- Apple and Cloudflare partnered up to develop a new DNS protocol that better protects user privacy, called Oblivious DNS over HTTPS, or ODoH.
- Tech columnist Jason Aten writes that this new standard will make it harder for internet service providers to collect data on users' browsing activity and potentially sell that data to advertisers.
- Many providers don't use DNS data for advertising purposes or sell it to third parties, but it's something they're allowed to do without your permission, as Congress voted in 2017.
- Besides better protecting users and what they do online, Aten argues that this new protocol also raises awareness around how our activity is tracked and monetized.
Apple engineers recently worked with web security company Cloudflare to develop a new DNS protocol that better protects user privacy. Known as Oblivious DNS over HTTPS, or ODoH, the goal is to protect your browsing activity from the prying eyes of your internet service provider, or ISP.
Inspired by work done by researchers from Princeton, who published a 2019 paper called "Oblivious DNS: Practical Privacy for DNS Queries," four engineers developed the first version of the protocol for ODoH in October 2019. Those engineers included Eric Kinnear and Tommy Pauly from Apple, along with Christopher Wood from Cloudflare and Patrick McManus from Fastly, a cloud services platform.
According to Nick Sullivan, head of research at Cloudflare, their work grew out of conversations from the Internet Engineering Task Force (IETF), which is the main standards-setting body for the internet. Sullivan told Business Insider the purpose of ODoH is for users to have "fewer privacy concerns concerning their DNS data and browsing history."
DNS is the protocol that identifies websites on the internet — it literally stands for Domain Name Service. Cloudflare even describes it as the "phonebook for the internet." Every website online has an IP address, which is a series of numbers such as 1.2.3.4, or more often, 111.222.33.44.
Chances are, however, you're not going to remember the IP address of every website you want to visit, but you can remember www.businessinsider.com or www.google.com. When you navigate the internet, your browser sends a request to a DNS server, which parses the URL you entered and turns it into the IP address.
That means that the DNS server, usually run by your ISP, is able to identify all of your web activity and associate it with your account. If it wanted to, your ISP could then provide that information for sale to advertisers.
"In a world where everyone is spying on everything we do online, this protocol closes one surveillance vector," Bruce Schneier, a cybersecurity expert and member of the nonprofit Electronic Frontier Foundation's Board of Directors, told Business Insider. "Right now, your internet service provider is able to eavesdrop on your browsing habits. They can collect that data, and then use it or sell it as they see fit. With this protocol, your browsing is hidden from your ISP."
The standard Apple and Cloudflare have devised places a proxy between your browser and the DNS server. The information traveling to the proxy is encrypted, meaning the proxy isn't capable of identifying your internet traffic. From there, the request continues to the DNS server as usual, except that the server only knows that the request came from the proxy, not which individual browser is making the request.
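The split in who knows what can be simulated in a few lines. This is an added illustration, not code from the article or from Apple or Cloudflare, and it covers only the query direction. A toy Diffie-Hellman exchange and hash-based keystream stand in for HPKE (RFC 9180), which real ODoH uses; the class names and the documentation-range IP addresses are constructed for the example.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group standing in for HPKE (RFC 9180), which real ODoH uses.
P, G = 2**255 - 19, 2

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _shared_key(pk, sk):
    return hashlib.sha256(pow(pk, sk, P).to_bytes(32, "big")).digest()

def _xor_stream(key, data):
    # SHA-256 in counter mode as a keystream; demonstration only.
    pad = b"".join(hashlib.sha256(key + bytes([i])).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(target_pk, plaintext):
    """Client side: encrypt a query so only the target can read it."""
    esk, epk = keygen()                      # fresh ephemeral key per query
    key = _shared_key(target_pk, esk)
    ct = _xor_stream(key, plaintext)
    return epk, ct, hmac.new(key, ct, hashlib.sha256).digest()

def unseal(target_sk, epk, ct, tag):
    """Target side: authenticate, then decrypt."""
    key = _shared_key(epk, target_sk)
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("query failed authentication")
    return _xor_stream(key, ct)

class Target:
    def __init__(self):
        self.sk, self.pk = keygen()
        self.seen = []                       # (peer address, query name)
    def handle(self, peer_ip, sealed):
        self.seen.append((peer_ip, unseal(self.sk, *sealed).decode()))

class Proxy:
    def __init__(self, ip, target):
        self.ip, self.target, self.seen = ip, target, []
    def forward(self, client_ip, sealed):
        self.seen.append((client_ip, sealed[1]))   # client address + opaque bytes
        self.target.handle(self.ip, sealed)        # client address is not passed on

def run_exchange(qname="www.example.com"):
    target = Target()
    proxy = Proxy("198.51.100.5", target)          # constructed addresses (RFC 5737)
    proxy.forward("192.0.2.10", seal(target.pk, qname.encode()))
    return proxy.seen, target.seen
```

The proxy's record holds the client address and ciphertext only, while the target's record holds the query name paired with the proxy's address. The privacy property therefore depends on the proxy and the target being run by parties that do not pool their logs.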
It's probably helpful to unpack what it really means when we talk about 'online privacy.'
I think that, to some extent, people associate the phrase with paranoia or something they don't really need to pay attention to.
Except, in the real world, almost everything you do online is being tracked by companies like Google, Facebook, and in some cases, your ISP. They aren't doing it because they're trying to be creepy — they're doing it because that's what makes targeted advertising possible. Understanding which websites you visit and what you do while you're there means that Facebook can show you an ad for the belt you're considering buying for your dad for Christmas.
Most people have some level of awareness of that because they see the ad. Facebook and Google aren't exactly transparent about it, but most people can figure out what's happening if they think it through. The problem is there are a lot of other players involved, all of whom are also trying to gather as much information as possible.
I think most people, if they really understood how much information tech companies like Google and Facebook had about them, would be sick to their stomach. Those companies have gotten very good at knowing what you like, what you're interested in, and what you do online.
Your ISP, on the other hand, doesn't have to use tracking code on websites since it's delivering those websites to your computer or smartphone. If you're using its DNS server, you're literally sending it information about what website you want to visit. It doesn't have to track you since you just told it what you were doing online.
And, let's face it, just about everything we do is online. Every time you type a website URL into your browser's address bar, it's a data point that can be used to create a profile on you. Imagine a list of the website addresses you visited on any given day. What would that information tell someone about you? What would they be able to learn about you?
ODoH, in theory, should make it harder for your ISP to keep track of your internet browsing activity.
At least, it should make it harder for it to know which websites you type into your browser, which would make it harder to sell that information to advertisers. That's an important point, considering Congress voted in 2017 to allow ISPs to do exactly that.
To be fair, not every ISP is building a profile on you based on what you do online. For example, Comcast says that it "does not use Comcast DNS data for marketing, advertising, or sales purposes, and does not sell this data to third parties for any purpose."
In other cases where it uses DNS information, Comcast says it only stores it for 24 hours, and does so in a way that it can't be identified with an individual user. Which is good, as long as you trust a multibillion-dollar corporation not to change its mind about something that could help it make an easy profit.
Sullivan pointed out that many DNS providers don't monetize user data. "ODoH makes the type of data collection that could lead DNS providers down that road impossible," Sullivan said.
"Furthermore, if a DNS provider is compromised, data about traditional DNS users may be exposed, but data about ODoH users will not be," he added.
That's kind of the point, really. Most people never think about how their information is tracked or used online. Most of us simply use apps, navigate the web, stream video, shop online, and share photos on social media without ever thinking about the sheer volume of information we're providing about ourselves.
Even more, we don't think about the companies scooping up all of that information in order to monetize it.
That means that there's little motivation for almost any company to make it easier for you to take back a little control over your privacy. Fortunately, in this case, Cloudflare and Apple are making that effort.
There are some risks, however. Chris Davis, founder of HYAS, a firm that specializes in pre-zero-day cybersecurity risk, pointed out that there are security implications. For example, "If you get hit with pretty much any type of modern malware, the first thing it does is call home to its C2 (command and control) infrastructure," he told Business Insider. "In nearly every instance, that is a domain name created by the bad guy. Cybersecurity companies leverage this to detect breaches." If that data is encrypted and anonymized, they won't be able to see it.
There's also a reasonable concern that it makes it harder to detect or prevent child trafficking or other illegal activities online. Neither of those concerns has been addressed at this time by the authors of the ODoH protocol.
Finally, it's worth mentioning that whether ODoH becomes the standard depends on whether it's adopted by web browsers and organizations that will run proxies. It also depends on whether DNS resolving services support the standard. Cloudflare says that it's supporting it for early adopters with its 1.1.1.1 DNS resolver.
Sullivan also said that Firefox has expressed an interest in exploring ODoH. "Oblivious DoH is a great addition to the secure DNS ecosystem," Eric Rescorla, Firefox's chief technology officer, told Business Insider. "We're excited to see it starting to take off and are looking forward to experimenting with it in Firefox."
It also seems likely that Apple would include the standard in its own Safari browser. Business Insider reached out to Apple, which declined to comment further.
The bottom line is that this is certainly good news for privacy. "Given the structure of the internet, the dumber the pipe our data goes through, the better for everyone," Enrique Dans, a professor of innovation at IE Business School in Spain, recently wrote on Medium. "Preventing our browsing habits from being picked up by an access provider or other stakeholder is one way to protect our privacy. The ODoH protocol is a practical approach to improving user privacy and means that even if you have no idea what encrypted DNS protocols mean, you will be protected without compromising the performance or your user experience on the internet."
Maybe most importantly, it raises awareness of just how much of what we do online is tracked, monitored, collected, and shared for the purposes of monetizing our activity. In that sense, more information is a good thing.