Concerns over DNS Blocking

June 23, 2023

Dear Distinguished Members of the French Assembly and Senate,

The intent of these bills is explicitly to provide cybersecurity authorities like ANSSI new tools to combat the spread of ransomware and threat of cyber espionage against French organizations. We are deeply concerned that these measures will do little to address the underlying cyber risks our societies face, while inadvertently creating or exacerbating other sources of risk. Further, for a democracy like France to ratify such sweeping authorities might set a troubling precedent that could inspire similar measures in democratic and non-democratic jurisdictions alike — with global implications for security and online freedom.

Impacts to the Domain Name System

Many public and private organizations rely on DNS filtering as a security control to block traffic from illegal or malicious websites. Some governments even offer “protected DNS” services that allow private companies, typically critical industries and infrastructure, to opt-in to DNS filtering administered by national defense agencies. But these protections have always remained voluntary due to the extraterritorial implications and immense potential for government overreach.

Another possible consequence is the risk of a “race to the bottom,” in which each government has effective veto power over the online content visible to global Internet users. Article 32 of the LPM and Article 6 of the Digital Bill do not distinguish between DNS services provided by ISPs, which are typically limited to a specific geography, and open DNS resolvers, which provide universal resolution services regardless of user location.

To comply with these proposals, open DNS resolvers would apparently be forced to apply removals globally. Few (other than the cyber criminals) might object to ANSSI forcing DNS resolvers to block access to a malware hosting site with global effect. But consider a hypothetical scenario in which an authoritarian regime were to demand, under its own domestic laws, that open resolvers globally block the domain of a news organization for reporting on human rights abuses in their country. French Internet users (along with users worldwide) would be deprived of access to that information. The situation would become untenable, and more users would seek out risky infrastructure to bypass the filters.

Several alternatives exist which would avoid the concerning implications mentioned above. Domestic Internet Service Providers (ISPs) have a number of tools at their disposal to block infrastructure deemed malicious by French authorities. This includes blocking HTTP/HTTPS connections to the offending site, and blocking the IP addresses. The impacts of these methods would necessarily be limited to within French territory and thus would avoid the extraterritorial impacts mentioned. Furthermore, French authorities could work with the registry and registrar for the infringing domain to be taken down and to request relevant information on the infringer in compliance with existing French criminal law. There are established procedures for copyright holders for making such requests. Domain seizure is a far more effective and proportionate measure. It stops the problem at its source rather than piecemeal via domain resolvers and browsers.

Impacts to Web Browsing

Article 6 of the Digital Bill also requires that web browsers block access to problematic websites, requiring browser providers to present warnings to users attempting to visit blocked sites. This is problematic for many of the same reasons as the DNS provisions.

Browser companies already have long-standing programs to warn users about malicious websites. There are a number of free, widely-used products that offer governments the ability to flag websites so that they may be blocked. The French government may be well-placed to identify phishing and scam sites affecting their citizens, and we recommend they work with the major browser providers to share such information.

As with the DNS provisions, overlaying a government-specific web filter onto browser technology may create a disturbing precedent where each national government can implement a veto over the content global web users can access.

Warrantless Surveillance

Moreover, such warrantless surveillance practices would contravene CJEU case law — notably the standard set in the Schrems II case outlining protections for EU citizens against warrantless or bulk surveillance activities. The proposed Article 35 not only would stand to violate fundamental human rights in France, but also jeopardize the EU’s recognition as a qualified state for the purposes of access to the redress mechanism supporting the EU-US Data Privacy Framework. Such action could compromise a fragile agreement and harm French citizen rights in the US as well as the economic fallout of disrupting EU-US data flows.

Aside from serious civil liberty and privacy law concerns, this approach is likely to impede critical infrastructure owners and operators from swiftly responding to a significant cyber incident. A major incident will require speed, information sharing, and cooperation to neutralize threats and restore services. In a crisis, the owners and operators of these services will be far better positioned to take rapid action on their own networks than government officials. Government officials, arriving on short notice, unfamiliar with the infrastructure and topography of the network, will likely cause confusion, deepen coordination challenges, and ultimately lead to a less effective response.

A better approach would be to ensure that ANSSI has the authority to achieve the desired outcome (e.g., blocking a threat or restoring services), allowing the provider to determine the most effective means of doing so. Once any incident has been neutralized, infrastructure owners and operators may respond to investigations by relevant authorities in accordance with applicable laws and relevant policies. In many cases, infrastructure owners and operators have implemented interfaces to centralize the handling of requests from authorized agencies, enabling smooth communication and engagement with French authorities seeking user data as part of criminal investigations arising from cybercrimes.

Premature Vulnerability Disclosure Risks

Article 34 requires software vendors to notify ANSSI of any “significant” vulnerabilities affecting their products, regardless of the state of patching of the vulnerability. This is a flawed approach that diverges from international standards and best practices on Coordinated Vulnerability Disclosure (CVD), and will make the Internet less safe for users.

When significant vulnerabilities are discovered, the vendor’s top priority is to deploy a mitigation that prevents loss or damage, and to reduce risks until that mitigation is deployed. The period prior to the release of a mitigation is very dangerous for Internet users — there are no defenses to an attack, so it is vital to restrict knowledge of that vulnerability until vulnerable users are provided actionable mitigation steps in the form of patches or configuration changes. CVD best practice is to restrict knowledge of sensitive vulnerability details to the parties necessary to develop mitigations. Requirements to share information about unmitigated vulnerabilities broadly with government agencies undermine cybersecurity by increasing the risk that the information will be exposed to adversaries before a mitigation is in place. Furthermore, this could lead to another race to the bottom where other governments legislate requirements to share sensitive vulnerability data as well. As an alternative, we recommend the French government instead focus on ensuring timely adoption of patching once mitigations are released. At a minimum, safeguards should be added to give companies reasonable time to mitigate the vulnerability before disclosure to the government, and to limit the purpose of disclosure to the government to ensure the disclosure is used solely to improve cyber defenses, and not for offensive purposes.

—

We share the French Government’s goal of building resilience against cyber threats and urge the legislature to work with technical experts to achieve these goals without placing the broader ecosystem and civil liberties at risk.

Thank you for your consideration, and we look forward to further discussions on ways to secure the open Internet.

Best regards,

Vinton G. Cerf, Internet Pioneer and Former Chairman of ICANN

Stephen D. Crocker, Internet Pioneer and Former Chairman of ICANN

Mirja Kühlewind, Internet Architecture Board Chair

Mallory Knodel, Internet Architecture Board Member and Chief Technologist at the Center for Democracy and Technology

Carl E. Landwehr, University of Michigan

Wes Hardaker, Internet Architecture Board Member and Senior Computer Scientist at the University of Southern California’s Information Sciences Institute

David Schinazi, Polytechnicien and Internet Architecture Board Member

Joseph Lorenzo Hall, PhD, Distinguished Technologist, Internet Society

Suresh Krishnan, Internet Architecture Board Member

Erik Kline, IETF Internet Area Director

Alexis Hancock, Electronic Frontier Foundation

Wendy Seltzer, Principal Identity Architect, Tucows

NOTE: Affiliations are listed for purposes of Identification only. Signatories are acting in their personal capacities.

Related posts:

I am happier without him. I thought of sending him a thank you card for divorcing me. But that would be a mean, petty thing to do. And we’re still sort of friends. Why rock the boat? These days, I…

Once you have decided to build a site in WordPress, the next question in your mind is which theme will i use for my site? Although, there are thousands of wordpress multipurpose themes and site…

Oftentimes traveling is being viewed as a gap filler between different life chapters — to bridge time between high school and university, between university and starting the first job, in between…