Ask HN: When do ISPs begin selling your data, and is a VPN all that's needed?

35 points by arikr ↗ HN
When does the "ISPs selling your data" begin, and is a VPN without logging all that's needed?

27 comments

[ 3.1 ms ] story [ 65.0 ms ] thread
There are no clear answers; all the info about this is a bit fuzzy because there's no requirement for ISPs to disclose past or current activities surrounding their selling of data.

The bill was actually enacted to prevent privacy rules which hadn't even gone into effect yet, which means that technically, ISPs would have already been able to sell such data. However, the consensus seems to be that ISPs were only selling "anonymized" data, and this move will embolden them to push further into invasive practices.

Yea great point. A lot of headlines are portraying this as a sudden new practice rather than an attempt to formalize the rules governing existing practices.
Wherever you VPN to, your connection still comes out somewhere. If that happens to be in the US, datacenters still have ISPs. If you're visiting a site hosted in the US, that's on some ISP too. Basically, if Level3, CenturyLink, and Verizon decide that they want to collect and sell profiles based on browsing profiles, there's not a way around it. It'd be easier to build a profile on a direct subscriber (e.g. Comcast profile on a subscriber of theirs) but installing OpenVPN on a DO droplet won't magically save you from this if you're in the US.

Will they actually do it? Well, can they make money from it? Do you trust Comcast to be a good steward of your privacy in the absence of a legal requirement to do so? Comcast did a hard pull on my credit when switching my account to a new address because they were too incompetent to update it and ended up creating a second account as a new customer for me. Comcast is my only option of ISP, as it is for many many other apartment dwellers and many single-family homes as well.

There is not much useful data to gleaned from an encrypted VPN connection. If you're referring to the ISPs monitoring what the VPN proxies for you that data would be useless as well since it would be the aggregate over everyone using the VPN. It wouldn't be possible to build browsing profiles if every request originates from the VPNs IP address.
you only need to leak a few bits here and there once or twice and the connections can be linked together
Answering the question of choosing a VPN is complex and varies by what's important to you. Like with security, there are few black and white answers.

The VPN comparison chart [1] is the best reference I've seen on the dozens of factors one might care about.

[1]: https://thatoneprivacysite.net/vpn-comparison-chart/

It's unclear to me why this got downvoted as it addresses OP's question with one of the most popular and detailed references for choosing a VPN which also explains the specific privacy implications to consider (which of course cannot be answered universally as they vary by person).
VPNs aren't really private. They can see everything that an ISP could see if you weren't using one. It's just a level of indirection.

I trust ISP companies more than I trust VPN companies because ISP companies are in the USA and are much larger (so engage in less risky behavior), so they at least have to sell data in aggregate and scrub PII

> I trust ISP companies more than I trust VPN companies because ISP companies are in the USA and are much larger

That fact only supports their practice of selling user data. If we did not have such a barrier of entry for new ISPs, the market would be able to react to this abuse. But instead, large ISPs like AT&T, Verison, Comcast, Time Warner, etc. hold the market so tightly that they can get away with abusing their customers without a serious reaction.

Because ISPs have so much control over the market, the only viable response without regulation are VPNs. A VPN can sell privacy to a customer who feels abused by their ISP. Since privacy is essentially the foundation of the VPN provider's business, VPN providers compete to prove to customers they can protect their users' privacy.

There are a large number of VPNs, commercial or otherwise, that someone can use. Where I live, I have a very small number of ISPs to choose from and they would all have my billing information if I used them. Some of the VPNs offer connections in other countries, and some of them claim not to log. The VPN's ISP would see my data move around, but wouldn't have my billing information. The VPN would, but if it's commercial I can likely sue them if they do something egregious with it.

In my opinion, VPNs help more than hurt privacy, assuming you choose a reputable one to use.

If a person wants anonymity, then go for Tor or Freenet.

You could always setup your own VPN on a VPS with

https://github.com/jlund/streisand

FWIW I tried this on DO and had a bitch of a time.

I'm a developer and I run linux as my primary OS, so there weren't any new concepts, exactly. I had to do a lot of google searching of error messages.

In the end, it kept failing after droplet creation, I think when whitelisting my IP or something similar.

This happened 2 days ago.

Anyway, I couldn't even get it running on the droplet, let alone get all connected and ready to go. Might try again with AWS.

