You may have heard a lot of news recently about internet service providers (ISPs) being allowed to track your internet browsing history and use that data as they see fit.
No matter where you fall in the politically-charged debate, the topic of internet privacy has come to the forefront again and we see that as a good thing. Especially for businesses, knowing how to protect your company’s data while online is a crucial element of your IT policies and infrastructure.
For those in the know, the concerns raised recently are nothing new: many of the FCC regulations reversed by the recent legislation were due to go into effect beginning later in 2017, and big ISPs along with other online companies like Google and Facebook have been tracking their users and monetizing that data for years.
That may leave you thinking: “well, we’re no worse off than we were before” and that may be true.
But for larger enterprises, or those in industries that generate especially valuable data – like finance and healthcare – online security is something your company must be thoughtful about.
Why This Is a Problem for Internet Security
Even with the new regulations being canceled, it remains illegal for ISPs to sell individual internet histories; the data ISPs collect is anonymized and sold to advertisers and other data aggregation organizations in bulk.
However, it is possible to dig deeply into this anonymized data to uncover its owner.
Moreover, by collecting and storing your company’s internet browsing data, ISPs in effect create an additional cybersecurity vulnerability: another target for hackers to attack in order to access that data.
But what can the ISPs really know about your company and employees?
At the very least, anything that can be inferred from the websites you visit, when you visit them, where you visit them from, and how much data is transmitted to and from those websites. This includes things like:
- Institutions your company and employees bank with.
- Healthcare providers and insurers.
- Professional services your company engages.
And if your traffic is unencrypted, they may be able to learn even more from the content of your web traffic as well.
Which leads us to our recommendations for improving your company’s internet security and privacy.
4 Ways to Improve Your Company’s Internet Privacy and Prevent Data Collection
The primary way to stop ISPs from collecting your company’s internet browsing data is through various means of encryption – though in some cases it may be possible to work with an ISP to have them agree to stop collecting this information as well.
The simplest and best first step in protecting your company is to use HTTPS encryption wherever possible.
HTTPS encrypts the connection between your computer and a website using either the TLS or SSL protocols.
In the past, this security measure was mostly used for particularly sensitive information like account logins and banking information. However, implementing HTTPS has gotten easier, and Google has begun to reward sites that use HTTPS, which has greatly contributed to wider adoption.
And free-to-use tools like the Electronic Frontier Foundation’s HTTPS Everywhere browser plugin make it easy for your company to implement an HTTPS usage policy.
When using HTTPS, the content of your web traffic and the actual web page you’re visiting are protected, but the website you’re visiting and how much data is being transferred are not encrypted for technical reasons.
This allows ISPs to know where your company’s web traffic is going, which is enough to gain more insight than you’d like.
And unfortunately, many websites still don’t use HTTPS, meaning it’s not enough to ensure your company’s privacy.
Virtual Private Networks
The next step up in encrypting your web traffic is to use a Virtual Private Network or VPN.
VPNs create a secure connection between your device and your destination – whether that’s a website, network storage device, or another computer. They essentially allow you to have a private network like the one inside your office while using public networks like the internet.
Whereas HTTPS is only offered on some websites and only protects your web browsing traffic on computers configured to use it, with the right setup, VPNs can cover the entirety of your internet traffic, including:
- Mobile devices.
- IoT devices and other network infrastructure.
- Any internet traffic, including non-web traffic (DNS lookups, conference call connections, etc.).
But VPNs aren’t without their own challenges and vulnerabilities.
Firstly, it’s important to ensure your VPN is properly set up to include all your internet traffic; while there are many easy-to-set-up VPN options, ensuring every device is covered, and that all the internet traffic from those devices is encrypted and sent through the VPN, requires technical know-how.
And while it is possible to have a professional set up a VPN using your existing infrastructure to guarantee encryption, if this is the case your ISP will still be able to see where you’re visiting (because the traffic going from your VPN will still originate from your company and be sent directly to the websites you’re visiting; the traffic will be encrypted but the start and endpoints will be visible).
