How much can your Internet Service Provider find out through your internet traffic?

Jamie

Your ISP can see all your internet traffic

From everything you ask Alexa to all your emails and passwords: If you don’t encrypt your traffic, your Internet Service Provider (ISP) can potentially see all of it.

As your ISP handles all your internet traffic, it can see everything you do online. Your ISP could collect personal information about what you search for, who you email (and when), and even your Bitcoin transactions.

However, even if you encrypt all your traffic, the spikes in traffic patterns alone may be enough for your ISP to find out what you’re doing at home.

Let’s break down what your ISP can see when your data is or isn’t encrypted, and how to address each problem.

What can your ISP see if your data isn’t encrypted:

1. The exact sites you visit, and your passwords

If the websites you visit are unencrypted, i.e., they still use HTTP and not HTTPS, your ISP can, for instance, know the exact sites you visit. If you shop on http://www.a-shopping-website.com, your ISP would know what you bought, the username and password you use for your account, and any payment information you enter. If instead, you go to https://www.a-shopping-website.com, all your ISP will see is that you visited the site, but not what you do on it.

Solution: Check that the sites you visit use HTTPS (we’d recommend getting HTTPS Everywhere to help ensure the web pages you visit are encrypted), and don’t visit sites with expired or invalid SSL certificates.

If you don’t want your ISP to see what sites you visit at all, use a good VPN.

2. Your emails

If you use an email service that doesn’t use Transport Layer Security (TLS) encryption, your ISP can likely see the contents of your emails, and if your ISP is also your email service provider, they definitely can.

Solution: Use an email service that has TLS encryption (often called STARTTLS) on top of HTTPS and valid SSL certificates. But keep in mind that the email service itself can still look at your personal emails.

Some providers, like Google Mail, will notify you with a small red lock if the recipient or sender does not use TLS correctly. You can notify the email sender about this error, or ask for another email address.

Alternatively, you could choose to delete that Gmail account and consider these privacy-conscious alternatives instead.

3. Whether you’re torrenting

Your ISP can see when you use BitTorrent to download files, even if they are legal (a game update, for instance). While they may not care about the contents you’re torrenting as much as some corporations do (who can see your IP address from the torrent, mind you), once the ISP notices you’re using bandwidth for torrenting, they might throttle your download speeds.

Solution: To prevent your ISP from identifying your torrenting activity, use a VPN for safe and fast downloading.

4. Your Bitcoin transactions

Because ordinary Bitcoin clients send standard and uniquely formatted unencrypted messages to well-established TCP ports, your ISP can quite easily spot if you use Bitcoin. From your traffic, they can also trace your transactions back to you. As the ISP can see all your incoming traffic, they can infer that any transaction you send out that’s not received from someone else is a transaction you created.

Solution: While a good VPN or the Tor Network can prevent your ISP from tracking your Bitcoin transactions from your incoming traffic, there are still other avenues through which they can figure out your transactions.

If you want to make sure your Bitcoin transactions are anonymous, check out Lexie’s guide on how to make anonymous Bitcoin payments.

What can your ISP see if your data is encrypted:

If you encrypt all your web traffic data, great work! However, your ISP can still look at the unencrypted metadata that accompanies the encrypted web traffic. They don’t know exactly what the traffic is, but they can make strong inferences based on its size, frequency, and timing.

Recent studies have shown that network operators can still learn a lot about you from your encrypted traffic. One study found that every YouTube video has a unique traffic pattern when streamed to your device, and if the ISP wants to, they could determine the exact videos you’re watching. Another worrying study on IoT devices by researchers at Princeton University concluded:

“An ISP or other network observers can infer privacy sensitive in-home activities by analyzing Internet traffic from smart homes containing commercially-available IoT devices.”

In other words, anything from your Alexa to your SleepSense Monitor can undermine your privacy by exposing your day-to-day routine.

Connecting all your devices through a VPN-enabled router would make it incredibly difficult for your ISP to figure out which device you’re using. But it is not entirely impossible for a determined adversary to infer what kind of traffic you are sending, especially if you only have one IoT device, or if multiple devices send out sparse traffic, like smart door locks and sleep monitors.

Solution: Scramble the pattern by adding random inbound and outbound traffic into your encrypted web traffic. For this to work, you’ll need to use a VPN to bundle all traffic from your house together so the ISP can no longer differentiate between a movie, a torrent or a website.

Make sure that there’s constant traffic coming in and out of your home even when you’re not there. With constant traffic throughout the day, you avoid a traffic spike when, for example, you go online after coming home from work.

To create inbound traffic, create a constant stream that will cover up any jumps in traffic rate when, for example, you switch on your computer when you get home after work. Run an audio streaming service like Spotify, or a digital radio broadcast and mute it.

To create outbound traffic, you could share popular files like the latest version of Linux on a file-sharing service.
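One way to check whether a cover stream is large enough to hide the coming-home spike, as an added example that is not part of the original article. The per-minute volumes, the 160 kbit/s audio stream and the "flag anything above a multiple of the median" observer are all assumptions chosen for illustration.

```python
from statistics import median

def spike_intervals(volumes, factor=3.0):
    """Indices whose volume exceeds factor x the median.

    Stands in for an observer who only sees encrypted byte counts per interval
    (an assumed heuristic, not a method taken from the article).
    """
    threshold = factor * median(volumes)
    return [i for i, v in enumerate(volumes) if v > threshold]

def add_cover(volumes, cover):
    """Add a constant stream (e.g. a muted audio stream) of `cover` KB to every interval."""
    return [v + cover for v in volumes]

def min_cover(volumes, factor=3.0):
    """Smallest constant cover c such that max + c <= factor * (median + c).

    Adding c to every interval shifts both the peak and the median by c,
    so solving the inequality for c gives (max - factor*median) / (factor - 1).
    Requires factor > 1.
    """
    return max(0.0, (max(volumes) - factor * median(volumes)) / (factor - 1))

# Constructed inbound KB per minute: idle smart-home chatter, then someone comes home.
HOME = [20, 25, 20, 15, 20, 30, 20, 900, 850, 950, 20, 20]

# Assumed cover stream: 160 kbit/s muted audio = 20 KB/s = 1200 KB per minute.
AUDIO_STREAM = 1200

if __name__ == "__main__":
    print("no cover, flagged minutes:", spike_intervals(HOME))
    covered = add_cover(HOME, AUDIO_STREAM)
    print("with audio stream, factor 3.0:", spike_intervals(covered))
    print("with audio stream, factor 1.5:", spike_intervals(covered, factor=1.5))
    print("cover needed for factor 3.0 (KB/min):", min_cover(HOME))
    print("cover needed for factor 1.5 (KB/min):", min_cover(HOME, factor=1.5))
```

A constant stream shrinks the jump relative to the baseline but leaves its absolute size unchanged, so size the cover stream against your peak usage rather than your idle traffic.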

TL;DR: Control the information you give to your ISP

1. Check that every site has HTTPS. Use HTTPS Everywhere.
2. Use an email service with TLS encryption.
3. Even better, use a paid email service that won’t keep track of your messages.
4. Use a good VPN to encrypt all your traffic.
5. Read up on how to keep your Bitcoin transactions anonymous.
6. Create inbound traffic by playing audio streams when you’re not at home, and create outbound traffic by sharing popular files through file-sharing services.

Jamie is always hungry. He also writes about digital privacy in exchange for sandwiches.