DNSFilter CEO Reacts to France’s “Bill to Secure and Regulate the Digital Space”
by Ken Carnesi on Sep 21, 2023 9:30:00 AM
At the end of June, Vint Cerf, one of the "fathers of the internet," published an article on Medium in response to a bill drafted by the French government. You can read the original French proposal here, but we'll also include a version translated into English at the bottom of this article.
First, let me provide a quick summary of what the bill is proposing:
Spurred on by the proliferation of cyber threats and attacks, the government of France is proposing a policy that would require DNS content blocking of all domains found to be a threat—specifically it is worded as domains that are “a threat to national security” in France. This would be a government-controlled initiative, dependent on what France defines as a “threat” and who they determine should be responsible for making sure that threat content is blocked.
There are currently many unknowns around this proposed bill, which I’ll do my best to discuss here. But one of the unknowns is why they have zeroed in on DNS as the main conduit for threat mitigation.
In the past, I've been very open about my stance on the responsibilities of DNS resolvers when it comes to "policing the internet" (for example, around the 2021 injunction against Quad9). While this topic is slightly different from the Quad9 case, and in some ways more nuanced since we are talking about malicious web content, I thought it was appropriate to finally chime in on it.
The challenges of responsibility
“DNS blocking does not remove illegal or malicious content from the Internet. It simply prevents DNS servers from directing users to it,” Cerf writes in his article.
Protective DNS is an important layer in any security stack, and absolutely critical, but it does not remove this content from the internet. If removal is France's goal, it needs to look elsewhere for the parties responsible for malicious content.
So who is ultimately responsible? There is really only one person or group responsible: the threat actor(s). But in this instance, they are not the ones being held accountable.
There are plenty of other players in the mix. Moving down the chain, there are several parties who are in a position to assist in mitigation:
- Registrars (GoDaddy, Namecheap, and many others), which sell domain registrations
- Registries, often overlooked in these conversations, which actually operate the TLD zones that registrars sell registrations in
- Recursive DNS providers, companies like DNSFilter, which perform the actual resolution for end users and can apply filters that block or allow particular domains
- Authoritative DNS providers, which run the servers holding the official source-of-truth records for a zone
- The domain holder (registrant), the person or organization that purchased the domain from the registrar, who is often innocent and the victim of a threat campaign
- Finally, the Internet Service Provider (ISP), a company like Comcast or Verizon, which typically also runs the recursive resolver its subscribers use by default
Now that we understand all the parties involved, I want to dive into the issues and complexities this bill raises.
Where is the harm?
Cerf acknowledges that “Article 32 of the LPM and Article 6 of the Digital Bill do not distinguish between DNS services provided by ISPs, which are typically limited to a specific geography, and open DNS resolvers, which provide universal resolution services regardless of user location.”
This issue is a sticking point with me, as it also came up with SOPA and the Quad9 injunction. Global DNS resolvers could be on the hook for blocking “threats” (as defined by the French government) in order to be in compliance with France and do business there. But this introduces a whole new level of complexity. Using DNSFilter as an example, we see a few possible outcomes:
- We block everything deemed a “threat” by France for all of our customers;
- We create geographically-specific content filters that only apply to users within France;
- France places a geo-fence around itself, meaning DNSFilter must either apply the French filter based on the geolocation of each client's source IP or stand up dedicated anycast nodes inside France; or
- DNSFilter can no longer do business in France.
The first option is easy to implement, but could frustrate customers worldwide if what France categorizes as a "threat" differs from how our other customers define one. The second option would require an enormous amount of resources and extra work on our part. The same goes for option three, where France would force our hand to address the issue with dedicated infrastructure, and any geolocation-based approach is only as accurate as the client's source IP, which VPNs and roaming users defeat. Neither solution is ideal. And obviously, being put in a position where we no longer do business in France is not something we want.
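To make the options above concrete, here is an added example, written for this article rather than taken from DNSFilter's product or from the bill, of a resolver policy layer in Python. It models option one versus option two as a `scope` switch: mandated blocks apply either to every client or only to clients whose source IP falls in French address space. It also models the per-customer, opt-in category blocking and research exemption described later in this article, and the redirect-to-a-secure-server measure and its two-month limit that appear in II 1° and III of the translated article. The "French" prefixes, threat feed, mandate, customer and client addresses are all constructed test data, not real allocations or intelligence, and the 61-day bound is an assumption about how "two months" would be implemented.

```python
"""Added example: resolver policy layer modelling the options discussed above.
Not DNSFilter's code; every address, domain and feed entry below is constructed."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed: documentation prefixes standing in for French address space.
FR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("2001:db8:f::/48")]
TWO_MONTHS = 61 * 86400  # assumption: the "two months" bound of III, in seconds


@dataclass
class Mandate:
    """One block/redirect order from the (hypothetical) national authority."""
    domain: str
    redirect_to: Optional[str]  # authority's "secure server" IP, or None for a plain block
    issued_at: float
    duration: float = TWO_MONTHS

    def active(self, now: float) -> bool:
        # A redirect measure cannot run longer than two months (III).
        return now < self.issued_at + min(self.duration, TWO_MONTHS)


@dataclass
class Customer:
    """Per-tenant policy: categories the customer opted to block, plus a research bypass."""
    name: str
    blocked_categories: Set[str] = field(default_factory=set)
    research_clients: Set[str] = field(default_factory=set)  # client IPs exempt from category blocks


@dataclass
class Decision:
    action: str  # "resolve", "block" or "redirect"
    reason: str
    target: Optional[str] = None  # redirect address when action == "redirect"


class PolicyEngine:
    def __init__(self, threat_feed: Dict[str, str], scope: str = "fr"):
        self.threat_feed = threat_feed  # domain -> category, the provider's own intel
        self.scope = scope  # "fr": mandates hit French clients only; "global": every client
        self.mandates: Dict[str, Mandate] = {}

    def add_mandate(self, m: Mandate) -> None:
        self.mandates[m.domain.rstrip(".").lower()] = m

    def lift_mandate(self, domain: str) -> bool:
        """Threat neutralised or false positive: end the measure without delay."""
        return self.mandates.pop(domain.rstrip(".").lower(), None) is not None

    @staticmethod
    def in_france(client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in FR_PREFIXES)

    @staticmethod
    def _candidates(qname: str) -> Iterable[str]:
        """qname and each parent below the TLD, so evil.example also covers www.evil.example."""
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels) - 1):
            yield ".".join(labels[i:])

    def decide(self, qname: str, client_ip: str, customer: Customer,
               now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        # 1. Mandated measures first: the draft grants no researcher exemption.
        if self.scope == "global" or self.in_france(client_ip):
            for name in self._candidates(qname):
                m = self.mandates.get(name)
                if m is not None and m.active(now):
                    if m.redirect_to:
                        return Decision("redirect", f"mandate:{name}", m.redirect_to)
                    return Decision("block", f"mandate:{name}")
        # 2. Provider intel, limited to categories the customer chose and
        #    bypassed for clients the customer registered as researchers.
        if client_ip in customer.research_clients:
            return Decision("resolve", "research-exemption")
        for name in self._candidates(qname):
            category = self.threat_feed.get(name)
            if category in customer.blocked_categories:
                return Decision("block", f"category:{category}")
        return Decision("resolve", "no-match")


def demo_engine() -> Tuple[PolicyEngine, Customer, float]:
    """Constructed scenario: one French mandate, one customer blocking malware only."""
    t0 = 1_700_000_000.0
    engine = PolicyEngine({"malware.example": "malware", "phish.example": "phishing"})
    engine.add_mandate(Mandate("evil.example", "203.0.113.10", issued_at=t0))
    acme = Customer("acme", blocked_categories={"malware"},
                    research_clients={"198.51.100.7", "192.0.2.77"})
    return engine, acme, t0


if __name__ == "__main__":
    engine, acme, t0 = demo_engine()
    for qname, ip in [("www.evil.example", "192.0.2.5"), ("www.evil.example", "198.51.100.9"),
                      ("malware.example", "198.51.100.9"), ("malware.example", "198.51.100.7")]:
        print(qname, ip, engine.decide(qname, ip, acme, now=t0 + 1))
```

Two behaviours are worth noticing. The research exemption is checked only after the mandate, because the draft text makes no exemption for researchers, so a registered research client in France still gets the redirect. And a client arriving from a non-French address, which is exactly what a VPN egress provides, never hits the French mandate at all under the geo-scoped option.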
But let’s step away from the question of implementation and instead address the issues with making this a requirement at all.
At DNSFilter, we do not automatically block threats. We enable our end users to choose which threat categories they want to block. There are a number of reasons we do this, but one of them is to avoid interfering with threat research. Threat researchers, whether our own, France's, or someone else's, need some level of access to the threats they are investigating. Under this proposal, those domains would have to be blocked, which would stifle that research.
Without this access, how will threat researchers in France be able to complete full investigations? The ability to quickly respond to a cybersecurity incident will likely be further hampered by this, as certain access necessary for RCA (Root Cause Analysis) may be withheld or compromised.
And one more time I'll come back to the question of how France will determine whether a "threat" is a "threat". On the heels of Cerf's article, almost as if to prove his point that such a system could be used for broader internet control, French President Emmanuel Macron suggested blocking social media during a time of political unrest.
What protections would be in place to stop a leader from leveraging this new DNS blocking system to block things outside of the designation of a “threat”? Especially when the aim is not necessarily to block malicious domains but threats to national security. How is a threat to France’s national security defined? What case could they make to get social media taken down in the name of national security—or any other sites for that matter?
This proposed legislation doesn’t make room for free speech, but instead it could be wielded to block free speech under the guise of national security.
On that note, I have a few more questions…
In no particular order, here is a list of questions I still have about this bill and how the French government intends to act on its idea of blocking all malicious content:
- How will they define “threats” and where will that data come from?
- Will that list be publicly available, or will DNS resolvers and other responsible parties need to opt in to request that data?
- Will there be exemptions for threat researchers in France, or will all threat data be outsourced?
- How will they handle the problem of bypass via VPN?
- How will organizations who facilitate DNS be held accountable, and will there be a difference in how the various organizations are treated in any failure to comply with the blocking mandate?
- How does a domain reverse its designation of “threat” to become accessible again? This is particularly important for false positive cases.
- On that note: What happens if France wants whatever provider they designate to block a domain that turns out to be a false positive? How can the provider petition to get the false positive removed, and what are the repercussions of allowing a false positive in the first place?
- What does this mean for the surveillance of French citizens?
- Who is responsible for paying the infrastructure costs necessary to make this happen?
There are many unanswered questions, and still much left undefined or unclear in this proposed bill. We’ll keep an eye on it as it unfolds, and hopefully learn more about how this might work.
However, the best action for France to take in my opinion is to drop this bill and work more closely with companies working to stop cyberattacks at the source and take down these bad actors.
As this proposal stands now, it would be very difficult for DNSFilter to offer our services to customers, current and potential, inside France. Such actions would limit the capabilities of any global cybersecurity offerings from any industry leaders, and would severely hinder the detection and prevention of any threat campaign targeted exclusively inside French borders.
As promised, here is the translation:
Information systems security
After Article L. 2321-2-2 of the Defense Code, an Article L. 2321-2-3 is inserted as follows:
" Art. L. 2321-2-3. – I. – When it is found that a threat likely to harm national security results from the use of a domain name without the knowledge of its holder who registered it in good faith, the national information systems security authority may ask this holder to take the appropriate measures to neutralize this threat within the time limit it sets.
“In the absence of neutralization of this threat within the time limit, the national authority may request:
"1° A person mentioned in 1 or 2 of I of Article 6 of Law No. 2004-575 of June 21, 2004 on confidence in the digital economy that carries on the activity of a domain name resolution system provider within the meaning of Article L. 2321-3-1 of this code, to block the domain name;
"2° The registry mentioned in Article L. 45 of the Postal and Electronic Communications Code, or a registrar established on French territory mentioned in Article L. 45-4 of the same code, to suspend the domain name.
“When the holder of the domain name provides elements establishing that the threat has been neutralized, the national authority requests that the measures taken pursuant to 1° or 2° be terminated without delay.
“II. – When it is found that a threat likely to affect national security results from the use of a domain name registered for this purpose, the national information systems security authority may request:
"1° A person mentioned in 1° of I to block the domain name or redirect it to a secure server of the national authority or to a neutral server;
"2° The registry or registrar mentioned in 2° of I to register, renew, suspend or transfer the domain name. At the request of the national authority, the registration data is not made public.
“III. – The measures provided for in I and II are taken by the persons mentioned in 1° and 2° of I and II within a time limit, set by the national authority, which may not be less than forty-eight hours.
"They are implemented for the duration and to the extent strictly necessary and proportionate in their effects to the preservation of the integrity of the network, to the characterization and neutralization of the threat and to the information of the users or holders of the systems affected, threatened or attacked.
“The measures for redirecting a domain name to a secure server of the national authority taken for the purpose of characterizing the threat cannot exceed a period of two months. They can be renewed once in the event of persistence of the threat, after an assent of the Authority of the regulations of the electronic communications, the posts and the distribution of the press. They end immediately when the threat is neutralized.
“Measures other than those provided for in the preceding paragraph are subject to the control of this authority under the conditions provided for in I of Article L. 36-14 of the Post and Electronic Communications Code.
“IV. – Data directly useful for characterizing threats, collected by the national information systems security authority in application of II, may not be kept for more than ten years. The other data collected are destroyed without delay when they are not useful for characterizing the threat, with the exception of data allowing the identification of the users or holders of the threatened information systems, who may be informed by the national authority, where applicable after implementation of the first paragraph of Article L. 2321-3.
"V. – A Conseil d'Etat decree, taken after consulting the Regulatory Authority for Electronic Communications, Posts and Press Distribution, specifies the terms of application of this article as well as the terms of compensation for the identifiable and specific additional costs of the services provided in this respect, at the request of the State, by the persons mentioned in 1° and 2° of I and II of this article. »
After Article L. 2321-3 of the Defense Code, an Article L. 2321-3-1 is inserted as follows:
" Art. L. 2321-3-1. – For the purposes of information system security and for the sole purpose of detecting and characterizing computer attacks, electronic communications operators and domain name resolution system providers transmit to the individually designated and specially authorized agents of the national information systems security authority the non-identifying technical data temporarily recorded by their servers managing the domain name system.
“For the purposes of the first paragraph, domain name resolution system provider means any person providing a service allowing the translation of a domain name into a unique number identifying a device connected to the Internet.
“The data collected is neither directly nor indirectly identifying and may only be used for the sole purposes mentioned in the first paragraph, to the exclusion of any other use.
"A Conseil d'Etat decree, taken after consulting the Regulatory Authority for Electronic Communications, Posts and Press Distribution, sets the terms and conditions for the application of this article. In particular, it determines the technical data collected by the agents of the national information systems security authority. »
After Article L. 2321-4 of the Defense Code, an Article L. 2321-4-1 is inserted as follows:
" Art. L. 2321-4-1. – In the event of a significant vulnerability affecting one of their products, or of a computer incident compromising the security of their information systems that is likely to affect one of their products, software publishers notify the national information systems security authority of this vulnerability or incident, together with an analysis of its causes and consequences. This obligation applies to publishers who provide this product:
“1° On French territory;
“2° To companies having their registered office on French territory;
“3° Or to companies controlled, within the meaning of Article L. 233-3 of the Commercial Code, by companies having their registered office on French territory.
“Software publishers inform users using this product as soon as possible. Failing this, the national information systems security authority may order software publishers to provide this information. It can also inform users or make this vulnerability or incident public, as well as its injunction to publishers if it has not been implemented.
“A Conseil d’Etat decree sets the terms and conditions for the application of this article. »
The Defense Code is amended as follows:
1° Article L. 2321-2-1 is replaced by the following provisions:
" Art. L. 2321-2-1. – When it becomes aware of a threat likely to undermine the security of the information systems of the public authorities, of the operators mentioned in Articles L. 1332-1 and L. 1332-2 of this code or of the operators mentioned in Article 5 of Law No. 2018-133 of February 26, 2018 on various provisions for adaptation to European Union law in the field of security, the national information systems security authority may deploy, on the network of an electronic communications operator, on the information system of a person mentioned in 1 or 2 of I of Article 6 of Law No. 2004-575 of June 21, 2004 on confidence in the digital economy, or on that of a data center operator:
“1° Devices implementing technical markers;
"2° Or, after obtaining the assent of the Regulatory Authority for Electronic Communications, Posts and Press Distribution, devices allowing the collection of data on the network of an electronic communications operator, on the information system of a person mentioned in 1 or 2 of I of Article 6 of the law of June 21, 2004 mentioned above, or on that of a data center operator affected by the threat.
"These systems are implemented for the duration and to the extent strictly necessary to characterize the threat and for the sole purpose of detecting and characterizing events likely to affect the security of the information systems of public authorities, operators mentioned in articles L. 1332-1 and L. 1332-2 of this code or in article 5 of the law of February 26, 2018 mentioned above and public or private operators participating in the information systems of these entities.
"The agents of the national information systems security authority, individually designated and specially authorized, are authorized, for the sole purpose of preventing and characterizing the threat affecting the information systems of the entities mentioned in the first paragraph, to collect and analyze only the relevant technical data, to the exclusion of any other use.
“Data directly useful for the prevention and characterization of threats cannot be kept for more than two years. The other data collected by the devices mentioned in 1° are immediately destroyed and those collected by the devices mentioned in 2° of this article are destroyed without delay when they are not useful for characterizing the threat.
“A Conseil d’Etat decree defines the terms of application of this article. » ;
2° In Article L. 2321-3:
a) In the first paragraph, the words "and sworn" are deleted and, after the second occurrence of the word "electronic,", the words "and the persons mentioned in 2 of I of Article 6 of Law No. 2004-575 of June 21, 2004 on confidence in the digital economy, pursuant to II of the same article," are inserted;
b) The last two paragraphs are replaced by the following provisions:
"When the national information systems security authority is informed, pursuant to Article L. 33-14 of the Postal and Electronic Communications Code, of the existence of an event affecting the security of the information systems of a public authority, of an operator mentioned in Articles L. 1332-1 and L. 1332-2 of this code, of an operator mentioned in Article 5 of the law of February 26, 2018 mentioned above, or of a public or private operator participating in the information systems of one of the entities mentioned in this paragraph, the agents mentioned in the first paragraph of this article may obtain from electronic communications operators the technical data strictly necessary for the analysis of this event. This data may only be used for the sole purpose of characterizing the threat affecting the security of these systems, to the exclusion of any other use. It cannot be kept for more than ten years.
“The identifiable and specific additional costs of the following services carried out at the request of the national information systems security authority are compensated according to the procedures provided for by decree in Council of State:
“- the services provided by electronic communications operators pursuant to the first paragraph, in accordance with the procedures provided for in VI of Article L. 34-1 of the Postal and Electronic Communications Code, and the second paragraph of this article;
“- the services provided by the persons mentioned in 2 of I of article 6 of the law of 21 June 2004 mentioned above. » ;
3° In article L. 2321-5, the words: “of article L. 2321-2-1 and of the second