US ISPs can spy on customers?

[Dottie Atwater]

I use a VPN (Private Internet Access) and usually use a US location. This morning I sent a question to PIA and then received the following. Does anyone heard about this "recent US legislation?" What a bunch of crap! More intrusion into private lives.

"Currently we are experiencing higher than average helpdesk tickets due to recent US legislation changes that let your internet service provider spy on you. Your ticket will be dealt with however you may face a slightly longer than normal response time."lightly longer t normal response time.

[Twin Wolf Technology Group]

Dottie,

There is a very detailed explanation of this here:

http://www.theverge.com/2017/3/31/15138526/isp-privacy-bill-vote-trump-marsha-blackburn-internet-browsing-history

While using a VPN may give you limited protection on who can see your data, at some point your information travels in the clear.   Instead of travelling in the clear from the ISP point, it is encrypted until it gets to the other end of the VPN and then once again travels in the clear on its way to the final destination.   Basically, that means that your VPN provider can do exactly the same thing as your ISP - you are just changing the point your data is in the clear.

Also, there is additional information that is always available in order for you to connect to your ISP.   For instance, your account, your IP address, the time and length of your data connection (were you online at 3am or not).   All of this information is valuable for marketing purposes.   ISP's as well as VPN providers can collect and sell this information.   The fight and rule change is about whether or not this is considered to be permitted.   Yet as you dig deeper into it, even that statement is some what foggy as the governing body only interprets what is written and does no enforcement.

My personal take on it is this...   The collection of your data and surfing habits has already has been done for a very long time.  This is not just a US thing as it occurs in most every country.   To think that there is ANY privacy online is to not understand how your information is transmitted.   For those of us old enough to remember it - think of the Internet as a giant party line in beginning days of telephone service.   Everyone can pretty well see and hear everything.   Some information can be encrypted and hidden but the very fact you are using the Internet, when and how long, is in itself valuable information.   There is little to nothing you can do about it.

Edited April 17, 2017 by Twin Wolf Technology Group

[Bud]

Dottie and Twin Wolf,

Thanks mucho for this topic and the reply. As a [strong] believer in and proponent for privacy, this topic surfaces an interesting (read devious and pernicious) Internet capability called super cookies. Super cookies is bad stuff for those who believe in privacy. 

I recommend that those who have desire for privacy do a Google search on 'super cookies' or 'flash cookies' or 'zombie cookies', etc. You will find many articles talking about them. Randomly picking just one of them (https://www.fightidentitytheft.com/blog/new-breed-super-cookie-defies-removal-almost) will show you a couple of things that you can do to better protect yourself. But even then you are not fully protected.

Like Dottie, I routinely use a VPN; my VPN automatically starts when I turn on my computer. However, a VPN won't help against super cookies. One disappointing fact is that some businesses block users from attempting to log into their website while using VPN protections. Some banks, for instance, block VPN access under the misplaced logic that only hackers use VPNs and so they "protect" their bank customers accounts from those evil people. Nothing could further from the truth.

This next statement is a gross over generalization, but I'll say it anyway. There is zero privacy in today's digital world. And once something is on the Internet it is there forever.

Not trying to beat this to death, but most of the general public believe that data security and data privacy are the same thing. They are closely related but are not the same concept. And at times, security actually can work against privacy.   Do another Google search but on 'difference between security and privacy'.

[Dottie Atwater]

Wow, thanks for the post and the link, Bud. Macromedia/Flash do NOT make it easy to find their settings page. It will take some study to learn what settings to use to "better" protect privacy, albeit far from perfect.

I use Private Internet Access (PIA). For a long time, I could not log in to my Schwab account while connected with PIA. After PIA denying that they were the problem, they've apparently fixed this issue. Now it's Chase. I found the "fix" for either/both is to disconnect PIA and connect with the free Hotspot Shield.

