The privacy discussion – How ISPs, search engines, and social media services collect your information

The repeal of the FCC Internet privacy rules has spurred on much discussion on privacy online and how companies collect and use that information.  I have fielded many questions on what this means for consumers and their privacy when going online, using search engines, and social media.  Some have wondered how Internet Service Providers (ISPs) differ from search engines and social media in how they collect consumer data.

The difference between how ISPs and social networks or search providers collect and use data comes down to the how easy it is for consumers to switch from one provider to another, the ability to opt out, and the ability to circumvent data collection.

Switching services

The primary difference is in how easy it is for consumers to switch providers.  Search engines are the easiest.  Simply navigate to another search engine, such as DuckDuckGo which does not track its users, and issue the same search.  Yes, the results may vary, and you may be less satisfied with the results, but the process is simple.  It takes very little time, and the impact is not great.  However, search providers offer more than just searching.  Email, cloud services, stock tracking, shopping and other services may also be tied into your search account, so for consumers to fully move away from the platform, they must also adopt new providers for each of these services.

It is a little more difficult with social networks because not all users are on all social networks and social networks cater to certain types of social sharing.  If a user decides they do not like how one social network uses their data, so they decide to leave, they may be unable to communicate with some people who are not on the next social platform of choice, or they may miss out on updates from some of their contacts.

Now let’s look at ISPs.  To change ISPs, a user must contact the ISP, which might involve breaking a contract and paying fees.  They must then pay for new service from a different ISP and wait until that provider can connect their service.  This might result in a period where the user cannot connect online.  There are some cases where there is only one ISP in the user’s region, so they have no choice but to work with that ISP no matter what their privacy policy is.

It is clear that it is more difficult for consumers to change their ISP or their social network than it is for them to change their search engine.  However, it is not clear whether it is more impactful for consumers to change their ISP than their social network.  It may also be more difficult for consumers to switch their search provider if they intend on fully disconnecting from that provider because this involves changing email, shopping, and other services as well.

Opting out

There is also a difference between ISPs and social or search providers in the ability for users to opt out.  Prior to the privacy rules that were recently repealed, ISPs opted in each user but allowed them the ability to opt out.  This is something that Facebook and Google do not do.  If you want to use Facebook and Google, you will be tracked and your data used.

Circumventing data collection

I believe the largest difference between the ISP and the social network or search providers and their collection of data is that ISP data collection can be circumvented with the use of a VPN.  ISP data collection takes place because they are an intermediary to the communication channel.   This gives them a broad view of the myriad tasks a household performs online which can be valuable in building a profile of a household.  However, the entire process can be circumvented by utilizing a VPN.  When users are on a VPN, the ISP only sees connections originating from the household (IP address) and going to the VPN service.  They do not see the traffic that goes over the connection since it is encrypted.  However, the services at the other end still do see the traffic since the traffic is designated for them.  In order to use a social network, a user must log in, and requests must be sent to the social network.  Requests cannot be sent to an intermediary to perform on their behalf.   The only alternative would be for users to set up fake or random accounts that are used for perusing social networks and then discarded but the use case of such a system would be limited due to the requirement of sending friend requests, and it would violate many social network’s terms of use.

This article is sponsored by JURINNOV, a TCDI company specializing in cybersecurity and computer forensic consulting services.

Regaining your anonymity online

Anonymity has been a longstanding hallmark of the Internet but you should no longer assume that your online activities are anonymous.

A vast amount of information is collected as you use the Internet. Search engines store the key words you search for and the pages you visit, browsers store web history, which may be integrated with the cloud, and websites store information your activities on their sites. Your IP address provides information on your general location and many applications can track your location data, obtained from your address or from GPS.

It takes a concerted effort to regain your anonymity. Anonymity must be protected from end-to-end starting with the operating system and then progressing to your network address, browser and search engine.

Operating System

Last month I wrote about the privacy features and flaws of Windows 10. What many don’t realize is that their operating system is collecting information on their activities which could be retrieved by malware or published to the cloud for data mining. This can be avoided by using an operating system that runs off a CD or DVD. Such systems, called “live” operating systems, run in memory, a storage component of your computer that retains data only while the computer is powered on. This data is not retained when you shut down the computer or restart it. CDs or DVDs are typically read-only, meaning that data cannot be written to them. Files that you are working on can be saved to a flash drive but operating system logs of activity are not stored with live operating systems. Similarly, spyware, malware and other junk cannot install on a live operating system. This further protects you against threats to your anonymity.

Network Address

Each device that connects to the Internet identifies itself with a unique IP address. This address can indicate your location and it can be used to correlate activity collected from multiple sources in order to build a profile on you. One method of obscuring this address is to use a proxy. A proxy requests Internet resources on your behalf and then presents them to you so that the requests appear to originate from the proxy rather than you.

However, one must be careful in using proxies because not all are intended for anonymity. Some send a forwarder that indicates where the data originated and others send data in the clear so that it can be potentially intercepted. Choose a proxy that uses SSL encryption and does not use http “forwarded for” headers. Another limitation of proxies is that attackers see them as a potential target because of the high volume of traffic traversing them. Compromised proxy servers could put your information in the hands of cyber criminals.

The Onion Router (TOR) extends the proxy model by bouncing connections between many computers within its network and then delivering the final request from one of many endpoints. Data within TOR is encrypted using SSL. It is still possible for a TOR server to be compromised but that server would only see a small portion of your traffic or possibly none at all depending on how your traffic was routed through the TOR network. The downside of using TOR is that connections are often slow due to the latency incurred by traversing so many computers.

Browser

The most common browsers are Internet Explorer, Mozilla Firefox and Google Chrome. Internet Explorer or its replacement, Edge, is the default browser on Windows machines. Linux variants often come equipped with either Firefox or Chrome, depending on the distribution. Each of these browsers has their share of privacy flaws but your choice of browser is much less important than the privacy settings you select within the browser. Restrict cookies and set your browser security settings to the highest level that still allows you to browse with ease. Many browsers also include a private browsing mode. This is very useful for restricting information from being collected by your browser on your activities while in this mode.

Search Engine

Most of the search engines collect data on your browsing habits so they can target ads to you and improve their search rankings. Some search engines share or sell this information with other parties. However, Duck Duck Go is a search engine that does none of these things and it is a valuable tool for searching the web anonymously.

These technologies and techniques can all be used to protect your anonymity. However, they provide the best protection when used together. It may not be feasible for you to use all of them. For example, you may need to use an application at the same time while you browse, making a live operating system impractical or you might want to test searches in a specific search engine. I encourage you to use as many as possible.  You may additionally use a virtual private network (VPN) to connect to your workplace or other common resources so that traffic between your computer and the VPN is encrypted and you can use wiping tools to more effectively erase data from your machine after deleting it. However, a discussion on these tools will have to wait for another article.

Continue reading