This is what your ISP can see about you

ESET Security Researcher, Cameron Camp

Earlier this year, President Trump signed a bill repealing rules that required your internet service provider (ISP) to get your permission if they wanted to sell your browsing history and information about your data that crosses their network. The reaction against this decision was swift. Opponents of the bill argued that the law bolsters ISP profitability at the expense of user privacy. The Electronic Frontier Foundation said the bill’s authors voted to “strip their constituents of their privacy.”

With so many business applications and consumer services being hosted on the web these days, simply shutting off your ISP service in response to this law is not a viable option, and switching to another ISP can be difficult. So I wanted to demonstrate what your ISP can “see” and, under the new law, use.

Check out the story ESET did on ISP's and privacy with America Public Media’s (APM) Marketplace HERE. (Segment starts at 17:33.)

I built a tiny device called a packet sniffer, named after the “containers” your internet traffic is divided into — packets. It was made from readily available parts and can be attached between your laptop connection and home router to examine the data generated from your use of the device. While we focused on a laptop, a tablet, smartphone or other wired or wireless device works the same.

This tiny device captures the type of data your ISP could access if they choose to (many do). Once your data leaves your house, 100 percent of it goes across their network to the internet, and then comes back across their network to your computer, so they stand in the enviable position of having a single network intersection where all your data (along with that of all the rest of their customers) is visible.

Keep in mind that some of the largest businesses in the world provide “free” products by monetizing your data, so this model is not new or theoretical; it’s just a question of whether they have access to your data.

Here’s the device we used for the test: a commonly available Raspberry Pi computer with an Ethernet adapter plugged into one of its USB ports and a power adapter, which is about the same size as a couple of decks of playing cards stacked together (in the “real” world, this functionality is already built into an ISP's equipment, so they would not be using separate devices like the Raspberry Pi).

Despite its small size, it collects data about everywhere you visit online, your email, chat sessions, podcasts, videos and any other way you interact with the internet, and then copies it all to a remote machine where it can be analyzed further.

Krissy Clark, a senior correspondent for APM's Marketplace, was up for this somewhat invasive experiment. All she had to do was plug the unit in and connect her laptop to one Ethernet port and the other end to the internet. She wouldn’t notice anything else. Her internet connectivity would work exactly the same.

An ISP can view your data in much the same way this packet sniffer does, and you would not notice anything different, which is why few people are aware of the issues. Most people just focus on internet speed, but there’s a lot going on behind the scenes to make it all “just happen.”

(Quick editorial note before we go any further: Krissy, in a brainstorming session, agreed to this experiment and gave us permission to look through the data packets. This was not done surreptitiously, and she was not “hacked” by me or anyone else at ESET. She was a great sport about this rather invasive experiment, and professional — a joy to work with.)

From Krissy’s data, I was able to make a number of observations about what ISPs can “see,” including what articles she accessed about health and childbirth, providing a deeply personal glimpse into her life. I also found she’s been checking into the recent spate of sexual accusations against people like Harvey Weinstein and about reporters being killed while reporting in hostile parts of the world. We saw what podcasts she listened to and could ascertain her likely working hours, and saw lots of details about her household in general, like what kind of browser she used and when she updates her computer. In short, I could begin to paint a deeply personal — and probably very accurate — dossier about her, her family and her work habits. The longer I could watch, the more accurate it would become. For the test, I only analyzed traffic for a few days, but an ISP would be able to analyze for years, or as long as you used them as a service provider. For more about what we found, listen to Krissy on the Marketplace podcast here.

For those concerned about their privacy and who want to take steps to protect themselves from prying eyes, I’d recommend three easy options:

1.    I could really only take a deep look at unencrypted traffic, so encrypt whenever you can. You can make sure your browser has the little lock symbol and https, rather than http, at the front of the web addresses you visit.

2.    You can encrypt your email either natively in your mail client or through third-party add-ons that use things like GPG. Once you set it up, it just works quietly to protect you.

3.    Use a VPN. Virtual private network technology routes all your traffic over an encrypted tunnel to a remote service that then routes it to the internet, all out of view of the ISP. 

All of the tools you need for these steps are either free or very low cost, and you often don’t have to install anything to make them work.

With a little work and some basic tools, you can protect against companies who collect, use and sell your data against your wishes. The main thing is to encrypt. There are widely available tools that seamlessly encrypt your data, making it opaque to an ISP or other prying eyes. Many programs you use likely already encrypt your data in transit, which is a good thing. ISPs can still tell where you went and when (and how long you were there), but not what you did when you were there (aside from inferred information). There are many reputable VPN providers out there as well, so you may want to read up on those as well.

In the end, protecting your data is up to you. That will always be the case, irrespective of the laws that apply in your country. So treat your own data protection like protecting personal property, as it’s often just as sensitive.

Remember, you may choose to visit a website and give them some personal information; that’s your choice. But you can’t opt out of “providing” information to your ISP, unlike any of the other ways in which you interact with the internet. So protect yourself.