[jlivingood]

> Comcast sniffs / records / tracks their user's DNS traffic

Actually not only does Comcast say they don't do that (https://www.xfinity.com/privacy/policy/dns) but now has signed a contract to this effect as well, thereby meeting the same level of commitment as the other TRR operators. This means IMO that Mozilla is doing a good job leading the industry on DNS privacy and convincing many of the merits of a strong pro-privacy philosophy.

(disclosure: I work for Comcast and have been working on encrypted DNS)

[jlgaddis]

> Actually not only does Comcast say they don't do that...

Just like they said they didn't forcibly reset BitTorrent connections (until they did).

Just like they said they didn't silently institute bandwidth caps (until they did).

Just like they said they didn't hijack NXDOMAIN responses (until they did).

Just like they said they didn't intercept plain-text HTTP connections and inject their own traffic into them (until they did).

---

With all due respect, I have personally had contracts with Comcast in the past and have experienced firsthand how well they honor those -- and I am certainly not the only one!

Surely you can understand why, to me and many others, their little agreement with Mozilla doesn't really mean a damn thing?

---

(I know that none of this is your fault and it's obviously nothing personal! I'm sure you're a smart, decent person but I'm also sure that you are well aware of your employer's reputation, their past "misdeeds", and, of course, the generally unfavorable opinion that many, many customers have of them.)

[virtuallynathan]

After the NXDomain redirection stuff, they invested a ton in doing DNS right, deploying DNSSEC and Anycast. They are a major participant in the IETF, DNS OARC, and many other industry working groups, if you attend these things, go talk to the Comcast folks!

Their limited use of HTTP interception is a published RFC, and I've thought about ways to get around this, and for the use cases they use it for, it seems like the only viable option.

I knew a few of folks who were involved in the BT RST thing, the whole org learned a lot from that, and internal opinions changed.

[tptacek]

Why does it matter, at all, that Comcast documented their traffic interception system in an RFC?

[roblabla]

> With all due respect, I have personally had contracts with Comcast in the past and have experienced firsthand how well they honor those -- and I am certainly not the only one!

Consumer contracts? Because Mozilla having a business contract with Comcast is certainly not the same as you having a consumer contract - Mozilla has the resources to drag Comcast to court should they be found to ignore the agreement.

[nerdponx]

This is a wildly bad take in my opinion.

Comcast has proven themselves to be uninterested in adhering to their contractual obligations. You bet your ass they are 1) figuring out how to work around their contract with Mozilla without attracting legal attention, and 2) making contingency plans for winning any resulting lawsuit.

[wrkronmiller]

IANAL but I'm not even sure there would be a lawsuit, based on this policy document linked from the article: https://wiki.mozilla.org/Security/DOH-resolver-policy#Enforc...

It looks like the punishment for violating mozilla policies would simply be to remove Comcast from the trusted provider group...maybe. Not very impressive.

[nvr219]

> Mozilla has the resources to drag Comcast to court

They do not. Look at Mozilla's 1099 for proof.

[muizelaar]

Mozilla took Verizon to court.

[partdavid]

Link? When was this? I'm only aware of Verizon suing Mozilla in 2017.

[muizelaar]

https://blog.mozilla.org/blog/2017/12/05/mozilla-files-cross...

[pbhjpbhj]

Where can we read the contract?

[wrkronmiller]

The policy linked by the article is here: https://wiki.mozilla.org/Security/DOH-resolver-policy#Enforc...

[pwdisswordfish2]

This just leads to a wiki page listing two TRR's, where someone admits that whatever "privacy policies" TRR's provide are not "contracts". Then someone replies that "there are legal contracts between Mozilla and those two listed providers". That does not mean those contracts relate to protecting user privacy. If you dig, there will be nothing there. There is nothing in any contract to protect any user. Neither Mozilla nor TRR's are "on the hook" for protecting user privacy. What I mean by that is that if some user's privacy is breached, there is absolutely zero liability accruing to Mozilla or TRR's.

https://wiki.mozilla.org/index.php?title=User_talk:Wthayer&a...

You, the end-user, will not get to see Mozilla's contracts. Policies are not contracts.

