Governance & Risk Management , Privacy , Risk Assessments
With ISP Rule Change, Here Are Ways to Beat Web Tracking
From VPNs to Tor, Tools Can Help Maintain Privacy OnlineThere have always been compelling security arguments to use a virtual private network, better known by its acronym VPN, when connecting to the internet. The case is stronger now following the repeal of a U.S. regulation that forbid ISPs from selling information about individuals' potentially sensitive web activity without their explicit permission (see What's Next? Consumer Privacy After Dismantling of FCC Reg).
See Also: How to Take the Complexity Out of Cybersecurity
As expected, President Donald Trump signed legislation repealing the regulation on April 3, capping off weeks of bitter campaigning against the action by privacy activists and web luminaries, including Tim Berners-Lee, who called the move
"We've seen a significant increase in new accounts since the ISP privacy rules vote in the Senate - roughly double the amount of new accounts, with a few spikes well beyond that.," says Ryan Dochuk, co-founder of TunnelBear, a VPN provider based in Toronto.
VPN services offer encrypted connections from a computer to the VPN's data center. When such a connection is made, ISPs only see encrypted data streams.
Big Data Slurp
The broadband privacy regulation that's been revoked was adopted last October by the Federal Communications Commission, but had not taken effect. The regulation, crafted under the Obama administration, was opposed by the telecommunications industry, which argued that it put ISPs at a big data disadvantage versus other information harvesters, such as Google and Facebook.
In the thin-margin ISP business, selling information about customers is a potentially lucrative revenue stream, but under the privacy regulation, consumers would first have to opt in to give their permission. Now that barrier is erased. Gaining visibility into browsing traffic offers precise ways to deliver targeted ads based on a person's behavior.
Large U.S. ISPs have sought to tamp down the controversy. Comcast says it will not sell - and this is the key word - "individual" web browsing histories, which begs the question if the company will sell browsing histories in aggregate. AT&T claims that the repeal of the regulation has "zero effect on the privacy protections afforded to consumers."
The Electronic Frontier Foundation, a digital rights advocacy group, has warned that lifting the rules opens up IPSs to selling data to marketers, hijacking search engine queries, inserting advertisements into data traffic or pre-installing tracking software on mobile phones. These practices have been seen in the past, the foundation contends.
Defeating Trackers
VPNs have always been a way to shield traffic from some kinds of tracking. They're use is advisable, for example, when connecting to open Wi-Fi hotspots; otherwise, anyone on the same network can collect web activity.
ISPs have been gradually losing visibility into data traffic with the wider adoption of encryption by web-based services. An encrypted connection to a website is designated by "https" in a browser's URL window or a green padlock, which means the service is using a SSL/TLS certificate.
HTTPS connections offer a lot of benefits for web surfers, because any intercepted web traffic is unreadable. And while ISPs don't know what you're doing on a website, they still know what domain you've visited, which could potentially be embarrassing.
ISP Blackout
With a VPN, ISPs are completely blacked out. Of course, it does mean the eggs have been transferred to another basket: The VPN provider will know what websites have been visited. Many VPNs providers say they have "no logging" policies, where browsing histories are not recorded, and selling the information is off the cards.
TorrentFreak, the website that does in-depth coverage of file-sharing, copyright and privacy issues, publishes a guide to VPN providers and their policies. There are some trade-offs with using a VPN: the best and safest providers are usually subscription based.
Also, using a VPN does slow down web browsing. If I connect to a VPN's data center in Norway from Australia, it means that even if I'm going to a website based in Australia, the web browsing traffic is going to take a mighty circuitous route. To reduce that lag, VPN providers try to establish points of presence in many countries so you can connect to one in the same country.
Opera's Built-in VPN
Norway-based Opera may have come up with the best solution: It has integrated a VPN service into its web browser. Opera contracted with SurfEasy, a Canadian company, for the feature. Opera does not have access to the browsing data, it says. It, too, has seen a surge of interest. "The average number of daily, new Opera users in the U.S. has more than doubled since Congress decided to repeal certain internet privacy protections last Tuesday," according to the company's blog.
Another option is using Tor, which is short for the The Onion Router. Tor is a privacy tool that routes encrypted browsing traffic through a network of worldwide servers. Using Tor masks a computer's real IP address, and the web service only sees the IP address of the last Tor node.
Best of all, Tor is free. While it offers strong privacy protections, it's not fast. The encrypted leaps that browsing traffic takes often means frustrating latency. It makes it less practical for all-the-time use but for more targeted browsing where privacy concerns surpass performance needs.