Your online privacy protections have been repealed. Here's a look at your options.

This week, Congress voted to repeal rules proposed by the Obama administration that would restrict Internet Service Providers such as Comcast and AT&T from selling customers' browsing habits to advertisers and other parties without their approval. President Trump is expected to sign the bill repealing the rules, though it's not known exactly when.

Surfers of the modern internet have a few privacy options at their disposal, but not all are useful when an Internet Service Provider, or ISP, is in the business of selling your search and browsing history. Understanding the limitations of each option is an important first step in figuring out your own privacy strategy.

Let's take a look at some security features and technologies, and how they factor into protecting your browsing activity.

Browser Incognito Mode

Helpful for keeping websites out of your local browsing history and for testing user session and caching bugs, Incognito Mode (or Private Browsing) does not prevent identifiable information being sent across the ISP’s network. Everything this mode does only affects the device it’s being used on. Queries and site requests coming from your computer in Incognito Mode still work like normal traffic, though sometimes without cookies or other site-specific identifiers. Requests still come from your IP address, which your ISP can trivially associate with your personal identity. 

SSL/HTTPS

SSL, or Secure Sockets Layer, is a general term often used to refer to sites which use HTTPS, a protocol that encrypts traffic between your computer and the web server providing it. It’s not a perfect analogy, but you can think of HTTPS as an envelope for a letter, and normal unsecured HTTP as just sending a postcard. Without the strong encryption provided by HTTPS, your credit card details, passwords, and the contents of your web searches would be just as easily readable as if they were written on a postcard in the mail.

HTTPS gets us part of the way toward keeping an ISP from watching everything that we do. But when we make requests to websites, even ones with https:// in front of them, requests can still be observed -- just as there's a mailing address on the outside of an envelope. The domain name, at the very least, can still be discovered by tools that analyze network traffic. That’s because DNS, the address book of the internet, doesn’t use encrypted requests. When you request a given website, DNS servers take your request and hand back a numeric address that your browser can communicate with. If you’re using your ISP’s DNS servers, they can easily link your IP address to requests for websites. If you’re using a third party’s DNS servers, such as the ones that OpenDNS and Google provide, the traffic can still be inspected, and the request information observed. 

And, while it takes slightly more resources to accomplish, malicious network operators can attempt to spoof secure sites in order to collect personal information.

VPN

VPN, or Virtual Private Networking, takes us a step further in obscuring even our requests from the ISP. A VPN can be configured to take all of your computer's (or network’s) traffic, requests and all, to a different network. A VPN is an encrypted tunnel through which information flows, routed through your ISP’s network out to somewhere else on the internet. To continue our envelope analogy, a VPN is like an armored mailtruck that takes letters to and from a distant mail sorting facility, rather than the local one. And with the recent decisions by Congress to allow ISP’s to track and monetize browsing data, this sounds like a pretty good option for people in the US wanting to keep their information as private as possible.

But what we get in terms of privacy from using a VPN to tunnel through the ISP’s network, we have to compensate for on the other end. Effectively, we’re pushing the trust in our network out to the very end, where the VPN tunnel actually connects to the internet. If you’re only trying to keep Comcast from finding out you’re a die-hard Warriors fan, a VPN of most any type would probably get the job done. But the question remains as to what network your data ends up on. 

That exit network can still be observed by its owner, and depending on how honest or enterprising they are, they could sell your request data, correlated with your other activity visible to them. There are quite a few free and low-cost VPN Providers out there who are perfectly content to track your activity and traffic and serve you ads based on that. 

So with a VPN, the question remains, how do we trust the far end? And the unfortunate answer is, unless you’re in the enviable position of having direct access to the internet backbone, you can’t. There are some reasonable options available to you — but as with most things, they’re based on the level of trust you personally have in whatever system hosts your VPN. 

You could configure your own VPN server, using basic Linux command line skills, on a network you trust, using software such as Streisand or Algo. Many cloud hosts are probably safe(ish) to set up a server on and send your traffic to — Azure, Google, Linode, and so forth. Other hosts, such as DigitalOcean and Vultr may be an option, as well. But cloud hosts may record and monetize their traffic too — and most of them have bandwidth limits for servers in their clouds. 

You may choose to use a VPN host in another country, but with that comes other concerns (and the inconvenience of appearing to be outside of the US for shopping and streaming purposes). 

Or, you could sign up for a paid VPN service, which ostensibly has a stake in staying reputable. A popular option for this is Cloak.

Tor

Another option is to use the Tor network, which takes your computer's traffic and routes it around a network of other computers, or nodes, in order to obscure the contents and the origin. But Tor has its drawbacks, too -- it can affect the speed of your browsing, it sometimes can suffer the same problems as an out-of-country VPN, and sometimes, Tor exit nodes can be malicious, set up for the express purpose of observing what is intended to be private traffic.

Trust

The point here is that there's no one magic bullet for guaranteed privacy and security online. Combining some of these options, you can get close -- but at a cost of convenience. What's important with all of these options is that you do research to determine if you trust them.

And of course, no privacy strategy is complete without the basics -- so make sure you're up to speed with Computer Security and Internet Safety Fundamentals. And if you're curious about the IT security world, check out IT Security Career Paths and Certifications.