In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to build a dystopian technical capability. Article 6 (para II and III) of the SREN Bill would oblige browser providers to create the means to mandatorily block websites that appear on a government-provided list. Such a move would overturn decades of established content moderation norms and hand authoritarian governments a playbook that would negate the usefulness of censorship circumvention tools.
While motivated by a legitimate concern, this move to block websites directly within the browser would be disastrous for the open internet and disproportionate to the goals of the legal proposal – fighting fraud. It will also set a worrying precedent and create technical capabilities that other regimes will leverage for far more nefarious purposes. Leveraging existing malware and phishing protection offerings rather than replacing them with government provided, device level block-lists is a far better route to achieve the goals of the legislation.
The rest of this post gives a brief overview of the current state of phishing protection systems in browsers, explains how industry practice differs from what the draft law proposes, and suggests alternatives that would achieve the goals of the legislation in a less extreme manner.
Browsers and Phishing Protection Systems
Browsers have played a critical role in the growth of the web by serving as user agents that mediate our experiences with the internet. This role, which Mozilla has been an integral actor in for over 25 years via Firefox, is based on some fundamental presumptions that enable browsers to focus on serving the interests of their users while keeping content regulation decisions further up the chain with either network intermediaries (such as ISPs) or service providers (websites).
The two most widely used malware and phishing protection systems in the industry are Google's Safe Browsing and Microsoft's SmartScreen; Mozilla (along with Apple, Brave, and many others) uses Google's Safe Browsing. The Safe Browsing service has existed since at least 2005 and, by Google's account, currently protects close to half the world's online population across many devices and applications. It covers malware, unwanted software, and social engineering (phishing and other deceptive sites). Its inclusion policies are broad and fairly robust, and the service is available via a free API, which makes it a cost-effective way for organisations to protect users.
Firefox has used Google's Safe Browsing for more than a decade, through its own privacy-preserving implementation: the browser keeps a local list of short hash prefixes, compares visited URLs against it on the device, and only when a prefix matches does it ask the service for the corresponding full hashes, so the URLs a user visits are never sent to the list provider. This protects user privacy while still preventing users from becoming victims of malware and phishing. Users can also turn the feature off at any time, leaving them in control of their experience on the web.
It might seem that current malware and phishing protection practices are not so different from the French proposal. That is far from the truth. The key difference is that these systems do not block websites: they warn users about the risk and let them proceed to the site if they choose to accept it. No such language appears in the current proposal, which is focused on blocking. Nor does it contain any reference to privacy-preserving implementations or to safeguards that would prevent the capability from being used for other purposes. In fact, a government being able to mandate that a given website not open at all in a browser or on a system is uncharted territory; even the most repressive regimes in the world have so far preferred to block websites further up the network (at ISPs, for example).
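To make the two differences concrete, here is an added illustration in Python. It is not Firefox, Safe Browsing or SmartScreen code; the list-server class, the sample blocklist entry `phish.example/login` and the three modes (`"warn"`, `"block"`, `"off"`) are constructed for the example. It follows a simplified form of the Safe Browsing lookup rules (host suffixes crossed with path prefixes, 4-byte SHA-256 prefixes checked on the device, full hashes fetched by prefix only) and shows how an interstitial that can be clicked through differs from a hard block, and how disabling the feature bypasses the lookup entirely.

```python
import hashlib
from enum import Enum
from urllib.parse import urlsplit

PREFIX_LEN = 4  # Safe Browsing lists commonly ship 4-byte SHA-256 prefixes


def lookup_expressions(url: str) -> list[str]:
    """Host-suffix x path-prefix combinations the client hashes locally.

    Simplified from the Safe Browsing lookup rules: the exact host plus up to
    four suffixes (taken from the last five labels, never the bare TLD),
    crossed with the path incl. query, the path, its parent directories, "/".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [host]
    for k in range(min(len(labels), 5), 1, -1):
        suffix = ".".join(labels[-k:])
        if suffix not in hosts:
            hosts.append(suffix)
    paths = [f"{path}?{parts.query}"] if parts.query else []
    paths.append(path)
    segs = path.split("/")[1:]
    for i in range(len(segs) - 1, -1, -1):
        paths.append("/" + "/".join(segs[:i]) + ("/" if i else ""))
    paths = list(dict.fromkeys(paths))  # dedupe, keep order
    return [h + p for h in hosts for p in paths]


def sha256(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()


class ListServer:
    """Constructed stand-in for a list provider (not Google's or Mozilla's code).

    It hands out prefixes in bulk and answers full-hash queries by prefix only,
    so it never learns which URL the client is actually visiting.
    """

    def __init__(self, bad_expressions):
        self.full: dict[bytes, set[bytes]] = {}
        for expr in bad_expressions:
            digest = sha256(expr)
            self.full.setdefault(digest[:PREFIX_LEN], set()).add(digest)
        self.seen_queries: list[bytes] = []  # everything the server ever received

    def prefixes(self) -> set[bytes]:
        return set(self.full)

    def full_hashes(self, prefix: bytes) -> set[bytes]:
        self.seen_queries.append(prefix)
        return self.full.get(prefix, set())


class Verdict(Enum):
    SAFE = "safe"
    WARN = "warn"    # interstitial shown; the user may click through
    BLOCK = "block"  # page never loads; no override offered


def evaluate(url: str, local_prefixes: set[bytes], server: ListServer,
             mode: str = "warn") -> Verdict:
    """mode: "off" (user disabled the feature), "warn" (industry practice)
    or "block" (what a mandatory, non-overridable list would require)."""
    if mode == "off":
        return Verdict.SAFE
    digests = [sha256(e) for e in lookup_expressions(url)]
    candidates = [d for d in digests if d[:PREFIX_LEN] in local_prefixes]
    if not candidates:
        return Verdict.SAFE  # the common case: decided entirely on-device
    # A prefix match may be a collision; confirm it with full hashes, sending
    # only the colliding prefix(es), never the URL, to the server.
    confirmed = any(d in server.full_hashes(d[:PREFIX_LEN]) for d in candidates)
    if not confirmed:
        return Verdict.SAFE
    return Verdict.WARN if mode == "warn" else Verdict.BLOCK


def user_can_proceed(verdict: Verdict) -> bool:
    return verdict is not Verdict.BLOCK


# Constructed sample data: one phishing path on a hypothetical domain.
SERVER = ListServer(["phish.example/login"])
LOCAL_PREFIXES = SERVER.prefixes()  # what a client would have downloaded

if __name__ == "__main__":
    for url in ("https://accounts.phish.example/login?next=/",
                "https://www.mozilla.org/en-US/firefox/"):
        for mode in ("warn", "block", "off"):
            v = evaluate(url, LOCAL_PREFIXES, SERVER, mode)
            print(f"{mode:5} {url:45} -> {v.value:5} proceed={user_can_proceed(v)}")
    print("server saw only prefixes of length", {len(q) for q in SERVER.seen_queries})
```

The point of the example is the last two branches of `evaluate`: the same list and the same match yield either a warning the user can dismiss or a page that never loads, and the choice between them is policy, not technology. Once a browser ships the `"block"` branch, any list fed into it is enforced without a user in the loop.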
Forcing browsers to create capabilities that enable website blocking at the browser level is a slippery slope. While it might be used only against malware and phishing in France today, it would set a precedent and leave behind, in the browser itself, a technical capability for whatever a government might later want to restrict or criminalise in its jurisdiction. A world in which browsers can be forced to incorporate a software-level list of banned websites that simply do not open, whether in one region or globally, is a worrying prospect that raises serious concerns around freedom of expression. If the bill passes into law, the precedent it sets would make it much harder for browsers to reject such requests from other governments.
Better Solutions Exist
Rather than mandate browser-based blocking, we think the legislation should focus on improving the mechanisms browsers already use, namely services such as Safe Browsing and SmartScreen. The law should instead establish clear yet reasonable timelines within which major phishing protection systems must handle legitimate inclusion requests from authorised government agencies. All such requests should be based on a robust set of public criteria limited to phishing and scam websites, be subject to independent expert review, and come with a judicial appeal mechanism for cases where a provider rejects an inclusion request. Such a legal framework would create a balanced coordination mechanism, rather than a website blocking regime, and would protect users not just in France but around the world. Leveraging protections already present in billions of devices and applications to fight fraud is a far more effective way forward than reinventing the wheel with browser-based website blocking, and a ticking time bomb of a wheel at that.
We remain engaged in conversations with relevant stakeholders and hope that the final law leads to a more palatable outcome for the open internet.
This blog was translated into French (available here) with the help of Sylvestre Ledru and the Mozilla community.