I’m sure you’ve heard that the Senate, then House, voted to allow Internet Service Providers (ISPs) to sell your browsing and Internet usage data. This is astounding, and has huge implications for each and every one of us that has any Internet usage that might be looked at askance by whomever decides to license your usage data.
So let’s cover some basics on technology, the potential uses for your usage data, and some ideas of what you can do to protect yourself.
I’m sure you’re aware of basic Internet tracking tech, but I’ll begin there and grow in complexity. I expect I’ll cover many of thee issues in Part 2 of my post on tech and protecting yourself, but Adam and Major Major Major Major brought up the idea, and I agreed to write this post today as it’s timely.
The Technology
When you connect to the Internet from your home or on your mobile device, you are using an ISP. When you use someone else’s Internet connection, you’re using their ISP. For the most part, your usage from your home or mobile ISP is the ISP of concern for this post.
When you connect to the Internet, you get an Internet Protocol (IP) address. It’s 4 block of numbers (XXX.XXX.XXX.XXX), and for remote computers/servers, it’s usually expressed as a name to make it easier on us humans. So, for example, the IP address for www.balloon-juice.com is 63.247.137.229.
When you use a web browser, websites put cookies on your machine. They are used to track your site visits, page visits, etc. Although cookies come from different sources, many are actually parts of syndicates or networks and so all members of a syndicate can see what people did not just on their sites, but on others’ too. And so should you enter your name on one site that’s a member of the syndicate, then all members can link your behavior to your name (or any other info you enter online).
Don’t get me started on Facebook or Google – they track everybody everywhere possible and link all kinds of data they license or buy so that one of them most likely has the biggest db (and the other, the second-biggest) of people and their online AND offline behavior and characteristics in the world. That’s a different post.
There are other ways to track behavior – “blank pixel” technology”, browser fingerprinting, mobile device supercookies, and so many more things. Did you know that when you open an email and you see a picture, that’s often used to inform the email sender that you’ve opened the email?
And of course there’s lots of folks combining disparate data to develop even more thorough profiles of people and their online and offline behavior to drive psychographic analysis and predictions on behavior.
There are truly a myriad examples I could list, but let’s focus on the focus of today’s post: your ISP. I’ll use home usage as the scenario for the rest of this post.
When you access the Internet, your computer sends out a request such as “give me a webpage from XXX.XXX.XXX.XXX” or “check email from my email server at XXX.XXX.XXX.XXX”. Really, your computer is saying “open a Y protocol connection with XXX.XXX.XXX.XXX” and then the remote computer and your computer work out a series of handshakes to successfully transmit the data and correct any errors that occur. That basic information is needed to do whatever it is you want to do, like dialing a phone number or putting an address on an envelope. That’s not secret or private, it’s important metadata that begins the handshake process that results in doing whatever it is you are trying to do.
But, since the signals from your computer going back and forth to the remote computer are on the ISP’s wires, they can see what it is you are saying. So no biggie, you’ve got nothing to hide, right? I’m a firm believer that everyone’s got stuff to hide for a good reason – your private business is YOUR private business. You can choose to declassify anything you want to anyone, but no one has a default policy of allowing anyone to probe your private business whenever they want, without having to get your permission.
So once Trump signs the law and it goes into effect, ISPs will then be able to analyze, organize, and sell/license this data. And there’s no way to ensure that “only big, responsible corporations” will get access to this data – it will be a huge target for foreign and domestic intelligence agencies, criminal enterprises, hackers, anarchists, psychos, manipulators, blackmailers, teens, insurance and other medical companies, law enforcement, credit agencies, etc. So those who want it will buy, license, or steal it. Or perhaps gain covert access to it, or access to it via an allowed third party that has poor security. Really, there are countless ways that, once this data is captured, it will leak out to bad folks and folks that you’d prefer not know that, late on Friday nights, once your buzz is on, you like to read, look at, or watch deviant porn.
