I don’t know, India to servers in the Netherlands and somebody could be accessing that from Brazil and they could be administrating the site from Japan. So until everybody is online and we’ve got that baseline, we don’t really know what the extent of the problem actually is.

Now, that said, the general situation around safeguarding at the moment is that the UK government is looking at bringing in a Regulator. And in fact there’s been some news stories just today about that being announced in April this year as part of, I think it was the College of Psychiatrists who are raising concerns about access to data from social media companies to be able to carry out research into the potential [of social media] to damage mental health.

And so the government are, the UK government particularly, are pushing for this. The European Union, they’re looking at some of the legislation that underpins what action takes place at the moment, in the future.

So there is a carrier liability issue. So if somebody is hosting this material under the Electronic Commerce Directive of the European Union, it’s a requirement that once they have been notified of the content, they need to act expeditiously to remove it. Now expeditiously could mean one thing for one organization that’s got a big resource to be able to tackle this, to another organization that’s one or two people trying to run a hosting provider. The idea is that actually they will have a look at that legislation to be able to decide whether or not the carriers do have the liability for the content on their platforms.

And this is something that we discussed before the podcast, about the US are looking into this as well and it comes from a similar piece of legislation to do with Backpage in the US which was about the liability of Backpage to facilitate child trafficking and Backpage at the time…

Neil Fairbrother

Sorry, Backpage is?

Fred Langford

Backpage is a site, it was very US centric, like Craig’s list. In the UK you could usually look at the likes of Gumtree and these sorts of sites. It’s linking people in to be able to sell goods and services direct to each other.

Well Backpage were implicated in knowing that this sort of behaviour, that child trafficking was taking place on their site, and they called the Carrier Liability immunity into play. And they were challenged and the law was changed in the US which meant they did have Carrier Liability because they had knowledge of this and they hadn’t taken action.

And off the back of that, I know that US law makers are considering what are the next steps to try and hold some of the companies to account. That said, some companies are doing a great job, some companies need to step up to the mark. So I think it’s the same with these things, usually there’s a scale of activity taking place in the internet industry. Some are providing a best practice approach and some really need to need to up their game.

Neil Fairbrother

Okay. Now you mentioned the EU and in two weeks’ time, at the current time of recording, in two weeks’ time, we are supposed to be leaving, whatever that might mean. Will we still be beholden to EU laws, rules and regulations in the context of safeguarding?

Fred Langford

Well I don’t think we will in the longer term. I think in the short term, yes, nothing’s going to change, which like you say, we don’t know what the details are of the agreement and how we’re going to be exited in a few weeks’ time.

But yes, it’s definitely going to have an impact I think because collectively the EU states are quite a voice when it comes to sometimes trying to raise issues in the US which I know it sounds like it’s not a million miles away, the internet’s small, but actually in cultural understanding of what the internet is there to do I think we’re quite a way apart as in Europe and the West coast of the US.

So a lot of the debate in the West coast of the US is all around privacy and it’s come from the Snowden revelations and what was taking place there, whereas in the European Union, quite a lot of the debate is around users’ control of their own data, and at the moment we don’t really have these married, should we say. And collectively as EU States, we could put some pressure on some of the West coast companies to rethink their approach, and I think with the UK breaking out, it’s a little bit uncertain at the moment what influence we will have.

And I think this will be key to the sort of allied States, “Five Eyes” as they would be called in sort of a military or inter-governmental parlance, which would be the US, Canada, UK, Australia and New Zealand, working together to devise policies that will be able to work across a changing landscape, is probably the best way of describing it.

Neil Fairbrother

Okay. So the technology that we’re going to talk about today is something known as DNS over HTTPS or DoH for short. Let’s start this discussion by looking at the two main parts, DNS or first of all, and then HTTPS. What is DNS?

Fred Langford

Well, if you think of DNS as the “phone book” for the internet. It’s when somebody types in an address, BBC.co.uk, to have a look at the news, the machines behind this to pull the content in, don’t use the easily-human readable format, but what they need to do is turn that address into an IP address. It’s called an Internet Protocol address.