Recently Flash player did an automatic update. After that, when I watched a youtube video, a small duplicate of the video would appear in the lower right of my screen. Very annoying. (That did not occur in Firefox.) When I decided Flash was the issue, I disabled it in my Chrome browser settings. Problem solved. Now, after reading the link you provided, I feel even better after disabling Flash.

[JimAndNena]

https://www.nytimes.com/2017/01/12/us/politics/nsa-gets-more-latitude-to-share-intercepted-communications.html?_r=0

WASHINGTON — In its final days, the Obama administration has expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections. (my emphasis)

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

Most of the protections afforded by the constitution were bypassed during the Cheney administration. Obama continued on the same path.

jim

[Dottie Atwater]

"Cheney administration." You got that right!

[Roundabout]

On 2017-04-17 at 7:44 PM, Twin Wolf Technology Group said:

Dottie,

There is a very detailed explanation of this here:

http://www.theverge.com/2017/3/31/15138526/isp-privacy-bill-vote-trump-marsha-blackburn-internet-browsing-history

While using a VPN may give you limited protection on who can see your data, at some point your information travels in the clear.   Instead of travelling in the clear from the ISP point, it is encrypted until it gets to the other end of the VPN and then once again travels in the clear on its way to the final destination.   Basically, that means that your VPN provider can do exactly the same thing as your ISP - you are just changing the point your data is in the clear.

Also, there is additional information that is always available in order for you to connect to your ISP.   For instance, your account, your IP address, the time and length of your data connection (were you online at 3am or not).   All of this information is valuable for marketing purposes.   ISP's as well as VPN providers can collect and sell this information.   The fight and rule change is about whether or not this is considered to be permitted.   Yet as you dig deeper into it, even that statement is some what foggy as the governing body only interprets what is written and does no enforcement.

My personal take on it is this...   The collection of your data and surfing habits has already has been done for a very long time.  This is not just a US thing as it occurs in most every country.   To think that there is ANY privacy online is to not understand how your information is transmitted.   For those of us old enough to remember it - think of the Internet as a giant party line in beginning days of telephone service.   Everyone can pretty well see and hear everything.   Some information can be encrypted and hidden but the very fact you are using the Internet, when and how long, is in itself valuable information.   There is little to nothing you can do about it.

While this may have been true at the time of posting, most of it is no longer true. Worldwide, companies and business with web presence are closing 'the last mile' where your information might be seen, which simply means that once it leaves your computer encrypted, no one but the end recipient can see it. As for the ISP being able to 'see your information', that, I doubt. Most VPN's use 256 bit SHA encryption, which apparently was developed by the NSA, and since the solution to that encryption problem involves the random 'guessing' at billions of whole numbers, it is unlikely that any ISP has the computing power to break your encryption. In order to do it they would need either a super computer or a server farm that covered 400 acres and used half the electricity in Panama.

As far as your 'information travelling in the clear' from your computer to the ISP,  this is simply not true. If you use VPN software, your data gets 'encrypted at source', in other words at your cell phone, or tablet, or computer, so it DOES NOT travel 'in the clear' to the ISP. I have confirmed this through my own tests using CocoaPacketAnalyzer, that monitors the information streams that are being send to the ISP,  and trust me, the information is definitely encrypted.

An ISP can however, had over your information stream to the NSA, who does have the capacity (if they also have the interest) to break your encryption. It can happen. Nothing is for certain. But definitely  using a VPN is an absolute must if you want to keep you password and banking information secure.

One of the most highly recommended VPN"s is NordVPN who has their servers physically located in Panama, they keep no logs, so as far as the NSA obtaining your information, it is a stretch.

Even thought NordVPN has it's servers physically located in Panama, they keep no logs and your data is mixed in with numerous other users before being sent over the wires. In addition to those safeguards, you can also opt to have your data stream split over parallel servers, with encryption and anonymous mixing. However, since residential service providers such as Cable and Wireless (read AT&T/NSA/CIA) use a static IP address as opposed to a dynamic IP address, it does make it easier for the ISP to extract your particular information for further processing.

