March 30, 2017 · Technical Thoughts & Notes security privacy

What you’re revealing to your ISP, why a VPN isn’t enough, and ways to avoid leaking it

Originally published to Hacker Noon.

There’s a lot of chatter and concern about S.J. Res. 34, a pending resolution that will allow Internet Service Providers (ISPs) to record your activity and then sell that information. From what I have read, most people are focusing on your “web history.” This focus is harmful because there are many additional types of information that can reveal details about you, and you cannot solve this simply by using a VPN.

Even worse, people are out there have invalid conceptions of what data will be available; some are going as far to try and get money from people who are uninformed. That is very wrong. Let’s explore exactly what an ISP will be able to know about you.

To keep terms consistent, I will use the FCC’s term of BIAS (“broadband Internet access service”) to refer to all internet service providers (ISPs).

Why does this matter?

While this article isn’t going to get into the nit and grit of why you should care about your data and privacy, even if you think you have nothing to hide or to be concerned about, it’s important to understand what this resolution will do, if passed. It specifically will dismantle the FCC’s rule “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (81 Fed. Reg. 87274). This set of FCC rules and regulations are more extensive than just protecting your web browsing history, it protects and prevents the recording of several sets of specific information by your BIAS.

What information does the FCC’s Privacy Regulations protect?

The FCC’s regulations protect the following information from being collected without the consent of the customer. A BIAS already has the technical ability to record this information, and could do so with customer consent, but they want to record this information without the customer’s consent. That by itself might make sense if it was purely for the operation of the service, but they explicitly want to sell this information, claiming that doing so will allow them to offer targeted marketing and thereby lower the cost of the service to their customers. While I highly doubt that they’ll ever lower the service cost, it is important to know that it has always been possible for your BIAS to see the information the FCC protected by claiming it was sensitive information. For those who are truly concerned about their privacy, even now these suggestions can help you improve your privacy and protect your data.

These are the categories of information the FCC’s regulations protected:

Let’s break down what this information means

Let’s go through the list above, breaking down what it means and think of ways to protect this information (if possible).

Broadband Service Plans

The FCC regulations stated that the Internet package you get from your provider is sensitive. This is because it reveals information about the quantity, type, and amount of use your home consumes. If you have a higher tier package, you might be more interested in video games, online video streaming services, or want more adult porn advertisements than someone with a lower speed.

This included protecting all types of services: mobile, cable, fiber; whether you are contract, prepaid (monthly); and included protecting the network speed, price, data caps, and data usage/consumption.

Besides changing your Internet provider (see below), there are not a lot of realistic options available. You could (if you don’t have a cap) consume several terabytes of data a month by seeding legal torrents like Ubuntu, CentOS, or become a host for Wikipedia dumps. Doing so will skew this information, hiding your actual usage amounts. Of course, you can also setup your own Hyperboria connection and hope that more services start to support the meshnet.

Geolocation

“Geo-location is information related to the physical or geographical location of a customer or the customer’s device(s), regardless of the particular technological method used to obtain this information.” — Federal Register / Vol. 81, № 232, Section 87282, #65

The FCC claimed that any means of determining your geolocation is considered private, and is not allowed to be recorded or shared without the consent of the customer.

Many devices, including laptops, tablets, and phones have built-in GPS. Your device will not simply report your location to your BIAS, so what is more likely is that they’ll use your home address, or data about your street, town, or region to allow for targeted individual to regional marketing.

You are usually legally required to provide your address to an Internet service provider; as a result, there is little you can do to protect this information. Your only option is to switch providers to a service that cares about you.

MAC Addresses and Other Device Identifiers

The FCC regulations stipulate that collection of device identifiers, of any kind, are protected. Each networking device has at least one MAC address; this is a unique identifier of that device’s networking hardware.

While a MAC address is only revealed during the link layer of networking, depending on your broadband service this may be an issue. If you are connected directly to the Internet or using service provided hardware for your modem or router, then this information can easily be collected.

