The United States Congress just voted on and passed a bill that allows Internet Service Providers to sell your data. I thought I’d take a moment and first explain why this is “A Bad Thing(TM)”, then tell you what you can do about it.
Given that I’m going to promote this blog post more widely than I normally do, I think it would be a good idea to get everyone who is reading this level-set on some of the technology here. Your Internet Service Provider, or ISP, is the company that provides you access to the internet. For example, on my smartphone, my ISP is AT&T. In my home, my ISP is Comcast (or Xfinity or whatever they are calling themselves these days). Any time you fire up a web browser and type in a website’s address, two things happen:
- A service on the internet called the “Domain Name Service”, or DNS, turns the human-readable website address into a series of numbers or the “IP address” of that website.
- Your web browser then connects to that IP address and sends all of the communication between your computer and that site through your ISP.
Unless you have done something to go out of your way to change things, that DNS lookup (think of it as looking up a phone number in a phone book) is performed on a server owned by, you guessed it, your ISP. Unless you are using HTTPS for your website address, all of the stuff that the site sends you and that you send the site is completely readable by, you guessed it, your ISP.
So if you are going to http://badthingsidontwantpeopletoknowilookat.com (please tell me that’s not a real website, I’m afraid to type it in) and browsing the content of that site, your ISP knows (and more importantly saves to a database) all of that “traffic”. Therefore, the fact that your ISP is now soon to be legally allowed to sell that information to whomever they want to sell it to (they couldn’t before because of this silly little thing called “privacy law”) is a very big deal.
Now you may say, I’m not doing bad stuff, I have nothing to hide. OK, let’s take a little thought experiment here. Let’s say that you are looking up articles on weight loss and the bad effects of being overweight and reading them. Nothing nefarious there, right? Let’s then say that you have private health insurance – many people do. Well there’s a revenue opportunity for your friendly neighborhood ISP! Sell your web traffic to your insurance company! They’d love to know that you might be overweight. Then, they can charge you more the next time your premiums change.
Far-fetched you say? Perhaps, but I think you get the idea. Privacy is important and, while some folks may take it more seriously than others, bad things can happen if you aren’t legally allowed to protect your privacy. So what can you, as a regular citizen do about this? First, you can contact your congress person and tell them you don’t like what they did. Here’s the list of who voted in favor of passing this legislation. Oh and it also shows how much in campaign contributions they got from the ISP lobbyists. I’ll leave it up to you to connect the dots there.
Now what can you do to make it harder for your ISP to see what you are doing online? Given that all of your internet traffic flows through them, it’s kind of hard, right? Sort of…
First off, install a browser plugin on your laptop or desktop like “HTTPS Everywhere”. This is a little free tool built by the EFF (an organization I really like and support) that forces as many websites as possible to use HTTPS for connectivity. What this means is that, while your ISP still knows you went to a particular web page, they don’t know what it said or what you said to it because all of the data is encrypted. This is the first step in undoing some of this damage. Unfortunately they still know that you went to the site.
Another thing you can do is to install the Tor Browser Bundle. What the heck is that? Well, TOR (the acronym stands for “The Onion Router”) is a technology that routes your web traffic through a series of anonymous computers on the internet so that your ISP doesn’t know where you are heading and the site doesn’t know where you came from. The only downside to TOR is that it is veeeeerrrrrrrryyyyyy sssssslllllloooooowwwww. Also, there is some controversy as to who runs these servers on the Internet and what nefarious things they could be up to. However, it will work in this particular use-case because your ISP won’t know where you went.
Another solution to this problem is to use a piece of technology called a Virtual Private Network (or VPN). This technology opens a connection from your computer to the VPN service provider’s computer and encrypts all of your traffic before it leaves your machine. The VPN service provider then forwards your traffic to its final destination and sends the results back to you. If you used a VPN provider in Dallas TX and your lived in Washington DC, it would look like all of your web traffic originated in Dallas – outside of your ISP’s ability to capture and log.