“But,” you say, “don’t worry – I use Privacy mode when I browse, so no worries, right?”
Not so fast sparky – Privacy mode in a browser isn’t going to stop your ISP from seeing what you’re reading, writing, buying or selling. It limits cookies and other online tracking tech from your current session, but it doesn’t prevent the ISP from “listening on the line”, which is really what we’re talking about.
So what’s the magic bullet to slay this new beast on the horizon? Encryption!
When you encrypt things, your ISP just knows that you’re having an encrypted session with a remote computer at XXX.XXX.XXX.XXX in Y protocol. That’s it, as long as the encryption is strong and implemented well. The initial part of the handshake is unencrypted, but as soon as your computer and the remote computer work it out, the rest of the transaction is encrypted and thus private. This isn’t an on-off kind of thing; when you click on something, a new handshake takes place, and then that data is encrypted and transmitted and then decrypted.
So hurrah – such a simple answer, right? Well, yes, but…. no.
Encryption is very complex, but the end-user consumer side of it is pretty simple. Encryption uses advanced math to scramble your data and without the proper key to unscramble the data, it’s gibberish. But, as computers and techniques advance, what would have taken years now takes days. It’s a constantly moving, evolving world.
Some of you may recall last year when Balloon Juice enabled Secure Sockets Layer (SSL) and so the address went to https:// instead of just http://. That was 100% a privacy issue – because the site uses the secure HTTPS protocol, anything you read or write is protected by your browser’s encryption, ensuring your privacy. Of course, anyone that’s curious could just go to the website and read for themselves what’s here since we don’t require login or allow private messages, but there’s no way for a general person on the Internet to link your commenter nym to your IP address. And so your privacy is protected.
So you’re already using some encryption to protect some of your privacy, and that’s great! But there’s lots of sites that don’t yet use HTTPS, and there’s lots of things that you do that may not be encrypted. And perhaps you’d prefer it if your ISP has a black hole when it comes to your online behavior so that they know nothing about your behavior.
One last thing I should mention about privacy and what’s not protected: email. Email is not protected by encryption. What happens when you send an email is that you write it and hit send, and that message is then sent across the Internet from your outgoing mail server to the incoming mail server for the destination. And that email message – all of it, addressing info as well as the content and any attachments – is sent unencrypted. And it doesn’t go directly; it may go over as many as 20 different routers and computers, allowing anyone observing one or more of those machines the option to read your email and attachments. So emailing logins & passwords, credit card numbers, or any other important codes or numbers is a VERY bad idea.
A final detail about email – using an email client (Outlook, Thunderbird, Eudora, etc.) downloads your email to your local machine, but unless you’ve got encryption setup between you and the mail server, that mail is all sent “in the clear”, allowing an ISP to read them. But, should you use a web browser to work with your email, then your sending and receiving is protected by the web browsers SSL capabilities. Relatedly, don’t forget that, when using a web browser to check email, sending from/to the same system is usually VERY secure. So, for example, using a browser to send email from and to a Gmail account keeps the email “in the Gmail system” and it is encrypted the whole way through, so no ISP surveillance will work.
Next Steps
There are a few answers, different paths you can take, to protect your privacy from the prying eyes of your ISP. They all involve encryption of one form or another. And really, they all involve a Virtual Private Network (VPN) or Proxy Server, where your Internet requests are routed to another computer over an encrypted connection so that all your ISP knows is that you’re using an encrypted tunnel with a remote computer.
So, what does that mean?
It means that you pay some third party out there to allow you to setup an encrypted connection to route some or all of your Internet usage through. Of course, if that company keeps copious records of all the routing, requests, etc., and they then sell that data, you’re in exactly the same boat as with your ISP. So a company’s retention and privacy policies are very important, crucial, really.
