June 23, 2023
Dear Distinguished Members of the French Assembly and Senate,
The undersigned appreciate the opportunity to contribute input on the French Republic’s draft bill to regulate and secure the digital space and its draft Military Planning Law (LPM) 2024–2030. We write as individuals in our personal capacities who have devoted their careers and lives to building a safer, more reliable, and more inclusive Internet. We want to share our concerns that the bills, as drafted, pose grave risks for global Internet security and freedom of expression.
At a time when cybercrime costs European businesses an estimated €180 to 290 billion annually and threatens citizens’ access to essential public services like education and healthcare, these bills confer expansive powers upon the National Information Systems Security Authority (ANSSI) and other government entities. These include new authorities to force DNS resolvers and browsers to block domains deemed malicious, redirect users to government sites, require software publishers to disclose vulnerabilities, demand non-identifying traffic data from electronic communications operators on-demand, and even to install data collection tools on privately-owned networks and in data centers.
The intent of these bills is explicitly to provide cybersecurity authorities like ANSSI new tools to combat the spread of ransomware and threat of cyber espionage against French organizations. We are deeply concerned that these measures will do little to address the underlying cyber risks our societies face, while inadvertently creating or exacerbating other sources of risk. Further, for a democracy like France to ratify such sweeping authorities might set a troubling precedent that could inspire similar measures in democratic and non-democratic jurisdictions alike — with global implications for security and online freedom.
Impacts to the Domain Name System
These proposals may have far-reaching impacts on the Domain Name System (DNS), and by extension, the Internet accessible to users around the world. The DNS was launched in the early 1980s as a trusted, content-neutral infrastructure to help users navigate to their desired services on the Internet reliably and quickly. DNS servers translate domain names into numerical IP addresses and tell user devices where to locate them in much the same way that you might look up a phone number in a phone book. The DNS facilitates every network transaction between users and online content providers, and is one of the most critical components of the Internet’s global infrastructure.
Many public and private organizations rely on DNS filtering as a security control to block traffic from illegal or malicious websites. Some governments even offer “protected DNS” services that allow private companies, typically critical industries and infrastructure, to opt-in to DNS filtering administered by national defense agencies. But these protections have always remained voluntary due to the extraterritorial implications and immense potential for government overreach.
The same DNS blocking infrastructure designed to combat online fraud, ransomware, and botnet attacks could just as easily be adapted to suppress internal dissent, censor outside information, and surveil dissidents and journalists. A number of authoritarian governments already conduct broad Internet censorship under the auspices of cybersecurity, including through tools such as DNS blocking.
More than a decade ago, experts within the ICANN community warned that blocking or filtering at the DNS level is not only ineffective, it is “fraught with unanticipated consequences.” DNS blocking does not remove illegal or malicious content from the Internet. It simply prevents DNS servers from directing users to it. Motivated users can easily bypass DNS blocking by changing their DNS provider to one that isn’t performing DNS blocking (including less reputable services), by running their own DNS resolver, by going directly to the IP address without using the DNS, or by simply using a virtual private network (VPN) to activate a different DNS resolver.
In response to cases of state censorship and widespread abuse of DNS services offered by ISPs over the previous two decades, a number of companies launched their own “open” DNS resolvers available to users worldwide. Today about 21% of French users rely on an open DNS resolver. Under the proposed legislation, they too would be forced to comply with DNS blocking or shut down. Past DNS blocking campaigns also created a market for the proliferation of independent DNS providers committed to helping users bypass local laws — many of which were run by threat actors who subjected users to malicious content or surveillance. It’s worth considering how the proposed measures may actually undermine security by driving users away from legitimate infrastructures.
Another possible consequence is the risk of a “race to the bottom,” in which each government has effective veto power over the online content visible to global Internet users. Article 32 of the LPM and Article 6 of the Digital Bill do not distinguish between DNS services provided by ISPs, which are typically limited to a specific geography, and open DNS resolvers, which provide universal resolution services regardless of user location.
To comply with these proposals, open DNS resolvers would apparently be forced to apply removals globally. Few (other than the cyber criminals) might object to ANSSI forcing DNS resolvers to block access to a malware hosting site with global effect. But consider a hypothetical scenario in which an authoritarian regime were to demand, under its own domestic laws, that open resolvers globally block the domain of a news organization for reporting on human rights abuses in their country. French Internet users (along with users worldwide) would be deprived of access to that information. The situation would become untenable, and more users would seek out risky infrastructure to bypass the filters.
This is far from a hypothetical. At this very moment a coalition of nations is seeking to amend the Budapest Convention, a 2001 agreement governing international cooperation to combat digital crimes, to push for a far more expansive definition of “cybercrime” — one that arguably infringes on freedom of expression.
Several alternatives exist which would avoid the concerning implications mentioned above. Domestic Internet Service Providers (ISPs) have a number of tools at their disposal to block infrastructure deemed malicious by French authorities. This includes blocking HTTP/HTTPS connections to the offending site, and blocking the IP addresses. The impacts of these methods would necessarily be limited to within French territory and thus would avoid the extraterritorial impacts mentioned. Furthermore, French authorities could work with the registry and registrar for the infringing domain to be taken down and to request relevant information on the infringer in compliance with existing French criminal law. There are established procedures for copyright holders for making such requests. Domain seizure is a far more effective and proportionate measure. It stops the problem at its source rather than piecemeal via domain resolvers and browsers.
