Last year, ISPs were classified as common carriers under Title II of the Communications Act by the FCC to enforce net neutrality. The FCC is now looking to implement regulation that ISPs will have to follow in order to protect their customers’ information. In light of this, Team Upturn published a report to “provide technical grounding for policymakers and other interested parties, regarding the extent of ISP visibility into the activities of their subscribers.”
The report opens with 4 observations:
- Many sites still don’t provide encryption, allowing ISPs to easily monitor their users.
- Even with HTTPS, ISPs can still see domains visited which can be very revealing over a long period of time. In fact, ISPs already look at this data.
- Sometimes HTTPS isn’t enough.
- VPNs are hardly used and provide “incomplete protection”.
Unencrypted HTTP allows ISPs to see the full URL and page contents of sites visited. If that wasn’t enough to convince you that unencrypted HTTP is bad, then consider the fact that unencrypted HTTP in general isn’t fun at all. A brief survey done by Team Upturn revealed that 85% of the top 50 health, news, and shopping sites – as ranked by Alexa – didn’t fully support encryption by default. Team Upturn explained that it can very hard for sites to fully adopt encryption because a lot of them depend on third-party services that provide analytics, advertising, tracking, and embedded videos. Many of these third-parties don’t provide encryption. A 2015 survey of 2,156 online advertising services revealed that over 85% of them didn’t support HTTPS.
The report also found that IoT (Internet Of Things) devices often use unencrypted HTTP to transfer data – as if IoT wasn’t already bad enough.
“Researchers at the Center for Information Technology Policy at Princeton recently found a range of popular devices — from the Nest thermostat to the Ubi voice system, to the PixStar photo frame — transmitting unencrypted data across the network ”Investigating the traffic to and from these devices turned out to be much easier than expected,” observed Professor Nick Feamster.”
Even if you used HTTPS, ISPs would still see the domains visited due to how HTTPS works and because DNS queries are rarely ever encrypted. Although ISPs would only see the domains, that data can still be very sensitive as Team Upturn points out:
“Even a short series of visited domains from one subscriber can be sensitive. A pivotal moment in a user’s life, for example, could generate the following log at the user’s ISP (assuming the user hasn’t invested in special privacy tools):[2015/03/09 18:34:44] abortionfacts.com
[2015/03/09 18:35:23] plannedparenthood.org
[2015/03/09 18:42:29] dcabortionfund.org
[2015/03/09 19:02:12] maps.google.com”
ISPs already do monitor DNS queries and real time user traffic to identify and block malware using services from companies such as Damballa. It’s been reported that Comcast deploys this functionality to customers. It’s also been reported that small ISPs use DNS servers that are malicious just to make a quick buck.
Sometimes HTTPS isn’t enough either. The report explains that “A growing body of computer science research demonstrates that a network operator can learn a surprising amount about the contents of encrypted traffic without breaking or weakening encryption. By examining the features of the traffic — like the size, timing and destination of the encrypted packets — it is possible to uniquely identify certain web page visits or otherwise reveal information about what those packets likely contain. In the technical literature, inferences reached in this way are called “side channel” information.”
However, the report also states that side-channel attacks are very unlikely to be carried out by ISPs; but as encryption becomes more widespread, it may be more and more tempting to do.
“Policymakers should have a clear understanding of what’s possible for ISPs to learn, both now and in the future.”
One way that users can protect themselves is by using a VPN but they are rarely ever used. A 2014 survey reveals that only 14% of users in North America have used a VPN. Even if a user does start using a VPN, the privacy it provides is questionable as the report brings up:
“VPNs are not a privacy silver bullet. The use of VPNs and encrypted proxies merely shifts user trust from one intermediary (the ISP) to another (the VPN or proxy operator). In order to more thoroughly protect their traffic from their ISP, a subscriber must entrust that same traffic to another network operator.”
It’s also possible that a DNS leak could occur and thus allow a user’s ISP to see their DNS queries.
Those out there who want to protect their privacy must consider whether or not their ISP is an adversary and act accordingly as Team Upturn concludes, “Today, ISPs can see a significant amount of their subscribers’ Internet activity, and have the ability to infer substantial amounts of sensitive information from it. …”
Note: The sources for the surveys mentioned in this article can be found in Team Upturn’s report.