It has been a great concern to countries like Brazil (and others in LatAM I Imagine), that at one time every single piece of data went through the US, that is no longer the case. As with everything else, the US is slowly being moved aside thanks to all the hooliganism that they get up to.

If you really, really, really want to be secure, simply use an email program (such as Protonmail or PGP) that allows you to add a password to the data stream,  in addition the SHA256 encryption, or simply use Brazil as your exit point as Brazil has a separate line and security entrance to the WWW.

Edited August 20, 2017 by Roundabout

[Admin_01]

26 minutes ago, Roundabout said:

If you really, really, really want to be secure, simply use an email program (such as Protonmail or PGP) that allows you to add a password to the data stream,  in addition the SHA256 encryption, or simply use Brazil as your exit point as Brazil has a separate line and security entrance to the WWW.

ProtonMail (of which I am a lifetime patron/sponsor) only fully protects email when the emails are exchanged between ProtonMail users. Note that ProtonMail has somewhat limited functionality when compared with other email systems/clients, e.g., Thunderbird. For instance, ProtonMail now supports custom folders, but NOT nested folders. That is, in my opinion, a big drawback.

ProtonMail does interface with regular Internet email clients and ISPs, etc., but the extra security has to be stripped out. It is more secure but not totally secure in that scenario. Further, it is my understanding (can be bad info here) that Protonmail content between only Protonmail users has never been compromised unless one of the involved parties has divulged the content.

For those with an interest in very secure cloud storage, you may wish to check out Tresorit.

[Roundabout]

6 minutes ago, Admin_01 said:

ProtonMail (of which I am a lifetime patron/sponsor) only fully protects email when the emails are exchanged between ProtonMail users. Note that ProtonMail has somewhat limited functionality when compared with other email systems/clients, e.g., Thunderbird. For instance, ProtonMail now supports custom folders, but NOT nested folders. That is, in my opinion, a big drawback.

ProtonMail does interface with regular Internet email clients and ISPs, etc., but the extra security has to be stripped out. It is more secure but not totally secure in that scenario. Further, it is my understanding (can be bad info here) that Protonmail content between only Protonmail users has never been compromised unless one of the involved parties has divulged the content.

For those with an interest in very secure cloud storage, you may wish to check out Tresorit.

That is no longer true. Several months ago (and I use NordVPN all the time), they indicated that they can now guarantee end-to-end encryption for both Protonmail users and the general community (i.e. gmail etc). As for Tresorit, I had been signed up with them for about a year, but, someone, somewhere, put a lot of effort into hacking them and I am no longer sure how secure they really are.

Edited August 20, 2017 by Roundabout

[Roundabout]

1 hour ago, Roundabout said:

That is no longer true. Several months ago (and I use NordVPN all the time), they indicated that they can now guarantee end-to-end encryption for both Protonmail users and the general community (i.e. gmail etc). As for Tresorit, I had been signed up with them for about a year, but, someone, somewhere, put a lot of effort into hacking them and I am no longer sure how secure they really are.

I should clarify my comment. It isn't NordVPN that is providing end to end, it is Protonmail. Sorry for any confusion.

[Twin Wolf Technology Group]

I guess I should comment as I was part of the original post...

As a business in providing Internet Services in the US, I can assure you that no VPN or email service provider can guarantee end-to-end encryption unless they are controlling the both end points.   The original post was not limited to email services but was discussing all Internet traffic between the home computer and various websites/email services.

A VPN is effective from the source point, such as the home computer, to the end point of the VPN provider.   Once your traffic leaves the VPN end point, they have no control over whether your traffic is encrypted or not.    Now, if you are visiting a site via secure protocol, such as https or if you are using an email client that uses SSL, then you are still encrypted but that is not universal.   Many websites still use non-secure protocols (http alone, not https) or do not use SSL within the email client.   That traffic is in the clear at the point it leaves the VPN end point.

