More and more people are taking their online privacy seriously. Facebook, Google, Amazon, and numerous other online platforms are rightfully receiving criticism for the amount of personal data they collect and monetize. However, they are not the only monopolistic corporations you should be concerned about.
ISPs can monitor which websites you visit and have the right to sell this data to advertisers. Worse yet, they are practically inescapable. An ISP handles nearly every one of your Internet connections and, depending on where you live, you have no choice about which ISP you can use. Yet, ISPs face much less public scrutiny. This article will explain what an ISP is, what data they can collect, and how they have treated user privacy in the past. It will also describe what you can do, both individually and collectively, to protect your private data from your ISP.
What does ISP stand for?
ISP stands for Internet service provider. As their name suggests, they are the companies that provide their customers with access to the Internet. They maintain the broadband and DSL cables, operate DNS servers, and provide you with your IP address so that you can browse the Internet.
What data can an ISP collect?
An ISP handles all of your online communication, which means it can monitor almost all of your activity. At the very least, your ISP can see which website you are on and how long you stay on it through your DNS requests. Your device makes DNS requests when it translates human-friendly URLs into numerical IP addresses that computers can understand. These requests are not encrypted and can be read by your ISP.
If you visit a website that does not use HTTPS, then your ISP can see everything you do. It will see your username and password when you log in, what products you are purchasing when you check out, and your credit card number and address when you enter them for payment. (Just another reason to use HTTPS Everywhere.)
Even if you do visit a website with HTTPS, your HTTPS server name indication is not encrypted either, which can also let your ISP know which site you are visiting. Additionally, an ISP can still learn a lot about your activity by closely evaluating your Internet traffic and its metadata — like the size, timing, and destination of your data packets. They could see you are streaming a film or detect that you are torrenting or downloading files, amongst other things.
This means that ISPs could potentially have more of your data than Facebook or Google.
What do ISPs do with your data?
The laws that govern ISPs and how they can treat their users vary from country to country, and now in the US, from state to state. In some places, ISPs help repressive governments censor the Internet. In other countries, the ISPs shut the Internet down completely.
In the United States, ISPs have had the right to sell your private browsing history since 2017, as long as they anonymize your personal data. Major American ISPs, like AT&T, Comcast, and Verizon, said their customers would be able to opt out of data collection.
Unfortunately, these ISPs do not have great track records of respecting their users’ privacy rights. Verizon was fined for using “supercookies” to track their users’ activity on the Internet. These cookies would remain, even if you cleared cookies from your browser. Meanwhile, AT&T tried to argue that privacy was a premium service. It charged its users 50% more for its monthly service if they opted out of letting AT&T sell their data to third parties.
These abuses have finally gotten the government’s attention. The FTC is investigating how ISPs handle personal data, specifically how they aggregate and anonymize it, how long they retain it, and whether they share it with any third parties. The state of Maine went even further when it passed a law forbidding ISPs from selling personal data without an individual’s express permission. The California Consumer Privacy Act, which took effect on Jan. 1, 2020, gives California residents the right to opt out of having their data sold. This has inspired a flurry of other states to consider similar privacy protection legislation.
How to protect your IP address
There are also measures you can take to protect your data from being collected and sold by your ISP.
As mentioned above, visiting websites that use HTTPS encryption will limit how much of your activity your ISP can see on a given page. However, HTTPS does not encrypt its server name indication or DNS queries, so your ISP will still be able to see what websites you are visiting.
The Tor network is the most private and secure way of browsing the Internet. Your Internet traffic is encrypted and routed through multiple Tor servers. Tor encrypts your traffic in such a way that no one server can access both your IP address and the site you are visiting. This makes it very difficult to link your activity to your device. However, using Tor requires you to use a specialized browser, and its connections can be slow. Finally, Tor has many limitations, such as not being able to torrent files or stream video, to name a couple.
A VPN is probably the most user-friendly way of preventing your ISP from collecting your data. It works with any browser, and its fast speeds allow you to use it to watch your favorite shows or share files with your friends. A VPN encrypts your Internet traffic between your device and a VPN server before it goes on to connect to your website. Your ISP will see you are connected to a VPN, but it will not be able to see what websites you are visiting. Make sure your VPN also prevents DNS leaks, which could let your ISP determine which sites you visited from your DNS queries.
It is important to note that when you are connected to a VPN server, your VPN service provider replaces your ISP. It will be able to see all of your online activity. That is why it is essential that you only use a trustworthy VPN service that has an explicit no logs policy and doesn’t sell your data to third parties.
Proton VPN’s mission is to make a private and secure Internet available to everyone. We believe everyone has the right to use the Internet without forfeiting their browsing data to a corporation. To prevent your ISP from collecting and sharing your online activity, sign up for a free Proton VPN account today.
Finally, if you are a US citizen and you feel that your online data should not be for sale, contact your representative or senator. Encourage them to pressure the FTC to continue their investigations or to pass new legislation to protect your online privacy. The only way to stem the tide of corporate surveillance is to unite against it.
The Proton VPN Team
UPDATE Jan. 24, 2019: This blog post was modified to mention the recently enacted California Consumer Protection Act and the proposed legislation it has inspired in other states.