Digital Hygiene Part 1: VPN

A few years ago I used to not care much about the digital trail I left all over the internet. The optimistic assumption “nothing to hide, nothing to fear”, convenience of numerous new services that offered some minor perk in exchange for my data, and the general trend for the population of developed world to share more and more, all pushed in that direction. Since then, a couple of developments changed my attitude. Firstly, Edward Snowden’s exposure off mass surveillance programmes run by the governments of the US and UK challenged the implicit assumption that such data collection, while technically feasible, would most likely be too expensive and too impractical to be actually enacted. Secondly, the growing appetite of western societies for populists and for authoritarian rule – from PiS election victories in 2015 in Poland, through Trump in the US now, to projected gains of Front national in France – hammered home that even if I consider present governments benign and non-inquisitive, that might change on a short notice. Finally, increasing criminal activity targeting personal data that is not adequately protected or just left out in the open, and industrialisation of personal computer and mobile phone hacks, puts more urgency on appropriately securing our devices and – more importantly – altering behaviours.

As a result, over the last couple of years I adopted more careful approach to digital services and devices, and in this series of posts I would like to share some of the practices I developed. I will attempt to present them in an accessible way that does not require extensive background in IT, just working familiarity with computers and internet. They will be laid out in no particular order, but I will strive to start with ones that are relatively easy to implement and do not cause undue inconvenience. If something ends up not being mentioned it does not mean it is unimportant in general – perhaps I did not consider it important in my particular situation.

Let us start with my most recent habit: Virtual Private Network, or VPN.

What

Whenever you browse the web (the discussion applies to other internet services as well, but we will focus on web browsing as it is a representative example), the information about the websites you visit is visible to the internet service provider (ISP) you use. For example, when you access http://news.bbc.co.uk, your browser sends a request out through the network controlled by your ISP. Shown below is an example of the information they can intercept:

Among all this seemingly random gibberish at the bottom, the name of the website and the specific page in it (/news/) are clearly visible, and can be decoded as shown at the top of the picture. Doesn’t use of “secure”, https websites, solve the problem? Let us see what the ISP can capture when you instead go to https://notepad.mmakowski.com:

They might not know what exact pages you are browsing, but they definitely know that you are accessing notepad.mmakowski.com website!

Virtual Private Network is a fairly broad term, but for our purposes it means that instead of sending the internet traffic in clear text, as illustrated above, your computer first connects to a server owned by the provider of the VPN and sets up an encrypted connection to it. Once this is done, all requests to fetch web pages are sent over that encrypted connection to the VPN server. The server then decrypts those request and sends them to the target website, as if the request originated on the server, not on your computer. Web pages travel back in the same way: first to the VPN server, where they are encrypted, and then to your computer. All your ISP sees is data travelling back and forth between your computer and the VPN server, but what this data is, they have no clue. That’s all they see:

Why

ISPs have always been able to access your browsing information shown in the preceding section. Up till recently my assumption was that they generally would not do that, and definitely would not store it, because 1) it’s expensive and 2) it might violate privacy laws. Recent Investigatory Powers Bill, also known as Snooper’s Charter, changed that perception completely. It requires that ISPs record what websites everyone visits and store those records for a period of one year. In an independent development, a bill is being proposed in the UK that might involve blocking access to videos of “non-conventional sex acts”. In my mind, the government and ISPs have no business tracking what I do online and determining whether or not I should be allowed to watch someone being (consensually) spanked.

With a VPN, an ISP can record the traffic going out of your house to their hearts content and they will not be able to make any sense out of it, other than that you use a VPN, and the volume of the data transferred. But whether you are browsing BBC or PornTube – they cannot tell. When it comes to certain content being blocked in a specific country, VPN providers usually have servers in many different countries, so you can pick one in location where the content you would like to access is not blocked. As of today, watching TV channels that are only accessible to users from a particular country is probably the primary reason for private use of VPNs.

VPN comes with a big caveat though: while the ISP no longer sees what you are up to on the internet, the VPN provider now has the view of all this activity. Whether or not that is better depends on how much you trust the VPN provider. For one thing, they might not operate under your local jurisdiction, so might not have the same log retention responsiblities. The majority of VPN providers proudly advertise “no logs!”, meaning that they do not record any of your activity – but there is no way of verifying that, you have to trust them. There are alternatives that do not have this drawback, such as Tor (we might get to that in some future installment of this series), but they are typically much more cumbersome and less user-friendly.

How

Due to increasing appetite of states for controlling and monitoring citizen’s internet activities, and perhaps even more due to popular TV shows being available for streaming with regional restrictions, the VPN market is booming and there are hundreds of providers to choose from. Deciding between them is not easy, and I didn’t do a comprehensive job of it. All I did was look at some ranking on a reasonably reputable website. In there I found NordVPN, liked their comprehensive geographic coverage, operating system support, Tor-bridging and some of the marketing blurb (“Nordic ideals”. Panama-based. Right…), so went with that. Too early to tell first hand, but I have since heard some positive testimonials, their setup process seems user friendly and they have a sale this week (US$3 per month for 2-year contract), so I might as well tentatively recommend this provider. Just pay, follow the tutorial, and you should be protected from the prying eyes of your ISP.

30/11/2016

→ 2: Password Manager