Google Public DNS and FUD
by Jason Berberich
Yesterday Google announced the release of Google Public DNS, the company's free domain name resolution service (if you're unfamiliar with DNS, it's the system that translates the human-friendly google.com domain to the computer-friendly 74.125.53.100). This news came as a surprise to everyone, and has generated a ton of coverage by technology bloggers and journalists as a result. Unfortunately, lots of it is utter crap, and gets the story all wrong while instead propagating endless fear, uncertainty, and doubt.
Claim #1: Google is EEEEVVVIIILLL!!
Google's critics were quick to jump on this story as proof that, despite its code of conduct, the company is engaged in some evil games. The attacks come down to a few different themes:
- Google is trying to further embed itself into the fabric of the internet
- Google is going to data mine the DNS records and use that information to show you lots of ads
- Google already knows everything about you, but now it's going to know everything about you
Here are a few examples. Kris Smith at TechStartups:
Google Public DNS is a data mining opportunity for Google that goes above and beyond Analytics JavaScript, cookies, RSS and hosting your profile. This is a big deal. Every request made to a site that uses this service will have to pass through their DNS servers. Let’s just say that this will be bajillions of records with lots of data associated with them. To be honest, this product has to be about one of the scariest things that I have read about in the last decade. Google already sits on mountains of data about usage, traffic patterns, search, documents, phone calls, publisher content creation from its immediate publication and I’m missing about half a dozen other things.
Ryan Singel at Wired's Threat Level:
Maybe this is Google trying to show ISPs how to do it right. But instead, the news just feels like Google inserting itself into one more layer of the net — just because it can. Now I can use Google DNS to look up Google.com on my Google Chrome browser running on a Google Chrome OS. And Google DNS will get me to Gmail and Google Books and Google Voice and maybe soon it will even tell my browser where my Google Toothbrush is. And it will do so faster and better than Comcast’s DNS could. We get it, Google. You are smart. You can do anything better than anyone else (except say social networking and online video). We get it already. But you are starting to get annoying, and you won’t be running my DNS anytime soon, no matter how nice your privacy promises are. It’s still called the internet, not the Googlenet.
These arguments ignore a few very important facts, however:
- You have to explicitly opt-in to Google's DNS service by manually changing your network settings on your computer
- Google's privacy policy for this service makes it extremely clear that it doesn't permanently store any personally identifiable information. Your IP address - the only piece of data it could tie back to you - is deleted within 24-48 hours.
Claim #2: Google is Taking on OpenDNS and Other Providers!!
This argument was more prevalent for a couple of reasons:
- It's common for tech writers to frame everything as a battle since it's exciting and everyone loves a good fight (Mac vs PC, iPhone vs Android, Microsoft vs Linux/open source, etc.)
- Google can't introduce any new product without stepping on someone's toes
DNS had been a forgotten commodity for years until a few years ago when OpenDNS offered a faster service than most ISP-run DNS servers along with content filtering and other capabilities. It's by far the biggest player in the market (I'm currently a happy user of OpenDNS). So when Google announced its free DNS service, some people automatically took it as an attack on them. OpenDNS's own David Ulevitch:
Google claims that this service is better because it has no ads or redirection. But you have to remember they are also the largest advertising and redirection company on the Internet. To think that Google’s DNS service is for the benefit of the Internet would be naive. They know there is value in controlling more of your Internet experience and I would expect them to explore that fully. And of course, we always have protected user privacy and have never sold our DNS data.
And, blogger Jesse Stay decided to take the battle theme to its logical conclusion and declared DNS the new browser war:
Now that you see the potential for controlling the network, you realize that on the "open web", he who controls the network controls the entire internet. That’s powerful from a monetization and marketing, and especially advertising standpoint (which Google has a vested interest in). When one company controls DNS, that company has the potential to control those that connect through that DNS. Now what happens when Google makes this "Public DNS" the default DNS for its users of the Chrome OS? Now, not only will Google have an edge in the desktop market, but they also now have an edge on the internet itself. I predict DNS will become the new Browser War. Now that we have the players in the window to the internet (IE, Firefox/Mozilla, Chrome, Safari), the competition is now shifting to the internet itself, and who controls the actual browsing experience for the user. You’ll see players like Microsoft and maybe Apple, and maybe even Facebook enter this race. Let’s hope Google continues to follow its model, "Do no evil" as they approach this. I hope they build open architectures allowing users to control their data and control the experience rather than Google itself. I hope Google stays competitive, rather than knocking services like OpenDNS out of service. I hope they find ways to work with others as they do this. There’s a new "war" a-brewing and we’ve moved beyond the browser to who controls the web itself. Does Google get first-mover advantage?
Wow. Talk about reading a lot into Google's announcement. Jesse is making some pretty big mental leaps to arrive at those conclusions. Bringing this back to reality, there is zero chance of Microsoft, Apple, or Facebook(!) spending the cash and effort to roll their own DNS services. Zero. There is no war here. The battle is for what will run in the browser.
It's All About Speed.
Google Public DNS is, quite simply, all about making the web faster. In Google's eyes, a faster web experience is a better experience that will lead to more time spend online, more viewed pages, and ultimately, more ad revenue for itself. Kottke nails this.
