ISPs in the UK are required to censor a wide swathe of content: what began as a strictly limited, opt-in ban on depictions of the sexual abuse of children has been steadily expanded to a mandatory ban on "extreme" pornography, "terrorist content," copyright and trademark infringement, and then there's the on-again/off-again ban on all porn sites unless they keep a record of the identity of each user and the porn they request.
Much of the internet's underlying infrastructure is janky, out-dated, insecure, and an invitation to crime, privacy invasions, DDoS attacks and espionage. Consider NTP, the Network Time Protocol (which is used to synchronize clocks across the internet); until recently, this was an insecure, badly maintained mess that was exploited to create devastating Denial of Service attacks.
Similarly insecure and problematic is DNS, the Domain Name Service, which converts human-readable domain names like boingboing.net into IP addresses like 184.108.40.206. DNS doesn't have cryptographic protections, making it vulnerable to surveillance (anyone on the same network as you can see which domains you're looking up), spoofing (malicious actors can serve you the wrong address in response to your queries, sending you to malware sites or raiding your bank account), and censorship (selectively blocking or redirecting blacklisted domains).
But every feature is somebody's bug, and for governments and corporations who want to censor the internet, this fundamental insecurity is what makes it possible to effect internet censorship on the cheap. After all, laws that demand technically impossible things are unlikely to be enforced, so when a country like the UK makes sweeping internet censorship rules, their viability depends on whether there are easy means for ISPs to enforce them (enforcement also benefits from industry concentration: when there are only a handful of ISPs, it's possible to audit all of them to ensure they are complying — if there were thousands of network providers, it would be impossible to do so).
Since the first UK internet censorship orders, ISPs have relied on DNS censorship to comply with their legal duties. This has always been a relatively weak measure: as the Turkish state discovered during the Gezi uprising, people can easily switch their DNS providers to ones outside of the country (in Turkey, activists spraypainted "DNS: 220.127.116.11" on walls to help their fellow protesters get outside of the national firewall and its block on Twitter). ISPs can institute firewall-level bans on DNS connections to third-party DNS providers, but then they're in an arms race with their own customers and things tend to get pretty gnarly.
Enter Mozilla, which has announced that it will start testing DNS-over-HTTPS, a secure upgrade to DNS that makes it impossible for third parties to see which websites you're visiting, and thus to use DNS to selectively interdict your access to sites for any purpose, be it complying with government regulations or defrauding you.
This move has prompted condemnation from the UK ISP Association, the Internet Watch Foundation (which once ordered ISPs to block Wikipedia in the UK), and GCHQ, the spy agency. They complain that secure DNS allows people in the UK to "bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."
They are 100% correct in their assessment of the relationship that secure internet connections have to blocking orders: the two are incompatible. That's because, at a technical level, there is no difference between a security system that makes you secure from "good guys" (cops who want to stop you from looking at terrorist recruiting videos) and "bad guys" (criminals who want to steal your identity, blackmail you, or stalk you). Making a system that protects you from surveillance and censorship by criminals also protects you from being spied on by your ISP or GCHQ.
It's an illustration of a vital aspect of "security": there is no such thing as security in the abstract; any security measure is always in relation to some threat. Some security measures that make it easier for the state to spy on its enemies are also security vulnerabilities that help crooks spy on potential victims.
It's not really any different to the apps that let parents spy on their kids, but also put all their kids' data out there in the cloud for criminals, paedophiles, and bullies to harvest and use against their kids.
Cloudflare operates a DNS-over-HTTPS-compatible public DNS server at 18.104.22.168, which you can access from any compatible browser.
Andrews and Arnold — the best ISP in the UK — has
Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material or if they are deemed to contain terrorist material or child abuse imagery. In encrypting DNS queries, it's claimed that it will make it more difficult for internet providers to filter their subscribers' internet access.
The ISPA isn't alone. U.K. spy agency GCHQ and the Internet Watch Foundation, which maintains the U.K.'s internet blocklist, have criticized the move to roll out encrypted DNS features to the browser.
The ISPA's nomination quickly drew ire from the security community. Amid a backlash on social media, the ISPA doubled down on its position. "Bringing in DNS-over-HTTPS by default would be harmful for online safety, cybersecurity and consumer choice," but said it encourages "further debate."
Internet group brands Mozilla 'internet villain' for supporting DNS privacy feature [Zack Whittaker/Techcrunch]