Over a decade ago, a ton of tech companies (including Google) coordinated a “blackout the Internet” day of protest against U.S. legislation that would have required them to alter DNS to fight piracy. Interesting that now that France actually does it, they say they will comply.
In the last decade Tech has become part of the establishment. They are one of the dominant controlling forces.
The blackout was _not_ about preserving free speech, or any other moral high road. It was purely about control. Tech hadn’t yet cemented their position as a dominant player and didn’t want to cede the control they had.
Now that they’ve embedded themselves in the ruling class they don’t care as much because they already have control.
Tech has always been part of the establishment, funded by capital trying to solve capital's problems. The only part of tech that really deviates from this is the free software community, which has always been hostile to capital. The blackout day emerged from people, not the industry, and people have changed.
idunno, I remember when everything cool I found on the internet was on a .edu domain, because that's almost all there was. But yeah, capitalist tech has always been part of the establishment. A lot of the good stuff comes from non-profit-related motivations, fortunately.
I remember how I used to call a BBS rather than go to the internet because there was much more than just universities and their research - took a long time until there wasn't a reason to call the BBS, around the point when all the people moved their content.
This is the right line of thinking. My interpretation is slightly different - I think the tech companies have run afoul of various norms when it comes to things like the privacy of customers, anti-trust, taxation, etc. Because they are now reliant on these unethical ways of holding onto economic power or growing their economic power, they need to not get into trouble with governments. This means playing nice with them so that they do not become subject to legislation that will rein them in.
> For better or worse, if you do business in <x> you follow <x>'s laws or GTFO.
That does rather imply that the laws are worthless. Obviously there is going to be someone who doesn't do business in France and operates a public DNS server that doesn't censor anything.
Regardless of that, I would challenge your premise. You can violate an unjust law and risk the consequences. And if you get the PR right, there may not even be any consequences:
But to your point, this is one of the reasons it's important to get these laws off the books and keep them off the books. Once you have the law, the government gets to choose the test case. You know perfectly well they'll be using it against dissidents and false positives tomorrow, but the test case is going to be some loathsome terrorists or a commercial piracy operation with no shades of grey, and then that's the case that sets the precedent.
> Obviously there is going to be someone who doesn't do business in France and operates a public DNS server that doesn't censor anything.
and so when the rights holders notice enough people pirating using dns resolvers they can't force to do anything via the french courts, they'll probably just take it up with the french ISPs and ask for IP blocks of these resolvers. And I'd guess they may already be trying to IP block various piracy sites.
Will be interesting to see them play whack-a-mole. I wonder if at some point France will just start maintaining national blocklists, that if you want to run an ISP or reply to DNS queries from France, you are legally obligated to follow (or get blocked yourself); from the article, it sounds like the current law is significantly short of that so the whack-a-mole will continue.
Italy has the system you're thinking of. It's called Piracy Shield. Upon receiving a blocking request from the government through the automated system developed for this purpose, all ISPs are required to block the domain or IP within 30 minutes or else their CEOs could be criminally charged and go to jail.
Does it work in practice? The Russian censorship machine has only reached these kinds of reaction times in the last year or so, and they had to boil the frog for a decade to achieve that.
What? The tech ( dns in this case) is as neutral as you can get, these are french courts ordering the block, and the dns technicians are controlled by american corps. Dns just executes the orders of the corp, which in turn obeys the local courts.
Tech is under corp in the chain or command, which in turn is under national law.
Chinese state employees physically manage the computers. Apple abandoned the encryption technology it used elsewhere after China would not allow it. And the digital keys that unlock information on those computers are stored in the data centers they’re meant to secure.
Google never left China, they literally just moved to a new building on the other side of the road (in Zhongguancun, Beijing). They even “left a couple of boxes there”[1].
Google in China is virtually a different company than the US - laptops and desktops issued by Google in the US will automatically erase their disks if they detect they're in one of a few countries (Iran, China, Russia, NK, etc.) and there is an entirely separate flow for workers there since GMail and the corporate intranet are inaccessible.
This is why I can never take their current alleged passion for privacy fully seriously. Sure, I do appreciate some of the features they're coming out with, but I don't trust them to not eventually drop this marketing angle and pull rugs when it's no longer profitable
Considering that it is run by a duplicitous Uncle Scrooge it is exactly what is going to happen.
If the App Store golden goose get taken over (by DMA and similar legislation) they will lose a significant share of their revenue growth and it seems that this is simply unacceptable to current Apple leadership.
The iPhone is losing its luster and competitors are coming with extremely competitive devices at much cheaper prices, even at the most premium end there is not much of an edge, the product has been perfectly commoditized. Pursuing luxury will inexorably make it a smaller and smaller share of the market every year passing.
The iPad and the Mac are pretty small share of the revenue too, by pursuing luxury Apple has put itself into the same corner, repeating previous mistake Steve Jobs warned against in an interview (while working at Next).
I don't see how they reconciliate their need for growth without fucking over their users at some point on the privacy bullshit. It's not as if they don't have a long history of doing that. There is one thing that is clear about Apple as a company: it loves money much more than its customers; in a way that makes regular companies look like boy scouts...
Yep. Net neutrality, my left foot. MAANG are all about participating in PRISM, monopolizing access, and choosing who can and can't speak because they compromise a for-profit, oligopolic, technocratic cartel.
Piracy is simply Terrible, it's chopping the dear copyright holders off at the knees, they are frequently having to go on food stamps, and it's unclear how they'll continue on.
/s
Fighting online piracy: First world, or even zeroth world problem.
It's not loke the pirates are saying "hmm, should I pay exorbitant rates for this or should I pirate it?"
The real competition is alternatives: "should I bother pirating this or just go do some other activity."
Bottom line: In most cases it's actually free marketing, and has a net positive effect for the copyright holders. The continual attempts to aggressively clamp down really says a lot about the mentality of the Big Market Forces, *iaa, *aa, and now MS and Elgoog. Even when it's good fertilizer for their perpetual evergreen money tree, they still flip out.
It's all about profit protectionism of the moats around streaming to enforce the arbitrary extraction of gotcha capitalism subscription fees from as many people as possible for as much as possible.
It was not about standing up against IP juggernauts in the interest of users, but in the interest of themselves -- it was tech companies flexing their strength to show that cooperation with tech companies was required, and that they are open to cooperation in other ways too.
Hilarious how the article mentions the domain names at the end. It's like Google showing links of DMCA-striken lists, so you can easily find out the actual places to pirate.
> It's like Google showing links of DMCA-striken lists
Used to be like that. Now they have renamed “Chilling Effects” to “Lumen Database” and require submitting an email address to view each individual complaint.
What if I'd want to warn users that the list really only encompasses sports related domains? Genuinely want to follow the etiquette here, but I like being useful.
Quad9 is based in Germany which isn't much better than France for this kind of thing. They have already been ordered to implement DNS-level censorship in other cases.
Also, the phrasing in both, but especially the HN title made me think Cloudflare chose to do something, but it turns out the French court is forcing all of them.
I'm surprised you're so keen on having big tech companies intentionally ignore court orders and just break the law. Like, it's obviously something none of us should want.
There's a really bad equilibrium where every country (or at least every country big enough to have BigTech workers in their country) figures out they can globally censor the internet by using the assets and people of those companies as leverage. Then we would have Americans having their internet censored by every foreign power except China and Russia, where BigTech have largely left.
And it would all be done under the color of local law.
It's not required that they do so in order to implement a France only block. They just geolocate the requesting IP, and give different answers based on that. Same as Netflix or any other provider geo blocking there content, with the same workarounds.
But also, in answer to your question, sort of, yes. 1.1.1.1 is any cast so that users will be routed to a server geographically near them. So then 1.1.1.1 a user gets in the US is quite literally a different one than a user in France will get.
The venn diagram of people who are technically savvy enough to be able to alter their dns records and people who can and will use a VPN to work around an ip geolocation block is almost a single circle.
There is actually no evidence this is the case, and there is evidence it is the opposite - that the less voters support something, the more likely it is to pass.
Obviously the claim exists within the space of bills that somebody actually wants. The premise is that things major industries or politically connected plutocrats want get passed over the interests of the general public for all of the usual reasons, not that things nobody wants get passed without explanation.
The voters decide who is part of the "ruling class". If the voters choose representatives who only pass laws which benefit themselves, then that is a choice the voters made. If the voters are unsatisfied with their choice, they can change their mind in the next vote.
(Read: The status quo is the status quo because most people are prefer the status quo.)
Elon Musk never passed a law. The representatives chosen by the voters did. These representatives do not magically enter the government; they are selected by the voters. The voters freely decide wether they wish to have representatives who pass laws which are benefitial to Elon Musk.
> The voters freely decide wether they wish to have representatives who pass laws which are benefitial to Elon Musk.
No, the voters at best select a bundle of stances for/against various things. Effectively this means you have no input except for maybe one or two issues you care most about. In practice you do not even get to do that as your representatives are not bound to what they promised to get you to elect them.