This, I am happy to say, you can do something about. If you’re using any service provided equipment (e.g. modem or router), you have two options. The first is to stop using the provided hardware entirely. That might help save you money longterm; there is often charge for “Equipment Rental Fee” for the privilege to use their crappy hardware anyway. Instead, buy your own hardware to replace it.

Replacing your service provided hardware depends on your service provider, it may not possible, so the second option that everyone has is to add your own device between your devices and your service provider. Many people already do this by having their own wireless router. Simply be sure that all of your devices connect to it first, this will report only a single MAC address to your BIAS, one that will show itself to only be a gateway device of some kind, keeping the actual devices you use private.

A third option, that doesn’t require buying hardware, would be to use a MAC address spoofer to have your devices lie about their MAC addresses. This can lead to a lot of complications and difficulties, but for those advanced users who want to protect themselves, it is available.

The use of a VPN would not protect you from revealing this information.

IP Addresses and Domain Name Information — Domain Names

While the FCC bucketed this category as “IP Addresses and Domain Name Information”, we will look at these as two separate issues because we can solve for them differently. Let us first look at the Domain Name Information. The FCC had this to say:

“We also conclude that information about the domain names visited by a customer constitute CPNI [Customer Proprietary Network Information] in the broadband context.”

A domain name is simply the name of a website that is human-readable, something like “fcc.gov”, “medium.com”, or “google.com”. These are simple for us humans to read and understand — for a computer, however, they need to be translated into an address that can be routed to. For this, computers use DNS or the “Domain Name System.” Simply, someone buys a domain they’d like to use, and they point it to the server they’d like computers to talk with whenever that domain is requested.

Your BIAS provides your default DNS provider as well, and the FCC was careful to ensure that they protected you regardless of the DNS provider you used:

“Whether or not the customer uses the BIAS [Broadband Internet Access Service] provider’s in-house DNS lookup service is irrelevant to whether domain names satisfy the statutory definition of CPNI.”

Your DNS provider is essentially the database you request when your computer needs to know the IP address a domain points to. This is necessary because there are too many domains and the IP address that a domain points to updates too frequently to have this entire database available locally on your computer. While your BIAS provides your default DNS, you can easily swap the DNS provider. Many good, free alternatives exist. Google Public DNS and Cisco OpenDNS are two very popular alternatives.

However, your use of an alternative DNS provider does not protect you! Back in the day DNS was first developed, the focus was on getting this little thing known as the Internet working before the focus of privacy and security was even raised. So DNS is not encrypted or secure. Even using an alternative DNS provider, your BIAS is able to track the domains that you are looking up, thereby revealing the domains you are requesting. This happens even if you are visiting secured web pages using HTTPS.

You have a few options here, the easiest available to most is to use DNSCrypt, which has clients for most devices and is very easy to setup and use. Other possibilities may include DNSSEC, DNSCurve, and DANE.

Whether or not you use a VPN, your DNS requests may not be encrypted by your VPN client, or you might end up using your BIAS’ as the DNS provider, so swapping DNS providers and encrypting your DNS requests is always beneficial.

IP Addresses and Domain Name Information — IP Addresses

We now enter the more difficult of the two issues bucketed together by the FCC, the IP addresses you are requesting. Domain names translate directly into IP addresses, so after your computer has (hopefully securely) determined the IP address it needs to connect with, your computer needs to make the request to that IP address. The FCC did protect you here:

“We conclude that source and destination IP addresses constitute CPNI in the broadband context because they relate to the destination, technical configuration, and/or location of a telecommunications service.”

This protection would go away; now your BIAS can easily record the IP address you are requesting. At the same time, the destination address you are connecting with can see your source IP (your home’s unique IP address). An IP address alone tells a service a lot about you. If it’s unique enough, it may reveal exactly who you are, but it always reveals your BIAS/ISP and your geographic region.

This has long posed a major privacy concern to many people and there are many services such as Private Internet Access which provide a means to protect you from leaking this sensitive information. The most popular means is a VPN.

