In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. Article 6 (para II and III) of the SREN Bill would force browser providers to create the means to mandatorily block websites present on a government-provided list. Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments that will easily negate the existence of censorship circumvention tools.

While motivated by a legitimate concern, this move to block websites directly within the browser would be disastrous for the open internet and disproportionate to the goals of the legal proposal – fighting fraud. It will also set a worrying precedent and create technical capabilities that other regimes will leverage for far more nefarious purposes. Leveraging existing malware and phishing protection offerings rather than replacing them with government-provided, device-level block-lists is a far better route to achieve the goals of the legislation.

[...] Browsers have played a critical role in the growth of the web by serving as user agents that mediate our experiences with the internet. This role, which Mozilla has been an integral actor in for over 25 years via Firefox, is based on some fundamental presumptions that enable browsers to focus on serving the interests of their users while keeping content regulation decisions further up the chain with either network intermediaries (such as ISPs) or service providers (websites).

The two most commonly used malware and phishing protection systems in the industry are Google's Safe Browsing and Microsoft's SmartScreen; Mozilla (along with Apple, Brave, and many others) uses Google's Safe Browsing. The Safe Browsing service has been around since at least 2005 and currently protects close to half the world's online population on various devices and software. It covers malware, unwanted software, and social engineering (phishing and other deceptive sites). It has broad policies that are fairly robust and is available via a free API, which makes it a more cost-effective way for organisations to protect users.