You are free to run as a candidate, even if you are not a well-connected person. (But of course, the voters will choose to not vote for you.)
> Effectively this means you have no input except for maybe one or two issues you care most about.
You are free to vote for someone who fully represents your opinions (yourself). But noone else will vote for that person. Democracy is about making compromises; the government is an average of people's opinions.
> In practice you do not even get to do that as your representatives are not bound to what they promised to get you to elect them.
This is true. But if a candidate lies to you, you can vote for a different candidate in the next election. Repeatedly reelecting liars is a choice voters make voluntarily.
The reason for bad laws is not that democracy doesn't work. The reason is that democracy does work, and other people keep having the wrong opinions ;)
By what means? Picking one of various parties that all colluded on the laws? Perhaps one that promises to oppose it but then does the opposite? Let's not pretend that voting of all things is an effective means to enact change on specific issues in a representative democracy.
One answers is that this case isn't actually a bad law. This appears to be blatant organized piracy. What's odious about copyright laws? This also appears to be pretty much the gold standard of due process. It's not like somebody submitting automated DMCA requests on videos with silent audio tracks or something. It's a court order for these specific domains, which would have been carefully curated and has been quite literally litigated.
The other answer is that you really don't want big corporations to be ignoring laws they don't like, because odds are pretty good that your list of bad laws doesn't match theirs. Countries have sovereignty. If a company doesn't want to obey those laws, they should not operate in that country. If the law really were bad, the way you'd actually fix this is by the democratic process. That's up to the voters, not foreign corporations.
> One answers is that this case isn't actually a bad law.
It's censoring DNS. That's a bad precedent. The technical capacity to do it shouldn't exist because otherwise it will be used for every other form of censorship, and deprive democratic countries of any moral or technical authority to object when authoritarian countries want to do it.
It will also be ineffective, leading for calls to make it effective, but the only way to do that is totalitarianism. There is no good that comes from setting out on that road.
> The other answer is that you really don't want big corporations to be ignoring laws they don't like, because odds are pretty good that your list of bad laws doesn't match theirs.
Ignoring the law doesn't get them out of paying the penalty, but penalties are meant to be sane, not some Hollywood accounting nonsense where one person watching one illicit stream of a sporting event causes the event organizers six billion dollars in damages. Then if Cloudflare wants to say "yeah, we're not doing that" and just pay the $100,000 dollar fine, it's clear that they're standing on principle -- they're paying $100,000 in exchange for ostensibly nothing -- and there is nothing wrong with that. The purpose of the penalty is to deter the underlying wrongdoing, not to deter civil disobedience. Anyone should be able to say "I am going to suffer the consequences of this because my principles are worth more than the fine" without having some authoritarians ratchet up the penalty to infinity.
> Countries have sovereignty.
Democratic countries have checks and balances. One of the checks and balances is that if you pass a law people don't respect, they don't respect it. Then you have to choose between punishing not the evildoers, but the principled idealists -- or repealing the law.
France uses a sane legal system based on civil law, so precedents rarely matter. In this case the Sports Code says that piracy is bad and operators can be requested to block piracy websites if they're used and "harm" rights holders. That doesn't mean that tomorrow in a random case not related to sports piracy a judge can refer to that law and order censoring of other DNS entries.
Precedents aren't just in courts. People see something being done and then they want to do it too. If the law requires this then people who want to build systems that make it impossible would be in violation, which deters those systems from being built for the people who really need them.
Making a petition to change the laws sounds like a great way of achieving nothing. It will certainly not mean you get to ignore the court orders.
Shutting down public DNS in France would be an option (a garbage option that nobody would actually choose in this case and that'd solve nothing, but an option nonetheless). That's not what dmitrygr was asking for though. They want big tech companies to ignore legitimate court orders to protect some scummy football pirate sites.
Is a non-French company obligated to obey a French court order? I can probably name a few countries where most US companies won't enforce the court order from them
They have paying customers in France/they operate their business in France for a profit. Just because their headquarters aren’t there doesn’t make it a non-French related business.
Also, the country (france) is ordering the "poisoning", these american companies just comply with local regulations.
Heavily biased article.
Remember that dns/ip systems are decentralized at the national precisely so that countries have sovereignity.
The editorial line would have us believe that france is committing a free speech crime or overturning internet infrastructure, while in actuality they are exherting their national rights.
This is literally just a framing issue. Note first that people generally believe in universal human rights, e.g. states shouldn't be allowed to do horrible things (e.g. genocide) just because they would be asserting their national rights.
Further the action of a single state often influences other states, as is especially true when it comes to the internet which is global by nature.
The example is there to establish the principle – once you accept that sovereignty has limitations it's then just a question of which limitations you think are legitimate and which aren't. I think censoring pirate websites kind of isn't.
It’s a slippery slope. Once you start losing rights, how low can you go? Historically, governments will go very low. A bad election (which is a real risk now in France) and there you have a facist state.
That said genocide is categorically different than blocking websites. Slippery slope is well regarded as a fallacy.
I did mention that states can choose to go to war though. It is within reasonable realm that the US may overturn the orders of a French court when operating in their country, but it is an act of war. It is something you would do to prevent genocide, but not to allow frenchies to watch sports without paying.
Respect might not be the right word, but during their meteoric rise to popularity in the past decade they have consistently shouted “we don’t moderate content, we’re just a dumb pipe, don’t take this up with us take it up with the publisher!”
In the past 3 years or so they have repeatedly proven that to be a lie; they weren’t able to have their cake and eat it too. But their old reputation still sticks around amongst people who don’t follow the space that closely.
One of the interesting technical questions is how these vendors will choose to reflect the forbidden DNS entries in protocols like DoH where they have a choice. For example a reasonable thing for a DoH server to say when asked a DNS question it has been forbidden to answer truthfully, is HTTP 451 Unavailable for Legal Reasons.
That would be a layer/protocol violation. The HTTP status codes used in DoH are used to discuss the semantics of the DNS query itself, unrelated to the DNS response. For example an NXDOMAIN response is still a 200, not a 404.
The only provider here who is stated to have said they will be complying is Google, right? So not only is singling out cloudflare incorrect, the title itself is incorrect. “French court orders Cloudflare, Google, and Cisco to poison DNS to stop piracy block circumvention” is the correct title for the article contents, possibly with an addendum of Google saying it will comply.
It is times like this that I recommend technically inclined people to try setting up your own dns resolver and see how minimal impact a few/handful of milliseconds on first access has on the internet experience. Practically all popular domains also uses some form of anycast network, so the benefit of a single large shared resolver that caches the dns answers has steadily decreased each year.
Just make sure its not configured to be a public resolver, and only allow local network or whitelisted addresses.
Setting up your own recursive DNS resolver to circumvent ISP blocks is pointless unless you do so on a VPS or something, because otherwise, your ISP will just hijack the recursive queries it makes. And DNSSEC doesn't help if the ISP just wants to block you from learning the real IP.
> your ISP will just hijack the recursive queries it makes
This level of deep packet inspection and injection is not what ISPs commonly do in my experience. At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly? Might as well force people to set up a full tunnel (such as a VPN) to bypass the block, if your ISP or court order shows this level of motivation anyway.
Insofar as I've experienced these things: fetching the mapping yourself, from a server not operated by your ISP, will circumvent DNS blocks your ISP was ordered to put in place.
Currently I've got live access to one such blocking mechanism:
$ dig +short thepiratebay.org
195.121.82.125
$ dig +short +trace thepiratebay.org | tail -1
A 162.159.137.6 from server 172.64.35.164 in 5 ms.
The +trace option makes dig trace the delegations from root server ("who is .org?") until authoritative answer ("who is piratebay.org?"), basically this makes it a recursive resolver whereas in the default case it just asks your configured nameserver.
The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses
> At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly?
Because IP addresses can change frequently, and also because if a site is behind a CDN, that would cause a lot of collateral damage.
> The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses
Okay, so your ISP's particular blocking mechanism doesn't hijack recursive queries. But others do.
Could you give a example of such ISP? I have seen ISP block all DNS traffic beyond to their own server, but those have been fairly locked networks like hotel wifi. It is much cheaper, safer, and less fragile to just block everything and force customers to the isp own servers. DPI and traffic injection carries risk of false positives and minor engineering mistakes can create large support costs, and would really only be beneficial if the intention is to hide the fact of the block.
(There’s lots of smaller providers, but lots operated by governments, ccTLD administrators, and other major organizations)
I only bring this up because the idea that the major providers “are” the internet is the only reason this is a possible and a problem in the first place.
I personally have zero interest in streaming soccer games, but the process involved here does leave me wondering just how resilient 1.1.1.1/9.9.9.9 (which I use with https-dns-proxy because I basically don't trust the business side of my local telco/cable monopolies as far as I can throw them) really are in practice. I'm starting to feel like someone should bring back ORSN and throw some (cryptocurrency-free, old-school cypherpunk) Merkle tree or DHT magic on top of it or something.
