UK Concerns over Encrypted DNS

Web browser risk to child safety

We are deeply concerned that a new form of encryption being introduced to our web browsers will have terrible consequences for child protection.

The new system 204 known as DNS over HTTPS -- would have the effect of undermining the work of the Internet Watch Foundation (IWF); yet Mozilla, provider of the Firefox browser, has decided to introduce it, and others may follow.

The amount of abusive content online is huge and not declining. Last year, the IWF removed more than 105,000 web pages showing the sexual abuse of children. While the UK has an excellent record in eliminating the hosting of such illegal content, there is still a significant demand from UK internet users: the National Crime Agency estimates there are 144,000 internet users on some of the worst dark-web child sexual abuse sites.

To fight this, the IWF provides a URL block list that allows internet service providers to block internet users from accessing known child sexual abuse content until it is taken down by the host country. The deployment of the new encryption system in its proposed form could render this service obsolete, exposing millions of people to the worst imagery of children being sexually abused, and the victims of said abuse to countless sets of eyes.

Advances in protecting users' data must not come at the expense of children. We urge the secretary of state for digital, culture, media and sport to address this issue in the government's upcoming legislation on online harms.

• Sarah Champion MP;
• Tom Watson MP;
• Carolyn Harris MP;
• Tom Brake MP;
• Stephen Timms MP;
• Ian Lucas MP;
• Tim Loughton MP;
• Giles Watling MP;
• Madeleine Moon MP;
• Vicky Ford MP;
• Rosie Cooper MP;
• Baroness Howe;
• Lord Knight;
• Baroness Thornton;
• Baroness Walmsley;
• Lord Maginnis;
• Baroness Benjamin;
• Lord Harris of Haringey

The IWF service is continually being rolled out as an argument against DoH but I am starting to wonder if it is still relevant. Given the universal revulsion against child sex abuse then I'd suspect that little of it would now be located on the open internet. Surely it would be hiding away in hard to find places like the dark web, that are unlikely to stumbled on by normal people. And of course those using the dark web aren't using ISP DNS servers anyway.

In reality the point of using DoH is to evade government attempts to block legal porn sites. If they weren't intending to block legal sites then surely people would be happy to use the ISP DNS including the IWF service.

Here at the IWF, we've created life-changing technology and data sets helping people who were sexually abused as children and whose images appear online. The IWF URL List , or more commonly, the block list, is a list of live webpages that show children being sexually abused, a list used by the internet industry to block millions of criminal images from ever reaching the public eye.

It's a crucial service, protecting children, and people of all ages in their homes and places of work. It stops horrifying videos from being stumbled across accidentally, and it thwarts some predators who visit the net to watch such abuse.

But now its effectiveness is in jeopardy. That block list which has for years stood between exploited children and their repeated victimisation faces a challenge called DNS over HTTPS which could soon render it obsolete.

It could expose millions of internet users across the globe - and of any age -- to the risk of glimpsing the most terrible content.

So how does it work? DNS stands for Domain Name System and it's the phonebook by which you look something up on the internet. But the new privacy technology could hide user requests, bypass filters like parental controls, and make globally-criminal material freely accessible. What's more, this is being fast-tracked, by some, into service as a default which could make the IWF list and all kinds of other protections defunct.

At the IWF, we don't want to demonise technology. Everyone's data should be secure from unnecessary snooping and encryption itself is not a bad thing. But the IWF is all about protecting victims and we say that the way in which DNS over HTTPS is being implemented is the problem.

If it was set as the default on the browsers used by most of us in the UK, it would have a catastrophic impact. It would make the horrific images we've spent all these years blocking suddenly highly accessible. All the years of work for children's protection could be completely undermined -- not just busting the IWF's block list but swerving filters, bypassing parental controls, and dodging some counter terrorism efforts as well.

From the IWF's perspective, this is far more than just a privacy or a tech issue, it's all about putting the safety of children at the top of the agenda, not the bottom. We want to see a duty of care placed upon DNS providers so they are obliged to act for child safety and cannot sacrifice protection for improved customer privacy.

The authorities have admitted for the first time they will be unable to enforce the porn block law if browsers such as Firefox and Chrome roll out DNS over HTTPS encryption.

The acknowledgement comes as senior representatives of ISPs privately told Daily Star Online they believe the porn block law could be delayed.

Earlier this month, this publication revealed Mozilla Firefox is thought to be pushing ahead with the roll out of DNS encryption, despite government concerns they and ISPs will be unable to see what website we are looking at and block them.

Speaking at the Internet Service Providers Association's Annual Conference last week, Mark Hoe, from the government's National Cyber Security Centre (NCSC), said they would not be able to block websites that violate the porn block and enforce the new law. He said:

The age verification -- although those are not directly affected [by DNS encryption] it does effect enforcement of access to non-compliant websites.

So, whereas we had previously envisaged that ISPs would be able to block access to non-compliant sites, [those] using DNS filtering techniques don't provide a way around that.

Hoe said that the browsers were responding to legitimate concerns after the Daily Star reported Google Chrome was thought to have changed its stance on the roll out of encrypted DNS.

However, industry insiders still think Firefox will press ahead, potentially leading to people who want to avoid the ban switching to their browser.

In an official statement, a government spokesman told Daily Star Online the law would come into force in a couple of months, as planned, but without explaining how it will enforce it.

Meanwhile a survey reveals three quarters of Brit parents are worried the porn block could leave them open to ID theft because they will be forced to hand over details to get age verified. AgeChecked surveyed 1,500 UK parents and found 73% would be apprehensive about giving personal information as verification online, for fear of how the data would be used.