Yes, it is true that more and more sites are now using secure protocols as security concerns increase.   But the point that was being made in the original post is that just because you have a VPN does not mean you are encrypted end-to end.   This is a common misunderstanding.   The VPN provider can see any traffic that is destined to travel in the clear once it leaves the VPN end point unless it was further encrypted by an additional process before it entered the VPN.   The concern here was that VPN providers can collect data that ends up in the clear and sell it or use it.

Add to the mix that digital certificates that are used to encrypt the data stream are now being provided free without responsibility.   At one time, to obtain one these certificates for a website, the website owner needed to go thru a verification process.   That is no longer the case.  That means that now, just because you are visiting a site that says is encrypted, it does not mean that the site is legitimate like it used be when they encryption certificates were verified.   This has become a large issue for free digital certificate providers such as "Let's Encrypt".

One last worry for email users is that even if your data was encrypted from your computer to receiving end point, it is rare for the email or other data to be then stored in an encrypted form on the email server equipment.   Email service providers, their staff and anyone having access to the server can see your data in the clear.    Some email service providers store your data in an encrypted form but that is the exception rather than the rule. 

For the layman concerned about what can and cannot be seen,  the original post still stands.   Be aware that despite your best efforts their are likely points where your data is visible.   The best you can do is reduce this risk but you can not eliminate it.   Do not fall for claims that a company can guarantee end-to-end encryption unless they are controlling both end points.   Even then ask how the data is stored at the far end point.   Data breaches happen, not from hackers guessing passwords but from access to points where data is non-encrypted.

[Roundabout]

11 minutes ago, Twin Wolf Technology Group said:

I guess I should comment as I was part of the original post...

As a business in providing Internet Services in the US, I can assure you that no VPN or email service provider can guarantee end-to-end encryption unless they are controlling the both end points.   The original post was not limited to email services but was discussing all Internet traffic between the home computer and various websites/email services.

A VPN is effective from the source point, such as the home computer, to the end point of the VPN provider.   Once your traffic leaves the VPN end point, they have no control over whether your traffic is encrypted or not.    Now, if you are visiting a site via secure protocol, such as https or if you are using an email client that uses SSL, then you are still encrypted but that is not universal.   Many websites still use non-secure protocols (http alone, not https) or do not use SSL within the email client.   That traffic is in the clear at the point it leaves the VPN end point.

Yes, it is true that more and more sites are now using secure protocols as security concerns increase.   But the point that was being made in the original post is that just because you have a VPN does not mean you are encrypted end-to end.   This is a common misunderstanding.   The VPN provider can see any traffic that is destined to travel in the clear once it leaves the VPN end point unless it was further encrypted by an additional process before it entered the VPN.   The concern here was that VPN providers can collect data that ends up in the clear and sell it or use it.

Add to the mix that digital certificates that are used to encrypt the data stream are now being provided free without responsibility.   At one time, to obtain one these certificates for a website, the website owner needed to go thru a verification process.   That is no longer the case.  That means that now, just because you are visiting a site that says is encrypted, it does not mean that the site is legitimate like it used be when they encryption certificates were verified.   This has become a large issue for free digital certificate providers such as "Let's Encrypt".

One last worry for email users is that even if your data was encrypted from your computer to receiving end point, it is rare for the email or other data to be then stored in an encrypted form on the email server equipment.   Email service providers, their staff and anyone having access to the server can see your data in the clear.    Some email service providers store your data in an encrypted form but that is the exception rather than the rule. 

For the layman concerned about what can and cannot be seen,  the original post still stands.   Be aware that despite your best efforts their are likely points where your data is visible.   The best you can do is reduce this risk but you can not eliminate it.   Do not fall for claims that a company can guarantee end-to-end encryption unless they are controlling both end points.   Even then ask how the data is stored at the far end point.   Data breaches happen, not from hackers guessing passwords but from access to points where data is non-encrypted.