And it does that by sending out a request to a machine, a server, which traditionally has been hosted by your internet service provider. So the request will go from your browser to say “I want to go to bbc.co.uk. Where can I find that? What’s the phone number? What’s the IP address?” And it sends this request to the server, like I say traditionally hosted by your internet service provider. It [the ISP] will say, “Okay, here’s the address that you need to go to”. It sends that back to your browser and your browser then goes off and does the communication directly with that server.

I mean that’s a very simplified version. So if you think of it as just, “I want to know where X is, what’s the numerical address for this?” And the machine will come back and tell you what that numerical address is and then, seamlessly to the user, as it should work, it would return the page that you’re after.

Neil Fairbrother

Okay. And DNS stands for Domain Name Server, so I guess the clue’s in the name there. Now the technologists, when they talk about this kind of thing, talk about “local” versus “remote” DNS resolution and “DNS resolvers”. What is all that about? What does resolver, resolution, mean?

Fred Langford

Yes, well the Resolver is that machine that’s providing the number for you. So the Resolvers can sit in various places depending on the architecture that your internet service provider has implemented. So the Local Resolver actually could be your router in your house. That’s the thing with the flashing lights there that gets sent out when you when you sign up to an ISP. So that could retain some of this information very locally. Usually it would go through to your internet service provider to be able to find. That would be called a Local Resolver either way, because it’s local to your network, it’s all contained within a self-contained network.

If it’s a remote DNS server, it would send that straight through, out of your internet service providers’ “cloud”, if you think about the way that people draw these networks, and it would go to another machine in another location and where that is, it could vary. It could be anywhere in the world.

Neil Fairbrother

Now DNS turns out to be a pretty ancient technology as far as modern digital technology is concerned. It’s over 30 years old and it makes a lot of use of what’s known as “clear text”. What is clear text?

Fred Langford

Clear text means that there’s no obfuscation or encryption taking place. So this request just goes out in clear text. So what that means is it’s open to potential attack, because somebody could monitor what’s taking place in a network and decide that actually that’s a good point of attack to be able to “spoof” the site you’re going to.

So what we mean by “spoofing” is you send off the request and usually we’d send back the correct IP address. What actually could happen if someone could intercept that traffic and instead of sending back the correct number for you to go to, it would send you a fake address to go to. And on that site could have a fake website that, to all intents and purposes, the user thinks is real. But actually what it’s doing is monitoring all of your activity on that site and also could download some malware to your machine to be able to log what you’re doing and access your personal information.

Neil Fairbrother

OK so that fake site might be a fake bank?

Fred Langford

Yes a fake payment site or fake banking site.

Neil Fairbrother

You log in with your details, they capture all your details and the next thing you know, your real bank account is empty.

Fred Langford

Yes. And we’ve had even larger attacks whereby some of the larger service providers have had all of their DNS traffic redirected. So as somebody is trying to send it to one machine, it’s sending it all through a separate route, so ultimately could end up in the right place, but what it means is that he can monitor everybody’s request that’s going to that. So that would be a more of an attack on what’s happening on that particular platform to be able to try and grab their intellectual property and to be able to duplicate it and hopefully take business from that company.

Neil Fairbrother

Okay. So what is HTTPS?

Fred Langford

HyperText Transport Protocol, but Secure. So the S… so what this means is that the traffic sent between your laptop or your PC, your device to that server that’s providing the information, the website, is encrypted so nobody can eavesdrop. They can’t see what’s going on in between.

Now we will probably be getting into what this means for when you join the two together. But at the moment the actual request is sent in clear text for that address and then when it comes back to your machine, it then opens this encrypted connection. And that’s what HTTPS is.

So if you think in the simplest terms, everybody remember, check that that lock sign shows that it’s locked. So that’s HTTPS.

Neil Fairbrother

So this in the browser bar where you might have the URL or the website address of your bank and you can actually see it saying HTTPS:// www.barclays.com and this little image of a padlock there as well?

Fred Langford

Yes.

Neil Fairbrother

If you are on what you think is a banking site and it just says HTTP, then either you need to change your bank or you are on a fictitious bank site?.

Fred Langford

Absolutely. And you could also be on a fictitious bank site with HTTPS. So I mean from a security aspect, you should click on that lock anyway because that when you click on the lock, it will show you the information of the certificate. The way HTTPS works is you apply for a certificate, a secure certificate, to show the integrity of your organization, to a trusted certifying body, and they provide that certificate to you to be able to say, yes, this is who we say we are. But actually that in itself can also be spoofed.

