Stop your ISP from snooping on you: what works and what doesn’t

Published by on March 24, 2017 in VPN & Privacy
Jeff Flake (R-Arizona), the Senator who introduced the privacy-killing bill

If you live in the US, your internet service provider will soon be able to sell your browsing history and any other information it collects on you to whomever it wants without permission. Republicans are keen to roll back Obama-era regulations that prevent ISPs from sharing sensitive information about their customers. The bill has already passed in the Senate and is expected to pass in the Republican-majority House of Representatives before it lands on President Trump’s desk for a final signature before going into law. Update on March 29, 2017: The bill passed in the House of Representatives and now just needs Trump’s signature.

The bill only serves to hurt consumers and is flawed in more ways than one, which we’ll get into later. But for now it’s fairly safe to assume that this is going to happen. Americans who value their privacy will have to take steps on their own to protect their online activity from being recorded and sold.

Unfortunately, misconceptions abound about how someone can stop their ISP and other entities from snooping on them. We decided to clear the air and discuss what does and doesn’t work.

What works

VPNs

Pros

  • ISP cannot decipher encrypted internet traffic
  • ISP cannot see the destination of your traffic
  • Encrypts and tunnels all traffic to and from the entire device

Cons

  • Good VPNs require a paid subscription
  • Free VPNs can be unsafe, slow, and cap your data

VPNs, short for virtual private networks, encrypt all of a device’s internet traffic and route it through a server in a location of the user’s choosing. That means the ISP cannot read any of the data passing between your computer or smartphone and the VPN server. Nor can it determine where that data is headed. VPNs don’t just do this for your web browser; they also hide traffic to and from all your other apps including games, Spotify, torrenting clients–you name it. A reputable, paid VPN service keeps zero logs of your activity, tunnels your DNS requests through its own servers, uses uncrackable encryption, and doesn’t limit bandwidth or data transfers.

Be wary, however, of so-called “free” VPN services, of which there are many. These might seem like a good deal, but they often contain malware, log your activity, mine your browsing data, and even inject advertisements into your browser. This can actually reduce your privacy. Furthermore, free VPNs usually cap your data at a daily or monthly limit and/or throttle bandwidth so that it’s too slow to stream videos or download larger files.

If you’re interested in learning which VPNs are most secure and why, check out our list of more than 20 VPNs rated side-by-side on privacy and security.

Tor

Pros

  • ISPs cannot decipher encrypted internet traffic
  • ISPs cannot see the destination of your traffic
  • Free

Cons

  • Slow, only suitable for web browsing
  • ISP can see that you are using Tor

Tor, short for The Onion Router, is a network of volunteer “nodes” scattered around the world. Whenever you connect to the Tor network, your internet traffic is encrypted and then sent through several of these nodes randomly each time you go to a new website. Tor has been the go-to tool for netizens seeking online anonymity for years. The easiest way to use Tor is to download and install the Tor Browser, which is based on Firefox. Note that it will not have any plugins, bookmarks, cookies, or anything else that sacrifices privacy for the sake of convenience. Not only can ISPs not see your internet traffic or where it’s going, the websites you visit will also not be able to tell who you are. This can be a good or bad thing, depending on your needs. Tor and the Tor Browser are completely free to use.

On the downside, Tor is slow. A lot of people use it and it’s volunteer-run, so don’t expect to be able to stream HD videos or torrent large files. While your ISP might not be able to monitor your browsing, it will be able to detect that you are using Tor. This can draw undue attention to yourself, as Tor is frequently used by criminals, activists, journalists, whistleblowers, and other people who desire anonymity.

Read more: A beginner’s guide to using Tor for anonymous browsing

What sort of works

HTTPS proxies

Pros

  • ISPs cannot decipher encrypted internet traffic
  • ISPs cannot see what web pages you visit

Cons

  • ISPs can see what websites you visit, but not their content or specific pages
  • Only works for web browsers

HTTPS proxies are similar in many ways to VPNs. They encrypt traffic and send it through an intermediary server so that your ISP cannot see what you’re looking at. Some are free and some are not, but for the same reasons we caution against free VPNs, we advise you to be wary of anyone advertising a “free” HTTPS proxy.

The problem with HTTPS proxies is that they do not send DNS requests through the intermediary server. DNS, short for domain name system, is how computers turn web page URLs (e.g. www.comparitech.com) into IP addresses (e.g. 123.45.67.89). DNS requests are often sent to your ISP, which means the ISP can still log what websites you visit, although not the content of those websites nor what specific pages you looked at.

To get around this, you can configure your device to use different DNS servers than the default ones provided by your ISP. Free, public DNS servers that we recommend are DNS.WATCH and OpenNIC. You can find setup instructions for your particular device on their websites; it only takes a couple minutes. You can alternatively opt for a smart DNS or DNS proxy service, which we’ll discuss next.

Smart DNS and DNS proxies

Pros

  • ISPs cannot see your DNS requests

Cons

  • ISPs can see contents of unencrypted traffic
  • ISPs can determine the destination of your traffic

Smart DNS and DNS proxies are tools primarily used for unblocking geo-locked content on the internet. They are not as apt for hiding your online activity, although they can be used in combination with an HTTPS proxy for this purpose (see above). DNS proxies merely send your DNS requests to a server other than the default one used by your ISP.

To be fair, recording DNS requests might be the easiest way for your ISP to monitor what websites you visit online, and a DNS proxy will prevent that. The ISP can still determine the contents and destination of your normal web traffic, however, using a tactic called “packet inspection.” Here’s a good explanation via StackExchange:

“Even when using a third-party DNS provider, the actual traffic between you and websites goes over your ISP’s network. In this case, they can see that @user1 visited 173.194.113.80 and made some requests. If the site is running over HTTP, they can even see that you requested pages from a specific host, thanks to header data such as Host: google.com in each request, and the specific pages thanks to the HTTP verb used (e.g. GET /search?q=dodgy+things).”
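
To make the DNS and packet-inspection points above concrete, here is an added example (not part of the original article or of the quoted StackExchange answer) that parses a constructed plain DNS query and a constructed plain HTTP request the way any network carrying them could. The function names and the sample request are assumptions made for illustration; the IP address and Host value are the ones used in the quote.

```python
import struct

def build_dns_query(hostname, txid=0x1234):
    """Build a cleartext DNS A-record query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observe_dns(payload):
    """Hostname readable by whoever receives or carries a plain DNS query."""
    labels, pos = [], 12  # question section follows the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def observe_http(payload):
    """Method, host and path readable from an unencrypted HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "host": headers.get("host"), "path": path}

def observer_view(dst_ip, dns_payload=None, http_payload=None):
    """Collect everything an on-path observer learns about one connection."""
    view = {"dst_ip": dst_ip}  # the IP header is always visible
    if dns_payload is not None:
        view["dns_name"] = observe_dns(dns_payload)
    if http_payload is not None:
        view.update(observe_http(http_payload))
    return view

# Constructed sample traffic, not captured from a real network.
SAMPLE_DNS = build_dns_query("www.comparitech.com")
SAMPLE_HTTP = (b"GET /search?q=example+query HTTP/1.1\r\n"
               b"Host: google.com\r\nUser-Agent: demo\r\n\r\n")

if __name__ == "__main__":
    print(observer_view("173.194.113.80", http_payload=SAMPLE_HTTP))
    print(observe_dns(SAMPLE_DNS))
```

The first call models the third-party-DNS case from the quote: no DNS query is observed, yet the destination IP, host, and path are still readable because the request itself is unencrypted.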

What doesn’t work

SOCKS proxies

SOCKS4 and SOCKS5 proxies are not encrypted and do not necessarily route DNS requests through the proxy server, so neither the contents nor the destination of your internet traffic is hidden from the ISP. SOCKS proxies are primarily used for unblocking geo-locked content. The only exception is when you visit an HTTPS website: the content will be encrypted, but your DNS requests are still sent to your ISP, so the website you visit is not hidden.

“Private” and “Incognito” browsing

Most browsers today have a feature called something like “in private” or “incognito” mode. These browsing modes can prevent you from picking up cookies and don’t add the pages you visit to your browser history.

They do not affect in any way what your ISP sees, however. The web pages you visit and their contents still travel unencrypted over your ISP’s network, and web page requests are still resolved through the ISP’s DNS servers. While your browsing activity might be hidden from other people who use your web browser, private and incognito modes don’t hide anything from your ISP.

Clearing your browsing history

Deleting your browser history has no effect on the information that your ISP collects, stores, and sells. Your ISP will keep its own copy of your browsing history and does not need the data recorded on your browser.

Disabling cookies and JavaScript

Disabling browser functions like cookies and JavaScript can be a good step toward better privacy and safer browsing online. Cookies are the main tool used to target people with advertisements pretty much everywhere online. JavaScript can be used to serve malware.

But these have little to no effect on your ISP’s snooping. While your ISP might inject cookies into your browser, stopping it from doing so won’t prevent it from recording the pages you visit and their contents.

Why ISP snooping is such a big deal

The proponents of the US bill, which has passed in the Senate and will likely pass in the House, argue that if Google and Facebook can collect and sell user data, then ISPs should be allowed to do it, too.

There are several problems with that argument. Chief among them, you can choose to not use Google and Facebook. Most Americans, however, cannot choose their ISP. ISPs often hold regional monopolies or duopolies. They make it extremely difficult for new players to enter the market, so there’s practically no competition. This is why Americans pay manifold what most other developed countries do for internet and mobile phone service.

Secondly, no one wants this. Just because other companies are doing it doesn’t make it right. Big telecom is paying off your representatives so they can sacrifice your privacy and make money.

Third, while some companies will collect and sell your personal data, most do not. They allow third parties to use de-identified information to target particular demographics and people who view certain content with advertisements. This is done using a combination of cookies and other unique identifiers, but not your personally identifiable info like names, email addresses, addresses, etc.

Finally, Facebook, Google, Amazon, Apple–all the big ones–actually give you pretty granular control over what information they record and store. Most people just never bother to change their default privacy settings. But only in California are companies obligated to hand over information they’ve gathered about you on demand, and even then they aren’t required to delete it on request. There’s a huge lack of transparency across the board in the telecom industry.
