You may have heard a lot of news recently about internet service providers (ISPs) tracking your browsing history and selling all your data. What does this mean, and how can you best protect yourself?
Traditionally, the Federal Trade Commission (FTC) has been in charge of regulating ISPs. In early 2015, the Federal Communications Commission (FCC) voted to reclassify broadband Internet access as a “common carrier” service, as part of a push for net neutrality. This moved the regulation of ISPs from the FTC to the FCC.
The FCC then placed restrictions on what ISPs were and weren’t allowed to do with their customers. ISPs would be prevented from redirecting search traffic, injecting additional ads into web pages, and selling user data (like location and browsing history), among other practices that are profitable at the expense of users.
In March 2017, the Senate and House voted on a Congressional Review Act (CRA) resolution to repeal the FCC’s privacy rules, and prevent the FCC from making future regulations. Their justification for the bill was that companies like Google and Facebook are allowed to sell this information, and that the regulations unfairly prevent ISPs from competing. Lawmakers claimed that because Google has roughly an 81% market share in search, it has more market control than any ISP. While Google’s dominance in search is real, internet users have the option to avoid Google, or Facebook, or any other site. Most people use Google for search, but there are plenty of other options and it’s easy to switch. Using tools like Privacy Badger, it’s pretty easy to avoid Google or Facebook’s analytics around the web. In comparison, all of your internet traffic goes through your ISP, and very few Americans have more than one or two choices.
The bill was signed by the President in early April. While not all of the FCC’s regulations had gone into effect before they were voided, this is still a major blow to the privacy of Americans online. Because ISPs are still classified as common carriers, no other regulatory body has the oversight to reinstate these rules.
Many of the FCC’s regulations were due to begin throughout 2017 and 2018. Big ISPs have been tracking their users for years. Verizon famously used to inject a supercookie into all of their customers’ browser requests, allowing them (and third parties) to track individual users across the web. The supercookie was being added to requests after they had left the users’ computers, so there was no way to avoid it until Verizon caved and added an opt-out. For a while, AT&T charged clients an extra $30 per month to not track their internet usage. This case was the inspiration for the FCC’s privacy regulations.
It’s easy to think: “Well, we’re no worse off than we were a year ago.” And that may be partially true. We’re living under the same rules we were then; it’s just that they now won’t change for the better. It still isn’t possible to purchase an individual’s internet history; the data is anonymized and sold to advertisers and other organizations in bulk.
However, these new regulations (that now aren’t going to go into effect) would have patched up a significant hole in internet privacy. If you dig deep into anonymized data, it can be easy to uncover its owner. Plus, there’s the argument to be made that ISPs are, in effect, double-dipping. The position that this ruling puts ISPs in a more competitive space with services like Google is a bit disingenuous. ISPs rule the “final mile” to their customers’ premises, and we already pay good money for access to it.
Many people are concerned by the bill’s passing, and want ways to protect themselves from their ISP’s prying eyes. Fortunately, there are some things you can do to help ensure your privacy. Most of these methods are geared toward protecting you from what we call Man-in-the-Middle (MitM) attacks. The journey your data takes on the trip from your PC to an internet server and back passes through a host of intermediaries. In a MitM attack, a malicious actor inserts itself into the system somewhere along that journey for the purposes of eavesdropping, storing, or even modifying your data.
Traditionally, a MitM is assumed to be a bad actor who inserts themselves into the process; you trust the routers, firewalls, and ISPs between you and your destination. However, if you can’t trust your ISP, things get trickier. Keep in mind this applies to all internet traffic, not just what you see in your browser. The good news (if you can call it that) is that MitM attacks are an old and common enough problem that we’ve developed pretty good tools you can use to protect yourself.
HTTPS encrypts the connection between your computer and a website, using a protocol called TLS (or the older SSL). In the past, this was mostly used for sensitive information like login pages or bank information. However, implementing HTTPS has gotten easier and cheaper. These days, over half of all internet traffic is encrypted.
When you’re using HTTPS, the contents of data packets are encrypted, including the actual URL you’re visiting. However, the hostname of your destination (for example, howtogeek.com) is kept unencrypted, since the nodes between your device and your data’s destination need to know where to send your traffic. Even though ISPs can’t see what you’re sending over HTTPS, they can still tell which sites you’re visiting.
There is still some metadata (data about data) that isn’t possible to hide using HTTPS. Anyone monitoring your traffic knows how much is downloaded in any given request. If a server only has one file or page of a specific size, this can be a giveaway. It’s also easy to determine what time requests are made, and how long connections last (say, the length of a streaming video).
Let’s put this all together. Imagine there’s a MitM between me and the internet, intercepting my packets. If I’m using HTTPS, they could tell, for example, that I went to reddit.com at 11:58 PM, but they wouldn’t know if I’m visiting the frontpage, /r/technology, or another, less-safe-for-work page. With effort, it might be possible for them to determine the page based on the amount of data transferred, but it’s unlikely if you’re visiting a dynamic site with lots of content. Since I load the page once and it doesn’t change in real time, connection length should be short and hard to learn anything from.