Neil Fairbrother

Okay. So now comes the big moment. DNS over HTTPS or as it’s technically known, RFC 8484. We probably already guessed what this might be, but can you explain it to us? What is DNS over HTTPS now?

Fred Langford

Yes, absolutely. So if you sort of merge the two technologies together, you can see that the DNS request is sending clear text and that’s a risk for cybersecurity attacks on individuals and organizations. So the solution to that is like you say, RFC 8484, is to encrypt that traffic. So the request goes straight to a server and it’s encrypted as it would be on HTTPS traffic, so it’s invisible to somebody who’s trying to intercept your traffic on the network.

The downside of DoH from a safeguarding perspective is that it removes the visibility from ISPs who are not running their own DoH servers, from being able to see what is taking place on their next.

Neil Fairbrother

Yes, indeed. So DNS over HTTPS or DoH for short, it not only encrypts your DNS traffic as you said, but it also hides it amongst other web traffic. So the lookups that you make, the searches that you make for a website, your search queries, they are then indistinguishable from other web traffic that’s coming in and out of your internet connection, so they can’t be filtered. Now this is a bit of a problem for the IWF in terms of what you described at the outset, because a lot of what you do requires filtering lists of DNS information.

Fred Langford

Yes, it does. I mean as always, there’s a little bit more technology behind it. So the way it hides the traffic is, different internet protocols run on what are called port numbers and HTTPS runs on a particular port number and DNS traditionally would run on another port number.

So if you think that usual HTTP traffic is port 80. Now, it doesn’t mean very much to most people. All it means is if you think of it like a postal system, the traffic turns up at the server and it says, who am I here for? And so port 80’s, just saying (it’s like a pigeon hole you would see in a teacher staff room I suppose is the best way of saying it) put that in that port. If it comes from HTTPS, it’s port 443, put it in that one, but no one can see what that is, that’s sealed.

So it sends this traffic backwards and forwards and like we say, it means that it could potentially cause problems for the IWF because we provide a URL list of live sites hosting child sexual abuse material hosted outside the UK, ones that we’ve sent a notice to but as yet the content’s not been removed. And currently what happens is, as that request goes to an internet service provider, if it’s on one of these suspect sites, it would redirect that traffic at that point. It would say, hang on a minute, this site’s got something illegal on it, let’s redirect that traffic to a second machine, which would look at the exact page and filters.

So it’s a combination. It needs that DNS look up to be able to redirect the traffic, but at the second stage of filtering, what it does is it looks at the absolute detailed URL so we don’t have any “collateral damage”. Rather than blocking the whole site, if the site is being abused by one person, it may be that there’s one illegal image on the site that’s got hundreds of thousands of images on there, that are perfectly legal. We wouldn’t want to issue a notice for the whole site to be removed, we just want that page to be blocked and have the content removed from there.

So yes, it causes problems for the deployment of IWF datasets by ISPs.

Neil Fairbrother

Okay. So this then in turn might cause a problem for children who have been abused?

Fred Langford

Yes. Because what it means is that it leaves the potential for many more people to accidentally stumble on content that they would usually be blocked for. So if somebody has been a victim of abuse, we are aware from talking to survivors of abuse that the revictimization of knowing that people are still able to see their abuse out on the internet, is obviously very troubling. So the more checks and interventions that we can put in is going to help the revictimization of those victims.

So if the filtering solutions can be bypassed, obviously it leaves a great deal of anxiety and angst for that victim to think that more people are going to potentially stumble across that material. And what is the outcome of that? Does it mean that more people are going to start seeking their abuse in the future?

So it means that if somebody got a predisposition to have an interest in this sort of content, they may never realize that if they never stumbled across the content. If they hit content accidentally, it may awaken something that they previously wouldn’t have been able to realize. And so there are a number of risks associated with not being able to filter known content from being viewed.

Neil Fairbrother

Okay. Now we’re going to delve a little bit deeper into some of how this stuff works. The International Standards Organization a number of years ago produced their very well-known Open Standards Interconnect Seven Layer model. The ISO OSI Seven Layer model.

