How much is this a worry? ISPs argue they need the extra revenue, and that should be enough to make you concerned. It implies that the data they are mining is valuable enough to make them a good amount of money.
There’s also the concern that governments could leverage ISPs to cut off your access. Usually, this has to do with alleged copyright infringement. France has a law that requires ISPs to cut you off after a certain number of allegations. Proof is not necessarily needed.
So, yes, you should be concerned, but what can ISPs tell about you?
What ISPs can store and record
ISPs can, and often do, monitor your web browsing activity. They argue that this is not sensitive information. So, what can your ISP actually see?
- The domains you visit, even if those domains are protected by HTTPS. They can’t see the content if it’s encrypted, but they can still see where you go. Their usual excuse for logging is to help you detect malware, but the logs can also reveal a great deal about your interests and current status: whether you’re looking for a new job or a divorce, or whether you recently bought a puppy.
- They can engage in something called website fingerprinting. While HTTPS protects your content, it does not necessarily stop tools from establishing the exact page on a site you are visiting. Researchers have used this to determine the exact medical condition somebody is looking into on a health site, for example. Website fingerprinting works by reading such things as how long you are on a particular page and the pattern of traffic.
- If you do go to an unencrypted website, they can tell exactly what you are doing, such as what you might be buying on Black Friday. If they sell this to marketers, you can get even more intrusive, targeted ads.
- What devices you have and are using on the network. They can tell what kind of mobile phone you use. A sudden increase in device use may indicate that you’re hosting a party…and if this happens on a regular basis it could be used in conjunction with websites visited to establish exactly what your friends are doing when they come over. For example, they might be able to tell you’re playing Dungeons & Dragons, and then serve you ads for Pathfinder products.
- Your email. It’s illegal for your ISP to read your email while it is in transmission, but it is not illegal for them to look through stored messages. They are not allowed to disclose them to others except to law enforcement with a valid warrant. Generally, you should not consider email to be secure unless it is encrypted (which is technically challenging). Never send credit card numbers or other financial information over email.
- The size and origin of files you are downloading. Certain file sharing sites may attract suspicion. (You should avoid shady file sharing in general, as it is a quick way to catch a virus.) Also, ISPs will sometimes throttle large file downloads, slowing your download speed to free up bandwidth for other users.
- Your IP address, which they are assigning you in any case. As they already know where you live, this might not be a concern until they attach it to suspicious traffic.
- Whether or not you are using a VPN. However, they cannot see into a properly configured VPN tunnel. This does allow them to block users from using certain types of VPNs, although it is more common for sites to block VPN access (usually to prevent users from using VPNs or proxies to get around geolocation requirements on streaming access).
What do they not know?
ISPs cannot see absolutely everything you do as long as you take certain precautions. They cannot tell:
- The exact file you are downloading.
- The content of web pages viewed over an HTTPS connection (although, as stated above, they can still often determine this indirectly).
Why is it important to hide things from your ISP?
So, why is your ISP snooping such a big deal? You might think you have nothing to hide but…
- It is currently legal for your ISP to sell your browser history. For the most part, ISPs only sell aggregate data. However, they could theoretically sell your personal data to an advertising network, resulting in even more intrusive and creepy ads.
- Anything that your ISP logs can potentially be stolen from them by hackers. Although ISPs have good cybersecurity, information in their logs is still information in an extra place.
- Your ISP could theoretically sell advertising themselves, injecting their own ads instead of those put in place by websites. This means that if you whitelist a website to give them advertising revenue, they may still not get the money.
- With the current (October 2018) rules on net neutrality, your ISP can use your aggregate data to determine paid prioritization, pushing traffic from certain sites aside. They could even block your access to certain sites.
- The government could put pressure on your ISP to cut off your access based on the contents of those logs. You don’t even have to be doing anything illegal, just accused of it.
How do you hide your internet traffic?
Incognito mode or private browsing will do nothing to protect you from snooping ISPs. Your best options are either the Tor browser (which is overkill for most users) or a quality VPN.
Be wary of free VPN providers, which can result in you trading your ISP snooping for the VPN provider snooping. (If you are not paying for a service in money, you will often find yourself paying for it in information.)
In other words, if you are at all concerned about your online privacy – and you should be – you should consider getting a good, reputable VPN to protect your data from your ISP and from others who might want to snoop on it.