how much does an ISP know?
August 20, 2014 6:17 AM   Subscribe

Does your ISP know the sites you're going to and what you're doing there if you use a strong or open VPN?

I access the internet from a place where it's censored. To get around this, many users employ a "strong VPN." Surprisingly, the IPS (perhaps a government, perhaps a business: understand that I cannot clarify) doesn't seem to mind this.

It is whispered, though, that the reason they don't seem to mind is that they can tell what you're doing all the while, that you aren't really surfing the internet confidentially, as many users fondly imagine.

Thus a few questions:

Do ISPs know when you specifically are using an strong VP, or do they merely know that somebody somewhere on the network is doing so?

If they do know it's you, do they know what websites you're going to?

If they know what websites you're going to, are they also able to tell what sort of things you're doing there (eg, would they know it was you that posted a certain comment).

Thanks, anybody, for any clarification.
posted by Opengreen to Technology (7 answers total) 1 user marked this as a favorite
A computer being used to browse the web could have software installed on it that records the users' actions, in which case encrypting or otherwise obfuscating the traffic between the web browser and the web server would pose no interference to snooping. Or a camera or other surveillance device could be positioned to observe the computer's display.
posted by XMLicious at 6:29 AM on August 20, 2014

No, there's no camera. And this is my own computer.
posted by Opengreen at 6:30 AM on August 20, 2014

If they care to look, your ISP can tell that you're using a VPN, unless the data is being obfuscated to look as if it's part of another protocol. *If* the encryption & authentication is strong, then no-one can tell which sites you're visiting just by looking at the data stream between you and the other end of the VPN.

If they can tap the data coming out of the VPN endpoint, then they can correlate the packet timings with those in the encrypted stream. If they can put their public key on your computer as a trusted signing key, then they can man-in-the-middle your VPN and your computer will trust the connection from the intercepting computer because it will be signed with a trusted key. If they install code on your computer to tap your connection they can see everything.

If all you want is to know which sites a browser is visiting, then it's possible to fingerprint the packets returned by the major sites and look at the VPN packet stream and correlate the two - you can get a reasonable idea of which sites someone is visiting this way.

A VPN cannot provide protection against a powerful adversary who is targeting you personally: All it can really provide is the expectation of privacy against casual snooping.
posted by pharm at 6:41 AM on August 20, 2014

And this is my own computer.

Do you use any sort of third-party software to connect to the internet, or just the basic networking tools built into your OS?

With an VPN (and assuming you're routing all your traffic through it) the only thing the ISP should see is that your computer is communicating encrypted data only with a single other computer. If the VPN service promises anonymization, that computer doesn't keep any records of that communication. So assuming no one is already spying on you, the ISP knows you're using a VPN, but they don't know what you're saying to it or what's coming back to you.

That being said, if anyone with enough money and technical know-how wants to know what you, specifically, are doing on the web, they can find out by any number of ways as others have listed above.
posted by griphus at 6:45 AM on August 20, 2014

Hi, former ISP employee here. Assuming you live in a place where ISP's are actively spying on customers, they'll be able to know every IP you connect to, and read every website you view (that's not using https like gmail) and all your email, and if you use them for phone service, record all your calls, whether you're using VOIP or traditional phones. To be clear, most American ISP's don't do anything like this -- the one I worked for logged DNS and DHCP, but only for a few days for debugging purposes.

If you connect to a secure VPN, they'll only know that you've connected to a VPN, though. The question then is whether the VPN is secure. I'd assume that every popular VPN has taps on it by the NSA, Russian and Chinese intelligence. You'd probably be better off with a trusted friend in the US or Europe who would be willing to set up a VPN for you on their broadband account. It would be MUCH harder to target you in that case.
posted by empath at 7:17 AM on August 20, 2014

If you want to see what a theoretical 100% packet capture box can recover of your internet traffic, try installing Network Time Machine and capturing a browsing session -- it'll show you all the stuff it can reconstruct from the packets, including emails and so on.
posted by empath at 7:21 AM on August 20, 2014 [1 favorite]

Do you use any sort of third-party software to connect to the internet, or just the basic networking tools built into your OS?

No, just basic Mozilla off Windows 8.
posted by Opengreen at 7:36 AM on August 20, 2014

« Older NeedHelpWithaHorseFilter: Inherited a horse in...   |   New Laptop Needed – Alternatives to Windows 8 Newer »
This thread is closed to new comments.