Justin Kosslyn is the chief product manager at Jigsaw, a unit within Alphabet that uses technology to address global security issues.
Amid all the discussion today about online threats, from censorship to surveillance to cyberwar, we often spend more time on the symptoms than on the underlying chronic conditions. If we want to make people around the world safer from an oppressive, weaponized Internet, we need to get a bit nerdy and talk about Internet standards.
Most Internet censorship today is only possible because the Internet wasn’t designed to protect the privacy of your connections. It wasn’t private by design, so when censors came along, they pushed on an open door. Making Internet connections truly private and secure means updating the fundamental technical standards that govern the global internet.
Fortunately, the first step toward making global internet standards safer and more censorship-resistant is neither controversial nor particularly complicated. Put simply, we should make Internet protocols—the who, what, where of internet addresses—more private. Everyone from regulators to users has been asking for more privacy protections, and improving Internet standards is one foundational way of providing that.
Privacy makes selective censorship harder because censors no longer know the blow-by-blow details of what everyone is doing, so they can’t micromanage a person’s access to the Internet. Improving standards doesn’t take magic — just prototyping, debating, consensus-building, and implementing. The standards that govern the Internet are driven through organizations like the Internet Engineering Task Force.
Since 2015, technologists, facilitated by the IETF, have been considering proposals to enhance privacy for a key element of the Internet: the Domain Name System (DNS). It’s often described as the “address book of the Internet” and it was not designed to use encryption.
Unfortunately, every time you visit a website, your computer first consults the DNS system without any encryption, allowing censors and snoopers to know the name of every website you visit. A new standard is emerging to encrypt DNS lookups.
The standardization of encrypted DNS is just one way Internet standards could be improved. Another example can be seen at CloudFlare, one of the largest content delivery networks in the world. They recently announced support for an evolving standard — “encrypted SNI” — that would close another subtle privacy hole that often occurs when users visit websites hosted on cloud providers.
As a final example, the W3C (another Internet standards body) has been establishing a draft standard for Network Error Logging. This potentially helps address one of the trickiest challenges in tackling network interference: figuring out when interference is even happening. After all, if someone attempts to load a website but cannot access it, any number of things could have gone wrong, from a network glitch to network interference. Because no connection was ever established, the website owner may never even know that someone tried and failed to reach their site. Network Error Logging allows the user’s device to report a failed lookup to a neutral third party that is not blocked. Think of it as enabling ombudsmen when sites are blocked.
The standards we define for the Internet today will determine how the next generation of technologists and technology companies build the tools of the future.
If we don’t approach internet standards with a strong set of values that promote user privacy and freedom of expression, the standards will be set by people who do not share those values, and the overall integrity of the global open internet will inevitably suffer.
The internet may not have been initially designed to prevent censorship by protecting user privacy, but the protection of individual privacy ought to be the North Star guiding how we navigate the challenges of an evolving, global internet. If we’re serious about addressing those challenges, we need to start with improving standards.