If you want to pair on this, I'd be interested. Even if I don't use it, it's something I've wanted to do for the learning experience. I have enough knowledge of all the pieces to be dangerous, but haven't actually tied all the pieces together.

My email is in my profile if interested.

I did exactly this, using DO. It works beautifully, and my droplet is in a foreign country. Two things I'd recommend if you have trouble are:

a) Look up Digital Ocean's own instructions for setting up OpenVPN. Follow exactly.

or

b) look at HN threads from today, some people wrote Ansible playbooks and scripts to set it up.

There's a good chance I'm wrong here, but isn't directing your traffic overseas the exact thing that makes it fair game to state-level inspection?
Fair game legally or technically?

Legally maybe, probably, who knows. Personally I don't feel protected legally anymore with regards to privacy. It's a good thing I don't really do anything illegal, even if it both saddens and angers me that the world is letting this happen.

Technically I'm assuming without some serious cooperation with Digital Ocean it's going to be hard. Sure, if someone gives the authorities (or the hackers get) root, then my OpenVPN software will be more Open than "VPN."

I'm not a developer nor run Linux as my primary and got this working on DO and Vultr and XenServer. The github issue community is pretty active. Check out some of that info. The main maintainer is also easy to contact.

I set it up using MacOS. It's all about the playbooks. Get that right and you're good.

I tried first with streisand and ran into problems... but Algo with AWS worked great for me.
IMHO the ideal situation to selectively play along. A router running Linux/BSD which can be configured have regular, VPN and Tor route is the ideal situation to avoid scrutiny from third parties.

Connections to Facebook, Google, Amazon, etc. should go un-tunneled. It's good to feed the beast with data it already owns anyway.

Connection to porn websites (say by your 16-year-old cousin who came to stay at your place for the weekend) and other ethically debatable content should be routed via Tor. Connections to torrents should be routed via VPN[1].

I understand that some people here prefer their personal VPN against a VPN provider like TorGuard, etc. There's no good and poor solution here, everything depends on the use case. A VPN provider will be handling thousands of encrypted connections and gives you a dozen exit nodes. From each exit node thousands of different connections are routed. It's way harder to target and isolate a user, even for a medium state-level actor.

Conversely, if you route all your connections from, say a DO droplet, you're controlling the droplet, but you have one exit point for all your connections... It's extremely easy to target your connections for a state level actor.

Of course there are thousands of schemes one can choose. Everything depends on the use case.

Will the VPN in Opera prevent this tracking? How long before Chrome and Firefox offer this?
The recent law enacted by Congress countermanded an Obama-era regulation that had never gone into effect. Thus, the current situation is the same as it ever was - ISP's can sell anonymized and aggregated customer behavior data today, just like they could yesterday.

Also important to note -- existing regulations still in effect prevent selling un-anonymized data. Selling someone the browsing habits of a particular identifiable customer is not allowed, never has been.

I'm not sure where this 'nothing has changed, no need to panic' talking point has come from.

The 'Obama era regulation' was an attempt to maintain privacy regulations after internet businesses were found to be exempt from ftc oversight in late 2016. So now there is no privacy regulation from the ftc or fcc. Things are not the same as they always were.

DNS and Certificates are the key:

You should remove all CA certificates installed by software that show like it were "installed by you".

Some AV software does MITM sending you a "trusted" certificate signed by their own CA whilst acting as a proxy between the actual site and the AV.

Theoretically anybody could do the same on the network side transparently.

Also if you don't trust your ISP, you shouldn't use their DNS servers. I don't know about commercial integration between DHCP and DNS requests to track people but it is feasible with some work.

For DNS just grab a raspberry pi and setup a dns resolver. You only need the right root zone seed file. Just don't make it available to the whole internet.

If you use a VPN, you are just trading one ISP for another.
Yeah, but I trust Digital Ocean or AWS (and whatever providers they rely on) more than I trust AT&T, Time Warner, and Comcast combined.
VPNs only give you indirection. And you have to trust your VPN provider. You're just moving your trust. Now if you diversify well enough you are probably less likely to be effectively snooped on, but then you're just reinventing TOR[0].

Adopting HTTPS across the board is so much more important.

[0] Which too only gives you indirection, remember that!