I mean, there are already issues with 1.1.1.1 where archive.is/.vn/etc sites don't work. I know this is due to that site's admin specifically blocking cloudflare, but it already happens. The real answer is to run your own recursive DNS resolver. It's not for the complete technical novice but it's the same amount of work as setting up pihole and requires the same amount of low-spec hardware. I don't think this is out of reach for anyone who is already using a non-default DNS, since with the reconfigured images available it really isn't too much of a lift.
Repressive governments have a history of legal orders telling Google to block protestors from accessing twitter.com but Google always refuses to comply. So their new policy of complying isn't about legality. France is a big market. Perhaps it's about money.
The entire ad revenue market (desktop + mobile + social + ....) in France, in 2023, was 5.8 billion dollars (The spread in public sources data seems to be 5.0billion-6.2 billion, so i just took the high side)
1. Google made over $240 billion in ad revenue in 2023, so even if it had 100% of all ads revenue in France, France would only account for 2.5% of Google's revenue.
2. However, Google's share in France is nowhere close to 100%. Search + Display overall is currently sitting at 20-25% of the french ad revenue above (same sources). Let's assume Google has 100% market share in France in those areas.
Then France would account for about 1.25 billion dollars of revenue for google, or about 0.5 percent of Google's revenue. Which is not a lot.
But it's still something.
Or it would be, except:
3. France has fined Google 224 million so far in 2024.
Google's margins are around 25%. So that 1.25 billion of revenue produces around 312.5 million of profit. Maybe less
Of which they've been fined 224 million :)
If Google gets fined in France again this year, it would probably be operating at a loss.
Uh, there's nothing in your link about a government ordering Google to block Twitter? Since you say this is a common occurence, I'm guessing it'll be easy for you to find a source that actually supports your claim.
I think the main point is that it's trivial for people to circumvent the DNS level block by simply finding new DNS servers (in this case something other than local ISPs, Google, CF etc... still many out there) by asking others or simple googling here and there, and in extreme cases, at a physical level as in the article.
If it is what public DNS providers do, then they should get a bad reputation and then people should not use them. People can make their own, and/or to just use IP addresses directly (or other methods) if they know what they are from other sources. You can also use the hosts file.
Or just footybite.cc will become footybite1.cc, then footybite2.cc... so on. The people writing these laws are seemingly clueless about the internet. Or perhaps, the lawyers just don't care as they are getting paid.
There are almost certainly aggregate sites that will share the new domains, messages boards, social media, instant messaging, etc. Word of the new domains will travel very quickly.
Hell, they could setup their own public DNS outside of France and suggest users use that. Users already switched from local/ISP DNS to Cloudflare / Google because of the previous law so that is not a big hurdle (ignoring the obvious security problem - many users won't care they just want to watch the game).
My point though is that these laws will be very easy to bypass just like most anti piracy laws before it. Note that The Pirate Bay is still up and running.
> Users already switched from local/ISP DNS to Cloudflare / Google because of the previous law so that is not a big hurdle (ignoring the obvious security problem - many users won't care they just want to watch the game).
In many cases it was browsers changing the used resolver behind the users back contrary to OS-wide settings.
Twitter and Wikipedia as a source to locate the actual dns address worked for the pirate bay back in the day, I assume if nothing else piracy sites would not be afraid to just use raw ip addresses.
The problem is that if everyone does that, DNS no longer scales; or it should be done smartly with only recursing censored answers. And then it will escalate with IP-level blocking of root servers or NS servers of censored websites.
I’ve always been curious why dns is a go-to for oppressing unwanted websites. Is it truly difficult to block at an IP level? There would be collateral damage in doing so, but it wouldn’t take long for most VPS providers to dump piracy sites if the alternate is their entire network block being dropped.
More likely the opposite. A site which is legal in the US or elsewhere but not in the EU would then have fewer options for finding a convenient host, even though it's perfectly legal in the country where it actually operates, because the EU would be exerting extrajurisdictional pressure on hosts by blocking all of their other customers. Those customers would then prefer a host large enough to resist that pressure, which is Cloudflare, because a country that tried to block them would break the internet in their country. And then Cloudflare would improve their reputation among customers by resisting an attempt to DoS a site which is legal where it operates.
Meanwhile it would do nothing to put the site offline regardless because there are more hosting companies than there are atoms in the universe and many of them serve primarily local clientele and wouldn't really care if they got blocked in a country where their customers aren't. They'd have to be blocking the majority of the total IPv4 address space before the site ran out of somewhere to move.
In Italy we gave rights to a private company to tell all ISPs what sites should be blocked by ip. Eventually, other websites go down when some cloudflare ip gets blocked
"A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains."
Most if not all of these domains probably use Cloudflare as their authoritative DNS servers because they are using Cloudflare CDN. Why not just ask Cloudflare to "poison" those RRs. No need to issue orders to a selection of cache operators.
Because those are not under the French government's jurisdiction unlike responses served to French users. Many of the used TLDs are even explicitly under other countries' governance.
I’d just add the IPs to my LMHOSTS file (Windows) if I really wanted to watch sports badly enough. I mean, I was doing that back in the day for local development anyway.
Theft is theft, don't matter if it's irl or online. As a developer who periodically witnesses users spending hours trying to circumvent 1 dollar payments I think that the time has come for the piracy culture to end. And I used to do piracy too
Copyright infringement is not theft -- false comparison.
Also, have you considered how likely the people who are trying to get around your payment would be to pay up if they didn't find a way? If what you say about how long they try is true, I'd say the chance is extremely close to 0%.
That's the dirty secret of the anti-piracy campaigns of rightsholders. The "lost sales" narrative is a load of made-up horseradish, and they know it.
There are many such local laws limitations that big techs have to bow to (that smaller obscure companies choose not to). For example, Google won't offer its VPN service as part of Google One in India. Whereas, proton/mullvad works just fine.
Is there some decentralized anti-censorship technology that can prevent this type of action, where ISPs and DNS providers and other points of centralization are forced to implement things on behalf of other parties (like Canal+ or a government)?
1. Recursively lookup DNS, so domains will have to be blocked at the registrar level, since DNS is unencrypted, it can be blocked at ISP level as well.
2. Use a protocol alternative to DNS, a good mature example is GNS. It aims to replace DNS, with a built from group up, modernish protocol. Using a DHT and public-key cryptography.
3. There are "block chain" solutions to the whole domain problem, look at Handshake, ENS etc.
No matter how decentralized something is, ultimately you need to have a server and cables connecting it to the internet located somewhere. That somewhere will be within some legal entity or sovereign's jurisdiction which you must answer to and comply with.
As long as the protocol is easy to detect and block.
If whatever technology that is being used is so intertwined into the base of all use cases (including totally legal) and legal vs. illegal is practically indistinguishable at scale, then decentralization cannot be blocked without physically blocking all the legal use cases too: sure they can "cut cables" but it will have much more greater consequences as they have just cut cables connecting all the legal activity too.
I mean, this is literally a case of killing off the general infrastructure to stop illegal activities.
DNS can be used for both legal and illegal purposes, and the French courts authorized dropping nukes on them to stop illegal activities with no damns given to the legal because the laws cited provided no such safeguards or reservations.
Decentralized and global consensus are contradictory properties, in order to have an otherwise arbitrary ASCII string resolve to a particular machine EVERYWHERE, you need a central authority to say who's who.
If you just want to prevent other central authorities (e.g. France) from barging in on the existing central authorities your computer expects to get answers from (e.g. ICANN, Verisign etc) there are plenty of projects for semiuncensoring DNS in a distributed way. But nobody is stopping, say, the US from doing to ICANN or Verisign what France is doing to CloudFlare and Google.
The ethereum block chain is centralized - it may not have a geographical location, but there's still only one of it. In a global partition there become zero of it (only two incorrect fragments), not two of it.
Other people have even argued that blockchains are states - as in governments, not as in distributed state replication protocols.
AFAIK pihole still relies on an external recursive resolver (at least by default), so you'd still be subject to whatever blocks your ISP/cloudflare/google imposes.
They could, but it would be weird. They use anycast for their DNS, so it will land on the French server before they know what the query is. There isn't really a way to tell a client, "no go to another server with the same IP address". But also they still want all the other French traffic to go to the French servers for performance reasons, so they wouldn't want to send all French traffic outside the country.
Childishness aside, this is a dumb idea because it's going to piss off more users than appease. Most don't care about the struggle for internet freedom or whatever, and just want their sites to work. For them blocking legitimate sites a sign that their ISP is broken, especially when their friends/colleges report that it's working fine on their connections. Moreover blocking illegal streaming sites is court sanctioned whereas blocking the plaintiff's sites is not, and likely expose them to getting sued for tortious interference or similar.
