Thanks to our US Senate & House’s decision, Internet Service Providers (ISPs) can sell your entire web browsing history to literally anyone without your permission. The only rules that prevented this are all being repealed, and won’t be reinstated any time soon (it would take an act of Congress).
You might be wondering: Who benefits from repealing these rules? Other than those monopoly ISPs that control America’s “last mile” of internet cables and cell towers?
No one. No one else benefits in any way. Our privacy (and our nation’s security) have been diminished so a few mega-corporations can make a little extra cash.
So what kind of messed-up things can ISPs now legally do with our data?
According to the Electronic Frontier Foundation, there are at least five creepy things the FCC regulations would have made illegal. But thanks to the Senate, ISPs can now continue doing these things as much as they want, and it will probably be years before we can do anything to stop them.
- Sell your browsing history to basically any corporation or government that wants to buy it
- Hijack your searches and share them with third parties
- Monitor all your traffic by injecting their own malware-filled ads into the websites you visit
- Stuff undetectable, un-deletable tracking cookies into all of your non-encrypted traffic
- Pre-install software on phones that will monitor all traffic — even HTTPS traffic — before it gets encrypted. AT&T, Sprint, and T-Mobile have already done this with some Android phones.
Step 1: enable HTTPS Everywhere
As I mentioned, ISPs can work around HTTPS if they are able to factory-install spyware on your phone’s operating system. As long as you can avoid buying those models of phones, HTTPS will give you a huge amount of additional protection.
HTTPS works by encrypting traffic between destination websites and your device by using the secure TLS protocol.
The problem is that, as of 2017, only about 10% of websites have enabled HTTPS, and even many of those websites haven’t properly configured their systems to disallow insecure non-HTTPS traffic (even though it’s free and easy to do using Let’s Encrypt).
This is where the EFF’s HTTPS Everywhere extension comes in handy. It will make these websites default to HTTPS, and will alert you if you try to access a site that isn’t HTTPS. It’s free and you can install it here.
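To make "properly configured to disallow non-HTTPS traffic" concrete, here is an added example (not from the original article) that audits the responses a site returns over http:// and https://. The sample responses are constructed, and the function name and the 180-day HSTS threshold are assumptions chosen for illustration.

```python
import re

def audit_https_enforcement(http_status, http_headers, https_headers,
                            min_age=15552000):  # 180 days, an assumed threshold
    """Return a list of findings; an empty list means plain HTTP is disallowed.

    http_status / http_headers: response to the plain-HTTP request.
    https_headers: response headers from the HTTPS request.
    """
    findings = []
    http = {k.lower(): v for k, v in http_headers.items()}
    https = {k.lower(): v for k, v in https_headers.items()}

    # 1. A plain-HTTP request must be redirected to an https:// URL.
    if http_status not in (301, 302, 307, 308):
        findings.append("plain HTTP is served instead of redirected")
    elif not http.get("location", "").lower().startswith("https://"):
        findings.append("redirect does not point to an https:// URL")

    # 2. The HTTPS response should pin the browser to HTTPS via HSTS.
    hsts = https.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on HTTPS response")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) < min_age:
            findings.append("HSTS max-age missing or below %d seconds" % min_age)

    # 3. Browsers ignore HSTS delivered over plain HTTP, so it protects nothing.
    if "strict-transport-security" in http:
        findings.append("HSTS sent over plain HTTP is ignored by browsers")
    return findings

# Constructed sample responses: (http status, http headers, https headers).
GOOD = (301, {"Location": "https://example.org/"},
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
SHORT = (301, {"Location": "https://example.org/"},
         {"Strict-Transport-Security": "max-age=300"})
WEAK = (200, {"Content-Type": "text/html"}, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("short", SHORT), ("weak", WEAK)):
        print(label, audit_https_enforcement(*sample))
```
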
One thing we know for sure — thanks to the recent WikiLeaks release of the CIA’s hacking arsenal — is that encryption still works. As long as you’re using secure forms of encryption that haven’t yet been cracked — and as far as we know, HTTPS’s TLS encryption hasn’t been — your data will remain private.
By the way, if you haven’t already, I strongly recommend you read my article on how to encrypt your entire life in less than an hour.
But even with HTTPS enabled, ISPs will still know — thanks to their role in actually connecting you to websites themselves — what websites you’re visiting, even if they don’t know what you’re doing there.
And just knowing where you’re going — the “metadata” of your web activity — gives ISPs a lot of information they can sell.
For example, someone visiting Cars.com may be in the market for a new car, and someone visiting BabyCenter.com may be pregnant.
That’s where using a VPN comes in.
How VPNs can protect you
VPN stands for Virtual Private Network.
- Virtual because you’re not creating a new physical connection with your destination — your data is just traveling through existing wires between you and your destination.
- Private because it encrypts your activity before sending it, then decrypts it at the destination.
People have traditionally used VPNs as a way to get around websites that are blocked in their country (for example, Medium is blocked in Malaysia) or to watch movies that aren’t available in certain countries. But VPNs are extremely useful for privacy, too.
There are several types of VPN options, with varying degrees of convenience and security.
Experts estimate that as many as 90% of VPNs are “hopelessly insecure” and this changes from time to time. So even if you use the tools I recommend here, I recommend you take the time to do your homework.
Most VPNs are services that cost money. But the first VPN option I’m going to tell you about is convenient and completely free.
Opera is a popular web browser that comes with some excellent privacy features, like a free built-in VPN and a free ad blocker (and as you may know, ads can spy on you).
If you just want a secure way to browse the web without ISPs being able to easily snoop on you and sell your data, Opera is a great start. Let’s install and configure it real quick. This takes less than 5 minutes.
Before you get started, note that this will only anonymize the things you do within the Opera browser. Also, I’m obligated to point out that even though Opera’s parent company is European, it was recently purchased by a consortium of Chinese tech companies, and there is a non-zero risk that it could be compromised by the Chinese government.
Having said that, here’s how to browse securely with Opera:
Step #1: Download the Opera browser
Step #2: Turn on its ad blocker
Step #3: Turn on its VPN
Step #4: Install HTTPS Everywhere
When you’re done, Opera should look like this:
Presto — you can now browse the web with reasonable confidence that your ISPs — or really anyone else — don’t know who you are or what you’re doing.
You can even set your VPN to a different country. Here, I’ve set mine to Singapore so websites will think I’m in Singapore. To test this out, I visited ipleak.net and they did indeed think I was in Singapore.
Since the internet is complex, and data passes through hundreds of providers through a system of peering and trading traffic, US-based ISPs shouldn’t be able to monitor my traffic when it emerges from Singapore.
If you want to take things to the next level, you can try Tor, which is extremely private, and extremely hard to de-anonymize (though it can be done, as depicted in the TV show Mr. Robot — though it would require incredible resources).
Tor’s a bit more work to set up and use, and is slower than using a VPN. If you want to learn more, I have a getting-started guide for Tor here.
The most common way people get VPNs is through a monthly service. There are a ton of these. Ultimately, you must trust the company running the VPN, because there’s no way to know what they’re doing with your data.
As I said, some VPNs are improperly configured, and may leak personally identifying data.
Even though most users of VPNs are companies with remote employees, the NSA will still put you on a list if you purchased a VPN. So I recommend using something anonymous to do so, like a pre-loaded Visa card.