There seems to be some common misunderstandings about "policies" and tech companies are exploiting them. There is nothing legally binding in a policy and in the case the company deviates from the policy, there is no way for an affected user to "enforce" the policy she thought was being adhered to. This is of course assuming anyone outside the company actually discovers that a policy is being violated. Usually policy violations are non-detectable from outside the company.

[pwdisswordfish2]

When pigs fly!

Can you imagine Mozilla CEO depleting her own compensation in order to sue a company the size of Comcast? What exactly are the claimed damages in this hypothetical lawsuit? The damages to Mozilla are _____ ? (This PR piece in Ars suggests the deal is solely to protect users. No financial details.) How about the damages suffered by users? (Whoops, they are not parties to the agreement.)

Quite the vivid imagination!

Maybe the "white knight" narrative really does work on some people.

[smichel17]

Hypothetically, I imagine they'd sue for damage to their brand. Mozilla has been pushing Firefox as the privacy browser, and if Comcast were to break the deal it would hurt users' trust in Mozilla. I agree it is unclear what the consideration from each party is, though.

[pwdisswordfish2]

Comcast does not appear to be using the Mozilla brand. Am I missing something?

[smichel17]

"We, Mozilla, are a privacy-first company. Firefox is powered by DNS services that respect your privacy. You can trust that your browsing history is safe with us."

> "BREAKING: Firefox default DNS provider tracks what sites you visit"

^damage to reputation

[bscphil]

On top of that, I'm totally mystified by what would cause this sudden change of heart from Comcast. Why do they want to provide this "service" to users, if they supposedly don't get anything out of it? If they're not profiting off the data, why not just let Firefox users connect to Cloudflare for DNS, as they're already doing to access 50% of the popular sites out there?

Why fight Mozilla to let them provide a service which is only going to cost them money to run?

[hellcow]

Respectfully, Comcast has an ATROCIOUS privacy record. Full stop. A quick search came up with [1] [2] [3].

Your employer actively and repeatedly abuses the privacy and trust of its customers. It also lobbies for damaging policies.

I do not trust Comcast. Firefox associating itself with Comcast makes me trust Firefox significantly less.

[1] https://oag.ca.gov/news/press-releases/attorney-general-kama...

[2] https://www.king5.com/article/news/local/comcast-fined-9-mil...

[3] https://consumerist.com/2016/04/01/comcast-says-fcc-privacy-...

[metaphor]

> Your employer... It also lobbies for damaging policies.

To be sure, jlivingood isn't just some enterprise grunt with an opinion, but VP of Technology Policy & Standards.

[godelski]

Do you have a link for this? This is a pretty big difference in disclosure.

[hellcow]

https://blog.mozilla.org/blog/2020/06/25/comcasts-xfinity-in...

Compare the username to the "Vice President, Technology Policy and Standards at Comcast Cable" in this blog post.

[godelski]

Thanks!

To save people the click.

User name in question: jlivingood

> Jason Livingood, Vice President, Technology Policy and Standards at Comcast Cable.

[LeifCarrotson]

It is entirely possible for one group (or incentive) within Comcast's organization to work towards that goal, and another group or incentive within Comcast to work against it.

Some things that make me trust this claim:

- That privacy policy

- That contract

- Association with trustworthy brands like Mozilla

- Work on encrypted DNS

- Consumer trust could theoretically be financially valuable to them

- Basic morals of Comcast employees

Some things that make me distrust it:

- Cultivated an infamous litany of consumer abuses

- Lobbied for regulations to harm consumers

- Engaged in regulatory capture with the FTC/FCC

- Have continually profited from their abusive business practices, and continue to profit in spite of atrocious levels of consumer trust

I believe that Comcast only wants to respect user privacy insofar as it helps them maintain a facade of trustworthiness and retain customers. If they ever get the opportunity to back out of that privacy-conscious posturing and turn it into money, I think history has proven that the winner of those two internal groups is clearly going to be the money side not the moral side.

[boopmaster]

I am a Comcast employee myself, but these opinions are my own:

I appreciate your comment as you clearly and accurately frame that good people work there, Comcast earned its reputation with its actions, and that there may be competing interests / morals at play.