I'm not sure how that's any less childish/tortious interference. At the end of the day you're still unilaterally deciding to interfere with some company's website.
Rampant? Read the article before commenting, they are talking about 800 people in the whole of France.
It's clearly not about severity, but about control. They would try the overreach even if there is no damage to be found (like using ridiculous "this is the money we lost" calculations).
>Rampant? Read the article before commenting, they are talking about 800 people in the whole of France.
800 is the figure given by google's attorney for people that would be affected by the block enforced by public DNS servers, not the total amount of "rampant piracy" that's going on.
* Domestic abuse is the victim's fault because they shouldn't have made their partner angry.
* The Chinese GFW is the fault of the people who criticized the government. They shouldn't criticize the government.
* Israel indiscriminately bombing Gaza is the fault of the Gazans who fought back the last time Israel did that.
* The Holocaust is the Jews' fault for not fleeing the country sooner.
>* Domestic abuse is the victim's fault because they shouldn't have made their partner angry. * The Chinese GFW is the fault of the people who criticized the government. They shouldn't criticize the government. * Israel indiscriminately bombing Gaza is the fault of the Gazans who fought back the last time Israel did that. * The Holocaust is the Jews' fault for not fleeing the country sooner.
Except in all those cases, you can vaguely make the case that the "victims" were in the right (eg. the right to be not physically assaulted). It's far more questionable to claim that people have the right to free live sports streaming.
Doesn't matter. Even if you have no right to be annoying, being annoying doesn't justify punching you in the face. Even if you have no right to kill 100 people, killing 100 people still doesn't justify killing 50000 people. Even if you have no right to watch sportsball, watching sportsball doesn't justify shutting down the Internet.
>Even if you have no right to be annoying, being annoying doesn't justify punching you in the face.
Being "annoying" however does justify you being escorted off the premises, which is probably closer to what's happening to those streaming sites than being "punched in the face".
>Even if you have no right to watch sportsball, watching sportsball doesn't justify shutting down the Internet.
Get a grip. Returning incorrect IPs for several known illegal stream websites is hardly "shutting down the Internet", any more than arresting a bunch of belligerent protesters is enacting a police state.
Your claim would make sense if they had no operations in France, but I highly doubt that's the case. If you operate in those countries, you have to comply with their laws. The fact that your company is incorporated elsewhere is irrelevant.
> rightsholders can demand “all proportionate measures likely to prevent or put an end to this infringement, against any person likely to contribute to remedying it.”
Rightsholder: "Let's see, life insurance payouts are €1M and we are losing at least €50M to these sites, so..."
This looks like such a non issue to be honest. Government branches should have technical and legal capabilities to block domestic and foreign hosts. Legitimate foreign service providers, should either comply with local government, cease operations in that country, or be prepared for war.
Over a decade ago, a ton of tech companies (including Google) coordinated a “blackout the Internet” day of protest against U.S. legislation that would have required them to alter DNS to fight piracy. Interesting that now that France actually does it, they say they will comply.
https://en.m.wikipedia.org/wiki/Protests_against_SOPA_and_PI...
In the last decade Tech has become part of the establishment. They are one of the dominant controlling forces.
The blackout was _not_ about preserving free speech, or any other moral high road. It was purely about control. Tech hadn’t yet cemented their position as a dominant player and didn’t want to cede the control they had.
Now that they’ve embedded themselves in the ruling class they don’t care as much because they already have control.
Tech has always been part of the establishment, funded by capital trying to solve capital's problems. The only part of tech that really deviates from this is the free software community, which has always been hostile to capital. The blackout day emerged from people, not the industry, and people have changed.
idunno, I remember when everything cool I found on the internet was on a .edu domain, because that's almost all there was. But yeah, capitalist tech has always been part of the establishment. A lot of the good stuff comes from non-profit-related motivations, fortunately.
I remember how I used to call a BBS rather than go to the internet because there was much more than just universities and their research - took a long time until there wasn't a reason to call the BBS, around the point when all the people moved their content.
I wouldn't really call "cool stuff on the internet" the tech industry, as much as I'd love to claim it.
> funded by capital trying to solve capital's problems
Is this parody?
Should we start against the trade unions and German barbarians next? (The latter to avenge Varus and recapture the Eagles.)
Parody?
It's obvious, and common sense.
A parody of what? I don't get the joke.
This is the right line of thinking. My interpretation is slightly different - I think the tech companies have run afoul of various norms when it comes to things like the privacy of customers, anti-trust, taxation, etc. Because they are now reliant on these unethical ways of holding onto economic power or growing their economic power, they need to not get into trouble with governments. This means playing nice with them so that they do not become subject to legislation that will rein them in.
There's also the nuance that while SOPA/PIPA were bills being legislated for potential passage, France is citing laws already in effect.
For better or worse, if you do business in <x> you follow <x>'s laws or GTFO.
> For better or worse, if you do business in <x> you follow <x>'s laws or GTFO.
That does rather imply that the laws are worthless. Obviously there is going to be someone who doesn't do business in France and operates a public DNS server that doesn't censor anything.
Regardless of that, I would challenge your premise. You can violate an unjust law and risk the consequences. And if you get the PR right, there may not even be any consequences:
https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
But to your point, this is one of the reasons it's important to get these laws off the books and keep them off the books. Once you have the law, the government gets to choose the test case. You know perfectly well they'll be using it against dissidents and false positives tomorrow, but the test case is going to be some loathsome terrorists or a commercial piracy operation with no shades of grey, and then that's the case that sets the precedent.
They should never be allowed the opportunity.
> Obviously there is going to be someone who doesn't do business in France and operates a public DNS server that doesn't censor anything.
and so when the rights holders notice enough people pirating using dns resolvers they can't force to do anything via the french courts, they'll probably just take it up with the french ISPs and ask for IP blocks of these resolvers. And I'd guess they may already be trying to IP block various piracy sites.
Will be interesting to see them play whack-a-mole. I wonder if at some point France will just start maintaining national blocklists, that if you want to run an ISP or reply to DNS queries from France, you are legally obligated to follow (or get blocked yourself); from the article, it sounds like the current law is significantly short of that so the whack-a-mole will continue.
Italy has the system you're thinking of. It's called Piracy Shield. Upon receiving a blocking request from the government through the automated system developed for this purpose, all ISPs are required to block the domain or IP within 30 minutes or else their CEOs could be criminally charged and go to jail.
Does it work in practice? The Russian censorship machine has only reached these kinds of reaction times in the last year or so, and they had to boil the frog for a decade to achieve that.
Things can change very quickly when CEOs are threatened with jail time. Maybe we should try it more often.
The correct link for that Wikipedia page is https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d... :-)
> For better or worse, if you do business in <x> you follow <x>'s laws or GTFO.
Except when <x> is ruled by <y>, in which case you impose a small fine as to not upset <y>.
Yeah! Like Uber, or AirBnB! wait, hold on.
If they had control they wouldn’t comply
What? The tech ( dns in this case) is as neutral as you can get, these are french courts ordering the block, and the dns technicians are controlled by american corps. Dns just executes the orders of the corp, which in turn obeys the local courts.
Tech is under corp in the chain or command, which in turn is under national law.
Gross lack of extra-technical nuance here.
Same with tech and China. They fold like paper without any protest:
https://www.nytimes.com/2021/05/17/technology/apple-china-ce...
Apple have repeatedly thrown their customers under the bus especially in China. At least Google had the courage to withdraw entirely.
Google never left China, they literally just moved to a new building on the other side of the road (in Zhongguancun, Beijing). They even “left a couple of boxes there”[1].
[1] Blum, Andrew, Tubes: A Journey to the Center of the Internet. New York, Ecco, 2012. https://archive.org/details/unset0000unse_p9b6
You can't even install the play store in China... Google hasn't been accessible there since in 15 years.
You can buy an iPhone there today, and Apple has agreements with China to hand over user data and has done so in the past.
> You can't even install the play store in China... Google hasn't been accessible there since in 15 years.
You and GP are both correct. Most Google services are not accessible in China but Google the company still has a significant presence there.
Apple has a datacenter in Gui’an New Area, Guiyang, Guizhou, China (run by GCBD[1]).
[1] https://www.apple.com/legal/internet-services/icloud/en/gcbd...
Google in China is virtually a different company than the US - laptops and desktops issued by Google in the US will automatically erase their disks if they detect they're in one of a few countries (Iran, China, Russia, NK, etc.) and there is an entirely separate flow for workers there since GMail and the corporate intranet are inaccessible.
This is why I can never take their current alleged passion for privacy fully seriously. Sure, I do appreciate some of the features they're coming out with, but I don't trust them to not eventually drop this marketing angle and pull rugs when it's no longer profitable
Considering that it is run by a duplicitous Uncle Scrooge it is exactly what is going to happen. If the App Store golden goose get taken over (by DMA and similar legislation) they will lose a significant share of their revenue growth and it seems that this is simply unacceptable to current Apple leadership.