Impacts to Web Browsing
Article 6 of the Digital Bill also requires that web browsers block access to problematic websites, requiring browser providers to present warnings to users attempting to visit blocked sites. This is problematic for many of the same reasons as the DNS provisions.
Browser companies already have long-standing programs to warn users about malicious websites. There are a number of free, widely-used products that offer governments the ability to flag websites so that they may be blocked. The French government may be well-placed to identify phishing and scam sites affecting their citizens, and we recommend they work with the major browser providers to share such information.
As with the DNS provisions, overlaying a government-specific web filter onto browser technology may create a disturbing precedent where each national government can implement a veto over the content global web users can access.
The proposed Article 35 of the Military Planning Law gives ANSSI the authority to install “technical markers” — hardware and software enabling the collection of user data on the networks of electronic communications operators and data center operators. This provision would grant ANSSI the authority to install surveillance capabilities in private data centers without due process, posing a grave risk to the civil liberties of both French and global Internet users. This appears to be in conflict not only with EU law but also with the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities, which seeks to ensure that “government access should be carried out in a manner that is not excessive in relation to the legitimate aims and in accordance with legal standards of necessity, proportionality, reasonableness and other standards that protect against the risk of misuse and abuse, as set out in and interpreted within the country’s legal framework.”
Moreover, such warrantless surveillance practices would contravene CJEU case law — notably the standard set in the Schrems II case outlining protections for EU citizens against warrantless or bulk surveillance activities. The proposed Article 35 not only would stand to violate fundamental human rights in France, but also jeopardize the EU’s recognition as a qualified state for the purposes of access to the redress mechanism supporting the EU-US Data Privacy Framework. Such action could compromise a fragile agreement and harm French citizen rights in the US as well as the economic fallout of disrupting EU-US data flows.
Aside from serious civil liberty and privacy law concerns, this approach is likely to impede critical infrastructure owners and operators from swiftly responding to a significant cyber incident. A major incident will require speed, information sharing, and cooperation to neutralize threats and restore services. In a crisis, the owners and operators of these services will be far better positioned to take rapid action on their own networks than government officials. Government officials, arriving on short notice, unfamiliar with the infrastructure and topography of the network, will likely cause confusion, deepen coordination challenges, and ultimately lead to a less effective response.
A better approach would be to ensure that ANSSI has the authority to achieve the desired outcome (e.g., blocking a threat or restoring services), allowing the provider to determine the most effective means of doing so. Once any incident has been neutralized, infrastructure owners and operators may respond to investigations by relevant authorities in accordance with applicable laws and relevant policies. In many cases, infrastructure owners and operators have implemented interfaces to centralize the handling of requests from authorized agencies, enabling smooth communication and engagement with French authorities seeking user data as part of criminal investigations arising from cybercrimes.
Premature Vulnerability Disclosure Risks
Article 34 requires software vendors to notify ANSSI of any “significant” vulnerabilities affecting their products, regardless of the state of patching of the vulnerability. This is a flawed approach that diverges from international standards and best practices on Coordinated Vulnerability Disclosure (CVD), and will make the Internet less safe for users.
When significant vulnerabilities are discovered, the vendor’s top priority is to deploy a mitigation that prevents loss or damage, and to reduce risks until that mitigation is deployed. The period prior to the release of a mitigation is very dangerous for Internet users — there are no defenses to an attack, so it is vital to restrict knowledge of that vulnerability until vulnerable users are provided actionable mitigation steps in the form of patches or configuration changes. CVD best practice is to restrict knowledge of sensitive vulnerability details to the parties necessary to develop mitigations. Requirements to share information about unmitigated vulnerabilities broadly with government agencies undermine cybersecurity by increasing the risk that the information will be exposed to adversaries before a mitigation is in place. Furthermore, this could lead to another race to the bottom where other governments legislate requirements to share sensitive vulnerability data as well. As an alternative, we recommend the French government instead focus on ensuring timely adoption of patching once mitigations are released. At a minimum, safeguards should be added to give companies reasonable time to mitigate the vulnerability before disclosure to the government, and to limit the purpose of disclosure to the government to ensure the disclosure is used solely to improve cyber defenses, and not for offensive purposes.
We share the French Government’s goal of building resilience against cyber threats and urge the legislature to work with technical experts to achieve these goals without placing the broader ecosystem and civil liberties at risk.
Thank you for your consideration, and we look forward to further discussions on ways to secure the open Internet.
Vinton G. Cerf, Internet Pioneer and Former Chairman of ICANN
Stephen D. Crocker, Internet Pioneer and Former Chairman of ICANN
Mirja Kühlewind, Internet Architecture Board Chair
Mallory Knodel, Internet Architecture Board Member and Chief Technologist at the Center for Democracy and Technology
Carl E. Landwehr, University of Michigan
Wes Hardaker, Internet Architecture Board Member and Senior Computer Scientist at the University of Southern California’s Information Sciences Institute
David Schinazi, Polytechnicien and Internet Architecture Board Member
Joseph Lorenzo Hall, PhD, Distinguished Technologist, Internet Society
Suresh Krishnan, Internet Architecture Board Member
Erik Kline, IETF Internet Area Director
Alexis Hancock, Electronic Frontier Foundation
Wendy Seltzer, Principal Identity Architect, Tucows
NOTE: Affiliations are listed for purposes of Identification only. Signatories are acting in their personal capacities.