For those of you who’ve forgotten, on March 28, 2017 the United States House of Representatives voted in favor of overturning a FCC provision that required Internet Service Providers to uphold the privacy of their users. A week earlier, the Senate had already passed the measure in a vote.
Before the bill can become law it still needs to be signed by President Trump.
In the wake of Congress’ vote to repeal FCC rules limiting ISP sharing of your browsing info, should you VPN? https://t.co/yEGshwjGWW
— briankrebs (@briankrebs) March 30, 2017
The bill aims to overturn a rule put in place by the FCC only six months earlier and is intended to manifest long standing policy practices by American Internet Service Providers.
While in practice having little effect on how ISPs handle sensitive information, it once again highlights how few protections there are against personal data being collected for commercial gain, and how much consumer expectations differ from reality.
Even the FCC rules adopted in October 2016, which had not yet come into force, only make a vague distinction between sensitive and nonsensitive data. Sensitive data, including social security numbers, financial information, location or browsing history can only be used or shared after explicit consent of the customer.
Other data, such as email addresses and service-tier information can be used and shared unless a user explicitly opts out.
Implicitly, all information can be collected, stored and analyzed, even just for the purpose of identifying whether information is sensitive or not.
What about privacy?
Users are, as the intense outcry on social media demonstrates, uncomfortable about their Internet Service Provider sniffing through their browsing history. But as far as Internet Service Providers go, they have little choice.
About 30 percent of American households have only one or no option in broadband service providers, while 67 percent have two options, or less.
There are many reasons why the home broadband market in the United States is not supplying the kind of choice and variety consumers are used to elsewhere.
In a more efficient market consumers could opt for the privacy model they see fit for themselves, for example by connecting through privacy conscious companies that are able to build a reputation not to throttle speeds, read through data or sell personal information.
Proxies as alternative
Those who consider their privacy highly valuable can immediately start using a proxy network to hide their data from their ISP.
Two solutions stick out, private, commercial virtual private networks (VPNs) and the Tor Network. Both offer drastically different security, privacy and performance trade-offs.
This is very bad and everyone needs to start using a VPN. I say that at someone who doesn’t know how to do this. https://t.co/XswoAXZPgR
— Jon Lovett (@jonlovett) March 28, 2017
The Tor network comes closest in providing anonymity, separating the user from the site they are visiting in a way that protects both from finding out each other’s location.
As far as ISPs are concerned, they have no way of telling what content their users are browsing, even if they were to collude with other internet service providers or government agencies.
ISPs are able to detect that users are on the Tor network, but as long as all traffic is sent through Tor, this information appears to be of little value.
VPNs are virtual ISPs
VPN networks are much faster than the Tor network, and without much configuration encrypt all traffic by default, away from the prying eyes of the ISP. VPNs run in the background, and the user does not need to get accustomed to a new browser or unexpected behavior of web pages.
Unlike Tor however, VPN networks are trusted networks. Most applications are not open-source, and from a purely technical standpoint, a VPN is not much different from a Virtual ISP, which could inspect your data, store personal information or inject ads.
While the sheer number of available VPN apps can be overwhelming, and despite fear of many VPN applications being malicious, it is not difficult to find a trustworthy VPN.
So what can you do? One option is to find and use a trusted VPN (likely paid) – this prevents your ISP from seeing any of that data.
— Sarah Jamie Lewis (@SarahJamieLewis) March 29, 2017
- Paid service
- No outlandish claims, but nuanced and credible advice
- Clear logging policy that explains which data is collected, and why
- A well made and bug-free website and application
Additionally it’s nice to have:
- Bitcoin payments
- OpenVPN config files
There are plenty of signs through which people can judge a good VPN provider. While it is true that users are unable to look behind the curtains and observe what data a VPN really keeps, a VPN that is outspoken about not keeping logs is putting its reputation, and business model, on the line.
A business built on the promise of privacy is already magnitudes more preferable than a business that is openly selling your data.
A VPN provider lying about the data they keep and use will get caught. They might inadvertently get outed by someone buying their data, or by a journalist posing as a potential buyer. A VPN might be subpoenaed for customer data, and from court records it will be visible what data was available. Users might also complain about receiving notices or indictments for things they did while using the VPN, a clear sign that data was collected by the VPN company.
There is a good market for VPN services
Unlike for ISPs, users have a broad choice between dozens of trusted, competent and privacy conscious VPN companies. A VPN company can make its services available globally, rather than being restricted by licensing or geographic constraints.
The user can freely switch between VPN services, subscribe to multiple services at once or even run their own in a jurisdiction or data center they trust the most.
This competition is essentially what keeps VPN providers in check. As long as a lively and competitive market exists for VPN services, users are better off connecting to a VPN service, for example by setting up their routers, than solely trusting their ISP.
This does however come at a cost, and as ISPs find it increasingly difficult to monetize user data they might be tempted to further raise prices.
Long term solutions
In the long run, encrypting browser sessions end-to-end and making sure markets for ISPs remain competitive seem the most viable long term solutions.
Technologies like HTTPS are readily available and cheap and easy to deploy by website administrators. While adoption is rapidly increasing, many large sites still don’t offer it, and instead transmit sensitive data unencrypted.
Browser extensions like HTTPS Everywhere help users where HTTPS is available, but for many sites contacting administrators and insisting on secure connections is the only option.