Options – you have some
While it’s unclear how that change will actually play out, many are expecting ISPs to go on a data-selling orgy selling everything to anyone.
In light of that possibility it’s worth figuring out, what data does your ISP have and how can you prevent them from getting it?
The first question is pretty easy to answer, ISPs know just about everything. In order to connect you to the network in the first place they need all your personal data, name, address, current location (in the case of a mobile network), credit card, etc. It also know every website you’ve ever connected to, every song you’ve streamed, movie you’ve watched, every item you’ve purchase. It’s also entirely possible for your ISP to buy other information from the world’s various data brokers, things like loan history and credit card purchases for example. Put it all together and, in practical terms, your ISP could know more about you than you do.
How do you stop that from happening? The short, depressing answer, is that you don’t really. Not without radically altering how you use the internet anyway.
That said, there are a few things you can do to reduce what your ISP knows about you.
Before I go into that, though, it’s worth noting if you spend all your time, for example, signed into the Chrome web browser and have Facebook open all day you’re leaking your data to Google and Facebook anyway, does it really matter if your ISP has it too? Google and Facebook sell that data to marketers too. So before you freak about ISPs selling your data, take stock of what you’re already giving away without thinking about it.
Let’s assume that you’re using Firefox and you don’t use Facebook much. Your ISP can still see everything. That’s where the first thing comes in – HTTPS. The HTTPS protocol encrypts your traffic to and from the server. When you connect to an HTTPS page your ISP can’t see what you see. Don’t get too excited though because it can still learn a heck of a lot about your request such as the base domain. It can see that you’ve requested, for example, wikipedia.org, even if it can’t see which page you’re connected to.
Your ISP can also see what time you connected, where you where and cross reference that with your established browsing habits to make a pretty good guess about which page you connected to. Now, to be fair, we have no real way of knowing if that’s something ISPs do – Facebook, however, does – but it’s certainly within the realm of possibilities. Also bear in mind that once this information is sold, other companies can make all the same connections and educated guesses.
So while HTTPS helps, it doesn’t solve the problem. And again, nothing really does, but there is one thing that can help a whole lot — a Virtual Private Network (VPN).
A VPN is a service provider that acts like a black box. Instead of connecting directly to the internet, you connect to the VPN (which your ISP can see) and then the VPN box connects to the actual site (which the ISP can no longer see).
The advantage of a VPN is that everything is hidden. Neither your ISP nor any other snooping party between your PC and wherever the VPN is terminating can see what you’re up to. They can still see the amount of data flowing and make some educated guesses perhaps, but they’d be too unreliable to be a value to advertisers, which are the primary target when ISPs are selling your collected data.
The downside is that a VPN connection is slower because it has to connect twice, once to the VPN and then again, though the VPN to another point. That means slower throughput and slower browsing. If you have a nice fast connection you might not notice a VPN, but if you’re using a VPN through your phone over 3G, you’ll most definitely notice. Trust me, I use one every day and it slows down already slow connections.
The speed difference and the complexity of setting up a VPN are part of the reason I said you’ll need to change your internet habits to really stop ISP snooping. Then there’s also the headache of picking a VPN, which is a very important decision since all you’re really doing here is using one company, the VPN, to hide your data from another (your ISP). Your VPN can see everything your ISP used to see so you want to make sure you pick a company that you trust and that doesn’t retain data.
That latter bit is key. Because while it’s true that ISPs need to see your traffic to optimize their networks, it’s not true that they need to store it. So when you look for a VPN, make sure they’re totally transparent about what data they log, how long they keep it, who they share data with, what jurisdiction they’re in and what their track record is.
Picking a VPN is greatly complicated by the number of spammy VPN reviews out there that are little more the affiliate marketing links, though they often look innocuous enough. Security researcher Brian Krebs has some good advice on picking a VPN and the limitations of even good VPNs, though in terms of hiding your data from ISPs just about any VPN will work, the question is, how much do you trust that VPN? Krebs points to this site as a good starting point for VPN comparisons.
If you don’t want to pay for a VPN then you should not use one. A free VPN’s business model is going to be selling your data, defeating the purpose of routing around your ISP in the first place. There is another option, however – the Tor network.
Tor, which is short for “The Onion Router,” works by bouncing your requests through a series of relays (a bit like layers of an onion, hence the name) around the world, encrypting your data at every relay. There are some limitations, but in terms of just hiding things from your ISP, Tor will do the job. I suggest getting the Tor bundle, which handles configuring the network and opening a browser all ready to go.
The trade-off again is speed. Tor will be even slower than a VPN, but depending on how much you value your privacy, that may be an acceptable concession.
Oh, and if you’d like to get vindictive, there’s a website raising money to buy and then publish the internet browsing histories of all the lawmakers who repealed the FCC rules. As snarkishly satisfying as that would be, it’s unlikely to happen and your money is better put toward privacy advocate groups like the Electronic Frontier Foundation. ®