But now that we're comfortable with using the web for everything from chatting with distant (and not so distant) friends, banking, shopping, searching for doctors, and researching day care centers, we need to ask who else is aware of our movements on the web.
Most people don't understand how the Internet works. This isn't surprising. Much like the rest of our reliable utilities, we take their function for granted. The details of how the electricity or natural gas actually gets from the supplier to the house are boring and seemingly not relevant to our lives.
Right up until there is an outage.
The BasicsWhen information is sent over the internet it is broken into small manageable pieces that are numbered and reassembled at the destination. Each of these pieces is called a packet.
Packets are like pieces of mail, and your ISP is like the mailman. When you send unencrypted packets, as in the case with standard HTTP connections, you are sending postcards. The mailman needs to read the address, but he could also read the contents of your message because it's there for all to see. In fact, everyone in line from your mailman, the mail room, the sorters, and the delivering mailman can read the contents of your postcard.
HTTPS connections are like sending a standard letter. The address is still visible so it can be delivered, but no one in the postal service knows what's in the letter. That's because the message is encrypted, except for the address, which is needed for delivery.
That's a lot better, but a smart postal employee might keep track of every letter you send, and in doing so can learn a lot about you. Like where you get your utilities from, where your family lives, your interests from the magazines you get. We call this Metadata, and when gathered together it can really tell you about a person.
The ThreatsSticking with the mail analogy, you can see there are two types of threats. The first is the knowledge of the rightful carrier of your mail. They see all of your mail, but you trust that they don't really care because they deliver a lot of mail.
The second threat would be someone looking through your mail, say a nosy neighbor. You don't really control your mailbox, so it's easy for someone to see. In the tech world, this is snooping and is usually done via Man in the Middle hacks. Common in coffee shops, hotels, airports etc.
This information could be aggregated for legal and less than legal. A term life salesman looking for older people might want a list of all the houses that get AARP mail, or a thief might want to know who is getting a lot of mail from cruise lines and airline memberships. Either way, someone who sees your mail could be useful.
Public "free" wifi
Before we move on, we have to pause and talk about all the wifi hotspots you will also encounter. Most of these are set up by legitimate businesses who use it as a draw for customers or because it comes bundled with their business Internet service (as is the case with many Xfinity connections.) The biggest problem is that your phone, in order to be efficient and helpful, will happily reconnect to any network with the same name as a previous connection. So, is that a real Xfinity hotspot, or did I just name my router Xfinity to collect all your traffic?
In many cases, we trade our privacy for use of a service as in the case of Google. We all enjoy Google maps, Gmail, even this blogging platform. But rarely do we think about what information is collected.
Well, let's look at what Google acknowledges they collect. (source)
The same applies for Facebook, Twitter, etc. No free lunches.
Stepping a bit closer to home, what is my ISP (in this case Xfinity/Comcast) collecting (source):
Comcast transmits, and may collect and store for a period of time, personally identifiable and non-personally identifiable information about you when you use our high-speed Internet and phone services to:
- send and receive e-mail, video mail, and instant messages;
- transfer and share files;
- make files accessible;
- visit websites;
- place or receive calls;
- leave and receive voice mail messages;
- use the applicable communications center or voice center;
- establish custom settings or preferences;
- communicate with us for support; or
- otherwise use the services and their features.
You have very few. And despite the recent headlines, you never have. While phone call logs are protected, and require a warrant, your surfing data isn't treated that way, and can be monitored, intercepted, and perhaps worst, sold.