Europe’s industrial policy for recursive DNS

The European Commission’s 2020 Data Strategy is intended “to make the EU a leader in a data-driven society [by] creating a single market for data.” As part of its misguided “digital sovereignty” effort, the plan budgeted an initial 14 million Euro for a recursive European DNS resolver service infrastructure (DNS4EU) (a “European Cloud” was also in the plan, but we won’t cover that here). To justify the need for DNS4EU, the Commission cited cybersecurity, competition, and privacy/data protection. The EC has now published its Call for Proposals for the service. Some requirements, such as conforming to “the latest” Internet standards like HTTPS and DNSSEC and supporting encrypted DNS like DoT and DoH, are predictable. But we’re perplexed by some other requirements. For example, the service must provide “opt-in paid premium services for enhanced security” like legal/compliance filtering or monitoring and “there shall be no monetization of personal data.” Sounds good, but both features are offered today (sometimes for free) by some current providers. And the reality is that DNS query data underlies billions of dollars in services produced across multiple sectors (e.g., content delivery, network security, and yes, digital advertising). Even nominal supporters of the policy, like a manager of Europe-based managed DNS provider Open-Xchange, recognize that.

Apple’s privacy initiatives vs. competition concerns

Apple has publicly branded its products and services as more privacy-protective than those of its major platform rivals. But those efforts are facing increasing resistance from business and government interests due to alleged competition policy concerns. For instance, mobile network operators in Europe and the US are voicing their displeasure with Apple by blocking its recently launched Private Relay service, which inhibits monitoring of users’ DNS query and IP address data by using proxy servers controlled by different organizations. European mobile operators have argued to regulators that the technology impacts “network management,” and “undermines digital sovereignty.” They also say they expect Apple to be classified as a “digital gatekeeper” under the EU Digital Markets Act, and flatly admitted that cutting off the data “could prevent operators from competing with the company.” Another example is Apple’s App Tracking Transparency (ATT) initiative, which requires app developers to get users’ consent to track their activity across different apps. According to Apple, this feature is threatened by Sens. Klobuchar and Grassley’s recently introduced American Innovation and Choice Online Act (AICOA) bill that has Google, Amazon, Facebook and Apple in its sights. AICOA seems like a solution in search of a problem. Viewing these platforms as dominant gatekeepers fails to appreciate the multiple areas in which they compete to meet users’ demands. In fact, Apple’s enclosure of the identifier data underlying tracking on its platform has taken significant share from Facebook in the digital advertising market. Apple, so far, is not a major player in digital advertising, choosing instead to sell privacy benefits to users.

Cyber Incidents in Ukraine 

Last week hackers posted politically charged messages on numerous Ukrainian websites. Most reporting focused on the defacement of government websites, but Microsoft security specialists observed destructive malware disguised as ransomware, which they named WhisperGate, in systems spanning multiple government, non-profit, and information technology organizations, all based in Ukraine. Hackers established access to government systems late last summer but the wiper’s components were compiled a few days before they were discovered by Microsoft last week. Two government agencies were impacted by WhisperGate, and as both government agencies were also targeted in the defacement incident, investigators believe both operations were coordinated. While no conclusive links have been publicly shared that attribute the incidents to a specific actor or country, Russia is a prime suspect in the attack. 

These incidents merit close attention, for two reasons: 

First, some security experts view these incidents as an escalation on Russia’s part to apply pressure on the West, and want to term them “hybrid” or cyber warfare. Aggressive cyber operations are advantageous as they can be used in a targeted, painful way ‘before bullets and missiles fly’, but can be both walked back easily and denied, at least at the surface level. Even if we were to believe that the Russian government is leveraging its persistence in Ukrainian systems, there were no reported casualties or serious harm due to the incidents. Both the defacement and malware may cause economic or reputational damage but are far from armed attacks. As pointed out by Lukasz Olejnik, a cybersecurity researcher, if a state actor is behind these incidents, they may be violations of state sovereignty or international law, but we should not be labeling them warfare.

Second, over the last few months the US and Russia were, for the first time since the early 2010s, actually cooperating on cybercrime and addressing ransomware attacks on US organizations that originated from actors in Russia. The Russian counterpart to the FBI (the FSB) was making arrests of ransomware actors, by some measures ransomware attacks were slowing down, and both industry and civil society were benefiting. It is possible that the latest Ukraine attacks, on the heels of the REvil arrests, are provocations on Putin’s part. But it is also eye-opening that the US can pursue bilateral efforts to address transnational problems that directly impact American organizations (literally millions of dollars), or it can engage in saber-rattling, with ambiguous support from European allies, seeking to contain a perceived Russian threat to Ukraine. Those two seem incompatible, and one approach needs to change.

New IGP White Paper on Multistakeholder Initiatives in Content Governance

Can multistakeholder governance make platforms’ content moderation decisions better? The term “multistakeholder” (MS) is now claimed as a legitimizing feature of various international, Internet-related policy development entities. While support for MS governance is generally a good thing, it also means that the term can be applied loosely or even deceptively. Last week IGP released a new white paper that develops criteria that facilitate assessment of multistakeholder initiatives. It then applies those criteria to 3 recent initiatives related to content governance that lay claim to being multistakeholder: the Christchurch Call and its Advisory Network, the Facebook Oversight Board, and the Global Internet Forum to Counter Terrorism (GIFCT). The analysis makes it possible to assess what multistakeholderism really means in a particular organization.


1 thought on “The Narrative: European DNS policy, Apple & competition, Ukrainian cyber incidents, new IGP paper”

  1. On DNS4EU, I think you may have misunderstood the requirements a little. For example, the winning bidder must make any filtering opt-in and may provide additional, paid services – but I don’t believe the latter is a mandatory requirement. More importantly, the transparency and privacy requirements are more stringent than those of most existing DNS operators, being very similar to those contained in the European Resolver Policy. US-based open resolvers would not meet the requirement to keep all data connected to this service within the EU given the conflicting requirements of the US CLOUD Act. GDPR compliance would present a similar problem.

    More details about the DNS4EU project can be found at