HTTPS is great, but it’s no silver bullet when it comes to protecting you from your ISP. As stated earlier, it obscures content, but can’t protect metadata. And while little to no effort is required from the end user, server owners need to configure their servers to use it. Unfortunately, there are still many websites that don’t support HTTPS. Also, only web browser traffic can be encrypted with HTTPS. The TLS protocol is used in other applications, but typically isn’t visible to users. This makes it hard to tell when—or if—your application traffic is being encrypted.
A Virtual Private Network (VPN) creates a secure connection between your device and a termination point. It’s essentially like having a private network created within the public internet network, which is why we often refer to a VPN connection as a tunnel. When using a VPN, all of your traffic is encrypted locally on your device, and then sent through the tunnel to your VPN’s termination point—usually a server on whatever VPN service you’re using. At the termination point, your traffic is decrypted, and then sent along to its intended destination. Return traffic is sent back to the VPN termination point, where it is encrypted and then sent back through the tunnel to you.
One of the most common uses for VPNs is to allow employees to access company resources remotely. It’s considered best practice to keep internal company assets disconnected from the internet. Users can tunnel to a VPN termination point inside a corporate network, which then allows them access to servers, printers, and other computers—all while keeping them hidden from the internet at large.
In recent years, VPNs have become popular for personal use, to enhance security and privacy. Take the example of the free Wi-Fi at the coffee shop. It’s easy to sniff traffic on unsecured Wi-Fi networks. It’s also possible you’re connecting to an evil twin network—a fake Wi-Fi access point masquerading as a legitimate one—that hopes to serve malware. If you use a VPN, all they can see is encrypted data, with no indication of where or with whom you’re communicating. The VPN tunnel also provides integrity, meaning that a malicious outsider cannot modify the traffic.
When you use a VPN, your ISP can’t see or change what’s going through the encrypted tunnel. Because everything is encrypted until it reaches the termination point, they don’t know what sites you’re visiting or what data you’re sending. ISPs can tell that you’re using a VPN, and see the VPN’s termination point (a good indicator of which VPN service you’re using). They also know how much traffic you’re producing at what times.
Using a VPN can also affect network performance. Congestion on a VPN can slow you down, but in rare cases, you can get better speeds while on a VPN. You should also check if the VPN leaks any information.
Companies and colleges often provide free VPN access for their users. Be sure to check the usage policy; their administrators likely don’t want you streaming video or doing anything unrelated to work on their network. Alternatively, you can pay for access to a VPN service, usually $5-10 a month. You should do some research to choose the best VPN for your needs.
Keep in mind, you must be able to trust your VPN provider. The VPN does prevent your ISP from seeing the tunneled traffic. However, your traffic needs to be decrypted once it reaches the termination point, so that the termination point can forward it to the proper destination. This means your VPN provider can see this information. Many VPN services claim not to log, use, or sell your traffic. However, there often is no way to tell whether or not they follow through on these promises. Even if they are being honest, it’s possible their ISP is mining the data.
In particular, you should be wary of free VPNs. Lately, VPN browser extensions have become popular, largely because of their low/no cost and ease of use. Running a VPN service is expensive, and operators don’t do it out of the goodness of their hearts. Using one of these free services often just switches the ability to spy on you and inject ads from your ISP to the VPN. Remember: when you aren’t paying for a service with operating costs, you are the product.
Ultimately, VPNs are a useful, but imperfect solution. They provide a way to transfer trust from your ISP to a third party, but there’s no easy way to determine if a VPN provider is trustworthy. If you know your ISP can’t be trusted, VPNs may be worth a shot. HTTPS/TLS should be used with a VPN to further enhance your security and privacy.
The Onion Router (Tor) is a system that encrypts and anonymizes traffic. Tor is complex, and whole articles can be (and have been) written on it. While Tor is helpful for lots of people, it can be challenging to use correctly. Tor will have a much more noticeable (negative) effect on the quality and performance of your day-to-day internet usage than the other methods mentioned in this article.
ISPs haven’t gained any new powers from this bill, but it has prevented the government from ensuring your privacy. There is no silver bullet to prevent your ISP from spying on you, but there is still plenty of ammunition. Use HTTPS whenever possible to protect message content between you and the destination. Consider using a VPN to tunnel around your ISP. While you’re making changes, consider protecting yourself from other sources of snooping and spying. Configure your operating system’s settings to improve privacy (Windows and OSX), and your web browser as well (Chrome, Firefox, or Opera). Use a search engine that respects your privacy, too. Protecting your privacy is an uphill battle, now more so than ever, but How-To Geek is dedicated to helping you along the way.