
Ask HN: When do ISPs begin selling your data, and is a VPN all that's needed? - arikr
When does the "ISPs selling your data" begin, and is a VPN without logging all that's needed?
======
atmosx
IMHO the ideal situation is to selectively play along. A router running
Linux/BSD which can be configured to have regular, VPN and Tor routes is the
ideal situation to avoid scrutiny from third parties.

Connections to Facebook, Google, Amazon, etc. should go un-tunneled. It's good
to feed the beast with data it already owns anyway.

Connections to porn websites (say by your 16-year-old cousin who came to stay
at your place for the weekend) and other _ethically debatable_ content should
be routed via Tor. Connections to torrents should be routed via VPN[1].

I understand that some people here prefer their personal VPN against a VPN
provider like TorGuard, etc. There's no _good_ and _poor_ solution here,
everything depends on the use case. A VPN provider will be handling thousands
of encrypted connections and gives you a dozen exit nodes. From each exit node
thousands of different connections are routed. It's way harder to target and
isolate a user, even for a medium state-level actor.

Conversely, if you route all your connections from, say, a DO droplet, you're
controlling the droplet, but you have one exit point for all your
connections... It's extremely easy to target your connections for a state
level actor.

Of course there are thousands of schemes one can choose. Everything depends on
the use case.
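
The split-routing setup described above (direct, VPN and Tor paths chosen by destination on a Linux router), as an added example that is not part of atmosx's comment. It is a small Python generator that emits the iproute2 and nftables commands for a router forwarding LAN traffic, and refuses a policy whose prefixes overlap across classes, since with overlaps the effective path depends on rule order. The prefixes are RFC 5737 documentation ranges standing in for real destinations; the interface name `tun0`, fwmark `0x2`, routing table `102` and Tor `TransPort` `9040` are assumptions, not taken from the thread.

```python
import ipaddress

# Constructed policy. The prefixes are RFC 5737 documentation ranges standing in
# for whatever you would actually list; they are not any named service's address space.
POLICY = {
    "direct": ["203.0.113.0/24", "198.51.100.0/24"],  # services that already know who you are
    "vpn":    ["192.0.2.0/25"],                       # e.g. torrent trackers and peers
    "tor":    ["192.0.2.128/25"],                     # content you want no one to tie to you
}
VPN_MARK = 0x2        # packets carrying this fwmark are routed via VPN_TABLE (assumed value)
VPN_TABLE = 102       # routing table whose only default route is the tunnel (assumed)
VPN_IFACE = "tun0"    # assumed name of the VPN tunnel interface on the router
TOR_TRANSPORT = 9040  # assumed `TransPort <router LAN IP>:9040` in the router's torrc


def parse_policy(policy):
    """Validate every prefix (strict: host bits must be zero) and keep class order."""
    return {cls: [ipaddress.ip_network(p, strict=True) for p in prefixes]
            for cls, prefixes in policy.items()}


def overlaps(policy):
    """Prefix pairs that fall in two different classes. Such a policy is ambiguous:
    which path wins depends on rule order, so render() refuses it outright."""
    nets = parse_policy(policy)
    classes = list(nets)
    clashes = []
    for i, a in enumerate(classes):
        for b in classes[i + 1:]:
            for pa in nets[a]:
                for pb in nets[b]:
                    if pa.overlaps(pb):
                        clashes.append((a, str(pa), b, str(pb)))
    return clashes


def render(policy):
    """Commands for a Linux router: mark VPN-bound traffic in prerouting so `ip rule`
    sends it to the tunnel table, and DNAT Tor-bound TCP to Tor's TransPort.
    'direct' prefixes need no rule at all: unmarked traffic uses the main table."""
    clashes = overlaps(policy)
    if clashes:
        raise ValueError(f"overlapping prefixes across classes: {clashes}")
    nets = parse_policy(policy)
    cmds = [
        "nft add table inet policy",
        "nft add chain inet policy mark '{ type filter hook prerouting priority -150; }'",
        "nft add chain inet policy redirect '{ type nat hook prerouting priority -100; }'",
    ]
    for net in nets.get("vpn", []):
        fam = "ip" if net.version == 4 else "ip6"
        cmds.append(f"nft add rule inet policy mark {fam} daddr {net} meta mark set {VPN_MARK:#x}")
    for net in nets.get("tor", []):
        fam = "ip" if net.version == 4 else "ip6"
        cmds.append(f"nft add rule inet policy redirect {fam} daddr {net} meta l4proto tcp "
                    f"redirect to :{TOR_TRANSPORT}")
    cmds += [
        f"ip rule add fwmark {VPN_MARK:#x} table {VPN_TABLE}",
        f"ip route add default dev {VPN_IFACE} table {VPN_TABLE}",
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(render(POLICY)))
```

Two things the generated rules do not cover and that leak otherwise: the VPN server's own address has to be reachable via the main table (list it under "direct", or the tunnel's encapsulated packets get marked into the tunnel), and DNS for the Tor-bound destinations must be answered by Tor's DNSPort rather than by the ISP's resolver, or the lookup alone reveals the site.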

------
p49k
There are no clear answers; all the info about this is a bit fuzzy because
there's no requirement for ISPs to disclose past or current activities
surrounding their selling of data.

The bill was actually enacted to prevent privacy rules which hadn't even gone
into effect yet, which means that technically, ISPs would have already been
able to sell such data. However, the consensus seems to be that ISPs were only
selling "anonymized" data, and this move will embolden them to push further
into invasive practices.

~~~
blackflame7000
Yea great point. A lot of headlines are portraying this as a sudden new
practice rather than an attempt to formalize the rules governing existing
practices.

------
seanp2k2
Wherever you VPN to, your connection still comes out somewhere. If that
happens to be in the US, datacenters still have ISPs. If you're visiting a
site hosted in the US, that's on some ISP too. Basically, if Level3,
CenturyLink, and Verizon decide that they want to collect and sell profiles
based on browsing profiles, there's not a way around it. It'd be easier to
build a profile on a direct subscriber (e.g. Comcast profile on a subscriber
of theirs) but installing OpenVPN on a DO droplet won't magically save you
from this if you're in the US.

Will they actually do it? Well, can they make money from it? Do you trust
Comcast to be a good steward of your privacy in the absence of a legal
requirement to do so? Comcast did a hard pull on my credit when switching my
account to a new address because they were too incompetent to update it and
ended up creating a second account as a new customer for me. Comcast is my
only option of ISP, as it is for many many other apartment dwellers and many
single-family homes as well.

~~~
blackflame7000
There is not much useful data to be gleaned from an encrypted VPN connection. If
you're referring to the ISPs monitoring what the VPN proxies for you that data
would be useless as well since it would be the aggregate over everyone using
the VPN. It wouldn't be possible to build browsing profiles if every request
originates from the VPNs IP address.

~~~
blibble
you only need to leak a few bits here and there once or twice and the
connections can be linked together
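
The point blackflame7000 and blibble are arguing over (whether sessions from one shared exit IP can be told apart and linked), as an added example that is not part of either comment. It takes a constructed table of ten sessions seen leaving one VPN exit, each with a few attributes any destination site gets for free (time zone, browser, screen size, language), and measures how many bits those attributes carry and how many sessions are already alone in their anonymity set. The rows are made up for illustration; the attribute names and values are assumptions.

```python
import math
from collections import Counter

# Constructed sample: ten sessions observed leaving one VPN exit, each with the
# handful of passively observable attributes a destination site (or the datacenter
# ISP looking at unencrypted HTTP) gets for free. Made up for illustration.
SESSIONS = [
    {"id": 1,  "tz": "UTC-5", "ua": "Chrome",  "screen": "1920x1080", "lang": "en-US"},
    {"id": 2,  "tz": "UTC-5", "ua": "Chrome",  "screen": "1920x1080", "lang": "en-US"},
    {"id": 3,  "tz": "UTC-5", "ua": "Firefox", "screen": "1920x1080", "lang": "en-US"},
    {"id": 4,  "tz": "UTC-5", "ua": "Chrome",  "screen": "1366x768",  "lang": "en-US"},
    {"id": 5,  "tz": "UTC-8", "ua": "Chrome",  "screen": "1920x1080", "lang": "en-US"},
    {"id": 6,  "tz": "UTC-8", "ua": "Safari",  "screen": "2560x1440", "lang": "en-US"},
    {"id": 7,  "tz": "UTC+1", "ua": "Firefox", "screen": "1920x1080", "lang": "de-DE"},
    {"id": 8,  "tz": "UTC+1", "ua": "Chrome",  "screen": "1366x768",  "lang": "de-DE"},
    {"id": 9,  "tz": "UTC+9", "ua": "Chrome",  "screen": "1920x1080", "lang": "ja-JP"},
    {"id": 10, "tz": "UTC-5", "ua": "Firefox", "screen": "1366x768",  "lang": "en-US"},
]
ALL_ATTRS = ["tz", "ua", "screen", "lang"]


def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def anonymity_sets(sessions, attrs):
    """Group sessions by the tuple of the chosen attributes. Each group is the set of
    sessions an observer cannot tell apart using only those attributes."""
    groups = {}
    for s in sessions:
        groups.setdefault(tuple(s[a] for a in attrs), []).append(s["id"])
    return groups


def fingerprint_entropy(sessions, attrs):
    """Bits of identifying information the combined attributes carry in this population."""
    return entropy_bits([tuple(s[a] for a in attrs) for s in sessions])


def unique_fraction(sessions, attrs):
    """Share of sessions that are alone in their anonymity set, i.e. already linkable."""
    groups = anonymity_sets(sessions, attrs)
    return sum(1 for g in groups.values() if len(g) == 1) / len(sessions)


def link_sessions(observed, sessions, attrs):
    """Previously seen sessions a new observation with these attributes could be linked to."""
    key = tuple(observed[a] for a in attrs)
    return anonymity_sets(sessions, attrs).get(key, [])


if __name__ == "__main__":
    for n in range(1, len(ALL_ATTRS) + 1):
        attrs = ALL_ATTRS[:n]
        print(f"{'+'.join(attrs):22s} {fingerprint_entropy(SESSIONS, attrs):5.2f} bits, "
              f"{unique_fraction(SESSIONS, attrs):.0%} of sessions unique")
    new = {"tz": "UTC-5", "ua": "Chrome", "screen": "1366x768", "lang": "en-US"}
    print("new session links to:", link_sessions(new, SESSIONS, ALL_ATTRS))
```

With just the time zone, one session in ten is unique; with all four attributes, eight in ten are, from about 3.1 bits of fingerprint in a population where 3.3 bits would separate everyone. That is the "few bits here and there": the shared exit IP removes the network identifier, but anything the client itself reveals, across sessions, is enough to rebuild a per-user profile.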

------
URSpider94
The recent law enacted by Congress countermanded an Obama-era regulation that
had never gone into effect. Thus, the current situation is the same as it ever
was - ISPs can sell anonymized and aggregated customer behavior data today,
just like they could yesterday.

Also important to note -- existing regulations still in effect prevent selling
un-anonymized data. Selling someone the browsing habits of a particular
identifiable customer is not allowed, never has been.

~~~
unlikelymordant
I'm not sure where this 'nothing has changed, no need to panic' talking point
has come from.

The 'Obama era regulation' was an attempt to maintain privacy regulations
after internet businesses were found to be exempt from FTC oversight in late
2016. So now there is no privacy regulation from the FTC or FCC. Things are
not the same as they always were.

------
fav_collector
VPNs aren't really private. They can see everything that an ISP could see if
you weren't using one. It's just a level of indirection.

I trust ISP companies more than I trust VPN companies because ISP companies
are in the USA and are much larger (so engage in less risky behavior), so they
at least have to sell data in aggregate and scrub PII.

~~~
thomastjeffery
> I trust ISP companies more than I trust VPN companies because ISP companies
> are in the USA and are much larger

That fact only supports their practice of selling user data. If we did not
have such a barrier of entry for new ISPs, the market would be able to react
to this abuse. But instead, large ISPs like AT&T, Verizon, Comcast, Time
Warner, etc. hold the market so tightly that they can get away with abusing
their customers without a serious reaction.

Because ISPs have so much control over the market, the only viable response
without regulation are VPNs. A VPN can sell privacy to a customer who feels
abused by their ISP. Since privacy is essentially the foundation of the VPN
provider's business, VPN providers compete to prove to customers they can
protect their users' privacy.

------
eb0la
DNS and Certificates are the key:

You should remove all CA certificates installed by software that show up as if
they were "installed by you".

Some AV software does MITM, sending you a "trusted" certificate signed by their
own CA whilst acting as a proxy between the actual site and the AV.

Theoretically anybody could do the same on the network side transparently.

Also if you don't trust your ISP, you shouldn't use their DNS servers. I don't
know about commercial integration between DHCP and DNS requests to track
people but it is feasible with some work.

For DNS just grab a Raspberry Pi and set up a DNS resolver. You only need the
right root zone seed file. Just don't make it available to the whole internet.
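
The trust-store check eb0la recommends (find CA certificates that did not come with the OS, the kind AV or proxy software adds to intercept TLS), as an added example that is not part of the comment. It diffs the active trust bundle against the vendor-shipped certificate files by SHA-256 fingerprint of the DER encoding, using only the standard library, so it cannot print subjects; the fingerprints it reports are what `openssl x509 -fingerprint -sha256` shows and can be compared against Mozilla's published root list. The Debian/Ubuntu paths are an assumption; the PEM blobs used for the offline run are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import textwrap
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """Every certificate in a PEM file as raw DER bytes; no X.509 parsing is needed."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 of the DER encoding, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(der).hexdigest()


def fingerprints(pem_text):
    return {fingerprint(d) for d in pem_to_ders(pem_text)}


def foreign_roots(active_bundle_pem, vendor_pems):
    """Fingerprints present in the active trust bundle but in none of the vendor-shipped
    files. Whatever is here was added locally: by you, by AV/proxy software, or by an
    attacker, and a leaf certificate chaining to one of them means intercepted TLS."""
    vendor = set().union(*(fingerprints(p) for p in vendor_pems)) if vendor_pems else set()
    return sorted(fingerprints(active_bundle_pem) - vendor)


def audit_debian(bundle="/etc/ssl/certs/ca-certificates.crt",
                 vendor_dir="/usr/share/ca-certificates"):
    """Assumed Debian/Ubuntu layout: update-ca-certificates builds `bundle` from the vendor
    directory plus /usr/local/share/ca-certificates, so any locally added root shows up
    as a difference between the two."""
    vendor = [p.read_text() for p in Path(vendor_dir).rglob("*.crt")]
    return foreign_roots(Path(bundle).read_text(), vendor)


# Constructed offline data: opaque blobs in PEM armour, NOT real certificates, so the
# bundle-diff logic can be exercised without touching the system trust store.
def make_pem(blob):
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


VENDOR_ROOT_A = b"constructed blob standing in for vendor root A"
VENDOR_ROOT_B = b"constructed blob standing in for vendor root B"
LOCAL_ROOT = b"constructed blob standing in for a locally added interception root"
VENDOR_PEMS = [make_pem(VENDOR_ROOT_A), make_pem(VENDOR_ROOT_B)]
ACTIVE_BUNDLE = make_pem(VENDOR_ROOT_A) + make_pem(VENDOR_ROOT_B) + make_pem(LOCAL_ROOT)


if __name__ == "__main__":
    for fp in foreign_roots(ACTIVE_BUNDLE, VENDOR_PEMS):
        print("not from vendor store:", fp)
```

On a real Debian box call `audit_debian()`; an empty list means the bundle contains only vendor roots. The same diff applies to application stores that ship their own roots (Firefox's NSS database, Java's cacerts) and to the per-user stores on macOS and Windows, but those need their own export step first.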

------
godshatter
There are a large number of VPNs, commercial or otherwise, that someone can
use. Where I live, I have a very small number of ISPs to choose from and they
would all have my billing information if I used them. Some of the VPNs offer
connections in other countries, and some of them claim not to log. The VPN's
ISP would see my data move around, but wouldn't have my billing information.
The VPN would, but if it's commercial I can likely sue them if they do
something egregious with it.

In my opinion, VPNs help more than hurt privacy, assuming you choose a
reputable one to use.

If a person wants anonymity, then go for Tor or Freenet.

------
auganov
VPNs only give you indirection. And you have to trust your VPN provider.
You're just moving your trust. Now if you diversify well enough you are
probably less likely to be effectively snooped on, but then you're just
reinventing TOR[0].

Adopting HTTPS across the board is so much more important.

[0] Which too only gives you indirection, remember that!

------
mvidal01
Will the VPN in Opera prevent this tracking? How long before Chrome and
Firefox offer this?

------
tmaly
You could always setup your own VPN on a VPS with

[https://github.com/jlund/streisand](https://github.com/jlund/streisand)

~~~
mod
FWIW I tried this on DO and had a bitch of a time.

I'm a developer and I run linux as my primary OS, so there weren't any new
concepts, exactly. I had to do a lot of google searching of error messages.

In the end, it kept failing after droplet creation, I think when whitelisting
my IP or something similar.

This happened 2 days ago.

Anyway, I couldn't even get it running on the droplet, let alone get all
connected and ready to go. Might try again with AWS.

~~~
mancerayder
I did exactly this, using DO. It works beautifully, and my droplet is in a
foreign country. Two things I'd recommend if you have trouble are:

a) Look up Digital Ocean's own instructions for setting up OpenVPN. Follow
exactly.

or

b) look at HN threads from today, some people wrote Ansible playbooks and
scripts to set it up.

~~~
randomnumber314
There's a good chance I'm wrong here, but isn't directing your traffic
overseas the exact thing that makes it fair game to state-level inspection?

~~~
mancerayder
Fair game legally or technically?

Legally maybe, probably, who knows. Personally I don't feel protected legally
anymore with regards to privacy. It's a good thing I don't really do anything
illegal, even if it both saddens and angers me that the world is letting this
happen.

Technically I'm assuming without some serious cooperation with Digital Ocean
it's going to be hard. Sure, if someone gives the authorities (or the hackers
get) root, then my OpenVPN software will be more Open than "VPN."

------
tedmiston
Answering the question of choosing a VPN is complex and varies by what's
important to you. Like with security, there are few black and white answers.

The VPN comparison chart [1] is the best reference I've seen on the dozens of
factors one might care about.

[1]: [https://thatoneprivacysite.net/vpn-comparison-chart/](https://thatoneprivacysite.net/vpn-comparison-chart/)

~~~
tedmiston
It's unclear to me why this got downvoted as it addresses OP's question with
one of the most popular and detailed references for choosing a VPN which also
explains the specific privacy implications to consider (which of course cannot
be answered universally as they vary by person).

------
sigjuice
If you use a VPN, you are just trading one ISP for another.

~~~
iends
Yeah, but I trust Digital Ocean or AWS (and whatever providers they rely on)
more than I trust AT&T, Time Warner, and Comcast combined.

------
_RPM
Context?

