What Your ISP Knows About You


By David Balaban

It is easy to find numerous legends about ISP employees monitoring user traffic for the sake of private gain or when dying of boredom. But are those legends true? Let’s see what your Internet service provider really knows about you.

Big Brother Is Watching You

Providers in many countries are required to analyze user traffic for compliance with local legislation. State authorities who conduct criminal investigations often oblige ISPs to provide necessary information about specific users and their online activity.

Of course, an ISP does not store the traffic itself. It does, however, perform its processing and classification while keeping all the results in log files. The analysis of basic information is conducted in automatic mode. As a rule, the traffic of a selected user (under investigation) is mirrored to law enforcement servers and the analysis is conducted there.

Deep Packet Inspection

Deep Packet Inspection (DPI) systems are hardware and software systems that work on all but the first (physical/bit) layer of the OSI network model. Network providers may use DPI to control access to certain Internet resources, such as forbidden sites endorsing terrorism. This solution can also be leveraged to monitor user traffic. DPI parses data that is transmitted over unencrypted protocols like HTTP or FTP.

Opponents of DPI claim that it interferes with people’s privacy and violates net neutrality principles. Indeed, unscrupulous ISP operators can gain a lot of personally identifiable data this way and build a fairly accurate profile of you that includes your past activities, online habits, and lifestyle details. This type of finger-printable information can be sold to interested parties, such as e-commerce resources, local businesses, or even criminal groups. To top it off, it can also facilitate various social engineering scams.

HTTPS makes it more difficult to monitor your online activity. However, with TLS version 1.1, which is now often used for HTTPS, the domain name of a site is transmitted in the clear. Thus, the ISP will be able to find out which domains you visit. But without a private key, the provider cannot know what exactly you are doing on those websites.

In any case, Internet service providers do not monitor all clients – it is simply too expensive. But it is possible to monitor a specific individual’s traffic upon request.

What Happens When You Visit a Website?

If the site uses an unencrypted connection (HTTP), the ISP may see the URL that you visit. From the contents of the packets, the ISP can obtain your search history, analyze the history of requests, read your correspondence, and even see your logins and passwords.

If the site uses HTTPS, then the service provider only sees the IP address of the server and the domain name, as well as the connection time and the amount of traffic. The rest of the data is encrypted and cannot be decrypted without a private key.

MAC Address

The ISP knows your MAC address. More precisely, it knows the MAC address of the device that connects to its network. This may not necessarily be a computer; it could be a mobile device, a router, etc. In fact, many ISPs’ authorization process requires your login, password, and MAC address.

There isn’t much an ill-minded individual can do with your MAC address once they have it. However, the disclosure might help track your location based on information harvested from Wi-Fi networks you connected to. Another theoretical abuse case involves someone manually replacing their device’s MAC address with yours in order to access web services on which your MAC address is whitelisted.

You can manually change the MAC address on many routers. On computers, the MAC address of the network adapter can be set manually as well. If you do this before the first authorization (or change later and ask to re-assign the account to a new MAC address), then the ISP will never know your true MAC address.

VPN - Virtual Private Network

In 2014, about 25% of Americans regularly (every day or nearly every day) used a VPN to protect their personal data and access better content.

If you use a VPN, the Internet service provider sees that some sort of encrypted traffic (with a high level of entropy) is sent to a specific IP address. The ISP may discover that this IP address was earlier sold to VPN services.

The provider cannot automatically track where the traffic goes later on, although if the ISP compares the traffic of its subscriber to the traffic of any server using timestamps, this can facilitate further investigations. But this requires complex and expensive technical solutions that can only be justified by very serious reasons.

It’s noteworthy that a VPN connection may suddenly get interrupted once in a while. This can happen at any time and with any operating system. After the VPN has stopped working, the traffic automatically starts flowing in the clear, and the ISP may analyze it.

Tor - The Onion Router

When you connect through Tor, the ISP also sees that your traffic is encrypted but cannot decipher what you are doing on the Internet.

Unlike a VPN, where traffic is usually routed to the same server for a long time, Tor changes IP addresses automatically. The ISP can determine that you are probably using Tor based on encrypted traffic and frequent address changes, and then reflect this in its logs.

Tor is not forbidden by the law. But remember that someone may use your IP address on the Tor network if Exit Relay is configured in the settings. If a cybercrime takes place and your IP appears in the records, the police may interrogate and even search you.


Torrent clients and trackers, as a rule, exchange data via the HTTP protocol. This is an open protocol, and therefore (see above) it is possible to monitor the user's traffic and analyze it with DPI.

In many countries, it is still safe to use torrent websites. Law enforcement agencies only go after the administrators of torrent trackers and distributors of pirated content, but not regular users. However, in some European countries, large fines may ensue from the use of torrent websites.

In the U.S., you can download a torrent file, but its content really matters – it is illegal to download copyrighted or any other protected content that should not be shared or copied. You can use a VPN while torrenting as both are allowed, but again, if the content is pirated you run the risk of being prosecuted.

Browser Incognito Mode

This mode does not help hide your traffic from the ISP. It is simply used to pretend that you did not use the browser. Cookies, website data, and browsing history are not stored if you turn on Incognito mode. However, all your actions can be monitored by the service provider and the system administrator.

Good News

The ISP knows a lot about you, maybe even everything. However, small companies simply cannot afford to buy DPI equipment or set up an effective monitoring system.

If you perform legally permitted actions on the Internet openly and use a VPN or Tor for things that involve privacy and confidentiality, the probability of getting onto the radar of the ISP or special services is negligible.

About David Balaban

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking.