A VPN, or “Virtual Private Network,” keeps your home’s IP address protected while also encrypting and securing all your requests so that your BIAS cannot determine the true destination of your requests. Only the VPN provider will now be able to link your originating home’s IP with the true destination IP. For that reason, many of the more privacy-concerned VPN providers do not record any information.

Most VPNs protect you by implementing IPSec or a similar protocol, which is a protocol designed to encrypt all connections at a lower-level of the request, so that your applications do not need to be aware their requests are being hijacked and routed through a VPN. This makes using a VPN extremely easy. Some client software include additional privacy, security, and bandwidth saving features such as malware protection, ad & tracker blocking, and compression. A few offer real-time image and video compression to save your even more bandwidth, which can be extremely useful for mobile devices or specific geographic regions.

So this can be easily solved for! To prevent your BIAS from seeing the IP addresses you are visiting and the destination server from seeing your source IP, start using a VPN.

You can setup your own VPN, but it requires knowledge of setting up servers and running commands. For most you can search for and find a VPN provider easily. Just be careful to find one that does not log your traffic and one that is large have enough bandwidth that your traffic is not extremely slow. I personally use Private Internet Access. I’ve been using them for several years, however, there are other options out there.

Why is a proxy not an option? While you get very similar results while using a proxy as you do when using a VPN, the downside is that a proxy generally does not encrypt your connections. This means that the destination might not be able to see your source (your home’s) IP address, but your BIAS can certainly see all your traffic still. Some proxies, like HTTPS proxies, can encrypt connections, but they only support encrypting your web traffic. This means that it is not easy to configure a system-wide proxy (although apps like Proxifier do exist for that). As a result of using only a proxy, much of your computer’s traffic will not be encrypted, secured, or kept private.

Why is Tor not an option? Tor is actually a good option, but it is a limiting one. While Tor may be private, it is generally not used for the entire system, so many apps, just like when using a proxy, will still reveal information. Tor is also not great when making insecure connections (like HTTP vs. HTTPS), as it means many people along the way can both see and change the data being transmitted. Tor is decent to use when in a pinch, but it’s not going to solve all the problems.

Without the use of a VPN, you cannot hide all of the IP addresses you are requesting from a BIAS (although a secure proxy and Tor can hide some). Once the IP address you are requesting is known, it is a simple matter of doing a reverse DNS lookup on the IP addresses to get an idea of the websites you are visiting. If the connection is secure and encrypted, they’ll still know the website you are loading, but not the page or data being sent or received.

Traffic Statistics

Traffic statistics cover a range of information, including the destinations being requested (which I mentioned above, you can hide with the use of a VPN), but also including the amount of data consumed broken up either by month, by day, time of day, and including the size of data and packets.

Even when using a VPN, the amount of traffic consumed can reveal information about your habits. However, the size of packets by connection can also reveal details like whether you are streaming a video, downloading large files, or browsing the web. While you might be able to hide the specific video being watched, file being downloaded, or website you are visiting; you cannot hide this information from BIAS providers.

The FCC protects mobile services from selling your call history, including the number you spoke with, the duration, and time the call was placed or received. The FCC similarly protected our Internet habits, but you will lose this protection and regardless of the use of a VPN a BIAS can determine valuable information from the way you use our connection.

This again is another point where our only option is to switch providers to one that protects our data.

Port Information

A port is a number that helps both the sender and the receiver of a connection request know what service is being requested. This, alongside the IP address of a request, is protected by the use of a VPN. Without the protection of a VPN, even now, each connection your computer makes has a port associated with it that reveals information about your habits. This happens even if you are connecting to secured websites. There is a list of popular ports used by applications on Wikipedia.

Your BIAS can view this port, to know the type of application you are using, determining information about your habits. Such as traffic on port 80 or 443 reveal you are browsing the web, or traffic on port 6881–6887 reveal you are using a BitTorrent client. Securing yourself with a VPN protects this information from being revealed to your BIAS.

