DNS

I was going to post this over on the geekblog but, at the last moment, decided there was another angle to the article that caused me to pick up my virtual pen, and that other angle was worth mulling over here.

I know the good folk over at MakeUseOf have to earn a living (and therefore get clicks onto the MakeUseOf website), but this piece of 2-dimensional clickbait is so underthought, it needs taking to task.

Yes, there are conversations (many and frequent conversations) in certain niche quarters about DNS Resolvers and, in tightly-blinkered sections of those certain quarters, the conversations usually come down to 8.8.8.8 vs 1.1.1.1 (or Google vs Cloudflare if you prefer), but outside those niche quarters, wiser heads are looking at alternatives which step away from the American sector for DNS and all other technical services.

These days, information security experts aren’t looking at Google or Cloudflare and flipping a coin; they’re looking at US vs European DNS Resolvers and setting their chess pieces out for a marathon session of technical strategy.

OK, so the resolution span between 8.8.8.8 and 1.1.1.1 can be measured in fractions of a millisecond. And yes, both Google and Cloudflare have local DNS Resolution POPs, but over in America horrible things are moving slowly beneath the sludgy surface of technical infrastructure and accompanying US legislation.
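If you want to check the "fractions of a millisecond" claim for yourself, or compare a European resolver you are evaluating against the two American ones, the script below does it with a hand-built DNS query over UDP. It is an added example, not code from the original post or from MakeUseOf: 8.8.8.8 and 1.1.1.1 are the resolvers named above, the third entry is a placeholder address you replace, and the embedded sample response is constructed so the parser can be exercised without network access.

```python
"""Added example: time a DNS A-record lookup against several resolvers.

Builds a minimal DNS query by hand (no third-party library), sends it
over UDP, and parses the answer section of the reply. Resolver addresses
other than 8.8.8.8 and 1.1.1.1 are placeholders, not recommendations.
"""
import socket
import struct
import time

TXID = 0x1234  # fixed transaction id, fine for a one-off measurement


def build_query(name, txid=TXID):
    """Return a DNS query packet: header (RD set), one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(packet, pos):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return pos + 2
        pos += 1 + length


def parse_answer_ips(packet, txid=TXID):
    """Return IPv4 addresses from the answer section of a DNS response.

    Raises ValueError if the transaction id does not match or RCODE != 0,
    so a spoofed or error reply is not silently reported as a success.
    """
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):                # skip the echoed question(s)
        pos = _skip_name(packet, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            ips.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return ips


def time_lookup(resolver_ip, name, timeout=2.0):
    """Send one query over UDP; return (round_trip_ms, ips) or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.perf_counter()
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        return elapsed_ms, parse_answer_ips(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


# Constructed sample reply for example.com -> 192.0.2.1 (documentation range),
# used only to exercise the parser offline.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: 1 Q, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"   # answer: ptr, A, IN, TTL 300
    b"\xc0\x00\x02\x01"                                   # rdata: 192.0.2.1
)

RESOLVERS = {
    "Google": "8.8.8.8",
    "Cloudflare": "1.1.1.1",
    "European candidate (placeholder)": "192.0.2.53",  # replace with the one you evaluate
}

if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        result = time_lookup(ip, "example.com")
        print(label, ip, "timeout" if result is None else "%.1f ms %s" % result)
```

Run it a few times from the network you actually care about; a single UDP round trip is dominated by the path to the nearest POP, so the numbers say more about your location than about the resolver software. The transaction-id and RCODE checks in the parser are there so that a stray or error reply is reported rather than timed as a success.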

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) compels US tech corporations to provide any and all information, as requested by the US Government, no matter where that tech corporation’s infrastructure is hosted or based. What this means is that if a company not based in the US – let’s pick one at random: NHS England – uses American-owned cloud-hosted infrastructure, the US Government can tell the US company who owns that cloud-hosted infrastructure to hand over copies of all NHS data, so it can pass that data on to… well, whoever it likes.

Of course this isn’t just about NHS data about its patients, this scenario could apply to any non-American company even if the cloud-hosting infrastructure that company uses is based in Dublin, London, or Paris (to pick just 3 locations where Microsoft Azure is locally-hosted).

The US Government has routinely invoked the CLOUD Act, and taken significant and extensive copies of corporate and private data (under the guise of ‘criminal investigations’) from US cloud-hosted infrastructure. Azure and AWS made heavy marketing use of ‘our infrastructure is in Europe where US laws don’t apply’, only to have Trumpism skewer that argument (and those paper-thin safeguards) with just one email from the US DoJ.

My point is we shouldn’t be asking which American DNS Resolver is better than the other, we should be encouraging every non-American organisation to develop and then implement plans to migrate away from American hosting providers.

Digital sovereignty actually means information security, and as long as the Trumpists are able to call up Azure, AWS, or whoever, and ask for copies of all of the data belonging to non-American entities (thus ignoring GDPR and all other European privacy legislation) we, as non-Americans, actually have no digital sovereignty. We also have a set of information security policies made out of Play-Doh.

There are decent European DNS Resolvers and DNS Providers, and many of them don’t use American software (some even badge themselves as being Open Source). Owning our own DNS would be the first step in moving away from American platforms, but there’s no reason such a transition can’t be planned while a hosting migration is being formed.

Austria is moving away from US-owned hosting providers, so too are local, regional, and national Government agencies in France (in fact the Gendarmerie have dumped Microsoft as a desktop OS). So too are organisations in Denmark, Germany, and Belgium. There are good local alternatives which don’t use any US tech components; these alternatives offer GDPR compliance, and ownership and security of all data. On a national level, data security is as important as food security and energy security (of which we also have neither).

Still, I’m sure the UK Government has considered these arguments before it signed an £81m contract to have Microsoft Azure host the entire HMRC data platform (and who wants to bet that £81m deliverable will actually have an outturn of approaching £141m?).

And yes, I’ve told the folks at MakeUseOf about this post.
