Protect against potential ISP snooping by using https and a VPN

A bill passed by Congress, if signed by the president, would prevent the FCC from putting in place Obama-era rules to restrict ISP tracking of your online actions.

cloak
Credit: Cloak

Our online privacy rights have almost always eroded in the U.S., rather than improved. The Obama Administration created a new set of restrictions on Internet service providers (ISPs) intended to define more clearly and explicitly bar greater use of our information that ISPs could conceivably gather, store, and sell. A Congressional joint resolution may be signed by President Trump by the time you read this that prevents those new rules from going into effect. The status quo remains.

However, the aggressive enforcement of certain privacy rules and net-neutrality polices by the FCC and FTC during the Obama era seemed to prevent ISPs from pushing forward. With the new rules rejected and a friendlier FCC chair in place, there’s legitimate concern that ISPs will ramp up efforts to use our browsing habits and behavior to sell to marketers to better target ads against us, to create new ISP-operated targeted advertising systems, and to have information available to release to the U.S. government without the requirement of a warrant.

Many well-meaning people immediately suggested a host of different ways to block your behavior from being tracked, but some of them don’t increase your privacy—and could, in fact, reduce it. Let me look at what’s most effective and what you should avoid.

Https and VPN: Bury yourself in a tunnel

You’ve probably heard a lot (from me and everywhere else) about the increasing usefulness and need to encrypt Web communications in order to protect yourself from criminals, malicious snoopers, and overreaching government entities. Web encryption via an https connection from your browser protects end to end, though the Web server’s operator can obviously see what you’re up to. But nobody in between can.

With https, an ISP can intercept the name of the Web site to which you connect, but not the full URL with the path and potentially variables sent. It also can’t read interactions that happen in Web apps. It also prevents code injection, which some ISPs and hotspot operators use to insert popup messages, swap out or insert ads on a Web page, and otherwise interfere with the page sent from a Web site.

But ISPs can see how often you connect, when, and the size of payloads sent and returned, from which a lot of insight can be gleaned. You can’t rely on https to protect you from snooping, but it turns the dials down on a lot of specifics. The Web is rapidly moving to https being available everywhere, and beyond that to https-only Web sites.

To ratchet it up a notch, you could use a virtual private network (VPN) connection, which encrypts all the connections of any kind leaving your computer and decrypts it at some point on the Internet where the VPN operator has a termination point, usually in a data center, which can be located in a country that’s not your own. (I’ve also written about using the Tor network, which securely anonymizes browsing, but it’s difficult to use for day-to-day purposes in which you log into accounts or make purchases.)

VPNs have the advantage of cloaking everything. Neither an ISP nor any party between you and the VPN termination point can inspect what you’re doing, except the amount of traffic flowing. However, because you’re terminating at another point, this can slowdown throughput (the net amount of bytes flowing) and latency (the time between an action happening on one side of the connection and a response being received on the other). Depending on your network’s bandwidth and other factors, a VPN could slow you down or stall you quite a bit.

Not all VPN operators are equal. There are thousands of VPN services out there, many of which advertise or offer affiliate networks, so that other parties promote their services in exchange for a piece of revenue. It’s important to find a VPN run by a company with some history you can find online, so they aren’t freshly minted or anonymous, and in a country that upholds legal norms. Some VPN services are run from China and Russia or owned by companies in those countries. Because of local laws, practices, and problems with the court systems in those two lands and many others, regardless of the ability and reputation of a given company, it would be very difficult to ensure the integrity and privacy of your information.

Brian Krebs, a long-time security writer, explained at length his philosophy about finding a VPN which has the policies and reputation that aligns with user-privacy and security interests. He also pointed to a site that runs down in even greater depth a lot of the specifics of what to look for.

What a good privacy policy looks like

While I hesitate to recommend any service in particular, I’ve used Cloak off and on for years as travel and other circumstances dictate. The founders, based in Seattle, sold it and joined StackPath a year ago, but continue to operate as a separate organization with in it. StackPath is in Texas and operates as a U.S. company. Cloak sells access for many platforms, and offers recurring subscriptions and term-based passes.

In Cloak’s privacy policy, it talks a lot of the right talk, making statements that are legally enforceable. As I’ve noted before, the FTC can’t typically proscribe policies to digital or other firms, but it can sue based on when promises made are broken. Thus the more explicit a policy, the more a company can be subject to individual, state, or federal liability if the firm fails to uphold it.

Cloak notes:

We will never share your personally identifiable information with any third party, for any reason, ever. We will never share your anonymized session data with any third party, for any reason, ever. The one important exception is if we need to respond to a legal request.

Under that legal request section, it notes:

First, we would only respond to a legally binding request…from a United States federal, state, or local authority. Second, our data collection and retention policies are quite specific; in practice, there is likely to be little or no valuable data that we could share with law enforcement.

Finally, they note:

When you use Cloak to secure your connection, we collect:

The number of bytes you’ve sent and received

The amount of time you’ve been connected

The IP address you’re connected from

The assigned (virtual) IP address on our VPN network

The source port of each outgoing connection with start and end times

We keep this information for at most sixteen (16) days, after which we permanently delete it.

This specificity is what you should look for with any VPN provider.

Routing around privacy failures

The Internet’s resiliency often lets it “route around failures,” meaning that with many paths to reach a destination, a single point of failure doesn’t cause the net to break.

If Congress and the current administration choose to walk back privacy for literally no consumer benefit, we can route around this failure.

Shop Tech Products at Amazon