Metadata, VPNs, and Tor – ACS

You are being watched.

Everything you do online is being captured, stored and analysed in order to determine your personality, preferences, and predict your behaviour.

In this special 3-part Information Age series, we look at the ways your online activity is being tracked and some of the steps you can take to control your personal data.

In the first part of this series, we looked at how your browser choice and configuration can stop advertisers from recording your internet activity by blocking third-party cookies and other site trackers.

With your browser no longer sending data elsewhere, there is another source of potential data leakage: your internet service provider (ISP).

It is established practice in the US for certain ISPs to package its customers browsing data to sell for targeted advertising.

And in 2018 Crikey reported the practice had made it to Australia (hidden behind 'privacy policies') citing a concerned advertising executive who was offered insights derived from Optus customer data.

An Optus spokesperson told Information Age the telco does not sell customers internet usage history to advertisers nor does it share information that directly identifies customers with any third-party for commercial purposes.

But Optuss privacy policy currently says it may analyse anonymous viewing and/or browsing data which could be de-identified and shared with its business partners.

Telstra also says it uses business intelligence techniques to get high level insights about aspects of its network usage including demographic trends and other types of behavioural data which may be shared with its own business and commercial partners.

Of course, advertisers arent the only ones seeking direct access to your internet activity from ISPs.

Metadata retention

Under the Telecommunications (Interception and Access) Act 1979, your ISP is required to store certain information about your internet use for at least two years.

There are six categories of data your ISP has to keep, including: subscriber information; the source and destination (IP addresses) of communications; the date, time, type, and duration; and the location of equipment used during the communication.

For law enforcement this data has obvious use-cases, such as when tracking down people who share child exploitation material, theoretically allowing police to cross-reference instances of illicit behaviour and match them with real-world perpetrators.

ISPs are technically not required to store web browsing histories or the contents of communication under the act in order to allay fears of mass government surveillance but the differentiation between what is information about an internet communication and what are its content is not so clear-cut.

Last year, the Parliamentary Joint Committee on Intelligence and Security completed its review of the mandatory data retention regime, recommending the legislation should be updated to better define what is content or substance of a communication.

This followed revelations that law enforcement agencies were effectively given access to web browsing history, despite that being outside the scope of collection.

In one public committee hearing, Commonwealth Ombudsman Michael Manthorpe whose office provides oversight to the accessing of metadata under this scheme described issues with the scheme.

"The piece of ambiguity we have observed through our inspections is that sometimes the metadata, in the way it's captured particularly URL data and sometimes IP addresses does, in its granularity, start to communicate something about the content of what is being looked at."

Since an ISP is your gateway to the internet, how can you avoid them using your internet history for advertising or passing it onto the government?

A VPN might work

You will no doubt have seen or heard ads for virtual private network (VPN) companies trying to sell their services by creating perceived need for one of their main purposes:

-Unlocking geoblocked content (such as internationally available streaming services)

-Securing your data

-Anonymising your internet use

As far as online anonymity goes, VPNs hide activity data from your ISP by encrypting your service requests and tunnelling them into its private network.

This means your ISP will only see that you are connected to a VPN and the size of data moving back-and-forth but it wont see what websites or services you are accessing within that network.

And because government website blocking is done at the ISP level, VPNs may also act as a way of circumventing restrictions on unlawful piracy or online gambling websites.

VPN companies tend to be headquartered in countries with minimal government oversight in order to avoid regulatory hurdles like mandatory data retention regimes.

Unfortunately, this means taking these companies claims about privacy and security on face value, which brings its own set of problems.

Just last year, security researchers at Comparitech discovered an exposed database from UFO VPN.

Despite the company claiming it did not track or log its customers internet activity, the database revealed UFO VPN was storing account passwords in plain text and keeping records of users IP addresses along with the VPN servers they were connected to.

Typically you also want to avoid any free VPN services as they are likely just designed to harvest and sell web data.

For example Onavo Protect a now-defunct privacy-focused VPN app owned by Facebook told users it would protect and encrypt their user data but instead shuffled that information straight to Facebook for analysis.

Trustworthiness

VPN brands are working hard to establish consumer trust in the growing market in order to stay ahead of opportunistic companies.

NordVPN started contracting independent auditors Pricewaterhouse Coopers (PwC) to double-check its no-log claims a process fellow VPN heavyweight Express VPN copied by having PwC conduct an audit of its systems, too.

ProtonVPN from the same company that operates end-to-end encrypted email service Proton Mail tries to differentiate itself by being open source and allowing security researchers to check under the hood for nefarious features.

And non-profit Mozilla also has its own product, Mozilla VPN but its not yet available in Australia.

Theres no shortage of lists naming the best top or most secure VPNs around the internet, many of which feature NordVPN and ExpressVPN up the top.

But before signing up to the next VPN service being sold to you on a podcast or YouTube video, beware that not all VPNs are created equal.

A decent VPN service will cost you around $10 a month and can be a bit cheaper if you pay annually.

The onion router

If you are interested in anonymous web browsing and dont want to shop around for a VPN, you could always try using the free anonymity network Tor.

Like a VPN, Tor hides the details of your internet activity from your ISP but it will still likely know you are connecting to Tor.

Tor uses onion routing which sees your server requests covered in many layers (hence onion) of encryption.

It is then passed through a relay of networked volunteer computers, each of which peels off a layer of the encrypted request until the last layer of encryption is removed and your request gets fulfilled.

It is then wrapped back up in multiple encryption layers and passed down the relay to your machine.

All these relays will naturally slow down your internet connection.

Tor keeps you anonymous by design because no single point in the relay sees both the sender and receiver which is in stark contrast to ISPs and VPNs, each of which needs to see both sender and receiver in order to deliver the message.

Because of its in-built anonymity features, Tor has long been used for illicit online activity and is host to hidden onion services which can only be reached through Tor and make up part of the infamous dark web.

The underlying Tor software is maintained by the non-profit Tor Project which is funded largely through US government grants, and the most common way to access Tor is by using the Tor Browser.

Do keep in mind, though, that when it comes to remaining anonymous online, how you access the internet is just as important as what you access on the internet.

In Part III: Social media and other sandboxes.

Excerpt from:
Metadata, VPNs, and Tor - ACS