Protecting Data Privacy Online
Congress voted to dissolve privacy protections for broadband subscribers in a 50-48 vote on March 28, 2017. The rules would have limited data collection, require user to opt-in to further collection and require ISPs to in-turn be transparent when there is a break or hack of their network.
Friends and family and have asked for advice on what this means to them and how they can protect as much of their privacy by doing as little as possible. This is meant to be Privacy Guide 101 to inform and empower people to take passive aggressive action.
First, the realities:
- ISPs are not selling personal information of individuals to advertising companies. They are selling the ability for advertisers and companies to put targeted ads into your browsing sessions. Source
- Both your home internet service provider and your mobile phone provider will be doing this to different degrees. Adjustments must be made for both.
- The ISP will not just be looking at your browsing activity, but all your installed applications that are making background requests to the internet will also be observed and tracked. It will also capture your IoT devices' activity--Nest thermostats, Samsung TV, Alexa, etc. These devices are only going to create more traffic moving forward and presumably the traffic will be more important.
- ISPs collect a ton of (meta)data on everyone. Source1
- Deleting your browser history won't do one thing.
- I prefer using Electronic Free Frontier (EFF) tools, as they are designed to protect dissidents against nation states. If it's good enough for that...
What you should do in order of priority and technical complexity (steps 2-6 only take 1 minute each). Most people only need to perform steps 1-6:
- Opt-out of your ISP's Customer Proprietary Network Information (CPNI) data collection. It depends on the ISP, but this probably won't stop them from collecting everything, but it might limit how they use the information. I'm skeptical, but it's probably worth the time. Source If it’s not on the list then Google “CPNI data opt-out <ISP name>”.
- Use Chrome as your laptop's browser. I simply recommend Chrome for security rather than privacy. It's the browser that consistently has the least number of bugs and vulnerabilities. Source Chrome is planning to release built-in ad blocking into their regular and mobile editions. Source
- Install "HTTPS Everywhere" as a Chrome extension on your laptop. This will make sure as many of your sessions are encrypted as possible--if a website support HTTPS this will force it to that mode. ISPs won't be able to decrypt and inspect these sessions (hopefully unless they use a beefy proxy, like ours). That means that they won't be able to see what URLs you're going to and what you're searching for. It is free and only needs to be enabled after it is installed. This is an EFF tool. Source They will still know that you go to "google.com", "cnn.com", and "amazon.com" because your laptop makes a DNS request for that domain name, but they won't know what items you're buying.
- Install the "Brave" browser on your cell phones and tablets. Since extensions like HTTPS Everywhere can't be installed on (iOS/Apple) mobile browsers (Chrome, mobile), you still need the same coverage. This browser does that by having HTTPS Everywhere, an ad blocker and tracker blocker built in, it's Fast and free. This is an EFF tool. Search for it in the iOS App Store and look the Lion icon.
- Install a browser extension that blocks trackers. This blocks cookies and beacons from following you from one website to the next. Disconnect is the most popular. I used Ghostery for a long time and enjoyed it, now I use Privacy Badger (EFF tool and I have the badger sticker on my laptop). These are addictive little extensions. These might block parts of the websites, so sometimes you must toggle which items are blocked to see the relevant parts of the web page you are reading.
- Install an ad-blocker on your browser. This will block several ads on the web sites that you visit. It prevents third parties from knowing your location and what you like. It might block some parts of the web page that you're viewing, so there's a trade-off. I think it's well worth it and you can adjust the settings to the level of acceptability you want. This will help both privacy and security--it blocks a normal infection path that some malware uses. The popular one is Adblock Plus, but I now use uBlock Origin (EFF tool). This will still not block Youtube ads since they are enabled using QUIC and can only be blocked by disabling the QUIC protocol in each browser.
- Anonymize your connection with Tor. I do NOT recommend this for most people, nor do I use this myself. It's above VPNs because it is free and easier to set up. You install a Tor browser on your desktop or mobile device and it will tunnel your connections to a Tor exit node. Your ISP can't see really what you are doing. This is good for privacy, but not security. The Tor exit nodes are being monitored by many nation states and some are even run by them, but this is still the preferred technology for a lot of criminals, so if they trust it... Tor is also slow for streaming media. I believe there is a Tor SOCKS5 tunnel agent that will tunnel all of your traffic through it instead of just your browser info. I can't comment on this since I haven't used this.
- Hide your activity with a VPN. Most people do NOT need to do this. These come in the form of agents that are installed on your laptop and mobile phone. They will tunnel your data--browsing and all others--to the VPN concentrator and exit there. The ISP shouldn't see any of your info, even what domain names you're trying to contact (this might vary). There's a lot of disinformation out there about VPNs, but this list of VPNs and their profiles is start, but it's really information overload if you don't know what you're looking for. Try to find one that doesn't keep logs. Use one that isn't free, because if you're not paying, then you are the product--they probably are modifying content in your session. Source I use Private Internet Access (PIA).
- Install a VPN on your home router. This is more complex than everything before. It will insure that all your home's devices' info is private. 99% of home routers don't support this (estimated). I don't even do this, yet.
- Build and run your own DNS resolver. I’ve had one running for a few years and it’s easy if you have the infrastructure. Having this in place will lessen your reliance on your ISP’s (or other) DNS server in real time, otherwise they know which domain names are being browsed. It can be optimized for further privacy if it’s updated in bulk nightly to grab the top 5K domains or so.