Application Header

We’re now getting into a category of tracking that should truly worry all people. The FCC defined Application Header as:

“The application will usually append one or more headers to the payload; these headers contain information about the application payload that the application is sending or requesting. For example, in web browsing, the Uniform Resource Locator (URL) of a Web page constitutes application header information. In a conversation via email, instant message, or video chat, an application header may disclose the parties to the conversation.”

The FCC was exactly right. Many requests reveal a lot of information in those connection headers, including the domain you are requesting, the page being requested, the application you are using (i.e. web browser you are using), and request headers like the search terms you are requesting. Now, many web servers are encrypted using TLS/SSL (HTTPS), so for any encrypted connection, none of this information is revealed to anyone except the destination server.

This is also true when using a VPN. Even when using a VPN, any insecure connection is still going to be visible to the VPN provider. Whenever you make an insecure connection, there is exposed risk of a MITM attack (“man in the middle”). A MITM attack allows anyone between your computer and the destination to change the request or response, without either party being able to tell it was changed. This has been a security risk for a very long time and is why there are movements like Let’s Encrypt making it easier for website providers to encrypt their traffic supported by major services like Mozilla.

To protect yourself, you should always use encrypted connections when they are available. I strongly recommend the use of HTTPS Everywhere, a browser extension that works with Chrome, Firefox, and Opera to automatically reroute your request to be secure when a website supports encrypted connections.

I use HTTPS Everywhere with the additional feature to “Block all unencrypted requests” enabled. Doing this poses a noticeable impact on the usability of the Internet, but it protects me. Services such as eBay.com do not support whole-site encryption, as a result, whenever you browse ebay.com the searches you perform and products you look at are revealed to your BIAS. That is unacceptable to me and I refuse to use eBay again until they fix this major flaw to their users privacy. Many other similar situations exist, but all the good websites out there support full encryption. For the most part, blocking all insecure requests does not affect my usage of the Internet. (Although, I wish Amazon’s short urls http://a.co/… supported HTTPS, because when people share a link to an Amazon Product, I now don’t have a way to hide the product I am about to view).

Application Usage

A BIAS still might be able to determine the applications you’re using to generate connections, regardless of you using a VPN. Due to the variety of ways a BIAS can collect information about you, it is possible to use heuristics and machine learning to determine this information. The applications used, such as your web browser (e.g. Chrome, Firefox, Opera), messaging, email, music/video streaming, or torrent applications all generate traffic. They do so in unique ways and have unique characteristics that make it possible (if difficult) to determine even when you use an encrypted secure connection.

To truly hide this information, your best chance is to use a VPN with a client that supports good encryption.

Beyond just the application you use, many services are unique enough that with a VPN and encrypted connection it is possible for your BIAS to determine specific habits. Specifically, streaming technologies from unique services like YouTube, Netflix, Spotify, and many video games are optimized enough (to save bandwidth) that their unique patterns of requests can be determined even through the encryption. While your BIAS might not see the specific video being watched, they can determine the service, time of day, and size of requests to get an idea of the kind of videos you are watching. You cannot protect yourself from this data gathering, without the regulations the FCC put in place.

Application Payload

Every connection has two parts key parts, the headers (discussed above in “Application Headers”) and the payload. While the headers reveal information about the pages and metadata about the clients being used, the payload is the actual content of a request. This is the HTML content of a web page, that makeup the body and text you see. It is also the content of every image, video, and file requested or downloaded.

Similar to protecting your Application Headers, any secure connection protects this information from being revealed. The use of a VPN can help hide more details from your BIAS, but you should always prefer the use of a secure connection over an insecure one, so install HTTPS Everywhere.

Customer Premises Equipment and Device Information

I’ve touched on this in the “MAC Addresses and Other Device Identifiers” section, that hardware provided by your BIAS is suspect and should be untrusted. However, the FCC specifically claimed that the hardware they provide should be protected. This means that the model of the devices they provide cannot be sold, as that might reveal the service, package, or capabilities of your service. They protect this specifically because the FCC similarly protects customer of mobile/wireless service providers by not allowing mobile services to sell information about the mobile devices being used, such as the mobile of cell phone you use. While your mobile service knows that information, they cannot reveal or sell it to others. The FCC wanted to protect us similarly, even if the hardware was provided by the BIAS.

