Ignorance is not an excuse…. big brother is watching…
Yesterday, the House of Representatives approved a measure that killed an upcoming FCC ruling that would have required internet providers to ask your permission to sell your browsing data. Now, everyone’s trying to find a way around this, and virtual private networks (VPNs) are the most popular means of doing so. But what the heck are they?
Before we start, it’s worth catching up on the politics at play here. Back in October, the FCC laid the groundwork for a new rule that required you to opt in before ISPs could collect your browsing data and sell it to advertisers. Collecting and selling data is something ISPs have been doing and want to continue doing, but the FCC was going to make that slightly more difficult for them. The FCC’s new privacy rule was supposed to go into effect in December of this year, but last week the Senate voted to remove it. Yesterday, the House followed suit, and there’s no reason to expect the President to do any different.
You’re probably asking yourself why or how this even happened, because an ISP asking you if it’s okay to sell your private data seems straightforward and simple enough. Hell, it feels downright American, because most apps, operating systems, and other services need to do the same. Opponents of the FCC regulations suggest that we, the consumers, should have the freedom to choose an internet provider that doesn’t track and sell our data… even if they all do.
AT&T, Sprint, and T-Mobile have all sold smartphones with preinstalled tracking software, Verizon secretly bundled phones with tracking files, and Comcast once suggested charging extra for privacy. Regardless of all that, chances are you don’t have the luxury of choice for your home ISP. Every city I’ve ever lived in has one or two ISP options at the most. Here are the privacy policies from the largest U.S. ISPs, and none of them are going to keep your data to themselves:
Time Warner Cable/Spectrum
After the bill passed the Senate, tech bloggers around the U.S. quickly came back with a solution to get around your ISP tracking you: VPNs. A virtual private network encrypts your traffic before it leaves your device, and that data stays encrypted while it goes through your ISP’s network. Once it reaches the VPN’s server, the server decrypts the data and sends it off to the internet at large. It’s a middleman between you and the internet. So your ISP can only see a bunch of encrypted traffic that looks like random characters. To your ISP, using a VPN all the time looks like you only visit one web site. That means they can’t sell your browsing data, because they have no idea what you’re looking at on the internet. VPNs are subscription services that range from free to $10/month.
Historically, VPNs are most popular for security. Businesses use them because it’s an easy way for remote employees to access their work network securely when they’re away. That same security goes for the rest of us too, especially when we’re using public Wi-Fi. I’ve used a VPN while traveling at hotels or working from coffee shops for a very long time.
VPNs are also a popular means to get around geo-restricted content or government blackouts. A provider can host a VPN anywhere in the world, and wherever that VPN is, that’s where you’ll appear to the internet. So, if you use a VPN in England, you can access the UK version of the internet, including all that BBC content you’ve been dying to watch. If you’re in North Korea, you can circumvent that country’s censorship. VPNs do not provide anonymity; they merely encrypt your traffic, making it hard for a third-party snooper to see what web sites you visit.
VPNs are all the rage today, but they’re no magic bullet. The hotter these things get, the shadier the business practices will be, and nobody can stop them.
A VPN knows as much about your web traffic as your ISP would. A VPN might hide that traffic from the ISP, but they could be collecting and selling that same data themselves. Worse, VPNs aren’t regulated and there’s no strong peer review system, which means it’s hard to find one that’s trustworthy. A lot of VPN software is free and open source, which means anyone with reasonable technical skills can set one up and charge you to access it pretty easily. If you want to display your tin foil hat proudly for a second, there’s even the possibility that the VPN companies are collecting and selling data to government, or heck, maybe they’re even run by governments, because why not at this point.
Case in point, earlier this year, researchers released a white paper that found that 18 percent of Android VPNs didn’t encrypt traffic at all. Why? Because they don’t have to. They can do whatever they want. Sure, once they’re caught, they go out of business, delete their apps, and disappear, but they can pop up in another form just as quickly. Encryption is only one piece of that puzzle. Security is important, but so is privacy. If your VPN provider is logging all your traffic and selling it, then they’re no better than your ISP.
We’ve broken down a system for finding a reliable VPN before, so I won’t repeat that here, but the short version is: free is almost always bad news, and do your research before you subscribe to a VPN provider. That One Privacy Site has a massive list of VPNs that includes what country they’re based in (which also means what jurisdiction they fall under), whether the VPN logs traffic, whether it logs IP addresses, whether it accepts anonymous payment methods, and tons more. For our take, we’ve found Private Internet Access, SlickVPN, NordVPN, Hideman, and Tunnelbear have all been reliable and transparent over the years. Remember, it’s not just your home internet provider that’s collecting this data, it’s your cell phone provider too, so you’ll need to use a VPN at home and on the go to get around this.
If you don’t want to trust your data to a third-party VPN, I don’t blame you, but creating your own solution isn’t exactly simple. To roll your own VPN that’s useful for circumventing your own ISP’s data tracking, it needs to be off-site. That means you’ll need to host it on a web server. Popular options for doing so include Streisand, Sovereign, OpenVPN, and AutoVPN. Streisand is the simplest of these tools, but you’ll still need to know how to set up an Ubuntu server on Amazon, DigitalOcean, or the other providers they support, and you’ll need some technical know-how to do it. Also, while the software itself is free, the web server isn’t. You will at least get the peace of mind that your VPN is fully under your control though.
Circumventing the system might feel like an earnest political statement where you can lounge on the couch covered in salt and vinegar chips with your middle finger in the air, but it’s not only lazy, it’s also a bad way to influence change. As a tech site, we obviously come up with a VPN as the solution, but this is a policy problem. Placing the burden of privacy on the consumer right now suggests that Congress has no interest in providing us with a solution in the future.
VPNs and privacy-focused browser extensions are a temporary workaround, but we can’t and shouldn’t have to sustain that forever. It’s a statement, but there still needs to be a long-term plan. We need to push for more security and better privacy practices from our ISPs and the sites we visit, because clearly the government isn’t going to help us without a fight.
Here’s one small example: more sites could make the switch from HTTP to HTTPS, which secures your connection to a web site. It also makes it harder for your ISP to see what you’re doing on any web site, as they can only see that you’re at YouTube, not which video you’re on. This isn’t easy by any means. Last year, Wired detailed their process and they ran into a lot of problems. Adding the HTTPS Everywhere browser extension is great for the tech-minded amongst us, but my mom, who also doesn’t want her ISP tracking her, isn’t going to do that.
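What the ISP can and cannot read in the three cases this article describes (plain HTTP, HTTPS, and a VPN tunnel), as an added example that is not from the original article. The packets, the documentation IP addresses and the EXAMPLE video id are constructed, and the HTTPS case assumes the hostname travels in the clear in the TLS SNI extension (no Encrypted Client Hello).

```python
import struct

def build_client_hello(hostname):
    """Constructed sample: minimal TLS ClientHello record with an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni             # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # version, random (zeros), no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(rec):
    """Hostname readable in the clear from a ClientHello, or None."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    try:
        p = 43                                        # past headers, version, random
        p += 1 + rec[p]                               # session id
        p += 2 + struct.unpack_from("!H", rec, p)[0]  # cipher suites
        p += 1 + rec[p]                               # compression methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            if etype == 0:                            # server_name extension
                nlen = struct.unpack_from("!H", rec, p + 7)[0]
                return rec[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def isp_view(dst_ip, payload):
    """Fields an on-path observer (the ISP) can read from one outbound packet."""
    first = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(first) == 3 and first[2].startswith(b"HTTP/"):   # plaintext HTTP request
        host = next((l[6:].decode() for l in payload.split(b"\r\n")
                     if l.lower().startswith(b"host: ")), None)
        return {"dst": dst_ip, "host": host, "path": first[1].decode()}
    return {"dst": dst_ip, "host": sni_from_client_hello(payload), "path": None}

HTTP = b"GET /watch?v=EXAMPLE HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"  # constructed
HTTPS = build_client_hello("www.youtube.com")   # constructed handshake, same site
VPN = bytes(range(0x40, 0x60))                  # stand-in for opaque tunnel ciphertext
for ip, pkt in (("198.51.100.7", HTTP), ("198.51.100.7", HTTPS), ("203.0.113.10", VPN)):
    print(isp_view(ip, pkt))
```

Over HTTP the observer gets the site and the exact page, over HTTPS only the site name, and through the tunnel only the address of the VPN server.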
Finally, to state the obvious, your ISP isn’t the only one tracking you. Nearly every web site, from Google to Amazon to some random blog deep in internet-land, tracks and collects your browsing data. They do this through cookies or scripts, and their data profiles of you are likely much more advanced than your ISP’s. Using an extension like uBlock Origin or Disconnect can help block that data collection, but if you still insist on being logged into your Google account all the time, that’s all for naught. This will all happen regardless of whether you’re on a VPN. Remember, a good VPN only solves one part of the problem, obscuring your traffic from your ISP or from gnarly snoopers on public Wi-Fi. Tons of other places collect data about you.