ISP Snooping — 1
I have been reading about the ways ISPs can invade customer privacy. With respect to connecting to the internet there is no way to avoid an ISP.
Since the dawn of computer networks system administrators have had access to user files. A reasonable presumption is many admins are ethical, but a sane balancing presumption is many admins have snooped around user accounts at least once in a while.
An ISP is a large scale admin. Many ISPs might lack incentive to snoop on customers, but the possibility remains.
I live a rather ordinary life. I prefer to think I am not that interesting, but who knows what tempts anybody to snoop. The challenge is not whether I am interesting, but that a malicious person could use information in a harmful way, not to forget that such snooping violates a person’s expected privacy boundaries.
This discussion easily traverses into tinfoil hat territory. Yet being a tad paranoid is not a bad strategy for both privacy and security.
A primary challenge is trust. All human relationships are based on trust. Establishing trust is not a simple if-then programming challenge. Trust involves a human element. People are fickle. Trust can disappear like the dew on a hot sunny morning.
A second challenge is all internet traffic, whether web browsing, email, or other forms, requires knowing the source and destination IP addresses. There is no way to hide or mask that fundamental information. Various tools such as proxies or virtual private networks (VPNs) only “move the goal posts.” The source and destination information remains known.
There is no way to hide the first originating IP address from the ISP because the ISP assigns that IP address. While that IP address can be masked or hidden from other people on the internet, if the primary focus is protecting privacy from the ISP then other methods are needed. This becomes a game of obfuscation.
By default email is transferred and stored in plain text. IMAP account mails are stored indefinitely on somebody’s computer, often not encrypted at rest. POP3 accounts cannot avoid temporary storage.
Using HTTPS helps with web browsing but falls short of stopping all snooping. An ISP will know the top level domain and can create a browsing history through DNS queries.
Connections made outside a web browser create additional snooping challenges. SSH helps with encrypted tunnels, but the ISP knows the destination IP address.
Tor is an option for web browsing only. Unless using webmail Tor won’t help with email or other connections outside a web browser.
A VPN is a common remedy to impede an ISP’s ability to snoop, but can’t stop the VPN provider from snooping.
Can the ISP be thwarted? For many people the challenge might seem Sisyphean.
Through the years I've done well to protect my privacy. I long have exercised caution about sharing personal information online. Online I use aliases. Google is not a part of my life. I never used social media. I don’t use data mining and tracking smart devices. I am careful about what my web browsing might reveal.
I'm not into torrents, online videos, or “adult” content. The lack of such usage goes far to reduce interest in my habits.
My goal or threat model is not anonymity but protecting my privacy from a potentially invasive ISP or rogue ISP employee.
I plan to explore further.