Wait, My ISP (Internet Service Provider) Is Tracking What?!
We’re continuing our new series of interviews with Clario security experts to offer you the latest essential tips and advice on staying safe online.
This time, we interviewed Vadym Lysenko, Clario’s Product Manager, on the definition of internet service provider (ISP), the information it collects, and why it’s impossible to opt out from being tracked.
Let’s start with the basics. What is an internet service provider or ISP?
An internet service provider is an organization providing you with access to the internet. Since all of your traffic goes through its infrastructure, the ISP also has the ability to monitor, control, and, therefore, filter your internet traffic.
Do you think your ISP knows you better than your mom does?
I don’t think either of them really does. But if I had to choose, I’d say my ISP knows me better.
The information my mom knows about me these days is pretty subjective. I only tell her what I want to (I hope she’s not reading this). But my ISP sees the naked truth. It might be out of context, but this doesn’t make the information less truthful.
So what kind of data does an ISP collect?
It depends on your internet service provider, as well as your contract and the services provided. But usually, they can collect massive amounts of data. This allows them to perform different kinds of analysis: extract traffic related to a single person, find out what kind of devices they use, the brands they prefer, what activities they engage in and so on.
All your browsing passes through the ISP’s environment, right? So the ISP must keep at least some data logs and track the websites you visit, in case the government knocks on their door with a court order, asking for details about the browsing coming from a particular IP address. In this case, depending on the privacy agreement in place, your ISP can get a list of hosts you’ve visited (domain names, IP addresses), but they can’t access any encrypted data.
Let me give you an example. When you post something on Facebook, your data is encrypted and could only be decrypted on a Facebook server. But while delivering encrypted packages, your ISP can see the IP address of the server, package size, etc., and use this information to find patterns in your traffic. I mean, even encrypted traffic follows specific patterns, and often that’s enough to figure out the kind of online activity you were engaged in.
If your ISP wants to make money off you, they can then sell this information.
Okay. How long can ISPs keep your data?
You have to research the regulations of each particular country and read the service agreement of each specific ISP. But, honestly, it’s best to treat the internet as something that never forgets anything. It all depends on how much money, labor, and time it would take to collect someone’s data.
How does the data economy work?
This is a broad question, so it’s hard to answer simply. Let’s consider two cases to illustrate it.
The first case depicts the legal data economy. You sign a contract with a company and grant it access to your data. The company then uses this data to implement its business model.
If the company is a social network, it uses your data to identify your behavioral patterns and create your persona for targeted ads. Sure, this approach doesn’t give you direct profit, but Facebook, being among the top companies in the world, has shown it works to help a tech company achieve great success.
US ISPs follow a similar approach when they have the right to collect anonymous browsing data from their clients. Can they sell this data? It depends on the state and the internet service provider you signed the contract with.
Sure, this industry is expected to change in the near future - especially with the California Consumer Privacy Act (CCPA) having recently come into play and its federal equivalent already being prepared for other states. But this doesn’t necessarily mean our data will be free from any attempts to monetize it. Instead, big businesses will be obliged to warn users on how they are going to use their data as well as give them the option to opt out from this. With the advent of GDPR, the number of malicious violations in Europe has decreased, but the amount of targeting has not.
But let’s roll back to the data economy now. The second case is illegal - when data is stolen and then sold. Each category of personal data has its price ranging from a couple of cents (for an email and a name) to several hundred dollars (for a full profile: name, address, plus a social security number). Often, accounts from various services - such as Netflix, Amazon - are hacked and then sold, so you can log in and use this service, or withdraw/launder money.
By the way, how much money can you make selling user data?
The data price tag depends on several criteria, like how critical the data is and how easy it would be to use.
Let’s take credit card numbers and CVV codes (the three digits on the back of your card). They’re easy to exploit and are always sought after, so this kind of data costs a lot. Any data allowing you to do something without the user's consent carries a hefty price tag too. The more related data you have in one package (a real name + address + credit card with records), the richer the profile you get, so the higher the price of this data.
So, the price of data depends on three factors:
- How many different types of data are grouped together
- How in demand the data is
- How hard it is to get it
But can you minimize the amount of data your ISP collects?
You have to understand your ISP will always store some data in any case. If you wish to protect yourself from your specific ISP, the easiest way is to install a VPN (Virtual Private Network) on your router. It has its downside, though - your internet speed might slow down.
But then you have to realize that in this case, your online behavior will be analyzed by your VPN provider. So, you’d hide from one provider to let another one do the analysis.
I see. Well, what would you recommend to a person trying to keep everyone away from their data?
I’d say follow the basic measures of cyber hygiene. These days, most people understand what those measures are.
Protect your device
- Install security software. You need an antivirus to minimize the possibility of malware damaging your device.
- Update your software. All ecosystem players care about their safety and yours. Therefore, you should always update to the latest software version they release. These updates often fix not only UI/UX issues but also critical security bugs.
- Don’t go for default. Often, operating systems and services allow you to change default settings. Such a small step as turning off an auto login doesn’t really reflect on your user experience, but it does make you way more secure.
- Encrypt your devices. It is important to make sure that no one can access your data, even if you lose the device it is stored on. How do you make that happen? Enable FireVault on macOS. But of course, it’s better never to lose your devices.
Protect your network
- Use modern browsers capable of blocking the use of third-party cookies. This means most advertising campaigns won’t be able to track your activity until you give them explicit consent.
- Use a VPN if you don’t want to be tracked by an ISP. But remember, by accessing VPNs, you are hiding from your ISP but still remain open to a VPN provider.
- Install a security extension. Some browser extensions allow you to check the legitimacy of a website and notify you if they are suspicious.
- Do not use public Wi-Fi. But if you decide to do so, or just have no other option - use VPN.
Protect your digital identity
- Choose strong passwords. The most popular authorization mechanism is still the password, so go for unique and complex passwords. As even if you cannot remember them, password manager is always there to help you.
- Use multi-layer authentication. In most cases, two-factor authentication is more than enough. So use biometric data, temporary tokens, or SMS (worse case, but better than nothing) as an extra security in addition to the password.
And remember: in modern systems, the human factor remains the weakest link, so it's important for you to analyze any potential vulnerabilities and secure them.
Cybercriminals are always looking for ‘low hanging fruit’ in your online security set up to attack.
So it’s always important to maintain good security hygiene whenever possible, to ensure your metaphorical data fruits are hanging higher than anyone else’s.