I can’t predict the future to say what wins out, but I feel like there are competing interests at play internal to the org. There are the business/markets, and then there is technology, products and experience pieces too.

an aside: I am somewhat disappointed to see a HN thread so populated with groupthink “Comcast is bad!” I’d expect that on theVerge comment board or YouTube comments. sigh

Anyways, I hear that the wake up call was probably about the time that the time warner merger fell through. I haven’t worked for them that long. It takes time to shift an org as large as Comcast to come to terms with the public’s resentment. I can say that, in my experience on the inside, the fundamental attitudes are very consumer friendly. I’m on the tech/product side of the house and we just want to make great stuff. Reliable, scalable entertainment and home automation kind of things, ya know? Comcast strives to be an admired company. So yeah, guess its work is cut out for it! Everything is designed today with accessibility and privacy at the outset. There’s a massive amount of truly brilliant engineers, developers, QA folks etc. working there. Not saying your distrust in Comcast wasn’t earned, however I believe conditions are not what they once were, thus some negative sentiments may be outdated today.

[rapnie]

I am sure there are some good people working at your company, and you may be one of them. But that is not really relevant here. It is the actions of the enterprise as a whole that count.

> I am somewhat disappointed to see a HN thread so populated with groupthink “Comcast is bad!”.

What I see in many comments is specific reference to cases where Comcast betrayed the public's trust. You can call it groupthink, but I get the impression the bad rep is well-earned.

Trust leaves on horseback, and comes back on foot. More work to do to convince those who doubt you. Happy to hear you are working on that.

[zenexer]

> an aside: I am somewhat disappointed to see a HN thread so populated with groupthink “Comcast is bad!” I’d expect that on theVerge comment board or YouTube comments. sigh

Is this really surprising? You do go on to acknowledge the “public resentment.” In the tech industry—HN’s specialty—Comcast certainly seems to be widely regarded as an evil beast with no conscience.

That’s an entirely anecdotal observation, but many of the comments in this HN thread are not: they frequently link to evidence, while Comcast employees chime in to say, “internally, it’s not like that anymore.” It’s great to hear that’s what it looks like on the inside, but given Comcast’s history and HN’s general skepticism, that’s going to be a hard sell without solid evidence.

[luma]

Comcast has had a pretty poor track record w/r/t their statements of what they do or don't do versus reality, and this goes back well over a decade (see: denials of Sandvine deployment).

I personally was impacted by this behavior after having my internet service deactivated due to going over bandwidth caps (which reportedly didn't yet exist) and it was one of the most Kafka-esque corporate experiences in my life. My internet was being deactivated because I violated a policy which they repeatedly stated didn't exist. Several months later those caps actually became policy.

I ask this with all sincerity: why should we believe Comcast?

[pbhjpbhj]

Given your disclosure presumably you know if it's true or not.

It's a weird way to phrase "I work on this, we don't capture any information about customers site visits" or "I work on this we don't capture any information about domain lookups" or whatever.

When a customer gets a contract with Comcast are you saying the contract includes that Comcast will not filter/log their domain lookups in any way?

To others: what's the penalty of they breech that contract? Do they actual have anything at risk?

In UK ISPs couldn't make such a contract as the gov obliges DNS filtering of some domains, AIUI.

[tialaramex]

UK ISPs could offer to operate a Mozilla TRR DoH server for two reasons:

1. The deal major "as seen on TV" ISPs struck was that they would offer a configurable child protection style filtering to their users. Mozilla permits users to opt in to filtering, you just aren't allowed to filter by default, so an ISP provided DoH server which can be configured explicitly to filter would meet this requirement. NextDNS offers this, yet is in Mozilla's programme. If you just pick NextDNS from the drop-down in Firefox you get no filtering, if you sign up and pay them (or take the free offer) you get filtering of your choice, and DoH, with instructions on how to tell your Firefox about this (basically paste a per-user URL into a preferences window, the nice thing about DoH compared to plain DNS or even DoT is that in a URL your user identifier will be encrypted, improving privacy)

2. The government did not legislate a requirement. They've been burned before on the difference between public appeals to think of the children (generally broadly accepted by the populace, no legal fallout) and censorship laws (likely to be destroyed in the courts because it turns out people don't like being told what to read). All those famous ISPs chose to voluntarily censor the Internet (mustn't let kids see porn) and then since they had the capability to censor courts told them to also obey Hollywood's instructions (no Pirate Bay either).