The iPhone is losing its luster and competitors are coming with extremely competitive devices at much cheaper prices, even at the most premium end there is not much of an edge, the product has been perfectly commoditized. Pursuing luxury will inexorably make it a smaller and smaller share of the market every year passing. The iPad and the Mac are pretty small share of the revenue too, by pursuing luxury Apple has put itself into the same corner, repeating previous mistake Steve Jobs warned against in an interview (while working at Next).
I don't see how they reconciliate their need for growth without fucking over their users at some point on the privacy bullshit. It's not as if they don't have a long history of doing that. There is one thing that is clear about Apple as a company: it loves money much more than its customers; in a way that makes regular companies look like boy scouts...
Google employees had the courage to force Google to pretend to withdraw.
But rarely do they have the courage to quit their jobs or go on strike, when Google does the next anti privacy thing.
They tried it against Google's support of Israel and were immediately fired.
Becomes a question of how much you are willing to stand for. If being pro genocide is acceptable, then I guess staying is OK.
Google had zero courage and went fully under Putin and helped him to silence Russian opposition (Navalny) during the crucial pre-election time.
Telegram did the same, btw.
Apple leaving china does essentially nothing, the people there won’t get end to end encryption either way
I think these firms are all compromised. Poisoning dns is such a bad idea.
Yep. Net neutrality, my left foot. MAANG are all about participating in PRISM, monopolizing access, and choosing who can and can't speak because they compromise a for-profit, oligopolic, technocratic cartel.
Piracy is simply Terrible, it's chopping the dear copyright holders off at the knees, they are frequently having to go on food stamps, and it's unclear how they'll continue on.
/s
Fighting online piracy: First world, or even zeroth world problem.
It's not loke the pirates are saying "hmm, should I pay exorbitant rates for this or should I pirate it?"
The real competition is alternatives: "should I bother pirating this or just go do some other activity."
Bottom line: In most cases it's actually free marketing, and has a net positive effect for the copyright holders. The continual attempts to aggressively clamp down really says a lot about the mentality of the Big Market Forces, *iaa, *aa, and now MS and Elgoog. Even when it's good fertilizer for their perpetual evergreen money tree, they still flip out.
It's all about profit protectionism of the moats around streaming to enforce the arbitrary extraction of gotcha capitalism subscription fees from as many people as possible for as much as possible.
It was not about standing up against IP juggernauts in the interest of users, but in the interest of themselves -- it was tech companies flexing their strength to show that cooperation with tech companies was required, and that they are open to cooperation in other ways too.
Technically, google did it right (using the "censored" error code: https://datatracker.ietf.org/doc/html/rfc8914#name-extended-...):
Technically interesting but unless browsers start showing the error to the user about 0% of affected users will benefit from this.
Hilarious how the article mentions the domain names at the end. It's like Google showing links of DMCA-striken lists, so you can easily find out the actual places to pirate.
> It's like Google showing links of DMCA-striken lists
Used to be like that. Now they have renamed “Chilling Effects” to “Lumen Database” and require submitting an email address to view each individual complaint.
It still shows the domains for me, which is super useful, since I just go to the domain directly and then search again there
Will read the article now thank you
This kind of comment is best left on reddit to keep the signal-to-noise ratio on HN as high as possible.
Just hit that upvote button instead. :)
Where do comments calling something Reddit-tier go?
>Please don't post comments saying that HN is turning into Reddit.
https://news.ycombinator.com/newsguidelines.html
What if I'd want to warn users that the list really only encompasses sports related domains? Genuinely want to follow the etiquette here, but I like being useful.
Yes, censorship by establishment makes public curious. Often it is best PR of those sites.
Streisand effect.
But these names aren't resolvable (through compliant resolvers), while the transparency links would be.
They aren't resolvable with the listed in the article DNS providers, which makes it easy to find the other ones such as Quad9.
Quad9 is based in Germany which isn't much better than France for this kind of thing. They have already been ordered to implement DNS-level censorship in other cases.
9.9.9.9
only in France
The title on the website is “Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention”.
Curious why Cloudflare has been singled out in the submission title?
Same concern here.
Also, the phrasing in both, but especially the HN title made me think Cloudflare chose to do something, but it turns out the French court is forcing all of them.
They could fight and choose not to. They could ignore this and choose not to. They deserve our judgement for that
They did fight it in court. They lost.
I'm surprised you're so keen on having big tech companies intentionally ignore court orders and just break the law. Like, it's obviously something none of us should want.
There's a really bad equilibrium where every country (or at least every country big enough to have BigTech workers in their country) figures out they can globally censor the internet by using the assets and people of those companies as leverage. Then we would have Americans having their internet censored by every foreign power except China and Russia, where BigTech have largely left.
And it would all be done under the color of local law.
I see nothing in this article suggesting that the court order is for a global block, rather than a regional one. Do you have a source for that?
Does Cloudflare operate different 1.1.1.1s for each country?
It's not required that they do so in order to implement a France only block. They just geolocate the requesting IP, and give different answers based on that. Same as Netflix or any other provider geo blocking there content, with the same workarounds.
But also, in answer to your question, sort of, yes. 1.1.1.1 is any cast so that users will be routed to a server geographically near them. So then 1.1.1.1 a user gets in the US is quite literally a different one than a user in France will get.
The venn diagram of people who are technically savvy enough to be able to alter their dns records and people who can and will use a VPN to work around an ip geolocation block is almost a single circle.
Google tried to make that argument in first, but was unsuccessful.
Why should we not want this when the law is bad? The government should face pushback from all sides when attempting something odious.
It's a democratic country. The voters decide if the laws their government passes are bad or not.
There is actually no evidence this is the case, and there is evidence it is the opposite - that the less voters support something, the more likely it is to pass.
This claim appears blatantly false.
If being unpopular makes a law more likely to pass, then surely the French government tars and feathers all French children every other week.
No, they don't, since the voters would prevent that by voting for a different government.
Obviously the claim exists within the space of bills that somebody actually wants. The premise is that things major industries or politically connected plutocrats want get passed over the interests of the general public for all of the usual reasons, not that things nobody wants get passed without explanation.
That law was never proposed. Only laws that are beneficial to the ruling class get proposed.
The voters decide who is part of the "ruling class". If the voters choose representatives who only pass laws which benefit themselves, then that is a choice the voters made. If the voters are unsatisfied with their choice, they can change their mind in the next vote.
(Read: The status quo is the status quo because most people are prefer the status quo.)
I wasn't aware I ever voted for Elon Musk to have money.
Elon Musk never passed a law. The representatives chosen by the voters did. These representatives do not magically enter the government; they are selected by the voters. The voters freely decide wether they wish to have representatives who pass laws which are benefitial to Elon Musk.
> they are selected by the voters
From a small in-group of well connected people.
> The voters freely decide wether they wish to have representatives who pass laws which are benefitial to Elon Musk.
No, the voters at best select a bundle of stances for/against various things. Effectively this means you have no input except for maybe one or two issues you care most about. In practice you do not even get to do that as your representatives are not bound to what they promised to get you to elect them.
> From a small in-group of well connected people.
You are free to run as a candidate, even if you are not a well-connected person. (But of course, the voters will choose to not vote for you.)
> Effectively this means you have no input except for maybe one or two issues you care most about.
You are free to vote for someone who fully represents your opinions (yourself). But noone else will vote for that person. Democracy is about making compromises; the government is an average of people's opinions.
> In practice you do not even get to do that as your representatives are not bound to what they promised to get you to elect them.
This is true. But if a candidate lies to you, you can vote for a different candidate in the next election. Repeatedly reelecting liars is a choice voters make voluntarily.
The reason for bad laws is not that democracy doesn't work. The reason is that democracy does work, and other people keep having the wrong opinions ;)
By what means? Picking one of various parties that all colluded on the laws? Perhaps one that promises to oppose it but then does the opposite? Let's not pretend that voting of all things is an effective means to enact change on specific issues in a representative democracy.
One answers is that this case isn't actually a bad law. This appears to be blatant organized piracy. What's odious about copyright laws? This also appears to be pretty much the gold standard of due process. It's not like somebody submitting automated DMCA requests on videos with silent audio tracks or something. It's a court order for these specific domains, which would have been carefully curated and has been quite literally litigated.
The other answer is that you really don't want big corporations to be ignoring laws they don't like, because odds are pretty good that your list of bad laws doesn't match theirs. Countries have sovereignty. If a company doesn't want to obey those laws, they should not operate in that country. If the law really were bad, the way you'd actually fix this is by the democratic process. That's up to the voters, not foreign corporations.
> One answers is that this case isn't actually a bad law.
It's censoring DNS. That's a bad precedent. The technical capacity to do it shouldn't exist because otherwise it will be used for every other form of censorship, and deprive democratic countries of any moral or technical authority to object when authoritarian countries want to do it.