So 'how' exactly does the ISP 'see' your encrypted data before it leaves their system, right at the point when the data is unencrypted? If there is no further encryption carrier, i.e. last mile encryption?

[Twin Wolf Technology Group]

When an email is sent using SSL, it get encrypted on your computer and goes to your ISP, in the encrypted form.   It becomes unencrypted entering the ISPs mail server.   At that time it is copied to the user's sent file in the clear and then sent on to its ultimate destination in the clear.   In other words email traffic from ISP's email server to the destination email server is done in the clear even if it was encrypted coming in from the original point.   Email servers do not use encryption when exchanging mail between each other.

As an email provider, I can set my system to see all traffic entering and leaving the mail server which means I can see all traffic that came into the server in an encrypted form because it was unencrypted to be handled and sent on to the destination.

Since the ISP can see all traffic leaving their mail server, they can see what entered their system encrypted but is now being sent on in an unencrypted form.   The same is true of anyone wanting to snoop along the path between the two mail servers exchanging mail.

[Roundabout]

Yes, but your assumption is that a log is kept. NordVPN, from everything I know, does not keep logs, but I have never looked into the backbone they run off of. I should do that.

[Twin Wolf Technology Group]

Both the VPN and the SSL encryption only take effect up to their end points and the moment email exchange happens between two email servers, those end points have already been passed.  

Lets give this example.   You want to send an email using your VPN and SSL from your-address@myISP.com to friend@gmail.com

When you send an email from your home email address it is protected by both SSL and your VPN.   Your email does not go direct to Gmail.   The first hop is for your email going to the "myISP.com" mail server.   During that time, it is encrypted.   When it reaches the "myISP.com" mail server, it is then unencrypted and two things happen.   It is written to the "sent" folder of the user.   It is then also sent to the Gmail server from the myISP.com server.   That final journey from the ISP to Gmail is done in the clear regardless of how it was received.   The ISP can see it as well as anyone snooping along the route between myISP.com and the Gmail server.

Since your VPN only protected you from your computer to the "myISP.com" server and since the SSL email encryption is terminated at the first hop, the mail is then in the clear both for storage at the ISP and for the continued journey to Gmail.

If the email went direct from your computer to the destination you would be completely protected but that is not the case.   If you were sending to an address on the same server (gmail to gmail or protonmail to protonmail) you are protected.   The problem comes in when you are sending from one email server to another (gmail to protonmail or isp to gmail) which is most email traffic.   That traffic spends part of its journey in the clear.

 

[Roundabout]

I think we are talking two different things here. SSL is the physical transport layer. Great if it is encrypted, but it need not be, because the software that the VPN provide creates an encrypted message for you. Now the only way I know of, for someone getting a hold of that encrypted message is through spooking ti's destination address. I'm sure that in the past the NSA/CIA/ETC had that capacity, but now that that DNS servers have been physically moved out of the US, I doubt it. In order to do such a re-direct you would require super Amin access and then reload the servers at least twice. The other thing is that if the message is encrypted by software, it may not be a simple matter of applying brute force to decode the message. The message may be doubly encrypted, in other words there would be 256**256 possible prime numbers to guess at. With those kinds of numbers you are approaching infinity.

As far as 'seeing your information' goes, I stand by what I said earlier. If no logs are kept, there is no reason for your information to be decrypted - it can just pass through to it's (presumed) destinatinon. 

 

[Roundabout]

2 minutes ago, Twin Wolf Technology Group said:

Both the VPN and the SSL encryption only take effect up to their end points and the moment email exchange happens between two email servers, those end points have already been passed.  

