Tuesday, March 28, 2017

Are You Being Spied On by Your ISP?

IMHO, Leo Notenboom is up there amongst the best tech writers in the IT education industry.  Beyond just clearly communicating the technical stuff, his writing style is as close to Strunk and White (google them) as I've seen.  

I could just point to this article by a link, but I am teaching a security course this term, so I want to make this particular article readily available to my students.  So, with appropriate citation, here is a really great article on overall security of your stuff on the internet.  Especially read the VPN information.  

Note that he really doesn't mention that your VPNed data really isn't secure unless the VPN server is the "end point" of your communication.  For example, for work you might communicate via VPN.  The object of your communication is a server in your company and it is the end point for your VPN.  So your message is encrypted all the way to the end point and it is up to your company to preserve your security.  If you are using a public VPN and your target end point is not the VPN server, then your message can end up unencrypted when it leaves the VPN.  Better use a completely private server, either set up by you (that's fun) or one of the many companies that have popped up to provide end-to-end security.  Note that, normally Google Drive and iCloud would fit the bill, except they are big companies that could have generic filters set up around the encryption step.  I really don't think us run-of-the-mill users have to worry about that.  So use, for example,Google Drive or sign up for Google GSuite for an even more secure environment ($5/mo or about $50/yr).   (Be sure you've encrypted your own computer, which is both a source and repository for your documents.  Use Window's free BitLocker or Apple free Filevault to do this.  Your smart devices should also be encrypted with their bundled encryption software.)


Newsletter FAQ & administration

The Ask Leo! Newsletter - Be sure to allow image display for the best viewing

How Do I Protect Myself from My ISP?

I know you'll think I'm nuts, but I'm absolutely convinced my ISP is snooping on what I do and reporting it to the government. I know you said my ISP can see everything
, but … how do I stop them?
This is a composite question crafted from the many variations on the theme that, over the years, keep coming from time to time.
While I don't actually think people are nuts, I do think that 99% of the time, they are mistaken, misled, or misinformed.
The 1%, however, can be all too real for some people.

Your ISP really doesn't care

For at least 99% of internet users: your ISP doesn't care what you do, where you go, or what you use their connection for. You and I just aren't that interesting. No one is watching you. No one is monitoring your online behavior. No one is updating your "permanent record" with your digital exploits.
If you look carefully at the terms of service you probably agreed to when you established your internet connectivity, you'll probably see there are a couple of things your ISP does care about – the most blatant being excessive use for whatever account type you have. So, in that sense, they might be keeping loose track of how many bytes you upload or download over some period of time. If you exceed some threshold, they might tap you on the shoulder and ask you to slow down, or pay more, or in the worse case, find a different ISP. Or they might just slow your connection.
But chances are they're not looking at what you're doing – just keeping an eye on how much.
Your ISP may also respond to complaints about your usage, some of which we'll see next, but it's not something they proactively look for. They have better things to do with their time and resources.

When your ISP does care

There are some things an ISP might choose to care about – either on their own, in response to complaints, or at the request of others.
  • Large media companies might ask your ISP to track large downloads to identify people downloading copyrighted material.
  • If they suspect you are involved in some kind of criminal activity, law enforcement agencies might ask – or even require – your ISP to track your activity.
  • Overly oppressive governments might require ISPs to monitor the actions of their citizens more actively.
Of course, your employer can certainly monitor your usage of the connections they provide for a variety of reasons, as can public or private institutions like libraries, internet cafés, or others.
Perhaps more realistically, since anyone who provides your connection to the internet is your ISPyour landlord
, the hotel's IT "department"
, or the stranger in the corner at a coffee shop with Wi-Fi
 could all just be nosy, for whatever reason.

Then what?