It will also be ineffective, leading for calls to make it effective, but the only way to do that is totalitarianism. There is no good that comes from setting out on that road.
> The other answer is that you really don't want big corporations to be ignoring laws they don't like, because odds are pretty good that your list of bad laws doesn't match theirs.
Ignoring the law doesn't get them out of paying the penalty, but penalties are meant to be sane, not some Hollywood accounting nonsense where one person watching one illicit stream of a sporting event causes the event organizers six billion dollars in damages. Then if Cloudflare wants to say "yeah, we're not doing that" and just pay the $100,000 dollar fine, it's clear that they're standing on principle -- they're paying $100,000 in exchange for ostensibly nothing -- and there is nothing wrong with that. The purpose of the penalty is to deter the underlying wrongdoing, not to deter civil disobedience. Anyone should be able to say "I am going to suffer the consequences of this because my principles are worth more than the fine" without having some authoritarians ratchet up the penalty to infinity.
> Countries have sovereignty.
Democratic countries have checks and balances. One of the checks and balances is that if you pass a law people don't respect, they don't respect it. Then you have to choose between punishing not the evildoers, but the principled idealists -- or repealing the law.
> It's censoring DNS. That's a bad precedent
France uses a sane legal system based on civil law, so precedents rarely matter. In this case the Sports Code says that piracy is bad and operators can be requested to block piracy websites if they're used and "harm" rights holders. That doesn't mean that tomorrow in a random case not related to sports piracy a judge can refer to that law and order censoring of other DNS entries.
Precedents aren't just in courts. People see something being done and then they want to do it too. If the law requires this then people who want to build systems that make it impossible would be in violation, which deters those systems from being built for the people who really need them.
> This appears to be blatant organized piracy.
What does online streaming have to do with unsanctioned boating activities.
> What's odious about copyright laws?
Their violation of our rights to freely share and improve on our culture.
> This also appears to be pretty much the gold standard of due process.
This doesn't mean the court's decision is any more defensible.
There is other alternative, such as: get rid of their DNS service entirely, or make a petition for changing these laws.
What good would getting rid of their DNS service do?
Making a petition to change the laws sounds like a great way of achieving nothing. It will certainly not mean you get to ignore the court orders.
Shutting down public DNS in France would be an option (a garbage option that nobody would actually choose in this case and that'd solve nothing, but an option nonetheless). That's not what dmitrygr was asking for though. They want big tech companies to ignore legitimate court orders to protect some scummy football pirate sites.
> a garbage option that nobody would actually choose in this case and that'd solve nothing, but an option nonetheless
It would be the ethically correct option.
Is a non-French company obligated to obey a French court order? I can probably name a few countries where most US companies won't enforce the court order from them
They have paying customers in France/they operate their business in France for a profit. Just because their headquarters aren’t there doesn’t make it a non-French related business.
The article is too thin to know what, if any fight was had.
I suspect France could find a way to make things very difficult for them all.
I suppose they could withdraw their service from the country in protest, but it's not obvious that would leave anyone better off.
It's a difficult call and I'm not prepared to harshly judge an organization for complying with a legal, enforceable injunction.
If you want to judge someone so badly, why not go after the politicians who are creating these despicable policies?
It's almost as if the headline isn't the whole story.
It's almost like that, but more like the headline was misleading.
Fixed now, although leaving out the court order is also misleading.
If anyone wants to suggest an accurate, neutral title that gets it all under the 80 char limit, we can change it again.
Asked ChatGPT, it came up with this
Court Orders Google, Cloudflare & Cisco to Poison DNS to Stop Piracy
Not bad - I've consed "French" onto it and put it above.
Google, Cloudflare, and Cisco will poison DNS to Block Piracy as Ordered by Court
Also, the country (france) is ordering the "poisoning", these american companies just comply with local regulations.
Heavily biased article.
Remember that dns/ip systems are decentralized at the national precisely so that countries have sovereignity.
The editorial line would have us believe that france is committing a free speech crime or overturning internet infrastructure, while in actuality they are exherting their national rights.
This is literally just a framing issue. Note first that people generally believe in universal human rights, e.g. states shouldn't be allowed to do horrible things (e.g. genocide) just because they would be asserting their national rights.
Further the action of a single state often influences other states, as is especially true when it comes to the internet which is global by nature.
If you are comparing genocide with blocking pirating websites, I'm out
The example is there to establish the principle – once you accept that sovereignty has limitations it's then just a question of which limitations you think are legitimate and which aren't. I think censoring pirate websites kind of isn't.
It’s a slippery slope. Once you start losing rights, how low can you go? Historically, governments will go very low. A bad election (which is a real risk now in France) and there you have a facist state.
I understand, I was being a bit too punishing.
That said genocide is categorically different than blocking websites. Slippery slope is well regarded as a fallacy.
I did mention that states can choose to go to war though. It is within reasonable realm that the US may overturn the orders of a French court when operating in their country, but it is an act of war. It is something you would do to prevent genocide, but not to allow frenchies to watch sports without paying.
Google runs widely used public DNS server 8.8.8.8
Cloudflare runs widely used public DNS server 1.1.1.1
That's my guess why these two companies were singled out.
Probably because HN limits titles to 80 characters, so OP had to choose one to get under the limit.
No, it's editorialising. The original title "Google, Cloudflare & Cisco Will Poison DNS to Stop Piracy Block Circumvention" is 77 characters.
They're the most respected / most surprising?
Respected by who?
Respect might not be the right word, but during their meteoric rise to popularity in the past decade they have consistently shouted “we don’t moderate content, we’re just a dumb pipe, don’t take this up with us take it up with the publisher!”
In the past 3 years or so they have repeatedly proven that to be a lie; they weren’t able to have their cake and eat it too. But their old reputation still sticks around amongst people who don’t follow the space that closely.
> In the past 3 years or so they have repeatedly proven that to be a lie; they weren’t able to have their cake and eat it too.
Yeah, this is what I was referring to, not sure about the reputation but they are still popular, that's for sure.
Doubtful.
One of the interesting technical questions is how these vendors will choose to reflect the forbidden DNS entries in protocols like DoH where they have a choice. For example a reasonable thing for a DoH server to say when asked a DNS question it has been forbidden to answer truthfully, is HTTP 451 Unavailable for Legal Reasons.
That would be a layer/protocol violation. The HTTP status codes used in DoH are used to discuss the semantics of the DNS query itself, unrelated to the DNS response. For example an NXDOMAIN response is still a 200, not a 404.
Edit: for what it’s worth, Google is doing this the “right” way in the DNS protocol itself, see: https://news.ycombinator.com/item?id=40698650
> The HTTP status codes used in DoH are used to discuss the semantics of the DNS query itself.
And the the response is that the server cannot faithfully answer the DNS query due to legal reasons.
The only provider here who is stated to have said they will be complying is Google, right? So not only is singling out cloudflare incorrect, the title itself is incorrect. “French court orders Cloudflare, Google, and Cisco to poison DNS to stop piracy block circumvention” is the correct title for the article contents, possibly with an addendum of Google saying it will comply.
It is times like this that I recommend technically inclined people to try setting up your own dns resolver and see how minimal impact a few/handful of milliseconds on first access has on the internet experience. Practically all popular domains also uses some form of anycast network, so the benefit of a single large shared resolver that caches the dns answers has steadily decreased each year.
Just make sure its not configured to be a public resolver, and only allow local network or whitelisted addresses.
Setting up your own recursive DNS resolver to circumvent ISP blocks is pointless unless you do so on a VPS or something, because otherwise, your ISP will just hijack the recursive queries it makes. And DNSSEC doesn't help if the ISP just wants to block you from learning the real IP.
> your ISP will just hijack the recursive queries it makes
This level of deep packet inspection and injection is not what ISPs commonly do in my experience. At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly? Might as well force people to set up a full tunnel (such as a VPN) to bypass the block, if your ISP or court order shows this level of motivation anyway.
Insofar as I've experienced these things: fetching the mapping yourself, from a server not operated by your ISP, will circumvent DNS blocks your ISP was ordered to put in place.
Currently I've got live access to one such blocking mechanism:
The +trace option makes dig trace the delegations from root server ("who is .org?") until authoritative answer ("who is piratebay.org?"), basically this makes it a recursive resolver whereas in the default case it just asks your configured nameserver.The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses
> At this point, it is much easier to just block the service's IP addresses than deep-inspect DNS traffic and match the query identifier and stuff to inject a false response. Why spend that engineering time when people will just fix the DNS server and can access the site directly?
Because IP addresses can change frequently, and also because if a site is behind a CDN, that would cause a lot of collateral damage.
> The first IP address is a block page (accessible from outside the network, if anyone wants to take a look), the second one of the real IP addresses
Okay, so your ISP's particular blocking mechanism doesn't hijack recursive queries. But others do.