Which is why you’ll want to ensure your VPN configuration includes the use of proxy servers.
With a proxy server, all your VPN traffic will be routed first to that server then to your end destination – meaning your ISP will see your web traffic going to that server, but not its ultimate destination.
A few things to be aware of with this:
- Professional VPN companies often include proxying as part of their service, but they’ll be able to both see your unencrypted data and know where it’s heading – so it’s critical to find a trustworthy provider who does not log this data.
- ISPs will still be able to see the amount of traffic coming to and from your business which, with other potential methods of tracking, could lead them to insights you don’t want them to have.
- Large, complex entities like Tier 1 ISPs and government agencies are able to monitor vast amounts of internet traffic, which means they can make complex correlations. For example, if your business is in New York and you use a VPN with a proxy server in Texas, a large enough organization may be able to track how much data is flowing between your business and the proxy server and from the proxy server to your destination, and from that be able to accurately guess that the traffic is yours.
- Proxy servers have the potential to slow down your internet access speeds due to the extra distance that traffic will need to travel to get to the server and that server’s ability to handle all the traffic coming to and from it.
With all this in mind, VPNs are currently the best method of protecting your internet data and privacy when properly configured.
While VPNs and proxy servers are operated either in-house or by a single provider, Tor is an open source distributed network that aims to preserve anonymity by routing traffic through a series of servers.
With a VPN and proxy server set up, your traffic is encrypted on your company’s computers, then sent to the proxy server and from there to its end destination where it’s decrypted.
Tor adds an extra step to this – after your traffic reaches that first proxy server, it’s then sent to a few others in the Tor network before heading to your final destination.
The advantage of this is that it’s much more difficult for any one server operator or tracking organization to be able to associate the traffic going to your end destination with your business; only the “exit node” (the server that sends traffic from Tor to your destination) knows your destination and won’t likely be able to know that traffic originated from you.
Disadvantages of Tor include:
- While VPNs with proxy servers may be slow without the right setup, the extra hops your traffic makes through Tor make it much more likely to be slowed down and much harder to improve speeds, even with professional help.
- Because, at the moment, Tor is used most by spy agencies, hacker groups, and those aiming to secure valuable conversations and web traffic, it’s a particularly valuable hacking target – meaning exploiting its vulnerabilities is a top priority for hackers of all sorts (whereas “regular” web traffic has much more volume to sift through, making it harder to find data of interest).
Because of the speed issues and technical knowledge required to safely use Tor, we generally don’t recommend it for anything but the most extreme security scenarios.
Changing or Renegotiating with ISPs
AT&T used to charge clients $30/month to opt out of their data tracking.
While that charge was made illegal, it’s still possible to opt out of ISP data collection activities (the recently canceled legislation would have made this tracking an opt-in process).
To see if this is possible, we recommend contacting your ISP’s customer support to ask how you can opt out – and don’t take their initial hesitations as “it’s not possible.”
And if your company is large enough to negotiate specific SLAs with your ISP, be sure to include an anti-data tracking clause.
However, internet privacy being an ongoing concern, several smaller ISPs have also specifically decided to not collect web browsing data as part of their service.
The EFF recently had some of these ISPs sign a letter expressing their concerns to Congress about the recent legislation; while many of these companies only operate in a few areas, it may be worth following up with them to see if making the switch to a more privacy-minded ISP is possible for your business.
Ensure Your Business Is Protected – Call in The Experts
ISPs may not have gained any new powers from the recent bill, but the situation has reaffirmed that internet privacy concerns start from the moment traffic leaves your building.
There’s no single, perfect answer when it comes to protecting your business from online data collection, but the options we outlined above represent a good start toward more secure internet access.
But to make sure your company’s most sensitive data is as secure as you need it to be, it’s important to call in IT security experts experienced in the nuances of online privacy vulnerabilities and technologies.
That’s where we come in.