logo

Value your privacy? You need a Virtual Private Network (VPN)

Posted on: 2017-09-10

Summary:

This year things have become significantly worse when it comes to privacy on the internet.

Firstly the senate voted to remove protections stopping ISPs (like comcast and verizon) to sell your browsing and app usage history. This is covered here

https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/ https://www.pcmag.com/news/352595/gop-senators-hand-control-of-your-data-to-isps

So whilst in the past your ISP might know what you did on the internet - now it can be sold, and you can assume that the data will now be available to numerous unknown parties. This is not good. It's also not as if you can just choose another ISP who says won't sell which websites you frequent and when.

Moreover although the data is sometimes anonymized - it has been shown through multiple studies that de-anonymizing is typically pretty simple.

https://www.theguardian.com/technology/2017/aug/01/data-browsing-habits-brokers

Apparently in the law change they don't even have to anonymize the data anyway(!)

"Unless the House or President Donald Trump oppose the Senate's action, ISPs will not have to worry about any strong privacy rules getting in the way of using your browsing history for profit. There won’t be any specific rules requiring them to get opt-in consent before sharing browsing history, even if that data is related to just one customer instead of being aggregated with other customers’ data in order to anonymize it."

This is outrageous.

Now the government has asked for the IP addresses of 1.3 million users who have accessed a site critical of the government. On Thursday the District of Colombia Superior Court gave them permission to get the data, with some caveats.

https://www.wsws.org/en/articles/2017/08/26/pers-a26.html

You would think unless there is good reason (and thus a warrant) you would not be able to access a private persons browsing data. In a free society you should be able to visit websites, without the government being able to identify you.

So what to do?

The most simple first thing to do is to make your web interaction default to encryption. You can do this using https everywhere, which is something I talk about more in another post. This will mean the ISPs can't see the contents of the traffic BUT they can still see which websites you visit.

To get a good level of protection though you are going to have to use a Virtual Private Network or VPN. The following article runs over a bunch of the reasoning and issues

https://www.pcmag.com/article/352757/privacy-101-why-you-need-a-vpn

As a quick overview - an ISP (Internet Service Provider) is the company that provides your access to the internet. You buy the service from them, and they act as the carrier of your data to and from the internet. So Comcast is an ISP, so is Verizon if they are the company you pay for your internet service. When you access the internet through your ISP you can think of them as being a super fast electronic 'postal service'. Data that you send and data you recieve is split into little packages called 'packets'. The wires the data passes down are like roads, and the servers at your ISP and throughout the internet are kind of like postal sorting centers.

Ok. Taking this analogy a little further, at the ISPs sorting centers (servers) they can see all of your packets. They can see where they come from (you and your IP address) and where they are going. If you are not using encryption (ie https) they can also see what is in the packets. This would be akin to a postal service, where in the sorting offices the mail is routinely opened and looked into. All of the comings of goings of mail - who it's from and who it's to - is recorded. Now the change in the law means that the ISP can not only use this information itself, but sell it to others.

Obviously if this happened in the real postal service people would be outraged.

You can protect yourself from the ISP from reading the contents of your mail by using encryption (ie https) and you can protect yourself from the ISP recording and selling who you are communicting with and when by using a VPN!

So how does a VPN help? In essence it creates a 'tunnel' which all of your internet packets travel through and that cannot be penetrated by your ISP. The tunnel connects to the VPN providers server and all of your traffic appears on the internet as if from the VPN providers server.

To continue the postal service analogy with a VPN you will still send your packets to the ISPs sorting centers - it's just the envelope is wrapped in another envelope that the ISP can't look inside. The outside envelope has an address - it's just not to the destination, it's to the VPNs sorting center. When the packet gets to the VPN sorting center, they have the 'key' to remove the outer envelope and can then send the packet on to the actual destination written on the inner envelope.

This means two things if you are using the VPN then

This is in principal great. You have gained a significant amount of privacy.

Unfortunately like most things in life it's not quite that simple.

It is now important that you trust your VPN provider. If they are nefarious they could do what the the ISPs are doing or worse. This is unlikely - their business proposition is that you are paying for privacy. BUT it does mean you should be careful who you select as your service provider. Second - just because you can't be identified by your IP address anymore does not mean you cannot be identified. One way to track you is that your web browser sends information about your machine, and the facilities available, and this information can be used as a kind of fingerprint to track you. You can mitigate against these problems if you follow the advice in 'Improving Privacy and Removing Ads' - specifically the Random Agent Spoofer can help.

I will cover in a following article my experiences setting up a VPN. I decided to do so through a router - as this would mean that devices using the router would use the VPN without any changes. That whilst it did deliver on that promise - it did introduce lots of other problems, some resolved and some not. Hopefully the information can help other like minded people to avoid the pitfalls I ran into.