DNS, which we’ve talked about, has always been in Layer Three of the Seven Layer model, in the Network layer. But this technology, DoH, takes that DNS function and puts it into Layer seven, which is the Application level.

Now this might sound a bit arcane, but there are implications for all of us because it means that the application provider is now responsible for the DNS lookup and not the network provider. If the application provider turns out to be a dishonest person, a bad actor or organization, could this not then lead to more harm, and more undetectable harm?

Fred Langford

Absolutely. It’s something we’re aware of from ongoing discussions around DoH implementation that at the moment we’ve been spending a lot of time talking to internet service providers to try and work out how we can come up with a mutual solution that means that they can still redirect and filter traffic, but it still provides that security and integrity of the data for the majority of users who aren’t seeking this sort of content.

They [ISPs] are potentially being taken out of this area, but because it’s moving to the application level and with apps, people using apps, it does mean that applications on mobile devices or fixed devices can program their own DNS. So even if we work with all the internet service providers, all of the browser manufacturers, because really this is who’s developed or pushed for this standard to be put in place. That’s, that’s fine. That will work with at the moment around 80% of what we’re trying to tackle here. But with applications, yes, there’s always an opportunity that somebody could develop an application that is going to tunnel through and it would be invisible to the IWF until somebody either notified us that there was a problem on that particular application. But what we could do would be limited.

Neil Fairbrother

So this will have an impact on children I think because we all rely on app stores to curate apps and there are different degrees of testing by the app store operators. So Apple and Google will curate apps and check for quality to make sure that an app isn’t actually malware or spyware or something along those lines. How will they be able to check that the app isn’t going to hijack a DNS lookup for nefarious means?

Fred Langford

Well, at the moment I don’t think they can. I think one of the requirements they could put on their app store is that they need to be transparent about the DNS and how it’s being managed. I would have to go in and check the Apple and Google Play store requirements.

But at the moment, because it is an RFC…

Neil Fairbrother

… this is a “Request For Comment”. This is the technical nomenclature for this kind of thing.

Fred Langford

Yes that’s right. And so because it is a legitimate agreed technical standard, they wouldn’t actually be breaking any rules or regulations so it would potentially only be something that Apple and Google could put in as an advisory requirement and so what they can do on the apps is limited. The solutions that we’re working towards at the moment is really to be able to get more people to set up their own DoH servers.

So there are limited number of providers at the moment, although they’re growing exponentially, they exploded exponentially as I’m sure you understand, because there’s potential revenue to be made here. And so really it’s about trying to get the internet service providers to set up their own DoH servers.

Now this is working very well in the UK; rest of the world, I don’t think this is even a topic that has been debated in the majority of the globe. So I think that people will be caught out, I suppose, in other countries whereby if a policy or legislation or government wants to do something, they may find that actually they’ve missed the boat, that the technical standards already been implemented and it’s much more difficult to try and roll anything back than it is to get it in the beginning.

Neil Fairbrother

Genie out of the bottle syndrome. Now ISPs often provide “parental controls”, which prevent children from seeing inappropriate content and these are mostly based on the current DNS implementation, using all of that clear text that we spoke about earlier. If the clear text lookups are then encrypted in DNS over HTTPS, does that do away with these parental controls? Do these parental control features work in a DNS over HTTP world?

Fred Langford

Well, initially they wouldn’t have in the UK. I mean, it depends on how parental controls are put in. Because in the UK that’s very much managed at the network level, like you were saying on the stack [the OSO 7 layer model], it meant that they could intervene on DNS knowing that that customer has requested that parental controls, or by default the parental controls, had been turned on.

Actually because of this change in proposed implementation in the UK, the parental controls shouldn’t be affected now, because most of the ISPs haven’t yet rolled this out and the browser providers haven’t rolled it out as default in the UK, there’s been no impact just yet.

Now in the US I’m aware that a number of the parental control providers actually require the customer, the individual, the end user, to buy into it. So this is the question around “default on” or “default off” and then somebody chooses because there’s different ways that you could potentially manage that.

But to say that it’s resolved in the UK, I don’t think it is completely resolved. Now it may be resolved as far as browser use, but DoH is also going to affect hardware. So things like if you’re using something like Google Chrome or a Chrome book, if it was hard-programmed in to use DoH servers, that would be managed in a slightly different way than the browsers would.