Lets give this example.   You want to send an email using your VPN and SSL from your-address@myISP.com to friend@gmail.com

When you send an email from your home email address it is protected by both SSL and your VPN.   Your email does not go direct to Gmail.   The first hop is for your email going to the "myISP.com" mail server.   During that time, it is encrypted.   When it reaches the "myISP.com" mail server, it is then unencrypted and two things happen.   It is written to the "sent" folder of the user.   It is then also sent to the Gmail server from the myISP.com server.   That final journey from the ISP to Gmail is done in the clear regardless of how it was received.   The ISP can see it as well as anyone snooping along the route between myISP.com and the Gmail server.

Since your VPN only protected you from your computer to the "myISP.com" server and since the SSL email encryption is terminated at the first hop, the mail is then in the clear both for storage at the ISP and for the continued journey to Gmail.

If the email went direct from your computer to the destination you would be completely protected but that is not the case.   If you were sending to an address on the same server (gmail to gmail or protonmail to protonmail) you are protected.   The problem comes in when you are sending from one email server to another (gmail to protonmail or isp to gmail) which is most email traffic.   That traffic spends part of its journey in the clear.

 

OK. thanks. That is great information. Is this a 'world' standard, or something that is implemented in the US. Also, what if you are sending PgP email. Is that decoded as well?

[Roundabout]

And I guess more to the point is, do you agree with this setup? Why should people lose their tradition rights to privacy?

[Twin Wolf Technology Group]

Currently this is world standard.   Email was never designed for security.   The addition of SSL and VPN and all the various protocols have helped but there are still large holes.   If you  are sending a message using PgP, you are 100% protected.   The encryption is done on your computer and the ONLY person able to decyrpt it is the receiving part with the other key.    Unfortunately, the process of encrypting and decrypting email messages seems to challenge the general public and there have been little successes getting it adopted.    It is the only way I know to be 100% covered since is even stays encrypted when it is stored on the receiving email server.

[Roundabout]

OK. thanks again. And I agree, PgP is a royal pain, but for now there is no other way. Hey, I have an idea. Start a company that takes silicon imprint of you thumb and index finger so that your wife/girlfriend/whomever can use your technology. Whadda think?

[Twin Wolf Technology Group]

2 minutes ago, Roundabout said:

And I guess more to the point is, do you agree with this setup? Why should people lose their tradition rights to privacy?

I am 100% behind privacy and protecting people.   It is one of my pet peeves when I see people saying that using any one product will protect them 100% when it is simply not true.   I advocate for more security online at all times but education as well.   Technology is hard enough for the general public to understand and those of us that do "get it" have a responsibility to state the truth and educate the rest as best we can. 

[Twin Wolf Technology Group]

 I think I have enough problems  LOL

[Roundabout]

You know, there is such a chasm between the way Canadians relate to and expect their government to perform, and the way American's basically hide the silver. I know this is way off topic, but anyhow, I have a deep IT background and I am absolutely amazed to hear that so called encrypted data is 'in the open' for any period of time.

Reminds me of a couple of years ago when your 'officials' opened a bonded letter that was being sent to me. Opened up everything, got access to my card, my expiry date, my CVC number and then repackaged it (poorly) and sent it on. Obviously I cancelled the car as soon as I saw it, but I ask you, who they hell are they to open declared highly personal mail? They could have just scanned it. \

No, for sure, everything is out of control and needs to be? (1) loved into submission or (2) terminated

Edited August 20, 2017 by Roundabout

[Twin Wolf Technology Group]

If you want to add one more worry ... realize that 90% of databases are not encrypted.   That means once someone gets access to a database, all of its information is in the clear.   I am far more worried about that then I am email.   Virtually everything is stored in a database (in the clear).   There is a growing push to encrypt databases but the cost is high.   Right now, some database items are encrypted, like your credit card number (or they are suppose to be) but that is a far cry from something I would call secure.

[Roundabout]

Yeah, for sure. I guess we need to revisit the old Honeywell 'Ring' security idea. Of course user information needs to be protected. What government %*%*&*&%% would argue otherwise?