When we surf the web, there are several ways that our activity can be tracked. But one spy we often overlook is our internet service providers. Not just our home internet provider, but also our cellular service provider. (You might also want to check my article that explains what a VPN is and, perhaps more important, isn’t.)
Thankfully, in recent years, HTTPS has been much more widely adopted on the internet. That “S” at the end means that all the packets flowing between your computer and the far end server are encrypted. (By the way, that’s usually all it means. Specifically, it doesn’t mean that you can trust the website.) You can maximize the benefits of HTTPS with browser plugins like EFF’s HTTPS Everywhere. It ensures that if HTTPS is possible for website XYZ, it’s actually used. Bottom line: If you’re using HTTPS on a website, then all communications with that site (the contents of the page and any data you send) are private.
Chinks in the Armor
However, there are still many ways your web surfing habits can leak out. For example, the websites you visit are chock full of trackers. (See this article for protecting against this.) Also, if you’re using the Chrome browser, you should just assume Google knows everything you do there. (Switch to Firefox.) Even with HTTPS, there will be plenty of evidence on your computer about your browsing history. (You can curb this by using incognito mode.) We’ve even seen how antivirus software can be used to track everything you do on the web.
As if all of that wasn’t bad enough, the name of every single website you visit is completely visible (unencrypted). Before you talk to any website, you have to look up its number. That is, you have to turn the domain name (e.g., Amazon.com) into a routable IP address (like 220.127.116.11). This process is almost never encrypted today, meaning that your lookup query is completely visible to anyone watching your connection, even if the HTTPS connection prevents them from seeing the subsequent communication. (See this article for one way to fix this.)
Man in the Middle
Your internet service provider connects you to the internet. Therefore they are in the unique position of being able to see every single data packet that comes in or out of your home. When you’re using a smartphone, your cellular provider is your ISP. And when you’re using public WiFi hotspots or even a wired hotel network, whoever owns that service has the same total access to your web traffic. While HTTPS connections are opaque, there are still several sites that don’t yet support it. And all of your smart apps are silently checking in with dozens of unknown servers in the background. Those communications may or may not be encrypted.
The modern solution to this is a virtual private network (VPN) service. You sign up for the service and download a special app which runs on your computer or your smartphone. It establishes an encrypted connection to a VPN server, somewhere out on the internet, usually geographically close to you. This special app then forces all your internet traffic (inbound and out) to go across this secure connection. For this reason, the connection is often referred to as a “tunnel”. It’s like having a secret underground passage from your house to some location a few blocks away. No one watching your house would be able to see you come or go.
It’s crucial to realize that by doing this you are trading your trust in your ISP for your trust in the VPN service provider. Not all VPN providers are trustworthy – many of them also collect and sell your web surfing info.
Choosing a VPN Service
There are many, many VPN service providers out there. How do you know which service you can trust? Honestly, it’s really, really hard to figure that out. I’ve read many reviews of VPN services, and the results are rarely conclusive. Many reviews focus on connection speed or number of VPN exit points or even just cost. None of those have any bearing on privacy, though.
There are so many things to consider there. Does the service log any activity? If so, what info is logged and how long is that data maintained? Does it share this data with any third parties, and if so, whom? And how can you know if the answers they give you are true?
I recently found an article on The Wirecutter that is easily the most comprehensive VPN service review I’ve ever seen. And its number one priority was privacy. It’s a very long article, but I would recommend that you read through most of it. It explains a lot of really important stuff and how it chose the top services. IVPN and Mullvad were their original choices, but they swapped out IVPN for Tunnelbear. (I personally like Proton VPN, too, because it comes with a lot of other great services.)
Many of the most popular services didn’t make the cut in this review, due to lack of transparency and/or independent auditing. This is something most other reviews don’t even address. My guess is that this review will actually drive some of the more popular services to up their privacy game. Also, there are several promising services on the horizon like Cloudflare’s Warp. So… use this review to pick a service for the next year, and then check back for updates.