Of course, there’s a great free solution called Tor, which you may have heard of. It is a protocol and framework designed by the US government to allow folks in repressive countries to communicate with journalists, human rights organizations, etc. without giving up their privacy or identity. Of course lots of bad guys use Tor to shroud their online activities – the Silk Road drug, gun, porn, and assassination marketplace was famously compromised because one element on a page on the site was not setup correctly, and so the FBI traced it to the server that was running the site’s forum software. And Silk Road truthers – let’s not quibble about parallel track or other ways they may have found the site’s server!
If you have something to hide, something illicit, then you likely already know about and use Tor. I’ve never played with it, so I am not in any way an expert on it, but to me, it does have a fundamental flaw – exit nodes. If a party sets up enough Tor exit nodes, then they will be able to monitor and/or capture enough traffic to track folks. Not that Tor isn’t a great thing for many privacy purposes, but it’s not magic and does have vulnerabilities, not the least of which is that human beings make the sites that are in Tor, and they often make coding mistakes or leave cookie crumbs in tech forums asking for help or advice. Oh, and did I mention that it’s complicated and that you can’t route most of what you do on the Internet through it?
“Wait,” you say, “I’ve heard that this web browser called Opera has a built-in VPN for privacy, so I can just use that, right?”
Opera, a great browser, does in fact have a VPN function built-in for privacy protection. But…it was just purchased by a Chinese Internet security firm and, well, who knows if you can trust them. I’m not sure I’d trust a browser maker anyway, as that just seems like a honeypot to attract folks (criminals) trying to hide their online behavior.
Recommendations
Depending on your needs, I recommend two different paths. I will not give any brand name recommendations.
For someone who wants to obscure everything, you’ll want to get a VPN router and route everything to a paid VPN service provider that has a privacy and data retention policy you like. This means that every signal coming in or out of your house will be encrypted, but this will slow everything down, and will likely muck up online streaming, game playing, and other high-bandwidth/low-latency uses. And this only effects the house and Internet users of the wired or WiFi connection. Your phone won’t be protected when you’re not home, for example.
For me, and for most folks, this is not a good plan. I have heard tell that Netflix is very good at blocking VPN users so it would likely not work for long, even if it does at first. And not being able to play a game or stream anything I want without issue is non-negotiable!
So my preferred solution is to setup a VPN or proxy server for just one computer or just one browser. That way, I have normal usage in the household, but have a privacy option I can use whenever I want.
So right now, on this machine I’m using, if I open Firefox, it wants to use my own private encrypted proxy server rather than the normal Internet connection that the rest of the computer (other browsers and software) use. And when I use that connection, everything I do in Firefox is safe from the prying eyes of Comcast. In my case, I am using a cloud computer that I rent as opposed to a service as this way, I control it and I like that approach as I’m a techie. I can also change my phone’s setting to always use that connection, should I so desire, but I don’t do much browsing on it. I can of course make my iPad use the proxy, but since I stream so much video and audio on it, that would be a problem!
One bonus to my approach – I can “appear” like I am somewhere else, wherever the server I use is located. This is great to reduce advertising and screws up geotargeting, etc. that advertisers use. Before I set this all up, I did ensure that I wasn’t signed into my Gmail account in Firefox, deleted all cookies and history, etc., and closed all open tabs so that Firefox opened to a blank page. To reduce browser fingerprinting, uninstalling add-ons, extensions, and toolbars is a good idea, too. That way, as far as Firefox is concerned, I am not physically where the rest of my computer knows I am, and I’ve left few crumbs to help find me.
The Risks of Strangers Knowing Your Behavior
Many of you are likely rubbing your eyes and wondering why this is so important an issue, why it’s a fundamental change in the relationship between you and the world outside of your home. Until now, neither the phone company nor the USPS could examine the content of your communications and sell that information. They could not listen and record everything you said on the phone and then sell the recording to as many different folks as want to buy it. They could not open your letters and packages, photograph or photocopy it all, and sell it to whomever wants it, without you having a thing to say about it.
