What should we do after Congress repealed the privacy law?
I have received many questions from my friends about what to do now that Congress voted to repeal the online privacy rules created last October by the Obama administration.
The first thing to do is to avoid panic. Those privacy laws never took effect, so I believe we are now no worse off than we were before last October, although some commenters are disputing this.
What did the proposed regulations do? They would have forbidden your internet service provider (ISP) from collecting and using data of your online activities. Particularly from selling that data to other merchants (such as Amazon or Facebook).
When you browse the web from home (or from your phone) your ISP (Comcast, AT&T, WOW, Verizon etc.) routes your traffic from your device to the website you are visiting. That information is, of course, stored by your provider and can be aggregated and sold to the highest bidder. And, of course, if the information is stored, it can be subpoenaed, seized through a national security letter or stolen and sold online to somewhat less reputable people than Comcast.
And all of these things have happened already (Schneier’s article cites real examples):
- What the repeal of online privacy protections means for you, The New York Times
- Congress removes FCC privacy protections on your internet usage, Schneier on Security
- Five creepy things your ISP could do if Congress repeals FCC’s privacy protections, Electronic Frontier Foundation
What can you do to prevent your ISP from seeing where you browse and what websites you look at?
The best solution is to use a Virtual Private Network (VPN). A VPN is like a tunnel that routes all your internet browsing through a neutral pathway so that nobody outside the tunnel can see it. Your browsing is encrypted from your computer to the entrance to the tunnel and outsiders can only see traffic from the tunnel to your target website. Thus nobody can tell where you are browsing.
VPN’s were developed to permit protected information being transmitted across the web. If you are a Wayne State employee you can use the Wayne State VPN. If you do so, your computer (or smartphone — the VPN works with those too) talks only to Wayne State, effectively making it part of the Wayne State network. But any browsing traffic (or downloading) is encrypted, so that nobody can snoop on it (with the possible exception of the NSA, although there is some dispute about whether even they can break 64 bit encryption). You can learn about, and use the Wayne State VPN here: computing.wayne.edu/vpn.
Even if you’re not worried about Comcast or AT&T snooping on your web activities, there are good reasons to use the VPN, particularly if you are not at home. Random Wi-Fi connections in public places are notoriously vulnerable to snooping, and the VPN will protect your laptop or smartphone there. And, of course, I have written over the years about international travel and the possibility that other governments might watch over your shoulder to read your email or other activities. A few countries (China in particular) attempt to block the use of VPN’s, although they generally leave universities alone.
When you use a VPN all traffic from your computer to the website you are looking at goes through the Wayne State (or alternative–more below) first, and is encrypted from your computer to the target website. That means if someone snoops on your computer all they see is encrypted traffic from you to Wayne State. They can’t see where you are browsing.
Here’s a diagram of what happens when you DON’T use a VPN:
And here’s a diagram of what happens when you DO use a VPN:
It should be said that for older machines and slower network connections there might be a slowdown in how fast a page loads, and we don’t recommend using the VPN for streaming movies.
One last thing: be aware that when you visit a website whose URL begins with https: any text you transmit to that site is encrypted, but any site that begins http: is not encrypted. In addition, sites with https: are authentically what they say they are. You can tell this because there is a green padlock in the address bar, and the text sometimes includes the name of the company.
If you don’t have access to Wayne State’s VPN there are .alternatives. Kevin Hayes, our Chief Information Security Officer recommends not using the various free VPN’s on the market, pointing out that ‘if you are not paying, you are not the customer’. However, PC Magazine has a rating of various commercial VPN options here: pcmag.com/article2/0,2817,2403388,00.asp.