Could you give a example of such ISP? I have seen ISP block all DNS traffic beyond to their own server, but those have been fairly locked networks like hotel wifi. It is much cheaper, safer, and less fragile to just block everything and force customers to the isp own servers. DPI and traffic injection carries risk of false positives and minor engineering mistakes can create large support costs, and would really only be beneficial if the intention is to hide the fact of the block.
> It is much cheaper, safer, and less fragile to just block everything and force customers to the isp own servers.
Sure, that's common too. But that also precludes you from running your own recursive resolver to circumvent their blocks.
I’ve heard this before. Is there a way to reliably detect if this is occurring or case studies of where this has occurred?
Edit: I assume dns over https prevents this also, right?
DNSSEC would reveal that it's happening straight away, but that doesn't get you the IP address.
Of course, as mentioned putting your recursive DNS server on a cheap VPS somewhere that doesn't hack your connection would.
Yes, DoH prevents that, unless the DoH provider is in on it too, which most of the major ones are now, as this article is about.
There are lots of providers that aren’t CloudFlare/Google/etc: https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-av...
(There’s lots of smaller providers, but lots operated by governments, ccTLD administrators, and other major organizations)
I only bring this up because the idea that the major providers “are” the internet is the only reason this is a possible and a problem in the first place.
DJB was right.
This was a big surprise for me when I set up a local DNS for work. Everything suddenly felt much snappier.
https://docs.pi-hole.net/guides/dns/unbound/
I personally have zero interest in streaming soccer games, but the process involved here does leave me wondering just how resilient 1.1.1.1/9.9.9.9 (which I use with https-dns-proxy because I basically don't trust the business side of my local telco/cable monopolies as far as I can throw them) really are in practice. I'm starting to feel like someone should bring back ORSN and throw some (cryptocurrency-free, old-school cypherpunk) Merkle tree or DHT magic on top of it or something.
I mean, there are already issues with 1.1.1.1 where archive.is/.vn/etc sites don't work. I know this is due to that site's admin specifically blocking cloudflare, but it already happens. The real answer is to run your own recursive DNS resolver. It's not for the complete technical novice but it's the same amount of work as setting up pihole and requires the same amount of low-spec hardware. I don't think this is out of reach for anyone who is already using a non-default DNS, since with the reconfigured images available it really isn't too much of a lift.
Could you please share names/links?
https://www.mic.com/articles/85987/turkish-protesters-are-sp...
Repressive governments have a history of legal orders telling Google to block protestors from accessing twitter.com but Google always refuses to comply. So their new policy of complying isn't about legality. France is a big market. Perhaps it's about money.
France is not a big market for Google.
The entire ad revenue market (desktop + mobile + social + ....) in France, in 2023, was 5.8 billion dollars (The spread in public sources data seems to be 5.0billion-6.2 billion, so i just took the high side)
1. Google made over $240 billion in ad revenue in 2023, so even if it had 100% of all ads revenue in France, France would only account for 2.5% of Google's revenue.
2. However, Google's share in France is nowhere close to 100%. Search + Display overall is currently sitting at 20-25% of the french ad revenue above (same sources). Let's assume Google has 100% market share in France in those areas.
Then France would account for about 1.25 billion dollars of revenue for google, or about 0.5 percent of Google's revenue. Which is not a lot.
But it's still something. Or it would be, except:
3. France has fined Google 224 million so far in 2024.
Google's margins are around 25%. So that 1.25 billion of revenue produces around 312.5 million of profit. Maybe less
Of which they've been fined 224 million :)
If Google gets fined in France again this year, it would probably be operating at a loss.
Uh, there's nothing in your link about a government ordering Google to block Twitter? Since you say this is a common occurence, I'm guessing it'll be easy for you to find a source that actually supports your claim.
I think the main point is that it's trivial for people to circumvent the DNS level block by simply finding new DNS servers (in this case something other than local ISPs, Google, CF etc... still many out there) by asking others or simple googling here and there, and in extreme cases, at a physical level as in the article.
I don't understand where you got that "main point" from; nothing in the GP's comment is about that or anything tangential to that.
I think it's quite obvious but YMMV.
If it is what public DNS providers do, then they should get a bad reputation and then people should not use them. People can make their own, and/or to just use IP addresses directly (or other methods) if they know what they are from other sources. You can also use the hosts file.
Total non-sense - just pushes people to use VPN or their own custom DNS which tunnels back to 1.1.1.1 or whatever.
Or just footybite.cc will become footybite1.cc, then footybite2.cc... so on. The people writing these laws are seemingly clueless about the internet. Or perhaps, the lawyers just don't care as they are getting paid.
How will users find the new domains? If they can reliability do so then dns is not needed in the first place. If not, then the laws are effective.
There are almost certainly aggregate sites that will share the new domains, messages boards, social media, instant messaging, etc. Word of the new domains will travel very quickly.
Hell, they could setup their own public DNS outside of France and suggest users use that. Users already switched from local/ISP DNS to Cloudflare / Google because of the previous law so that is not a big hurdle (ignoring the obvious security problem - many users won't care they just want to watch the game).
My point though is that these laws will be very easy to bypass just like most anti piracy laws before it. Note that The Pirate Bay is still up and running.
> Users already switched from local/ISP DNS to Cloudflare / Google because of the previous law so that is not a big hurdle (ignoring the obvious security problem - many users won't care they just want to watch the game).
In many cases it was browsers changing the used resolver behind the users back contrary to OS-wide settings.
Twitter and Wikipedia as a source to locate the actual dns address worked for the pirate bay back in the day, I assume if nothing else piracy sites would not be afraid to just use raw ip addresses.
Google and friends (literally, your friends will tell you).
"Hey leloctai, what's the new URL for <torrent_site>?"
Could be malicious compliance at any level. Maybe the judge likes to stream football too?
Most people don't want effective censorship and effective censorship is much more technically difficult as well as dangerous.
I'm happy for them to claim ignorance and implement easily circumventable blocks, rather than go full North Korea.
A great example of why you should be running your own validating recursor instead of relying on a third party
The problem is that if everyone does that, DNS no longer scales; or it should be done smartly with only recursing censored answers. And then it will escalate with IP-level blocking of root servers or NS servers of censored websites.
Can you elaborate on the validating part?
https://www.icann.org/resources/pages/dnssec-what-is-it-why-...
And how to enable it on `unbound` https://www.howtoforge.com/how-to-set-up-local-dns-with-unbo...
I’ve always been curious why dns is a go-to for oppressing unwanted websites. Is it truly difficult to block at an IP level? There would be collateral damage in doing so, but it wouldn’t take long for most VPS providers to dump piracy sites if the alternate is their entire network block being dropped.
A good amount of these websites are proxied by Cloudflare, so you're connecting to CF and CF connects to the website.
And many websites use CF, so if you were to block a CF IP, you'd block a whole bunch of websites.
In that case, what makes Cloudflare immune to court ordered blocks?
You've identified exactly the problem. They'd be blocking thousands of unrelated innocent websites. Also, changing your IP address is really easy.
That’s something cloudflare doesn’t want either. They wouldn’t even need to do it, just threatening to would have a financial impact on cf.
More likely the opposite. A site which is legal in the US or elsewhere but not in the EU would then have fewer options for finding a convenient host, even though it's perfectly legal in the country where it actually operates, because the EU would be exerting extrajurisdictional pressure on hosts by blocking all of their other customers. Those customers would then prefer a host large enough to resist that pressure, which is Cloudflare, because a country that tried to block them would break the internet in their country. And then Cloudflare would improve their reputation among customers by resisting an attempt to DoS a site which is legal where it operates.
Meanwhile it would do nothing to put the site offline regardless because there are more hosting companies than there are atoms in the universe and many of them serve primarily local clientele and wouldn't really care if they got blocked in a country where their customers aren't. They'd have to be blocking the majority of the total IPv4 address space before the site ran out of somewhere to move.
In Italy we gave rights to a private company to tell all ISPs what sites should be blocked by ip. Eventually, other websites go down when some cloudflare ip gets blocked
It is funny how the article lists the blocked websites and what content could be found there. Barbara strikes again.
are you not aware of torrentfreak?
I'm, but it is still funny.
This is a great opportunity for a VPN provider to come up with an extra product being a paid DNS resolver.
Mullvad has it and it's not even paid, it's free.
"A French court has ordered Google, Cloudflare, and Cisco to poison their DNS resolvers to prevent circumvention of blocking measures, targeting around 117 pirate sports streaming domains."
Most if not all of these domains probably use Cloudflare as their authoritative DNS servers because they are using Cloudflare CDN. Why not just ask Cloudflare to "poison" those RRs. No need to issue orders to a selection of cache operators.
Wonder why they don't just go after the DNS registrars for these domains, or the DNS root servers.
Because those are not under the French government's jurisdiction unlike responses served to French users. Many of the used TLDs are even explicitly under other countries' governance.
So, with 1.1.1.1 and 8.8.8.8 being useless then, what DNS Server is recommended going forward?