So there’s definitely issues around this but to say it’s impacting on all parental controls, I don’t think it is, but it’s definitely got an impact on some, but again, it comes down to how each organization, each network provider, has configured their parental control software.

Neil Fairbrother

Okay. And presumably a similar argument applies to malware and botware filtering because that’s also performed by the DNS?

Fred Langford

Absolutely. And I think that’s probably more of a problem really because in the UK, the National Cyber Security Centre provides guidance and help to ISPs to be able to stop a botnet, command and control servers, IP addresses, these sorts of things. But without having that visibility on the network and working with ISPs to see what’s happening on networks, they may not be able to see how that particular piece of malware is behaving on a network and can take appropriate action to stop it. So I think that there is a lot more work to be done as far as this malware intervention.

Neil Fairbrother

Okay. Now today DNS lookups to my understanding anyway spread across hundreds of thousands of different servers and it’s relatively easy if you wanted to, to pick the service you want. But in the future the choice maybe really down to the major brands or manufacturers of which there are four. You’ve got Apple Safari, you’ve got Google Chrome, which you mentioned, you’ve got Firefox and you’ve got Microsoft Edge, I guess that’s replaced Explorer. And between those four, they control 90% of the world’s web traffic and they are all in the US, so they are all then subject to US legislation. How much control or influence would we have in the UK, particularly as a standalone island as opposed to being in the EU, over any legislation that may be passed in the US?

Fred Langford

Well, you’re absolutely right and very limited influence I would say, because of the things we discussed earlier that are playing out in the US around the privacy argument and Net Neutrality’s another thing about the neutrality of traffic on providers, we will have a limited amount of access.

It also causes problems if you think from a law enforcement perspective. So traditionally if they want to gain access to investigate somebody’s behaviour online, they would be able to go to that particular individual’s internet service provider and make a request, a formal request, for information on their activity to see which sorts of sites they’re going to. Well that’s not going to be possible anymore because it will be fully encrypted. So they will have to then put in a request, that request would have to be managed internationally and so the timeframes all of a sudden extend hugely.

So whereas previously they would be able to put in this request and probably get that information within a day, that could take weeks depending on how the request has been formulated. And that’s a real problem because if you have to act in very quick time to be able to safeguard a child, if somebody is at risk of life and limb, all of the sudden that request is going to potentially be a barrier to being able to safeguard somebody in a vulnerable position.

Neil Fairbrother

Okay. Now the EU Kids Online project run by Sonia Livingstone, just across the road from here at the LSE, created a table of online risks and one of those risks was commercial risk. Now you mentioned that these DoH service providers will be monetized, there will be commercial opportunities for them and they will be monetized using people’s data in a way that today, DNS service providers don’t, as well as making much more use of cookies for tracking purposes and “fingerprinting” where you are and what you’re up to. So will this result in an increased commercial risk to children?

Fred Langford

There is the potential for that, yes. So what I should have made clear at the beginning is whoever is running this DoH server has full visibility because all the traffic is encrypted from the moment it leaves the user’s device until it hits that server. So whoever’s controlling that DoH server can look at all the requests, hence why if there’s a legal request for access, they would have to go to that particular provider.

Now, as you’ve stated, at the moment the DNS architecture is distributed amongst thousands of organizations, usually your network provider, but you can choose, pick and choose who you want to go to. With it all being centralized, there is an opportunity to monetize that data and to be able to see who’s going where and how should you prioritize traffic. As an “over the top” provider, would it be better to partner with an organization that is getting a lot of reach to be able to advertise to those particular people?

Now the cookie debate is raging at the moment, again because of whether third party cookies, so those are ones that are put on your browser to track your movement by somebody separate to the site you’ve been on. And I think those days are number there. So Chrome, Google, have just come out and said they’re not going to allow third party cookies to be digested by their browser in the very near future. But that doesn’t mean that there are going to be no cookies, I just think it means the cookies will probably get much larger.

So the sorts of information they’re gathering for the site you’re visiting will probably be much more extensive. It does mean that you could potentially monetize all of these lookups. Now at the moment, the debate about whether or not that is the overarching aim, I would say is open. Those that are setting up the DoH servers are saying that there’s not enough revenue to be made, therefore, that’s not the business model they’re potentially looking at. But over time, as data sets grow on these particular DoH servers, that may change, then the opportunities will become apparent.

