How To Browse Privately After Congress Nixed FCC Protections

Over the last several days, both the U.S. House and the Senate passed legislation to repeal the FCC’s privacy protections against internet service providers (ISPs) abusing customer data for their own benefit, largely without any consent.

It’s likely that the only real long-term solution against this type of abuse will be for policymakers to pass new legislation that brings back the broadband and wireless customer privacy protections that they’ve now repealed. Granted, this probably won’t happen with a Congress under the current configuration, as the current crop of lawmakers clearly wanted to eliminate those types of protections.

However, a future Congress, backed by enough interest from citizens and political will, could shape stronger internet privacy policies into a law that would be harder to repeal than the FCC’s own rules.

In the meantime, there are some things you can do to stop, or at least significantly restrict, ISPs from tracking you across the web.

Don’t Buy/Rent Devices From Your ISP

If possible, it would be best not to buy, subsidize, or rent any type of device from your wireless or broadband provider, whether it’s a smartphone, tablet, Chromebook, router, modem, or what have you.

This is among the easiest ways in which the ISP or wireless service providers can track everything you do on the web, because they get full or almost full control over the devices they sell or rent to their customers. It’s trivial for them to install firmware or applications on those devices to track you without you even knowing it.

As Verizon eagerly showed us after the House vote to repeal the FCC’s privacy framework, wireless service providers can’t wait to start collecting as much data as possible about what you do online.

HTTPS Encryption Is Your Friend

Wireless carriers and ISPs aren’t exactly new at tracking customers on the web and serving them ads; they’ve often been caught injecting ads into their customers’ web traffic. For instance, you may be visiting a website, that may even have its own ads, and suddenly, an ad from your ISP or carrier would appear as well.

However, this can only happen if the website you visit doesn’t use HTTPS encryption and the address bar is marked with HTTP instead. When a website doesn’t use HTTPS, the ISP can shape and control that flow of data however it likes. HTTPS encryption stops carriers from tracking your browsing habits in more detail and also from showing you their own ads.

There is one caveat to this, which is that the service provider doesn’t control the device, as mentioned above. If it does, then it could create a “man-in-the-middle (MITM) attack” by interposing itself between you and the HTTPS encrypted website you’re trying to visit.

This shouldn’t be possible anymore on Android 7+ devices, because Google now mandates that there can’t be any other certificates than the ones it’s allowing. However, service providers could still be able to control other devices in this way.

VPN Services

Having to visit HTTPS-only websites may be easier said than done. EFF extensions such as HTTPS Everywhere do allow users to automatically switch websites from HTTP to HTTPS, but only when the HTTP website doesn’t automatically redirect all of its web pages to the HTTPS versions. The extension redirects automatically for you.

HTTPS Everywhere also has an option to “Block all unencrypted requests,” which essentially forces your browser to only retrieve web pages and connections that are encrypted with HTTPS. This is probably an option not too many are willing to use just yet, though, as much of the web remains unencrypted, and it could quickly become a frustrating exercise.

Because not all websites you may visit use HTTPS, that makes a VPN service provider a major tool in your arsenal against ISP tracking, too. The VPN creates a secure tunnel for all of your device’s internet traffic, so it’s irrelevant whether the websites you visit have encryption or not -- the ISPs won’t be able to see that traffic. Another caveat: You have to research VPN providers, because many will sell your data, which defeats the purpose of using one to evade ISP snooping in the first place.

Tor Browser

The Tor browser is the tool of choice for those who want maximum privacy, or anything resembling true anonymity on the web. This comes with some caveats, especially when you’re up against intelligence agencies and you’re a target. However, it should be more than good enough against ISP tracking, or any other common kinds of tracking on the web.

The Tor browser may load websites a little more slowly, even compared to VPN services, because it routes your traffic through more locations around the world. This is the only price you have to pay, though, because the tool is free to use. Most VPNs, especially if you want to use them for all of your internet needs, aren’t. You can also use a VPN and the Tor browser together for even better privacy.

Change Your DNS Servers

Even if you visit encrypted websites, ISPs may still be able to see the browser requests you make via their own Domain Name System (DNS) servers which are automatically assigned to your computer or smartphone.

