ISPs and Privacy

So there’s a big flap over the House passing (and Trump planning to sign) a repeal of an FCC regulation on Internet Service Providers with regard to customer privacy. All sorts of speculation about what it means is flying around. I want to clear up some things. Not about whether or not this is bad for the public, but what the ISPs can see. I’ve heard people worried about credit card info, Social Security numbers, purchases, email, and so forth.

Unfortunately, understanding the issues involves understanding how networking works. So this might get a little technical. I’ll try to keep it understandable to the average person.

Encryption

Let’s start with encryption. (I’m going to use words like “encrypt”, “encode”, and “cypher” in ways that will likely make people in cryptography cringe. Deal with it.)

Think of a simple code used by kids, assigning a replacement of letters.

This is an incredibly basic cypher (called ROT13), replacing “a” with “n”, “b” with “o”, and so forth. “Siekierski” becomes “Fvrxvrefxv”. Applying it again would get us back to “Siekierski”. The relationship between starting value and ending value is the “key”.

In order to protect information, encryption has been developed that requires two different keys. One key is used to encode a message, and this is made available to anyone who wants it. It will not help someone decode a message. The other key is private, kept secure by the person receiving the message, and is required to decode the message.

Some communication between computers uses encryption, thus making the information unreadable to anyone without the private key, and some communication is not encrypted.

Certificates

Certificates are used by computers to verify who they’re talking to. When I go to Facebook, my computer receives a certificate from Facebook’s server. This is unencrypted. It then verifies the certificate with a Certificate Authority before going any further in talking to Facebook’s server.

Once the certificate is verified, the two computers negotiate a secure conversation. It’s a bit complicated, but in essence they use the certificate as the public key to create new temporary keys (session keys) every time they start a new conversation. Once they reach the point where session keys are created, the rest of the communication happens with encryption.

Certificate Authorities are careful to make sure that the person buying a certificate really owns the domain connected to the certificate.

Now, let’s move on to some basic internet services: DNS, Email, and Websites.

DNS

DNS (Domain Name System) is the internet’s phone book. Instead of having to remember their number (IP Address), we use an easily remembered name: www.netflix.com, www.amazon.com, and so forth. Your computer doesn’t have all of those names and numbers memorized (anthropomorphism!), so it has to look them up. It sends a request to a DNS server asking for the number for Amazon, and the DNS server replies. (If the DNS server doesn’t know, it goes to its own name servers and asks the same thing, and this goes on until it can return either a valid number or a “no such record exists” message.)

That request is not encrypted. The ISP can see what website was looked up. Most of the time (unless you’ve made changes), the ISP is actually providing the DNS service, so you’re talking to their computers anyway. There are a few plans on how to encrypt that bit of communication, but it’s a bit messy.
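To make the unencrypted lookup concrete, here is an added example (not part of the original post) that builds the query a computer sends for www.amazon.com in standard DNS wire format and then reads the name back out of the raw bytes, which is all an on-path device has to do. The function names and the query ID are made up for illustration.

```python
import struct

def build_query(hostname, qtype=1):
    """Encode a standard DNS query in RFC 1035 wire format (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD flag, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)         # class 1 = IN

def read_query(packet):
    """Recover (name, qtype) from a query, the way any on-path device can."""
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means a response, not a query
        raise ValueError("not a DNS query")
    labels, pos = [], 12                       # the question starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:
            raise ValueError("compressed name not expected in a query")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", packet[pos + 1:pos + 3])
    return ".".join(labels), qtype

# Constructed sample: the lookup for the Amazon example used in the text.
SAMPLE_QUERY = build_query("www.amazon.com")

if __name__ == "__main__":
    print(SAMPLE_QUERY)               # the hostname labels are readable in the raw bytes
    print(read_query(SAMPLE_QUERY))
```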

DNS is pretty much vital to how everything else works. If this gets compromised the attacker can direct anyone pretty much anywhere they want, and most of the rest of the security is useless. Certificates can be faked at that point, for example.

Email

This is actually not too hard to explain. There are a couple of possible scenarios we can look at, for both sending and receiving email.

1) Your email is with your ISP.
2) Your email is with a web-based service like Gmail.
3) You have your own mail server.

If your email is with your ISP then they can read it.

If your email is with a web-based service, then depending on how it is accessed the ISP may be able to read it. If it’s through a web browser, then it’s subject to the limits of the section below on Websites. If you read your email through something like Thunderbird, Microsoft Mail, Apple Mail, or syncing to a smartphone (I assume wifi connections at home), then it depends on the mail provider. Many/most will have a secure connection for receiving email. Your ISP will know that you’re receiving email, but not necessarily what’s in it.

If you have your own mail server then stop reading this. You should already know it. Ok, that’s not quite true. If you have a hosted domain (say you run your own Harry Potter fan website) it probably comes with email, which is also probably accessed like the web-based services.

HTTP

Web browsing happens via HTTP (Hypertext Transfer Protocol). This is where most people spend most of their online time. Facebook, Netflix, whatever, it’s all running across HTTP or HTTPS (which is HTTP over SSL; SSL is Secure Sockets Layer, which involves what I described above under Certificates).

Let’s say you fire up your favorite web browser (I have 7 installed on my computer). You go to Google to search for a Heating and Cooling guy in the area because your furnace went out. Google tracks that search. You chose to send them information so they use it. We all expect that.

But your ISP can’t see it.

Let me clarify that. Your ISP can tell that you went to www.google.com. It can see that Google redirected you from the unsecure http communication to the secure https. It can see the certificate checking done by your computer to verify that the web server it’s connected to really is Google’s system. And once that’s done all further communication (if properly configured) happens down an encrypted line. The ISP can see data moving back and forth, but they don’t have any private keys involved in that communication so they can’t decrypt it. They know that you’re communicating with Google but not what you’re communicating.

So if you go to an online store and enter credit card information, as long as it’s over https (look for “Secure” and a green lock near the address on Chrome or Firefox, a gray lock in the address bar on Internet Explorer or Microsoft Edge and so forth) the ISP can’t read your credit card info.

And that leads to a crossover with mail. If you’re using a web-based email service like Gmail, and view it only from a web browser, then your email is actually hidden from your ISP. If you have it synced to your smartphone, however, and are using WiFi to connect to the ISP, then it’s questionable.

The data that the ISPs can collect from your web browsing is limited by the secure nature of https. They know what sites you visited, but not what you sent to or received from the site. They know you’re watching something on Hulu, but not what you’re watching. They know you sent something to Amazon, but don’t know if it was a comment or a purchase (well, they might be able to figure that out based on which servers were talked to). You get the idea.
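Here is the http versus https difference as an added example (not part of the original post): the same checkout, once as a plain HTTP request and once as the opening message of an https connection. It goes one step past the text by parsing the SNI field of the TLS ClientHello, which is one place the site name appears unencrypted even on https. The host shop.example, the test card number, and the function names are all made up for illustration.

```python
import os
import struct

def build_client_hello(host):
    """Construct a minimal TLS ClientHello carrying an SNI (server_name) extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observer_view(first_bytes):
    """Return what a passive on-path party can read from a client's first bytes."""
    if first_bytes[:1] != b"\x16":                                 # not a TLS record: plain HTTP
        head, _, body = first_bytes.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        host = next((line.split(":", 1)[1].strip() for line in lines[1:]
                     if line.lower().startswith("host:")), None)
        return {"site": host, "request": lines[0], "body": body.decode("latin-1")}
    pos = 5 + 4 + 2 + 32                       # record header, handshake header, version, random
    pos += 1 + first_bytes[pos]                # skip session id
    pos += 2 + int.from_bytes(first_bytes[pos:pos + 2], "big")     # skip cipher suites
    pos += 1 + first_bytes[pos]                # skip compression methods
    end = pos + 2 + int.from_bytes(first_bytes[pos:pos + 2], "big")
    pos, site = pos + 2, None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", first_bytes[pos:pos + 4])
        if ext_type == 0:                      # server_name: the hostname, sent unencrypted
            name_len = int.from_bytes(first_bytes[pos + 7:pos + 9], "big")
            site = first_bytes[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return {"site": site, "request": None, "body": None}  # the request itself is sent encrypted

# Constructed samples: the same checkout sent over http and over https.
HTTP_SAMPLE = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
               b"Content-Length: 21\r\n\r\ncard=4111111111111111")
TLS_SAMPLE = build_client_hello("shop.example")

if __name__ == "__main__":
    print(observer_view(HTTP_SAMPLE))   # site, request line and card field all readable
    print(observer_view(TLS_SAMPLE))    # only the site name is readable
```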

Summary

To sum this all up, here’s what ISPs can and can’t see:

Can see

Websites visited (http or https) and duration.
Website contents (sent and received) on http sites.
Email traveling along unsecured lines.

Can’t see

Website contents (sent and received) on https sites.
Email traveling along secured lines.

I don’t see a lot to worry about, personally. My ISP knows that my family streams music from Amazon Music or Pandora for several hours each day, but they don’t know what music we’re listening to. They know I send and receive email. I’m sure there’s some way they’re monetizing this information, but in the grand scheme of things this is less concerning than the information we freely share with websites. Amazon tracking our searches and purchasing. Google tracking which sites we visit after a search. Facebook linked into everything like a weed, tracking everything. (Think about it…many sites use Facebook for their comments section now. The integration means that Facebook knows which articles you’re reading even if you haven’t posted it, and the website using Facebook for comments knows who you are.)

One thing about the regulation. It was added to the books in October 2016. So it’s only been active for 4 months or so (depending on when in October it was implemented). Last summer your ISP could use everything that they’ll be able to use again after this bill is signed.