Unless you are paying your bill or having connectivity issues, you might not give much thought to your Internet service provider (ISP). Do you ever stop to think about what your ISP can actually see and knows about you? Much like Google, your ISP knows pretty much everything about you. And ISPs share your personal information for marketing and other uses.
FCC Chairman Tom Wheeler doesn’t believe consumers really grasp how much personal data they hand over to their ISPs, so the FCC wants ISPs to get their customers’ consent before sharing that data. Wheeler pointed out that all your network traffic goes through your ISP, which can see all unencrypted traffic and even “private information such as a chronic medical condition or financial problems” when the data is encrypted.
Some high-profile ISPs were not pleased after the FCC proposed rules (pdf) to give broadband consumers more privacy. To dispute the notion that ISPs are “somehow uniquely positioned in the Internet ecosystem,” AT&T wants you to read Georgia Institute of Technology professor Peter Swire’s paper titled “Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others.”
Although Swire’s paper may be used to assist the FCC as it decides how to handle broadband privacy, the same paper was criticized for technical inaccuracies by Princeton professor Nick Feamster before Feamster revised his statement to say Swire’s paper skips over “important additional facts that should be considered by policymakers.”
Technologists at Upturn, who “understand law and policy,” also believe Swire’s paper could mislead readers about what broadband ISPs can see. So the Upturn team provided an “alternate, technically expert assessment” of what ISPs can see; it includes four key technical clarifications.
1. Truly pervasive encryption on the Internet is still a long way off.
Of the 50 most popular websites in three areas, 86% of health and shopping sites and 90% of news sites do not encrypt. ISPs can see the site URLs and content on each page. “Many sites are small in data volume, but high in privacy sensitivity,” Upturn wrote. “They can paint a revealing picture of the user’s online and offline life, even within a short period of time.”
Even a site that uses HTTPS can throw browser warnings at users because some part of the site is not encrypted, such as third-party advertising. Then there are IoT devices that fail to encrypt all traffic sent and received. That’s a lot of data that’s fully visible to your ISP.
2. Even with HTTPS, ISPs can still see the domains that their subscribers visit.
When a site does use HTTPS, the Upturn team explained that an “ISP cannot see the URLs and content in unencrypted form,” but it can see and monitor requests made to the Domain Name System (DNS). Swire’s paper suggests that it “appears to be impractical and cost-prohibitive” for ISPs to collect and use DNS queries, but Upturn argues that ISPs logging DNS is pretty common “to detect potential infections of malicious software on user devices;” it’s “relatively cheap” and your DNS logs can be stored for later analysis. Comcast, for example, deploys “security-focused, per-subscriber DNS monitoring functionality on its network.”
“Detailed analysis of DNS query information on a per-subscriber basis is not only technically feasible and cost-effective, but actually takes place in the field today,” Upturn wrote. If you don’t really grasp the problem, Upturn offered this example of what an ISP could determine about a person based on domains visited over a short period of time:
- [2015/03/09 18:34:44] abortionfacts.com
- [2015/03/09 18:35:23] plannedparenthood.org
- [2015/03/09 18:42:29] dcabortionfund.org
- [2015/03/09 19:02:12] maps.google.com
Now add metadata collected over a longer period of time by an ISP and it “paints a revealing picture about a subscriber’s habits and interests.”
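Why HTTPS does not hide the domain is easiest to see at the byte level. The Python sketch below is an added example, not code from Upturn or the original article: it builds a classic unencrypted DNS query (the kind sent over UDP port 53) and then recovers the queried name from the raw payload, as any device on the path could. The function names and the `.example` hostname are constructed for illustration.

```python
import struct

def build_query(hostname, txid=0x1234):
    """Build a plain DNS A-record query payload (classic UDP port 53 format)."""
    # Header: ID, flags (0x0100 = recursion desired), 1 question, no other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is a length byte followed by its ASCII text, ended by 0x00.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_name(payload):
    """Return the hostname an on-path observer reads from a DNS query payload."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:
        return None  # a response, or a message carrying no question
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:
            break  # root label ends the name
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in query name")
        label = payload[pos + 1 : pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()

if __name__ == "__main__":
    # Constructed sample: the lookup a browser makes before opening an HTTPS page.
    packet = build_query("clinic.example")
    print(packet.hex())           # the name appears as plain ASCII labels
    print(observed_name(packet))  # clinic.example
```

Nothing in the payload is encrypted or authenticated, so the same name is available to the subscriber's resolver and to every hop in between unless the query is carried inside an encrypted tunnel.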
3. Encrypted Internet traffic itself can be surprisingly revealing.
Upturn cites numerous research studies that show how much monitoring an ISP can still pull off even if a subscriber’s Internet traffic is encrypted. Such “side channel” monitoring is a big hit in countries which censor the Internet.
While the Swire paper claims that “[w]ith encrypted content, ISPs cannot see detailed URLs and content even if they try,” Upturn technologists claim, “Web site fingerprinting is a well-known technique that allows an ISP to potentially identify the specific encrypted web page that a user is visiting.”
Even when users surf over HTTPS connections, researchers have been able to successfully infer “the medical condition of users of a personal health web site, and the annual family income and investment choices of users of a leading financial web site,” as well as “reconstruct portions of encrypted VoIP conversations.”
ISPs overall may not rely on those methods, but that can certainly change if people start using encryption more. “Policymakers should have a clear understanding of what’s possible for ISPs to learn, both now and in the future,” Upturn wrote.
4. VPNs are poorly adopted and can provide incomplete protection.
Although you can protect your privacy by using a VPN, Swire cited a survey which found a pathetic 16% of users in the US have ever used a VPN; many of those are believed to be business users. Upturn suggested, “Relative to other countries, the rate of VPN use in the US is among the lowest in the world.” The cost of a reliable VPN might be an adoption hurdle. There are free VPN services, but Upturn noted that “subscribers generally get what they pay for.”
Swire maintains that using a VPN blocks an ISP from seeing where you surf and the domains you visit, but Upturn says that’s not always true; a VPN is not a “privacy silver bullet.” It “depends entirely on the user’s VPN configuration – and it would be quite difficult for non-experts to tell whether their configuration is properly tunneling their DNS queries, let alone to know that this is a question that needs to be asked. This is particularly common for Windows users.”
It’s your data and you should care about the FCC’s proposed rules to protect your online privacy from ISPs. I highly recommend reading the Upturn post in full. Oh, and happy Pi Day! If you think about it though, every day is PII day.