Personally I use quad9 (https://www.quad9.net)
Maybe opendns or nextdns?
Opendns is literally cisco umbrella with less features. Which is one of the companies in the title.
Well that could be considered a pretty useful list
I’d just add the IPs to my LMHOSTS file (Windows) if I really wanted to watch sports badly enough. I mean, I was doing that back in the day for local development anyway.
A new law requires plant shops to stop selling poisonous plants. If people really want to grow these plants they will find a way. Nature still exists.
Theft is theft, don't matter if it's irl or online. As a developer who periodically witnesses users spending hours trying to circumvent 1 dollar payments I think that the time has come for the piracy culture to end. And I used to do piracy too
Copyright infringement is not theft -- false comparison.
Also, have you considered how likely the people who are trying to get around your payment would be to pay up if they didn't find a way? If what you say about how long they try is true, I'd say the chance is extremely close to 0%.
That's the dirty secret of the anti-piracy campaigns of rightsholders. The "lost sales" narrative is a load of made-up horseradish, and they know it.
There are many such local laws limitations that big techs have to bow to (that smaller obscure companies choose not to). For example, Google won't offer its VPN service as part of Google One in India. Whereas, proton/mullvad works just fine.
Is there some decentralized anti-censorship technology that can prevent this type of action, where ISPs and DNS providers and other points of centralization are forced to implement things on behalf of other parties (like Canal+ or a government)?
Well there are a couple of ways one can do this!
1. Recursively lookup DNS, so domains will have to be blocked at the registrar level, since DNS is unencrypted, it can be blocked at ISP level as well.
2. Use a protocol alternative to DNS, a good mature example is GNS. It aims to replace DNS, with a built from group up, modernish protocol. Using a DHT and public-key cryptography.
3. There are "block chain" solutions to the whole domain problem, look at Handshake, ENS etc.
No.
No matter how decentralized something is, ultimately you need to have a server and cables connecting it to the internet located somewhere. That somewhere will be within some legal entity or sovereign's jurisdiction which you must answer to and comply with.
As long as the protocol is easy to detect and block.
If whatever technology that is being used is so intertwined into the base of all use cases (including totally legal) and legal vs. illegal is practically indistinguishable at scale, then decentralization cannot be blocked without physically blocking all the legal use cases too: sure they can "cut cables" but it will have much more greater consequences as they have just cut cables connecting all the legal activity too.
I mean, this is literally a case of killing off the general infrastructure to stop illegal activities.
DNS can be used for both legal and illegal purposes, and the French courts authorized dropping nukes on them to stop illegal activities with no damns given to the legal because the laws cited provided no such safeguards or reservations.
Have you ever used Tor?
Decentralized and global consensus are contradictory properties, in order to have an otherwise arbitrary ASCII string resolve to a particular machine EVERYWHERE, you need a central authority to say who's who.
If you just want to prevent other central authorities (e.g. France) from barging in on the existing central authorities your computer expects to get answers from (e.g. ICANN, Verisign etc) there are plenty of projects for semiuncensoring DNS in a distributed way. But nobody is stopping, say, the US from doing to ICANN or Verisign what France is doing to CloudFlare and Google.
> Decentralized and global consensus are contradictory properties
That's literally what blockchain solves. ENS (Ethereum Naming Service) already does this.
The ethereum block chain is centralized - it may not have a geographical location, but there's still only one of it. In a global partition there become zero of it (only two incorrect fragments), not two of it.
Other people have even argued that blockchains are states - as in governments, not as in distributed state replication protocols.
So, looks like there's a market for non-censoring public DNS providers. Any recommended providers?
So if you're using something like a pihole, and provided you're not using any of the mentioned companies, your go to go?
AFAIK pihole still relies on an external recursive resolver (at least by default), so you'd still be subject to whatever blocks your ISP/cloudflare/google imposes.
Couldn't Cloudflare route these DNS queries outside the country, and therefore not be subject to French laws?
They could, but it would be weird. They use anycast for their DNS, so it will land on the French server before they know what the query is. There isn't really a way to tell a client, "no go to another server with the same IP address". But also they still want all the other French traffic to go to the French servers for performance reasons, so they wouldn't want to send all French traffic outside the country.
That's easy to circumvent.
A VPS host running DNS resolver and point your boxes to it.
You're welcome.
Unless France starts blocking DNS port 53/udp and 53/tcp and start whitelisting DNS servers ... :-/
This would be the point where DNS over HTTPS would save the day if it had more widespread adoption..
And ultimately DNS over TCP should it further devolves into.
No mention in dns0.eu, which is what I use and also hosted in the EU.
I'm sure that will work.
(too bad HN can't load my sarcasm font)
If you need to poison the DNS by court order. Can you also just poison the requestees DNS entries? E.g. Canal+ own websites?
That is really good point. The court is basically giving them permission to do this, by asking them to not have net neutrality.
Childishness aside, this is a dumb idea because it's going to piss off more users than appease. Most don't care about the struggle for internet freedom or whatever, and just want their sites to work. For them blocking legitimate sites a sign that their ISP is broken, especially when their friends/colleges report that it's working fine on their connections. Moreover blocking illegal streaming sites is court sanctioned whereas blocking the plaintiff's sites is not, and likely expose them to getting sued for tortious interference or similar.
You could just redirect it to the page they need to show for the bad sites :)
I'm not sure how that's any less childish/tortious interference. At the end of the day you're still unilaterally deciding to interfere with some company's website.
absolutely appalling on France here
Only in France?
[dead]
[flagged]
Rampant? Read the article before commenting, they are talking about 800 people in the whole of France.
It's clearly not about severity, but about control. They would try the overreach even if there is no damage to be found (like using ridiculous "this is the money we lost" calculations).
>Rampant? Read the article before commenting, they are talking about 800 people in the whole of France.
800 is the figure given by google's attorney for people that would be affected by the block enforced by public DNS servers, not the total amount of "rampant piracy" that's going on.
Logical extensions of this principle:
* Domestic abuse is the victim's fault because they shouldn't have made their partner angry. * The Chinese GFW is the fault of the people who criticized the government. They shouldn't criticize the government. * Israel indiscriminately bombing Gaza is the fault of the Gazans who fought back the last time Israel did that. * The Holocaust is the Jews' fault for not fleeing the country sooner.
I don't think it's a good principle.
>* Domestic abuse is the victim's fault because they shouldn't have made their partner angry. * The Chinese GFW is the fault of the people who criticized the government. They shouldn't criticize the government. * Israel indiscriminately bombing Gaza is the fault of the Gazans who fought back the last time Israel did that. * The Holocaust is the Jews' fault for not fleeing the country sooner.
Except in all those cases, you can vaguely make the case that the "victims" were in the right (eg. the right to be not physically assaulted). It's far more questionable to claim that people have the right to free live sports streaming.
Doesn't matter. Even if you have no right to be annoying, being annoying doesn't justify punching you in the face. Even if you have no right to kill 100 people, killing 100 people still doesn't justify killing 50000 people. Even if you have no right to watch sportsball, watching sportsball doesn't justify shutting down the Internet.
>Even if you have no right to be annoying, being annoying doesn't justify punching you in the face.
Being "annoying" however does justify you being escorted off the premises, which is probably closer to what's happening to those streaming sites than being "punched in the face".
>Even if you have no right to watch sportsball, watching sportsball doesn't justify shutting down the Internet.
Get a grip. Returning incorrect IPs for several known illegal stream websites is hardly "shutting down the Internet", any more than arresting a bunch of belligerent protesters is enacting a police state.
Alternative title:
French courts order American DNS providers to block unlicensed sports streaming websites.
*American multinationals
Your claim would make sense if they had no operations in France, but I highly doubt that's the case. If you operate in those countries, you have to comply with their laws. The fact that your company is incorporated elsewhere is irrelevant.
I agree. It would be pretty wild for courts to issue an order for something outside french soil.
While refuting the fact that said unlicensed streaming websites are not hosted on American DNS servers.
I wonder if it's possible to just use Yandex DNS. Russia won't comply obviously.
Also, Yandex search is the best for certain search queries that google and American companies want/forced to remove.
With this DNS provider, I would be equally if not more worried about what the Russian government forces Yandex to block or censor.
Just add 1.1.1.1 as the second dns server
> rightsholders can demand “all proportionate measures likely to prevent or put an end to this infringement, against any person likely to contribute to remedying it.”
Rightsholder: "Let's see, life insurance payouts are €1M and we are losing at least €50M to these sites, so..."
This looks like such a non issue to be honest. Government branches should have technical and legal capabilities to block domestic and foreign hosts. Legitimate foreign service providers, should either comply with local government, cease operations in that country, or be prepared for war.
Wouldn't China's GFW be considered a good thing by that argument?
Not a fan of categorizing stuff as good or bad.
But yes, countries should have control over their borders, both physical and digital.