This post originally appeared at the Electronic Frontier Foundation.
We pay our monthly internet bill to be able to access the internet. We don’t pay it to give our internet service provider (ISP) a chance to collect and sell our private data to make more money. This was apparently lost on congressional Republicans as they voted to strip their constituents of their privacy. Even though our elected representatives have failed us, there are technical measures we can take to protect our privacy from ISPs.
Bear in mind that these measures aren’t a replacement for the privacy rules that were repealed, nor will they protect our privacy completely, but they will certainly help.
Pick an ISP that respects your privacy
It goes without saying: If privacy is a concern of yours, vote with your wallet and pick an ISP that respects your privacy. Here is a list of them.
Given the dismal state of ISP competition in the US, you may not have this luxury, so read on for other steps you can take.
Opt out of supercookies and other ISP tracking
In 2014, Verizon was caught injecting cookie-like trackers into their users’ traffic, allowing websites and third-party ad networks to build profiles without users’ consent. Following criticism from US senators and FCC action, Verizon stopped auto-enrolling users and instead made it opt-in. Users now have a choice of whether to participate in this privacy-intrusive service.
You should check your account settings to see if your ISP allows you to opt out of any tracking. The option is generally found under the privacy, marketing, or ads settings. Your ISP doesn’t have to provide this opt-out, especially in light of the repeal of the privacy rules, but it can never hurt to check.
EFF makes the HTTPS Everywhere browser extension so that users connect to a service securely using encryption. If a website or service offers a secure connection, then the ISP is generally not able to see what exactly you’re doing on the service. However, the ISP is still able to see that you’re connecting to a certain website. For example, if you were to visit https://www.eff.org/https-everywhere, your ISP wouldn’t be able to tell that you’re on the HTTPS Everywhere page, but would still be able to see that you’re connecting to EFF’s website at https://www.eff.org.
While there are limitations of HTTPS Everywhere when it comes to your privacy, with the ISP being able to see what you’re connecting to, it’s still a valuable tool.
If you use a site that doesn’t have HTTPS by default, email them and ask them to join the movement to encrypt the web.
In the wake of the privacy rules repeal, the advice to use a Virtual Private Network (VPN) to protect your privacy has dominated the conversation. However, while VPNs can be useful, they carry their own unique privacy risk. When using a VPN, you’re making your internet traffic pass through the VPN provider’s servers before reaching your destination on the internet. Your ISP will see that you’re connecting to a VPN provider, but won’t be able to see what you’re ultimately connecting to. This is important to understand because you’re exposing your entire internet activity to the VPN provider and shifting your trust from the ISP to the VPN.
In other words, you should be damn sure you trust your VPN provider to not do the shady things that you don’t want your ISP to do.
VPNs can see, modify, and log your internet traffic. Many VPN providers make promises to not log your traffic and to take other privacy protective measures, but it can be hard to verify this independently since these services are built on closed platforms. For example, a recent study found that up to 38 percent of VPN apps available for Android contained some form of malware or spyware.
Below, we detail some factors that should be considered when selecting a VPN provider. Keep in mind that these are considerations for someone who is interested in preventing their ISP from snooping on their internet traffic, and not meant for someone who is interested in protecting their information from the government — a whistleblower, for instance. As with all things security and privacy-related, it’s important to consider your threat model.
- Is your VPN service dirt-cheap or free? Does the service cost $20 for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.
- How long has your VPN provider been around? If it is relatively new and without a reliable history, you’d have to trust the provider a great deal in order to use such a service.
- Does the VPN provider log your traffic? If yes, what kind of information is logged? You should look for one that explicitly promises not to log your internet traffic, and consider how active the VPN provider is in advocating for user privacy.
- Does the VPN provider use encryption in providing the service? It’s generally recommended to use services that support a well-vetted open source protocol like OpenVPN or IPSec. Utilizing these protocols ensures the best security available.
- If your VPN provider uses encryption, but has a single shared password for all of the users, it’s not sufficient encryption.
- Do you need to use the VPN provider’s proprietary client to use the service? You should avoid these and look for services that you can use with an open source client. There are many clients that support the above-mentioned OpenVPN or IPSec protocols.
- Would using the VPN service still leak your DNS queries to your ISP?
- Does the VPN support IPv6? As the internet transitions from IPv4 to the IPv6 protocol, some VPN providers may not support it. Consequently, if your digital device is trying to reach a destination that has an IPv6 address using a VPN connection that only supports IPv4, the old protocol, it may attempt to do so outside of the VPN connection. This can enable the ISP to see what you’re connecting to since the traffic would be outside of the encrypted VPN traffic.
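The DNS and IPv6 questions in the checklist above can be checked against your own machine's routing table. The script below is an added example, not part of the original EFF post: it assumes a Linux host, text in the format printed by `ip route` and `ip -6 route`, a tunnel interface named tun0, and resolvers listed in /etc/resolv.conf; the sample data is constructed.

```python
import ipaddress
import re

# Constructed sample data: Linux host on an IPv4-only VPN (tun0 = tunnel, wlan0 = ISP link).
V4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
V6_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
RESOLV_CONF = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"

def egress_dev(route_text, dest):
    """Interface chosen for dest by longest-prefix match over `ip route` lines."""
    dest = ipaddress.ip_address(dest)
    matches = []
    for prefix, dev in re.findall(r"^(\S+).*?\bdev (\S+)", route_text, re.M):
        if prefix == "default":
            prefix = "0.0.0.0/0" if dest.version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # "unreachable", "blackhole" etc. are not forwarding routes
        if net.version == dest.version and dest in net:
            matches.append((net.prefixlen, dev))
    return max(matches)[1] if matches else None

def vpn_leaks(v4_routes, v6_routes, resolv_conf, tunnel="tun0"):
    """Describe each kind of traffic that would bypass the tunnel interface."""
    findings = []
    # Documentation-range addresses stand in for "any host on the internet".
    for label, routes, probe in (("IPv4", v4_routes, "192.0.2.1"),
                                 ("IPv6", v6_routes, "2001:db8:2::1")):
        dev = egress_dev(routes, probe)
        if dev and dev != tunnel:
            findings.append(f"{label} traffic leaves via {dev}, outside the VPN")
    for ns in re.findall(r"^nameserver\s+(\S+)", resolv_conf, re.M):
        if ipaddress.ip_address(ns).is_loopback:
            continue  # local stub resolver: its upstream is not visible here
        dev = egress_dev(v6_routes if ":" in ns else v4_routes, ns)
        if dev != tunnel:
            findings.append(f"DNS resolver {ns} is reached via {dev}, outside the VPN")
    return findings
```

In the sample, IPv4 is covered by the tunnel's two /1 routes, but the IPv6 default route and the home-router resolver both go out over wlan0, which is exactly the traffic the ISP would still see.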
Now that you know what to look for in a VPN provider, you can use these two guides as your starting point for research. Though keep in mind that a lot of the information in the guides is derived from or given by the provider, so again, it requires us to trust their assertions.
If you are trying to protect your privacy from your internet company, Tor Browser perhaps offers the most robust protection. Your ISP will only see that you are connecting to the Tor network, and not your ultimate destination, similar to VPNs.
Keep in mind that with Tor, exit node operators can spy on your ultimate destination in the same way a VPN can, but Tor does attempt to hide your real IP address, which can improve anonymity relative to a VPN.
Users should be aware that some websites may not work in the Tor browser because of the protections built in. Additionally, maintaining privacy on Tor does require users to alter their browsing habits a little. See this for more information.
It’s a shame that our elected representatives decided to prioritize corporate interests over our privacy rights. We shouldn’t have to take extraordinary steps to limit how our personal information can be used, but that is clearly something that we are all forced to do now. EFF will continue to advocate for internet users’ privacy and will work to fix this in the future.