Neil Fairbrother

Okay. We are running out of time so we have to rapidly move on. In terms of content in a DNS world, the DNS content filters are mandated by the law of the country you are in. But in a DNS over HTTPS world, they’re are mandated by the laws of the country where the remote resolver is located over which we in the UK have little to no control, as we said just a few moments ago. How does this stack up with the stated aim of the UK government to make the UK the safest place, certainly for children, to be online? Doesn’t it scupper the aims and objectives of the Online Harms white paper.

Fred Langford

I think it could, but it all depends on the scope of the Online Harms white paper, which isn’t completely clear yet until we’ve seen the proposals from the government. So should that scope include DoH providers? So the Online Harms white paper is very much about a Duty of Care. So if you think that you have care to UK citizens. So if DoH providers are included in the scope and they are providing that service to UK citizens, therefore they would fall within the scope of the Duty of Care. So they would still have a Duty of Care to make sure that anybody in the UK is protected. Now, like I say, that’s unclear at the moment. So if DoH providers are outside of the scope, yes, there’s a potential.

And there’s also, I mean there are other problems around the copyrights groups and so in the past it was very much around debates around Pirate Bay and the sorts of sites that were providing access to copyright material, which usually do have a court order attached to them, which is you must block all of this site using DNS. Now that is going to be something that won’t be possible anymore. The rights holders are looking into how they can tackle that themselves.

But I think what it really needs is a bit of a shift of mindset. So for the last decade or so, using DNS to be able to filter is always been the solution. But all that’s happened really is who has control over that data is shifted. So it’s how can you bring those organizations into the overarching scope to be able to make sure that they are still accountable.

The IWF and myself, we’re calling for equivalency because we want the equivalent amount of protection to children and users as well, because of the potential for them to be inadvertently criminalized for looking at content that they would have been blocked from viewing previously. We expect that the government will probably look at this and say, anybody who is providing a service falls within scope.

Neil Fairbrother

Okay. So we’re ending up with what I see is a marginal gain for privacy by encrypting our DNS lookups set against a range of other issues, all of which have yet to be resolved, which may result in overall less safety for children.

Fred Langford

Yes, I think you’re absolutely right. And this is something that the IWF been pushing the standards bodies [for]. The international standards bodies for technology don’t have a policy consideration. So they will look at these Requests for Comments, which are effectively papers that are submitted and then on a consensus led basis are agreed by committees that really were set up in the early days of the internet and it’s fairly opaque who’s involved. You need a lot of money to be able to keep up to date with them. But that said, there was no policy consideration.

So when RFC 8484 was developed, nobody thought, “How is this going to impact children?” “How is this going to impact any of the efforts from terrorism?” “How is this going to impact on all the other myriad of vulnerabilities that happen online?”

And I think what’s happened, it’s been a bit of an awakening for those bodies as well, because many of the techies that are involved in these conversations are raising this as a serious issue. They’re saying don’t want to develop a standard that’s going to damage kids, but inadvertently because of the process that’s been in place for a number of years, that’s exactly what they’re doing.

So the pressure’s really been put on the Internet Engineering Task Force, the IETF, that manage all of these RFCs to actually do something about it and to change that policy consideration.

The issue now is the speed of change in these organizations. They are global organizations, consensus led, which generally mean the speed of changes is very, very slow.

Neil Fairbrother

Which is counterintuitive, because we always say technology moves really quickly. But it sounds like that they’re beginning to adopt in principle, if not in name, Safety by Design.

Fred Langford

Yes. I think they are, they’re having to because of the sorts of demands that are coming from their members. So the ISPs the application level providers, they’re all saying, please put something in that means that we can debate these because the technology should not be developed to damage the users. The whole idea is that technology facilitates the good that the internet can bring.

So really without having the considerations of the “what ifs”, what if we develop this, what is going to be the impact without having that function within any of these organizations, they are going to find themselves coming up against the state actors who want to protect their citizens.

Neil Fairbrother

Fred, on that note, we’re going to have to end it. So thank you so much for coming in ethics. Fascinating discussion. I could talk about this with you all day, I think. But we’re going to have to leave it there.

Fred Langford

It’s my pleasure. Thank you very much.