The government won’t protect your internet privacy, so here’s how to do it yourself
Harm mitigation in a suddenly less secure internet
The big money of the internet comes from tracking and selling user data to better target ads. Do one search for “power drills” and you’ll be inundated with ads for related products across your whole web experience. Those are targeted ad dollars at work. This is at the core of Facebook and Google’s business models, and for good reason: the amount of money companies spend advertising online is set to outpace money spent on ads on television this year. Internet service providers (ISPs) are eager to get in on the action—once existing privacy protections for users are no longer an obstacle, that is.
Yesterday, by a vote of 215 to 205, the House of Representatives voted to strip privacy safeguards from people who use the internet. The measure already cleared the Senate with a narrow majority, and experts expect that President Trump will sign the bill into law. When he does so, ISPs, the companies that connect people to the internet, will be able to collect and sell information about specific users without their permission.
More specifically, the bill nullifies a set of rules put in place by the FCC. Collectively, the rules—which have been in the works in the works for months and years and are built on prior rulemaking—are newly formalized: The FCC published the final version last December, and most took effect in January, with one part coming into effect this March.
Some of those protections provided by these rules are, technologically speaking, ancient—like extending 1934 privacy requirements originally written for telecommunication companies to also cover broadband internet service. Modern additions deal more explicitly with consumer consent and privacy online. The rules mandate that ISPs do three things: Let customers know about (and opt-in or opt-out of) any sharing of their information; get affirmative consent when offering customers financial incentives in exchange for selling their data; and not offer cheaper service to people on the condition that they surrender privacy rights.
Without these measures in place, ISPs will be freed up to turn user data into a lucrative business—and to do so without the users’ knowledge or consent. Nullifying these rules, after all the time it took to create and implement them, gives companies implicit permission to do exactly what the rules protect against. The Electronic Frontier Foundation, a major online privacy rights organization, describes it succinctly:
This change in rules means ISPs can profit off a captive customer base twice: first, by charging them for the service, and second, by collecting data on what users do online and selling it to a third party.
“I’m concerned about their stewardship of the data,” says Shauna Dillavou, a former member of the D.C. intelligence community and a principle at Security Positive, a Washington, DC-based organization that supports community-based security learning, training, and strategy throughout the US and Canada. “We still have to pay for their service, for the most part, and a lot of the tools you’ll have to use to safeguard your privacy and your security will slow your connection down, so then you have to upgrade your service and pay even more, because ISPs are sucking your data out.”
At the same time, the information an ISP can collect has a lot more depth and specificity than what Google can glean just from searches, or what Facebook can find from stuff users post to the social network. Wider availability of an individual user’s internet footsteps could leave them more-vulnerable to security threats.
“Stealing personal information is much easier if all that data is aggregated,” says Bob Gourley, co-founder of Cognitio Corp, a firm that does security consulting, and former Chief Technology Officer of the Defense Intelligence Agency.
Using advanced tracking tools, artificial intelligence, and botnets, a malicious actor could “learn if an individual is going to be out of town at a certain time,” explains Gourley. Similarly, access to personal-finance and medical information could help would-be criminals commit fraud later on.
“This is a great way to target people,” echoes Dillavou. “It’s your name, it’s your address, it’s got your latitude and longitude attached to your IP address … From a counter-intelligence perspective, that is a gold mine.”
The loss of online privacy could make it a lot easier for criminals to gain the trust of unsuspecting marks and then exploit that trust. The more information criminals can get about a person,” Gourley says, “the easier it is to use social engineering to manipulate them.”
To make matters worse for users, should the bill be signed into law, ISPs will no longer be required to disclose data breaches. That means people could have their information stolen from the company that collected it without their consent, and then not even know that the data theft took place.
“We’ve put the entire responsibility of security on the users,” says Dillavou.
Restoring consumer protections will likely take either legislative or legal action, which means waiting until the next Congress takes office in 2019 at the earliest—or hoping a privacy-relevant case works through the courts before then.
Still, that doesn’t mean individual users are completely powerless to protect their own data. Here are some steps a user can take to secure their privacy:
Use a Virtual Private Network
“The best option is going to be using a VPN, a virtual private network,” says Dillavou. VPNs are tools installed on a user’s device, like a phone or a laptop, that encrypt the traffic from that device, and mask the user’s IP address and online behavior from tracking tools.
