There’s an interesting set of competing objectives unfolding at present as it relates to the protection of our data while it flies around the internet:
On the one hand, there’s unprecedented oversight of the bytes we’re sending backwards and forwards, especially on behalf of governments mandating collection via ISPs. A great example of this is the UK’s recently passed Investigatory Powers Act or as many know it, the “Snoopers’ Charter”. That rather uncharitable nickname gives you a good idea of how many people feel about ISPs being asked to retain information about everyone’s browsing habits. More recently in the US, the House of Representatives rolled back FCC privacy regulations allowing ISPs to sell information about their customers’ browsing history. Even down here in Australia where we’re generally pretty easy going about most things, the government decided that ISPs should be retaining metadata on our browsing history (although alarmingly, our government isn’t quite sure what metadata actually is…)
On the other hand, we’ve never had more encryption and easier access to it than we do today. WhatsApp and iCloud are great examples of large-scale, consumer-focused messaging apps that not only encrypt data in transit, but do so end-to-end such that it never rests with an intermediary in a readable fashion. The rapid expansion of HTTPS on websites is another one and the little green padlock in the browser has never been more prevalent than it is today. We now have around 20% of the world’s top 1 million websites serving their traffic over encrypted connections and that ranges from banks to news sites to adult entertainment. However, it’s here that we begin to see the cracks in the protection that encryption provides us.
In fact, that last example about adult entertainment demonstrates the problem perfectly and just the other day I wrote about how encrypted web traffic doesn’t necessarily hide your weird fetishes. Now we can extend that same premise to any class of website and I’ll give you a perfect example: Let’s say you’re suffering from an illness and as you’d rightly expect, many people would like to keep something like that private. Searches for the illness over Google are all encrypted using HTTPS so anyone between the web browser and Google themselves (such as your ISP) cannot see what you’re searching for. Now let’s say the illness is depression and you end up on our Aussie Health Direct website which provides a symptom checker for the condition. This site is also all HTTPS so again, your traffic is encrypted and protected from prying eyes. But there’s a catch – your ISP knows you’re on this website and this is where the provisions of website security alone start to fail you.
Having now decided you may be suffering from depression, you browse over to Beyond Blue, a site dedicated to those suffering from depression and anxiety. It’s also fully encrypted which means your ISP doesn’t know which pages you’re looking at, but because they know you’re on beyondblue.org.au, they can take a pretty educated guess at why you’re there. They know you’re on this site because your browser begins “negotiating” the encryption that should be used in a fashion they can observe. This also happens after your browser makes a request to the domain name system so it can figure out where to find beyondblue.org.au and again, the ISP can observe this. Of course, your ISP also knows everything about the traffic you send to websites that don’t implement encryption of their traffic, but I suspect that most people reading this are already aware of that.
This is where a VPN comes in because rather than entrusting a local ISP with snippets of information about your browsing habits, you now have the ability to encrypt the entire communication between your PC or mobile device and the VPN provider. What you’re doing is moving the trust away from that local organisation that’s increasingly beholden to tracking your browsing habits to the provider of the VPN service. Of course, this now means that you need to have a great deal of trust in that service so choosing the right VPN provider is absolutely critical.
For me personally, Freedome goes on as soon as I connect to any unfamiliar network and that’s been my default process for many years now, especially with the amount of travel I do. But increasingly, the points above about ISP tracking have caused me to use it more and more at home on a network I trust, albeit communicating via an ISP beholden to hand over my personal browsing history. It’s not that I have things I want to hide, but rather like all of us, I simply have some things that I’ve decided not to share.
This is a sponsored guest post. All views are those of the author.