A small ISP like Andrews & Arnold isn't censored. During sign-up it says "Do you need child friendly filtering as part of this product?" or something. If you click "Yes" it says sorry they don't want you as a customer, good bye and the sign-up process is over.

[pbhjpbhj]

I chose "oblige" carefully. Basically the ISPs AIUI/IIRC were given the option to voluntarily abide by a blocklist of domains - like thepiratebay - or have legislation made to force them to comply.

I'd heard A&A were an outlier here but didn't know they actively stopped users from choosing their service if they want filtering. That seems weirdly fascist: like a supermarket that won't let you choose not to have Coca Cola on your shopping list, if you don't want it you have to actively remove it yourself.

Porn, yes to some extent, but super-violence, torture, malware, gambling, prostitution, ... these are all things I choose to attempt not to pipe in to my home via OpenDNS/pihole/uBlock/direct instruction to local users!

[tialaramex]

I don't agree that choosing not to offer a product or service which is popular but which you believe is a terrible idea is "weirdly fascist".

I would suggest instead that demanding other people figure out whatever weird quirks you have and then cater to them under the guise of being "child friendly" is at best weirdly fascist.

And it seems you at least reluctantly agree this that can't work even if you wish A&A would try to do it anyway, since all the systems you listed involve you explicitly configuring what you want blocked, allowing you to take responsibility for the inevitable under/overblocking. This approach works fine† with A&A since it doesn't ask anything of them.

† Well, as "fine" as can be expected, no worse than at other providers.

[Paul-ish]

If Comcast sells DNS data now, they open themselves up to penalties from the both FTC and Mozilla. FTC because they enforce privacy policies, and Mozilla because of the contract they have.

I would say this Mozilla changing the overall ecosystem for the better.

[jlgaddis]

Do we know what the actual penalties are? I have trouble believing that they are of any substance.

Additionally, I think it's safe to say that Comcast has years and years of experience in finding "loopholes" and/or other "workarounds" in its agreements.

> I would say this Mozilla changing the overall ecosystem for the better.

You obviously have much more faith in Comcast than I do. Let's hope you're right.

[Forbo]

> Do we know what the actual penalties are? I have trouble believing that they are of any substance.

So long as the penalty is less than the value they derive from violating the agreement, they will abuse it.

[gsich]

No. And Mozilla can't verify it either.

[elliekelly]

The FTC has no teeth and no one at Comcast is losing any sleep over potential FTC penalties. Ajit Pai is more likely encourage meaningful enforcement of this agreement than anyone at the FTC. Which is to say, I don’t have much faith.

[rwha]

I imagine Comcast would not sell DNS data; far better to simply use it internally with, for example:

- NBC

- Telemundo

- USA Network

- SyFy

- Universal Pictures

- Sky Group

[catalogia]

What good is a contract between Mozilla and Comcast to me if Mozilla is unwilling to notice/care/sue when Comcast breaks that contract because Mozilla has a financial incentive to turn a blind eye?

[elliekelly]

That’s great that they’ve said they don’t publicly and that they’re now going to be contractually obligated not to... but that’s kind of irrelevant if they are actually sniffing, tracking, and/or recording user DNS traffic.

And the fact that Comcast doesn’t allow users to change the DNS settings of xfinity routers leads me to believe they have some monetary incentive to go in and disable that functionality in their equipment.

[xxpor]

The link provided only concerns logging of DNS requests on Comcast's DNS servers themselves. It doesn't say anything about recording packets to UDP port 53 in general. If Comcast were recording every packet I sent to 8.8.8.8 they wouldn't be breaking the letter of the policy.

[booi]

Hopefully this is exactly what DoH should be addressing.

[pwdisswordfish2]

Can users enforce that contract if it is breached? Maybe users should be named explicitly as third party beneficiaries.

Mozilla is a company and needs to compensate its CEO and staff. The CEO received $2,458,350 in 2018.^1 Everything Mozilla does cannot be solely for users' benefit. Mozilla, the people behind it, have their own financial interests.

1. https://assets.mozilla.net/annualreport/2018/mozilla-2018-fo...

[organsnyder]

You work(ed) on IPv6 as well, right? You get all the fun projects. :-)

[m463]

> Comcast sniffs / records / tracks their user's DNS traffic

what if the are your dns server?