Disarming your ISPs
Following the passage of S.J.Res. 34 I have been asked what technical steps can be taken to prevent ISPs from collecting and monetizing your traffic history. Privacy on the internet is a broad topic, and discussions start with an understanding of who you are trying to prevent from accessing what data. The most broad threats involve the most extreme solutions, which are often impractical for the average user. With regards to the recent legislation, the threat would be passive surveillance in your ISP’s infrastructure. The most appropriate response to that threat would be a VPN.
This is not a new problem. Under the Third Party Doctrine ISPs could have made a practical case for the legal monetization of your browsing history. Certainly, even without the legal monetization of customer data, data sharing agreements existed for law enforcement purposes. They may have existed for marketing purposes as well, just not on the open market. The recently repealed protections actually apply to a law introduced in October 2016 (81 Fed. Reg. 87274); a law that was attempting to increase broadband privacy, and was only coming into effect in February and March of 2017.
The concerning part of this legislation is that the removal of these specific protections may be seen as a signal to industry that it is now ok to sell customer data without fear of being taken to court to determine the legality of the sale. The public has now seen that not only do these protections not exist, but that they were specifically removed. Browsing history is expected to become increasingly available as a result, not available for the first time.
What a VPN does
VPNs create encrypted tunnels that traffic can be routed through. VPNs are not “all or nothing”: a VPN can be set up that only routes traffic for certain destinations or traffic patterns, enabling use cases like a VPN for only bittorrent traffic, or using your work VPN only for work domains. The simplest use of a VPN is to take over the default route of a client, tunneling all traffic through the encrypted pipe and out of the server. Everything sent through the server will be protected on the way to the server by the VPN’s encryption, but once traffic reaches the VPN server, it exits the tunnel and is just as vulnerable and public as it was traversing an ISP without protection.
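The difference between a full tunnel and a split tunnel is purely a routing decision: the tunnel interface is just another next hop, and the longest matching prefix wins. The following is an added example, not code from the original post; it models a client's routing table in Python with constructed interface names (eth0 for the ISP, wg0 for the tunnel) and TEST-NET addresses, and shows two details a full-tunnel setup has to get right: the VPN server's own address must keep routing over the ISP (otherwise the tunnel tries to reach its endpoint through itself), and a tunnel route of 0.0.0.0/0 would only tie with the ISP's default route, so it is split into two /1 routes, the same trick OpenVPN's redirect-gateway def1 uses.

```python
import ipaddress

PHYS_IF = "eth0"              # interface towards the ISP (constructed name)
TUN_IF = "wg0"                # the VPN tunnel interface (constructed name)
VPN_ENDPOINT = "203.0.113.10" # the VPN server's public address (constructed, TEST-NET-3)

# Two tunnel policies expressed as WireGuard-style AllowedIPs lists (constructed).
FULL_TUNNEL = ["0.0.0.0/0"]            # everything through the VPN
WORK_ONLY = ["198.51.100.0/24"]        # only the (constructed) work network


def build_table(allowed_ips):
    """Build a routing table of (network, interface) entries for a client
    whose tunnel policy is the given list of CIDRs."""
    table = [
        # The ISP's default route, present before the VPN comes up.
        (ipaddress.ip_network("0.0.0.0/0"), PHYS_IF),
        # The tunnel endpoint itself must bypass the tunnel: a /32 beats
        # every broader route, so this packet always goes out via the ISP.
        (ipaddress.ip_network(f"{VPN_ENDPOINT}/32"), PHYS_IF),
    ]
    for cidr in allowed_ips:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen == 0:
            # A /0 via the tunnel would tie with the ISP default on prefix
            # length. Installing 0.0.0.0/1 and 128.0.0.0/1 instead covers the
            # whole address space while being more specific than /0.
            table.append((ipaddress.ip_network("0.0.0.0/1"), TUN_IF))
            table.append((ipaddress.ip_network("128.0.0.0/1"), TUN_IF))
        else:
            table.append((net, TUN_IF))
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def classify(allowed_ips, destinations):
    """Map each destination to the interface it would leave on under a policy."""
    table = build_table(allowed_ips)
    return {dst: next_hop(table, dst) for dst in destinations}


if __name__ == "__main__":
    probes = ["192.0.2.44", "198.51.100.7", VPN_ENDPOINT]
    for name, policy in (("full tunnel", FULL_TUNNEL), ("work only", WORK_ONLY)):
        print(name, classify(policy, probes))
```

Under the full-tunnel policy only the endpoint address leaves via eth0; under the work-only policy the work subnet goes through wg0 and everything else stays on the ISP path.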
Using a VPN provider
When using a VPN provider, one pays for credentials to access a VPN server hosted by a company. This has the benefit of being easy to access and cheap. But using a managed VPN is effectively taking the power away from your ISP and giving it to the VPN company. There is nothing preventing a VPN company from recording the activity of each user and selling that data, and there is no way to audit that a VPN company is not doing this. Managed VPN providers should be approached with caution, as otherwise using one could leave you with less privacy than if you had used nothing at all.
Another consideration when using managed VPNs is that they can be put under legal pressure for the actions of another customer, and your data could be caught up in the investigation. VPNs are commonly used by privacy aware individuals who want protection from hostile networks, but they are also used for criminal activity. This may not be a concern when the ISP is considered the main threat, however.
There are many things that can be done to reduce the risk of using a managed VPN. The first step is to minimize the amount of information the VPN provider ever learns about you. Purchase, and access, the VPN entirely over Tor. This is very much using the right tools for the job, as Tor helps protect your identity (hiding your ISP from the VPN provider, and the VPN provider from your ISP), while the VPN protects your traffic (from malicious exit nodes and from being associated with Tor). This costs bandwidth and as a result isn’t appropriate for everyone. Identity should be protected in payment as well, so use providers that accept bitcoin. Only send bitcoin from wallets you own, and never web wallets. Better yet, pay with Monero via ShapeShift or xmr.to (tor). As always, browse safely, using a set of browser tools that match your needs, like uMatrix and uBlock.
A benefit to using managed VPNs is that an IP address is shared between many customers of the service. This has the effect of mixing traffic, so resources accessed on the web by users of the VPN service will be hard to identify as a specific VPN customer without access to the session logs on the VPN server.
Hosting a VPN
Hosting a VPN involves running the VPN server yourself, usually on a VPS. By hosting a VPN you control the security of the host and the logging policy, which is a double-edged sword. To control the security of the host your VPN runs on you must be able to trust that you can prevent your host from being compromised. Some systems administration experience will be required, and after installation the server should be scanned for security mistakes. In the same way that using a managed VPN gives control over to the VPN company, hosting your own VPN gives control of your traffic over to the VPS hosting company, so safe browsing habits and some degree of trust are still required.
When hosting your own VPN, all the traffic that leaves the VPN server will be uniquely identifiable as you. This does not matter very much when the broadband ISP is considered the main threat and the VPS network is expected to be more privacy-friendly. But it is important to understand that this is a significant difference from the privacy model of a managed VPN.
One of the reasons I prefer to use a self hosted VPN is that no technology that assesses risk or probable identity based on IP address will associate my IP with a VPN or privacy-related company. This means I do not experience an increase in captchas or other anti-spam/anti-fraud systems.
Some concepts are consistent regardless of how the VPN is hosted. Any time a new hop is introduced to a network route, latency increases. In either case, choosing a next hop that is geographically close will reduce the added latency. Depending on the nation you are located in and your intentions, it might be preferable to choose a foreign location that introduces more latency, but is less accessible to local law enforcement. For example, a US resident may want to avoid US based VPN providers due to an understanding that those providers are more exposed to FISA court orders or being coerced into PRISM. But the original goal was to protect browsing history specifically from ISPs, not to evade law enforcement. With that goal in mind it might not matter which jurisdiction the VPN is in, only that a VPN is used, and domestic providers may in fact be more desirable for consumer protection reasons.
One of the most powerful ways to use a VPN is to protect an entire network transparently. In this model, the VPN client is in your router, and any traffic sent to your router is then sent through the VPN. Clients in the router’s network do not need any configuration, nor would they even have the ability to avoid using the VPN. The entire network would be protected from the ISP.
In any security or privacy sensitive setup, manual verification that the system is working as expected is a must. VPNs can leak data in subtle ways, such as DNS, and it is wise to run your VPN while analyzing your traffic to ensure that nothing sensitive is leaking and your setup was successful. The time it takes to manually test authentication and leakage will bring peace of mind and confidence when using your VPN.
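One concrete way to do that verification is to capture on the physical interface while the VPN is up and check that nothing leaves it except the tunnel itself and local LAN chatter: a DNS query to the ISP's resolver on that interface is the classic leak. The following is an added example, not code from the original post. It runs over a constructed capture summary in a simplified "iface proto src > dst" form (interface names, the VPN endpoint 203.0.113.10 and the LAN 192.168.1.0/24 are all assumed values) and reports every packet that bypassed the tunnel, tagging port 53 traffic as a DNS leak.

```python
import ipaddress

PHYS_IF = "eth0"                                 # interface facing the ISP (constructed)
VPN_ENDPOINT = "203.0.113.10"                    # VPN server address (constructed, TEST-NET-3)
LAN = ipaddress.ip_network("192.168.1.0/24")     # local network, never tunnelled (constructed)

# Constructed capture summary, one packet per line: "iface proto src > dst".
# Lines 1-3 are expected (tunnel packets to the endpoint, DNS inside the
# tunnel, DHCP on the LAN); lines 4 and 5 are leaks; line 6 is fine.
SAMPLE_CAPTURE = """\
eth0 UDP 192.168.1.20:51234 > 203.0.113.10:51820
wg0 UDP 10.8.0.2:41000 > 10.8.0.1:53
eth0 UDP 192.168.1.20:68 > 192.168.1.1:67
eth0 UDP 192.168.1.20:41001 > 192.0.2.53:53
eth0 TCP 192.168.1.20:52000 > 198.51.100.80:443
wg0 TCP 10.8.0.2:52001 > 198.51.100.80:443
"""


def parse_line(line):
    """Split one summary line into (iface, proto, dst_ip, dst_port)."""
    iface, proto, _src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return iface, proto, ipaddress.ip_address(dst_ip), int(dst_port)


def find_leaks(capture, phys_if=PHYS_IF, endpoint=VPN_ENDPOINT, lan=LAN):
    """Return (dst_ip, dst_port, kind) for every packet that left on the
    physical interface without going to the VPN endpoint or the local LAN.
    kind is "dns" for port 53 and "non-tunnel" for anything else."""
    endpoint = ipaddress.ip_address(endpoint)
    leaks = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        iface, _proto, dst_ip, dst_port = parse_line(line)
        if iface != phys_if:
            continue                        # traffic inside the tunnel is fine
        if dst_ip == endpoint or dst_ip in lan:
            continue                        # the tunnel itself, or local-only traffic
        kind = "dns" if dst_port == 53 else "non-tunnel"
        leaks.append((str(dst_ip), dst_port, kind))
    return leaks


if __name__ == "__main__":
    for ip, port, kind in find_leaks(SAMPLE_CAPTURE):
        print(f"LEAK ({kind}): {ip}:{port} left via {PHYS_IF}")
```

On a real system the equivalent check is a capture on the ISP-facing interface that excludes the endpoint, for example `tcpdump -i eth0 -n not host 203.0.113.10`, run while browsing and resolving names; apart from LAN traffic, that capture should stay empty.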
How I use VPNs
My personal setup involves a set of WireGuard servers on various VPSes. My router connects as a client to each server and uses them for different purposes. One VPS egresses all my LAN traffic transparently, while others have DNS records and forward traffic to hosts in my DMZ network. This allows me to host a variety of applications from a variety of public IP addresses, without being concerned about a dynamic IP address or ISP snooping. Should any applications in the DMZ be compromised, they will egress out the IP address associated with their DNS record, meaning my actual IP remains private. I use no managed VPNs.
In the end
Privacy online is a balance that each individual must find for themselves. I hope this post gives you some new things to think about when choosing how you’ll use VPNs. Using a VPN can itself be grounds for hacking by the FBI if you are suspected of a crime, but it’s important to make it clear that privacy is not just for criminals. VPNs are the backbone of many secure corporate infrastructures, and there is absolutely nothing wrong with wanting to prevent your ISPs from monetizing your personal data.