There are some free ones out there such as proXPN but the free ones generally are slow. You can purchase a monthly VPN service for typically less than $10 per month. You do want to make sure you are working with a reputable company and one who doesn’t log all of your traffic (the problem we are trying to avoid) so choose carefully. I’m a fan of Air VPN but there are others out there who are good as well. A VPN will slow you down somewhat, but it is way faster than trying to use TOR in my experience.
The only problem with everything we have talked about so-far is that it requires that you have flawless operational security (opSec) 100% of the time. The one time you forget to use TOR or fire up your VPN client and your data is now captured by the ISP and can be sold to whomever they want to sell it to. What you really need is something that is always on and more foolproof.
Now you are talking about spending some money. There are privacy protecting routers you can buy on the internet. Are they any good? I don’t know. Are the companies who sell them any good? Beats me. This is the point where I put on my tinfoil hat and suggest a “roll your own” strategy.
What we need is a little computer that sits between your home network and your Internet Service Provider that does all of the encryption, routing, etc. so you don’t have to think about it. I’m a big fan of the PC Engines APU2 single board computer. For about $150, you can put together a completely silent (it is air cooled) 2 or 3 “NIC” (network interface card) router that even has its own WiFi capability. I am a big fan of the OpenBSD operating system because its primary mission is to be secure. The tagline on the website is “only two remote holes in the default install in a heck of a long time”.
This open source project takes its security very seriously. I have a blog post that I wrote almost a year ago talking about how to build one of these little gems and turn it into a router/firewall for your home network. If you start with that, you’ll have something that you can plug between your ISP-supplied cable-modem/router and your home network that will give you some additional security. It is the launching pad for doing ever better stuff as we will see below.
The next step is that pesky DNS lookup. Some folks might tell you to use Google’s DNS service or something like OpenDNS and now your DNS traffic doesn’t go to your ISP. However, we know that Google loves to trade in data so that would probably be “out of the frying pan and into the fire” and OpenDNS is actually owned by Cisco, the largest purveyor of networking equipment in the world – probably not a good place to give that data to either.
This is a job for “DNS Crypt Proxy”!!!! What this wonderful little open source gem does is take all of your DNS lookups and ship them (encrypted of course) to another country to be resolved. It adds a tiny (read un-noticable) amount of overhead and gets that data out of the hands of your ISP. You set this baby up on your APU2 box like I outlined in my blog post above, and your traffic is now significantly more private.
Now, if you want to take it one step further, you can use this wonderful little OpenBSD router you built to route all of your traffic through your VPN all of the time. Here is a great blog post outlining how to do just that. You probably want your VPN traffic to exit in a country that is more privacy friendly than the US or our allies. Do a web search on “fourteen eyes” to understand where you can be more secure. Some other things you can do are outlined in a website I reference frequently. Installing the plugins recommended and switching to Firefox instead of Chrome is just good hygiene.
Finally, think about who you are using for web searches. Don’t use Google if you can avoid it. They are under no compunctions to protect your privacy. Look into a search tool like DuckDuckGo (I know, goofy name but whatever). You can configure your web browser to use that as your search tool by default and they don’t log your searches. Your web searches can tell the world a heck of a lot about you…
So hopefully this gives you some good tips on how to better protect yourself from your own ISP. Wait. What? Oh, you want to know what to do to help yourself with your smartphone. Darn. I was hoping we could skip that part because it’s very hard to do. Oh well, I’ll give it a shot.
One thing you could do is to carry around a big battery for your APU2 box and duct tape that to your APU2 and your cell phone and only use WiFi to access it with a second cell phone taped to the APU2 to route your traffic to the ISP. Hmm, while it would work, probably isn’t the most practical thing around. However, you’d end up with great arm muscles from carrying around the additional weight…
Honestly, the problem with cell phones is that there isn’t a good solution. For the most part on Android, you can’t install 100% of the plugins that I like for Firefox and there is zero way you can do anything like that on iOS. The best you can do is to install an “OpenVPN” client “app” on your phone and use a service like AirVPN to route all of your traffic through the VPN. You are on the hook for remembering to turn it on (because it turns off by itself if you aren’t using it for a period of time). That’s about all I have right now. I’ll probably learn more later so stay tuned if I have any better ideas down the road.
Thanks everyone, hope you enjoyed the read.