Dean Buczek, Security Engineer at iSECURE, LLC
Recently I was asked my thoughts on this article: https://www.quora.com/Is-it-true-that-my-ISP-is-spying-on-my-web-browsing-Does-DuckDuckGo-fix-that/answer/Gabriel-Weinberg
A summation of the article is that your Big Bad ISP is spying on you and DuckDuckGo can help stop it. Well, both of those statements are only partially true. Can your ISP tell what web sites you’re visiting? Yes, they can see the web URL you are going to but not the specific page you are visiting. So, if you were browsing to ‘https://www.thisurl.com/web_page.html’, they would be able to see the ‘https://www.thisurl.com’, but not the ‘web_page.html’ part. The caveat to that is that the website URL needs to start with HTTPS. The ‘S’ is a crucial component there, along with the lock that you will see in the left corner of the web browser. The ‘S’ ensures that there is a secure encrypted “tunnel” between your computer’s web browser and the web site you are visiting. That means that any data shared between you and the website cannot be seen by prying eyes. When you log onto a bank website, for example, to check your account, neither your username and password nor any other pieces of data are visible to anyone that may be able to capture that data traffic. Today, almost any website you visit will have this secure encrypted tunnel (search engines, banking sites, e-commerce sites, even playboy.com).
That does not mean that your ISP cannot glean an enormous amount of data from your web browsing if they wanted to. They can see how long you’ve been on a website. They can see the size of a data file you download. They can see the number of characters in a URL that you visit. So, you ask, what can they do with this data? It is primarily used for aggregating statistics of people’s browsing habits. For the most part, ISPs do not care about you as an individual. I realize it may come as a shock to you, but you are not the most important person in the whole wide world. What they do with that data has to be stated in the Terms of Service for the ISP.
On the other hand, websites that you visit do collect a large amount of data about you. One way they can track
Not the sweet delicious treats we all know and love, but little pieces of information left behind on your computer by the websites you visit. Have you ever visited a shopping site and placed something in your ‘shopping cart’? Then you forget about it and go back a month later and find that the items are still in your cart. Or, after you leave that site, the ads you see while you’re browsing are for the items you placed in your cart. That’s because websites read that cookie data and know that you have an interest in that item. That is either helpful to you, or if you’re a little paranoid, creepy. If you remain logged into Yahoo, Gmail, Amazon, etc. all the time, then it is also possible that those sites may collect your cookie data and associate it with you. You should read the Terms of Service (that thing you ignore and click “I read the agreement” anyway) to find out what data sites are collecting and how they use
Here are my personal recommendations for staying relatively un-tracked online:
- Use “InPrivate” or “Incognito” mode in web browsers when logging into websites to check mail or purchase items – then close the browser as soon as you’re done. Cookies will be deleted as soon as the browser is closed.
- If you don’t regularly use “InPrivate” or “Incognito” mode while browsing, you should clear your internet cache fairly often – programs like CCleaner can help remove unwanted tracking data while keeping web information you want like usernames and form data. You can also do this from within the browser itself.
- Make use of multiple email accounts – have one for communication and another for signing up for things that you don’t wish to get spam from. You may even want a separate one for banking and finances. Be sure to use strong passwords in your accounts too!
- Never give out personally identifiable information unless you absolutely have to – most websites I use that require a sign-in and wanted personal information to set up think my DoB is 1/1/1990. My phone number always includes several 5s and my email is firstname.lastname@example.org or whatever works. Funny side note – you will likely receive coupons and happy birthday wishes on January 1st from places you forgot you gave your information to. If your birthday is 1/1/1990, use a different date – you get the picture.
- Always log out of websites you’ve logged into once you’re done with them.
- If you use an account like Gmail/Google, periodically look at the data they have collected on you and delete it. Here is a link showing how to see, control & delete the info in your Google Account, for example.