The DNS servers’ role is to resolve the website addresses you type in your browser to the IP addresses of those websites’ physical servers. That means that if you use the DNS servers automatically provided by your ISP, the ISP should be able to log which websites you visited.

OpenNIC DNS servers tend to be more privacy-focused than other better known DNS server alternatives such as Google’s own DNS servers or OpenDNS (now owned by Cisco), but there are others as well.

Officially Opting Out Of ISP Tracking

Some, if not all, of the ISPs and carriers should provide ways for you to opt-out of most of their tracking. However, it often involves multiple steps, and the opt-out may still not be complete. Therefore, you may still want to use some of the above options, just in case the ISPs don't actually stop much of their tracking.

Future Of Web Privacy Looks Uncertain

If the net neutrality rules fall as well under the existing Congress and FCC leadership, then some of these tools may start to lose their effectiveness, as they could become the primary enemies of ISPs trying to collect that user data. Some of the services could be slowed down, and some could even be blocked, which is basically why the net neutrality rules were proposed by the former FCC leadership in the first place.

However, if millions or tens of millions of people start relying on them, the ISPs may fear a backlash, even if there wouldn’t be any rules or laws left to keep them from hurting the performance of these tools and services in order to increase their profits.

Regardless of what happens in the future, these tools can be used right now to drastically reduce the amount of tracking ISPs and wireless carriers can do to you. If you’re serious about privacy, or at least not wanting internet providers to sell your data without consent, you may want to start using some of these tools today.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • ledhead11
    Thanks for the tips. I thought I read here and a few other places that TOR browser had some vulnerabilities that were being exploited. Has it been patched?
    I haven't read it yet but there's link to an article about VPN's having some susceptibility to the new rulings too on ardOcp.
    Reply
  • popatim
    Thank you Lucian
    Reply
  • plateLunch
    Add one more option: If you have a Republican representative or Senator, WRITE THEM and let them know how you feel. Tell them you have technical expertise and they have made a big mistake. Tell them you do tech support for your neighborhood and you're telling all your neighbors about how their privacy is going to be sold and the rep or senator is responsible. Collect privacy horror stories such as someone searching about a medical condition and seeing his insurance rates suspiciously go up. Tell your rep or senator that the neighborhood is upset now and they're holding him/her responsible.
    Sometimes the solutions aren't all technical.
    Reply
  • Clamyboy74
    Meanwhile Toms does not have https... I had a good laugh. Thanks for the https everywhere link!
    Reply
  • Morbus
    Haha, this is very funny.
    Very good article though, good stuff.
    All around, really.
    Reply
  • schwatzz
    19502028 said:
    Add one more option: If you have a Republican representative or Senator, WRITE THEM and let them know how you feel. Tell them you have technical expertise and they have made a big mistake. Tell them you do tech support for your neighborhood and you're telling all your neighbors about how their privacy is going to be sold and the rep or senator is responsible. Collect privacy horror stories such as someone searching about a medical condition and seeing his insurance rates suspiciously go up. Tell your rep or senator that the neighborhood is upset now and they're holding him/her responsible.
    Sometimes the solutions aren't all technical.

    They don't care
    Reply
  • BoredSysAdmin
    https will encrypt the content of your bank page, your pay stubs online or your shopping cart at large online vendor, but it won't hide your tracks that you visited citi.com, adp.com or amazon.com.
    Not talking about clear text dns requests - there is cure for that DNSCrypt (google if curious), but SNI implementation in current https handshake required domain address to be sent in clear test before encryption could start.
    Reply
  • coolitic
    Toms is constantly saying "everyone should https", but they don't do it on their own site.

    At this point I simply find it amusing.
    Reply
  • knowom
    This went through and passed due to both parties of republicans and democrat's so keep the political fodder out of it. Neither party stopped these changes from happening or really openly tried to do so quite frankly or at least not enough from either party to make a difference.
    Reply
  • USAFRet
    "Major internet providers say will not sell customer browsing histories"
    http://www.reuters.com/article/us-usa-fcc-data-idUSKBN1722D6
    Reply