While you cannot protect yourself from this data being collected, you can make the information they have less meaningful. Even if you are forced to use provided hardware (e.g. router, modem), you can often adjust its settings to lock it down, disable shared wireless signals. Or, even better, add your own hardware to the mix, as to not reveal anything about your home’s actual devices such as their MAC addresses.

Takeaways

I realize this is a lengthy article, but it is necessary to see how much information is truly at risk, and while you can do a lot to protect yourself, you are not in control of much of the data that is going to be collected and sold about us.

For those who want to do all they can, the list is this:

  1. Switch providers (see below) if at all possible, to one that will not sell your data.
  2. Use a VPN to protect and encrypt your traffic from your BIAS and to hide your source (your home’s) IP address from others.
  3. Enable DNS security, use DNSCrypt or DNSSEC and change your DNS provider.
  4. Use HTTPS as much as possible, install HTTPS Everywhere.
  5. Be sure to use a device you control as your Internet gateway, so none of the device’s unique identities can be revealed. Setup your own wireless network and replace any provided hardware if possible.

If you take these precautions, this is the kind of information your BIAS will be able to know and sell about you:

  1. Your Internet plan, including price, speeds, and data caps.
  2. Your Internet usage, including data consumption, and times of days you use it.
  3. Your geolocation (down to your address).
  4. The manufacturer of your gateway/router device (possibly).
  5. Potentially be capable of identifying the services you use for video or music streaming, or that you play video games.
  6. Without a secure VPN, the IP address (and domains through a reverse DNS lookup) you communicate with.

For those with misconceptions, I am not trying to downplay the severity or the damage that removing these regulations will have on the privacy of American people. I do want to make it clear that anyone who believes your BIAS will have unlimited access to your traffic is mistaken, and any information being sold by a BIAS will not be a list of all of the websites you visit unless you allow them to have that information.

Talk to your representatives and support eff.org which works to help improve our right to privacy.

Switching Internet Providers

Since I mention it as a possible solution many times, I thought I’d share some notes on your options for switching service providers.

For broadband services

For broadband use, switch to a local provider rather than using a big provider such as Comcast or Verizon. While that is difficult in many regions of American, some regional services might exist in the form of a DSL provider, or in specific regions, you might have local companies you can support.

Additionally, consider joining a Hyperboria community near you (or starting one) or trying out other similar means to decentralize the Internet a bit like ZeroNet.

For mobile services

Worth mentioning is mobile services as well, including your cell phone service provider. Many providers such as Google Project Fi, Ting, Charge.co, and others care about their customer’s privacy and protect it.

FAQ 1: What if I cannot use a VPN

I’m just going to address this concern now, as I know it will be mentioned a lot. There are many downsides to using a VPN, primarily, that it slows your network speeds and may cost you money for the additional services and bandwidth.

For those who cannot use a VPN and who cannot switch BIAS providers to one that protects your privacy, I understand this. For myself, I don’t particularly care if my BIAS wants to see I am accessing google.com or reddit.com; as long as they cannot read my search terms, emails, and the specific posts, news, and comments I am reading.

In cases like this, be sure to use encrypted DNS (DNSCrypt) and only use secure connections (HTTPS Everywhere) and protect what you can. Reverse DNS is not 100% accurate, so your BIAS will still not always be able to determine the websites you visit by IP address alone.

Otherwise, Tor and HTTPS Proxies are available to at least protect your web browsing habits.

Hacker Noon is how hackers start their afternoons. We’re a part of the @AMIfamily. We are now accepting submissions and happy to discuss advertising & sponsorship opportunities.
To learn more, read our about page, like/message us on Facebook, or simply, tweet/DM @HackerNoon.
If you enjoyed this story, we recommend reading our latest tech stories and trending tech stories. Until next time, don’t take the realities of the world for granted!