If you look back to some of Google's recent announcements, this makes perfect sense. The Chrome browser is all about speed, as is the Chrome OS. Their JavaScript compiler and experimental SPDY protocol too, are designed to reduce page load times. The company is also instructing web professionals to focus on performance, as it might become a factor in how sites rank in search results.
So, I don't see this as some nefarious plan to spy on users and gain control of the internet (again, Google's DNS is completely opt-in). Instead, I'm once again impressed at how Google has aligned its own interests with those of the web as a whole. Sure, a faster, standards-based internet might result in more income for Google, but it ultimately creates a better browsing experience for everyone, even if they don't use all of Google's tools and services.
Possibly related posts:
Comments
“Google deletes IP address within 24 to 48 hours.”
Heres how this could work in the real world.
Law enforcement, or DEA, sends Google a preservation order, save all DNS query information on either IP or gmail account name.
Subpoena follows, says give me all information you have saved.
Normal ISP response: We don’t log DNS queries, sorry, this request is not possible to be fulfilled. Law enforcement accepts that, goes away.
Law enforcement to google: We know you have capability to log DNS queries, please log all DNS queries on (person, ip, uid).
Google complies.
This delightful scenario used to be impossible to fulfill, because most ISP have no capacity to log all resolver queries or to preserve the ones they have routinely.
In my line of work, I see law enforcement subpoena. Five years ago, it was unheard of to be asked for DNS logs. Lately, we have started seeing this be asked, maybe in the past year.
Someone’s putting the nifty idea in law enforcements head that DNS logs are retrievable under subpoena. Who is causing that I wonder, it sure isn’t the old style DNS resolver hosting ISP, the ones with no logs.
You can call it FUD and dismiss it all you want, but please be aware, I do this for a living, I regularly see DEA, FBI, NSA and Secret Service subpoena. I would have access to DNS logs if my employer had any to offer. I would in that case routinely make them available to law enforcement were they to ask, because that is the law.
Google subpoena compliance cannot be any different, as far as I’m aware.
So to me the logical assumption is google keeps logs and then recycles them, but law enforcement could (does?) ask them to preserve logs on someone, and they would do so, it would not be a difficult ask, and it would be the same as google handing over your gmail contents, the contents of your searches by uid, any other data they had on you, your profile information, etc.
I would assume they have a whole department that already is doing this, and DNS is just one more data point google assembles on people and therefore has available if law enforcement comes calling.
So thats fine right, as long as you’re innocent you have nothing to hide. Where have I heard that before. I have in my line of work seen mostly subpoena that look completely legit, matters such as fraud, stuff like computer theft, that make total sense to want to have every scrap of evidence you can.
Most subpoena.
Then there’s the ones by the DEA, or the NSA, the ones that until a year ago we weren’t even allowed to mention without penalty of law. NSA / PATRIOT queries are still around, probably an all time high because Law Enforcement has gotten better at its job, and now there’s more information for them to go out and fish through, such as google DNS queries presumably.
Compared to routine subpoena, the spooky subpoena are still a minority, they their use is growing. By Spooky, I mean the ones that don’t have to get signed off on by a judge, the ones that have no case ID, the ones that basically an agency of the federal government says “give me everything you have” and you have no right but to comply. Ten years ago, these were all but non existent. PATRIOT and DHS changed that, and now the DEA has gotten involved too.
So if you want the DEA to have access to your google resolver queries…
keep cheering for google to handle local DNS.
All the pieces are in place, whether they’re being used or not in this manner, all my post is just speculation. But it is speculation by someone that regularly sees federal subpoena, who has access to ISP records, and who does this for a living.
You fanboys do.. whatever it is you do … but if you blindly assume google is not facilitating evil, then you need to go refresh yourselves with the concept of “the banality of evil.” Most evil is not a dark warlord or evil mastermind. Most evil is boring, routine, bureaucratic, and everyone just doing their jobs.
Thats what google’s facilitating. A whole new batch o banal evil.
Unless they specifically have a way to ignore law enforcement, or their lawyers have worked a way for them to circumvent the same laws we have to follow. I guess thats possible. Haven’t seen anything like that though. My assumption from observing google is they would routinely comply with the law, just like any other corporation, once they were handed legal paper that said they had to.
Paul:
Thanks for the thoughtful comment. It gives me a lot to consider and reconsider. I don’t have first-hand experience with subpoenas like you, but I’ve heard plenty of stories that give cause to worry.
I just wonder about the specific digs against Google. If the complaint is the sheer amount of data it collects that is potentially available via subpoena, then yes, I think that’s a completely valid argument. But otherwise, I haven’t seen or heard anything that causes me to worry about what they’re privately doing with my data or that they’ll be more eager to respond to a subpoena request than anyone else.
According to the OpenDNS privacy policy, they “generally” remove IP addresses within two days, but make no such guarantees for backup/archive tapes. As a user of OpenDNS for the last several years, that gives me more cause for concern that Google’s privacy policy for Public DNS. But, add that to Gmail, search history, etc., and I think it becomes a much bigger issue.
As for ISPs not recording DNS requests — really? I have no reason to doubt what you said, I just find it surprising that they don’t. Do you think they’ll start collecting that data now that Google apparently finds some value in aggregating it?
Paranoid much, PaulB?