But with your ISP and this new law, things have changed. There are so very many examples of how private data can be used for bad, but let’s look at a basic, relevant example.
A family member has Top Secret clearance and works with the Intelligence community. He is well trained, and mindful, and does not, to my eyes and ears, make a mistake when it comes to his phone, laptop, and other work-related things. He is trained to look for surveillance, etc., and varies his routes, times, etc. He doesn’t do much online.
But he lives in a house with his wife and children. And so everything they do won’t remain private, meaning that a foreign adversary could acquire meaningful data that might be useful for manipulation, blackmail, etc. So although he’s doing 100% what he’s supposed to do, suddenly his family become targets because their data may unveil a method to get to him.
And that’s just a personal example. With the theft of so much OMB data that was revealed in 2015, I can envision any number of ways that that purloined data could be used when coupled with ISP-recorded data. And that’s just in the Intelligence, Government, and Military world; there are so many people whose data was acquired that, for the next 20 years, people will be at risk of further targeting and violations of their privacy.
So, it’s time to give some serious thought to protecting yourself and to setting up at least one browser or computer to be your privacy vanguard. The sooner that everyone’s online behavior is a black hole to ISPs, the sooner they’ll realize that their goal should be to protect our privacy, not exploit it for profit!
Candidly, I’m thinking of launching a paid service, sort of a combo of proxy server and related privacy consultation and support because I know many folks would benefit from this setup, but for now if you have questions or want help, use the contact form and drop me a line. I will not be in the comments much as I have a few other important duties vying for my attention today.
cervantes
“So my preferred solution is to setup a VPN or proxy server for just one computer or just one browser. That way, I have normal usage in the household, but have a privacy option I can use whenever I want.
So right now, on this machine I’m using, if I open Firefox, it wants to use my own private encrypted proxy server rather than the normal Internet connection that the rest of the computer (other browsers and software) use. And when I use that connection, everything I do in Firefox is safe from the prying eyes of Comcast. In my case, I am using a cloud computer that I rent as opposed to a service as this way, I control it and I like that approach as I’m a techie. I can also change my phone’s setting to always use that connection, should I so desire, but I don’t do much browsing on it. I can of course make my iPad use the proxy, but since I stream so much video and audio on it, that would be a problem!”
Sorry, but to me this is complete gibberish. You need to explain this in English. What exactly are people supposed to do? I’ve read this four times and I don’t have a clue.
Gin & Tonic
@cervantes: With due respect to Alain (and I understand exactly what he is doing and how) this is a viable option for about one person out of a thousand.
NotMax
Have been yelling at the clouds for years and years that whether or not one has something to hide is not the point, the claim of an unfettered ability and right to look and examine is.
That people can recognize that their proprietary data has a distinct value and yet are perfectly willing to trade it away for nothing continues to astound me.
NotMax
Oh, and shall also mention for the umpteenth time that a more than decent Google alternative is Ixquick.
Some folks swear by DuckDuckGo, but have no experience with it so cannot readily recommend.
Ransom
@cervantes: Alain isn’t telling you how to do it; he’s describing what can be done. If you want to set it up, there’s no end of help to be found on the interwebs. Anyway, its under Firefox preferences > advanced > Connection and you set up the proxy connection to your vpn server address. And I disagree that its an option to 1 in a thousand. Anyone can sign up with a vpn service and in a few minutes have their browser connecting through it.
Butch
@cervantes: FWIW, I didn’t understand a word either, but it does make me concerned about on-line purchases. Is that supposedly secure information (the credit card) fairly well protected?
cervantes
@Ransom: There is no such thing in Firefox as “preferences.” Otherwise that’s very helpful.
12xuser
I’ve been using Private Internet Access for a couple of years. They say they don’t log anything, and have removed their servers from places that require logging, so I kinda trust them. It’s pretty easy to install and doesn’t slow things down. Forty bucks a year.