VPNs are already a standard security recommendation for anyone working over unsecured WiFi—like what you might find in a coffee shop. But with ISPs now collecting data, and not just routing it, the workaround makes sense for home use as well. (They also come in handy when you’re trying to get TV streaming to work overseas.)
That process isn’t without side-effects. “To run a VPN will slow down your ability to do anything,” says Dillavou, and it won’t work for every site. “You could have really fast connection speeds and wouldn’t miss it so much, but streaming services like Netflix can detect VPN traffic, and they won’t let someone use the service if they’re running a VPN.”
Both Gourley and Dillavou recommend paid VPNs, both for security and the user-friendly experience. Gourley provided “HideMyAss.com as an example of a good VPN he’d examined, in the relatively low-cost range. If a user’s willing to pay for a full year of access at once, the rate is under $7 a month.
Dillavou suggests TunnelBear. The company is Toronto-based, which means it operates under Canadian laws—though just because a VPN provider is in a foreign jurisdiction, it won’t work with the United States if the governments are close. Dillavous highlighted the low cost of TunnelBear as a positive feature, as well as the fact that the service lets a customer use the same VPN login across multiple devices.
A VPN can protect against a third party seeing someone’s traffic, but alone it can’t protect against tracking cookies placed on users by the sites they visit or by ISPs.
Keep Track of Cookies Tracking You
Cookies are the bits of information that let sites remember users within a browser. Supercookies, in comparison, can track users across multiple sites. For now, using supercookies without consent is a major no-no. Last spring, the FCC fined Verizon $1.35 million for using supercookies to track users without their knowledge or consent. With the new changes to FCC rules, companies would be free to track users online with impunity.
“If you use VPN, you will have different IP addresses when you browse internet sites,” says Gourley, “but they will put cookies on your browser to track your session, including supercookies, that now your ISPs are going to be able to use.” As a result, it’s much easier to get a full picture of a user’s actions, even as they navigate from site to site, regardless of whether or not a VPN is in use.
Privacy Badger is a browser extension from the EFF that blocks third-party tracking tools on websites, so it’s one line of defense against tracking and supercookies that Dillavou recommends. Ghostery is another tool for this, through either a browser extension or a mobile browser. And on browsers that offer it, a privacy mode like Private Browsing in Firefox or Incognito Mode in Google Chrome offer a tiny bit of privacy, according to Gourley.
What about Tor?
Tor, or The Onion Router, is a browser that’s has been around for over a decade, and is a regular feature in most security tool roundups.
Tor is free, which is a popular trait, and there’s a bit of clever premise at work: Tor routes traffic through lots of nodes, or intermediate computers that are part of the Tor network, making it unclear where a request started, ultimately delivering a user to the site they wanted to visit. Because it’s been around for so long, Tor is an established target, with security researchers and the FBI spending time cracking it, in part because people used Tor as a way to access illicit online black market Silk Road.
“I wouldn’t recommend using Tor for various reasons. First and foremost, I don’t think it makes a difference if you’re sitting at your house and connecting through Tor, the exit node [your home address] is always an issue, because it does show up,” says Dillavou, “Plus it’s slow. In this situation I think it would just make you look suspicious and slow you down, and it’s not an incredibly reliable tool.”
Extra Credit: Change Your Domain Name Service To Protect Against Malware That Gets Through
When companies collect data on their users, they put that data at risk, whether through their own weak security or because someone with ill intent may buy that information as step one in extracting more information from a target. As a safeguard against this, Gourley recommends users set up their own Domain Name Service, rather than use the one provided by the ISP for the customer. DNS helps the browser translate human-friendly web addresses (like PopSci.com) into computer-readable IP addresses. It’s an essential piece of the internet experience as we know it, but it can be an opportunity for deception. For instance, you could type a specific website into your browser, but the DNS provided by the ISP sends you to a different, and potentially malicious, IP address with no indicator that something might be wrong.
“Consider the example of the old-fashioned phone operator,” Gourley explained through metaphor, “What if you were receiving a call from someone you do not know, and before connecting the operator gets on the line with you and says ‘Based on our historical records, the person calling you has a record of conducting fraud and they are probably going to try to deceive you.’ That would have been a nice feature back in the day.”
If there’s already malicious code on one of your devices, having a different DNS than the one provided by the ISP can prevent that malicious code from communicating back to the person who put it there. Gourley recommends several free tools people can use to configure their own DNS for their home, and some of them even come with straightforward walkthroughs.