Can my ISP see sites I visit?
The FCC wants to help protect privacy when it comes to ISPs. After reading an article about online privacy and ISPs, engineers who understand law and technology think you’re making the wrong assumptions, so the Upturn team tells you and your policy makers that ISPs are actually I want you to know what you can see.
Unless you are paying your bill or having connectivity issues, then you might not give much thought to your Internet service provider (ISP). Do you ever stop to think about what your ISP can actually see and knows about you? Much like Google, your ISP knows pretty much everything about you. And ISPs share your personal information for marketing and other uses.
FCC Chairman Tom Wheeler doesn’t believe consumers really grasp how much personal data they hand over to their ISPs, so the FCC wants ISPs to get their customers’ consent before sharing that data. Wheeler pointed out that all your network traffic goes through your ISP which can see all unencrypted traffic and even “private information such as a chronic medical condition or financial problems” when the data is encrypted.
Some high-profile ISPs were not pleased after the FCC proposed rules (pdf) to give broadband consumers more privacy. To dispute the notion that ISPs are “somehow uniquely positioned in the Internet ecosystem,” AT&T wants you read Georgia Institute of Technology professor Peter Swire’s paper titled “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.”
Although Swire’s paper may be used to assist the FCC as it decides how to handle broadband privacy, the same paper was criticized for technical inaccuracies by Princeton professor Nick Feamster before Feamster revised his statement to say Swire’s paper skips over “important additional facts that should be considered by policymakers.”
Technologists at Upturn, who “understand law and policy,” also believe Swire’s paper could mislead readers into believing what broadband ISPs can see. So the Upturn team provided an “alternate, technically expert assessment” of what ISPs can see; it includes four key technical clarifications.
ISPs can still see the domains that their subscribers visit with HTTPS.
When a site uses HTTPS, the Upturn team explained that “the ISP cannot see URLs and content in an unencrypted form”, but can see and monitor requests sent to the Domain Name System (DNS) . Swire’s article suggests that it “seems impractical and too expensive” for ISPs to collect and use DNS queries, but Upturn claims that ISPs that register DNS are very common “to detect potential infections of malware on users’ devices”; It’s “relatively cheap” and DNS records can be archived for later analysis. Comcast, for example, implements “DNS monitoring features for each subscriber that focus on the security of their network.”
Truly pervasive encryption on the Internet is still a long way off.
Of the 50 most popular websites across the three domains, 86% are health and shopping sites and 90% are unencrypted news sites. Your ISP can see the URL and content of your site on any page. “Many sites have small amounts of data, but personal information is highly confidential,” Upturn wrote. “Even for a short time, it can reveal the user’s online and offline life.”
Sites that use HTTPS may also send browser warnings to users because some parts of the site, such as third-party advertisements, are not encrypted. The second is IoT devices that cannot encrypt all incoming and outgoing traffic. This is a huge amount of data that is completely visible to your ISP.
Encrypted Internet traffic itself can be surprisingly revealing to ISPs.
Upturn cites numerous studies showing how much monitoring an ISP can provide, even if a subscriber’s internet traffic is encrypted. Such “side-channel” monitoring is gaining popularity in countries where the internet is censored.
“If you have encrypted content, your ISP won’t be able to see the URL and detailed content, even if they try,” the Upturn engineers claim, as the Swire documentation says. “by user.
Even when a user browsed an HTTPS connection, the researchers were able to infer “a website user’s health status for personal health and annual household income and investment choices of major financial website users” and “encrypted VoIP call sharing”. reconstruction “.
In general, ISPs may not rely on these methods, but that could definitely change as people start using more encryption. “Policy makers need to have a clear understanding of what ISPs can learn now and in the future,” Upturn wrote.
VPNs are poorly adopted and can provide incomplete protection from ISPs.
Although you can protect your privacy by using a VPN, Swire cited a survey which found a pathetic 16% of users in the US have ever used a VPN; many of those are believed to be business users. Upturn suggested, “Relative to other countries, the rate of VPN use in the US is among the lowest in the world.” The cost of a reliable VPN might be an adoption hurdle. There are free VPN services, but Upturn noted that “subscribers generally get what they pay for.”
Swire maintains that using a VPN blocks an ISP from seeing where you surf and the domains you visit, but Upturn says that’s not always true; a VPN is not a “privacy silver bullet.” It “depends entirely on the user’s VPN configuration – and it would be quite difficult for non-experts to tell whether their configuration is properly tunneling their DNS queries, let alone to know that this is a question that needs to be asked. This is particularly common for Windows users.”
It’s your data and you should care about the FCC’s proposed rules to protect your online privacy from ISPs. I highly recommend reading the Upturn post in full. Oh, and happy Pi Day! If you think about it though, every day is PII day.