Just looking? ISPs are watching you browse

Privacy news
6 mins
Eye in a cloud.

You are being watched. From everything you ask Alexa to all your emails and passwords: If you don’t encrypt your traffic, your Internet Service Provider (ISP) can potentially see all of it.

What’s more, you’re paying for the privilege. As your ISP handles all your internet traffic, it can see everything you do online. Your ISP could collect enough personal information about what you search for, who you email (and when), and even your Bitcoin transactions. And while ISPs say they’re not selling this data to companies or handing it over to government agencies, the 2013 Snowden revelations and the more recently discovered Verizon “perma-cookies” point to something different altogether. 

Around the world, law enforcement can compel ISPs to reveal user information. In Australia, for example, ISPs have in some cases been ordered to provide federal police with customer browsing history under data retention laws—some of which has been stored for up to two years—in an effort to combat cybercrime. In the U.S., ISPs aren’t required to track IP and port connections, but many do and retain that information for a period of time, possibly a year or more. Still, this doesn’t sound so bad—basic IP data that’s relatively anonymous could be used to improve service delivery or justify infrastructure expansions.

But here’s the thing: ISPs could do far more than that if they wanted to. This includes discovering exactly what kind of content you view, what you write in emails, and what you purchase online. Most don’t because of the potential backlash that comes with violating consumer privacy rights, but it’s still a good idea to consider using a virtual private network (VPN) to make sure there’s no way that you can be tracked. Even if you have nothing to hide, consumers shouldn’t have to opt out of being monitored.

However, even if you encrypt all your traffic, the spikes in traffic patterns alone may be enough for your ISP to find out what you’re doing at home. Let’s break down what your ISP can see when your data is or isn’t encrypted, and how to address each problem.

What can your ISP see if your data isn’t encrypted?

1. The exact sites you visit, and your passwords

If the websites you visit are unencrypted—i.e., they still use HTTP and not HTTPS—your ISP can, for instance, know the exact sites you visit. If you shop on http://www.a-shopping-website.com, your ISP would know what you bought, the username and password you use for your account, and any payment information you enter. If instead, you go to https://www.a-shopping-website.com, all your ISP will see is that you visited the site, but not what you do on it.

Solution: Check that the sites you visit use HTTPS, and don’t visit sites with expired or invalid SSL certificates. All major browsers can be set up to only take you to HTTPS sites by default whenever available. A VPN would also encrypt your activity to keep it hidden from your ISP

2. Your emails

If you use an email service that doesn’t use Transport Layer Security (TLS) encryption, your ISP can likely see the contents of your emails, and if your ISP is also your email service provider, they definitely can.

Solution: Use an email service that has TLS encryption (often called STARTTLS) on top of HTTPS and valid SSL certificates. Luckily, most major free email service providers utilize TLS encryption e.g. Gmail, Yahoo, Hotmail, ProtonMail. In fact, TLS encryption is also available on all mainstream email clients tooe.g. Outlook, Thunderbird, Apple Mailit’s just a case of ensuring that it is enabled when setting up your inbox.

Some providers, like Google Mail, will notify you with a small red lock if the recipient or sender does not use TLS correctly. You can notify the email sender about this error, or ask for another email address.

Alternatively, opt for a privacy-focused email service.

3. Whether you’re file-sharing or streaming

While they may not care about the content you’re downloading or streaming, once the ISP notices you’re using a large amount of bandwidth, they might throttle your download speeds.

Solution: To prevent your ISP from identifying your downloading or streaming activity, use a VPN for safe and fast downloading.

4. Your Bitcoin transactions

Because ordinary Bitcoin clients send standard and uniquely formatted unencrypted messages to well-established TCP ports, your ISP can quite easily spot if you use Bitcoin. From your traffic, they can also trace your transactions back to you. As the ISP can see all your incoming traffic, they can infer that any transaction you send out that’s not received from someone else is a transaction you created.

Solution: While a good VPN or the Tor Network can prevent your ISP from tracking your Bitcoin transactions from your incoming traffic, there are still other avenues through which they can figure out your transactions.

If you want to make sure your Bitcoin transactions are anonymous, check out Lexie’s guide on how to make anonymous Bitcoin payments.

What can your ISP see if your data is encrypted?

If you encrypt all your web traffic data, great work! However, your ISP can still look at the unencrypted metadata that follows the encrypted web traffic—they don’t know what exactly the traffic is, but they can make strong inferences based on the nature of its size, frequency, and timing of traffic patterns.

Recent studies have shown that network operators can still learn a lot about you from your encrypted traffic. One study found that every YouTube video has a unique traffic pattern when streamed to your device, and if the ISP wants to, they could determine the exact videos you’re watching. Another worrying study on IoT devices by researchers at Princeton University concluded:

“An ISP or other network observers can infer privacy sensitive in-home activities by analyzing Internet traffic from smart homes containing commercially-available IoT devices.”

In other words, anything from your Alexa to your SleepSense Monitor can undermine your privacy by exposing your day-to-day routine.

Connecting all your devices through a VPN-enabled router would make it incredibly difficult for your ISP to figure out which device you’re using. But it is not entirely impossible for a determined adversary to infer what kind of traffic you are sending, especially if you only have one IoT device, or if multiple devices send out sparse traffic, like smart door locks and sleep monitors.

Solution: Scramble the pattern by adding random inbound and outbound traffic into your encrypted web traffic. For this to work, you’ll need to use a VPN, which bundles all traffic from your network together so the ISP can no longer differentiate between a movie and a website.

Make sure there’s constant traffic coming in and out of your home even when you’re not there. With constant traffic throughout the day, you avoid a traffic spike when, for example, you go online after coming home from work.

To create inbound traffic, create a constant stream that will cover up any jumps in traffic rate when, for example, you switch on your computer when you get home after work. Run an audio streaming service like Spotify, or a digital radio broadcast and mute it.

To create outbound traffic, you could share popular files like the latest version of Linux on a file-sharing service.

TL;DR: Control the information you give to your ISP

  1. Check that every site you visit has HTTPS.
  2. Use an email with TLS encryption.
  3. Even better, use a paid email service that won’t keep track of your messages.
  4. Use a good VPN to encrypt all your traffic.
  5. Read up on how to keep your Bitcoin transactions anonymous.
  6. Create inbound traffic by playing audio streams when you’re not at home, and create outbound traffic by sharing popular files through file-sharing services.
Phone protected by ExpressVPN.
Take back control of your privacy

30-day money-back guarantee

A phone with a padlock.
Enjoy a safer online experience with powerful privacy protection
What is a VPN?
ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.