Option 1: Choose a different ISP

The first, knee-jerk reaction is that if you don't trust your ISP, find another ISP.
In some cases, that's simply not practical. In areas that have a monopoly provider, you might only have one choice.
Switching may also not be practical. Often, when there are alternate providers, the cost, performance, or service differential is high. You might find yourself an ISP you can trust, only to find their offerings come with significantly slower speeds or reliability.
Switching may also not be cost effective. Only you can determine the relative priority of the threat versus the potential of increased costs incurred by choosing a different provider.
In a home or business environment, the options typically boil down to cable, telephone/DSL, or wireless. You'll need to take into account the different cost/performance/service tradeoffs of each.
Of course, all this assumes you can find service from an ISP that you would trust any more than the one you currently have. If you can, and they meet your needs, this option can be the simplest in the long run.

Option 2: Use a VPN

The classic solution for protecting yourself over an untrusted connection of any sort is to use a VPN, or Virtual Private Network.
When using a VPN, your device creates an encrypted connection to that VPN's servers, and all of your internet traffic is routed through that connection. All your ISP sees is that you've connected to a remote server using an encrypted protocol; it cannot see what actually transpires over that connection.
This makes a VPN a perfect solution for travelers who regularly use otherwise untrusted connections, such as those in airports, hotels, and coffee shops.
It also means a VPN is a potential solution for any untrusted connection, even if that untrusted connection is your home internet, as provided by your ISP.
VPNs are not without issues, however.

The cost of a VPN

Using a VPN typically involves two types of costs: monetary and performance – and these two costs are often at odds.
There are free VPN services out there, but they often have poor performance. Spending money to purchase a VPN subscription typically means you'll get better service and speeds.
This ends up becoming important because when using a VPN, you're adding an additional layer of complexity to everything being communicated over your internet connection. The data itself is "wrapped" in a layer of encryption, and it's all routed through extra servers run by the VPN. While slower speeds are perhaps tolerable periodically while traveling, if you're constantly using a VPN at home, you probably want it to impact your experience as little as possible.

The privacy of a VPN

One thing many people overlook is that when using a VPN, in a very real sense that VPN becomes your ISP. While the ISP can no longer see everything you do, the VPN service can. All of your internet activity is routed through their servers.
Therefore, it's important to select a VPN provider you trust – presumably more than you trust your ISP.

What your ISP can still see

There's one important thing your ISP can most definitely see that there's simply no practical way around: your ISP can see that you're using a VPN. In fact, they can probably see which VPN service you're using.
Indeed, some governments have gone so far as to outlaw VPN connections, or to block as many VPN providers as they can keep track of, to prevent you from bypassing their mandated monitoring.

Option 3: Don't use your ISP

This is the most cumbersome and perhaps even impractical option. In a way, it's really the same as option #1, but with more legwork.
If you can't get an alternate ISP for your location, and using a VPN isn't an appropriate approach for you, then the only real solution is to go elsewhere. By that, I mean when you want to use the internet, take a laptop to a location with an ISP you can trust.
What that might be, I can't tell you. It could be the coffee shop or library down the street – but then you'd probably want that VPN. It could be a friend's house, or your place of work – again, as long as their ISPs are more trustworthy to you.
But if you can't "fix" or bypass the internet connection at home, and you can't trust it, then you shouldn't use it… at least not for anything you consider sensitive.

Postscript: I'm soaking in it

I trust my ISP. I trust that my ISP cares little about me, as long as I pay my bills and cause them no problems. As a result, while I have a subscription to a VPN service (TunnelBear
), I don't regularly use it at home.

I decided to try it out while researching and writing this article, so I enabled the VPN here on my desktop at home. I confirmed (via my own "what's my IP address
" page) that my IP address had changed, and that I was indeed connecting to the internet from a different location – New York, it would appear, as opposed to my ISP's normal point of presence here in Washington State.

Everything kept working, albeit ever so slightly more slowly. My web browsing continued; my remote server connections disconnected when the change was made, but quickly reconnected and continued to work; Dropbox, OneDrive, and Google Drive1 all reconnected and kept on synchronizing.
Running everything through a VPN is possible, but as I said, it's unlikely you actually need to; and which one to trust is also going to be a function of your specific situation as well.
Related Links & Comments: How Do I Protect Myself from My ISP?

https://askleo.com/26881

No comments:

Post a Comment

Printfriendly

Print Friendly and PDF