With the inevitable rise in chatter regarding the recent rollback of FCC privacy rules related to internet service providers (ISPs) handling of consumer data, it's crucial to understand the role privacy plays in our own lives.

To read the original FCC ruling and the Congressional joint resolution signed by the President on April 3rd, 2017, see the reference detail for 'S.J.Res.34' at this end of this article.

The initial question to answer is, "How do internet browser sessions actually work?". At a high level, it all starts with DNS (Domain Name System). DNS is like your computer's internet scout: it finds the location of the web resources you are looking for, and returns the information on how to get there to your computer.

Let's say you want to shop for that sweet vintage Fender guitar amp you've been looking for, so you decide to search on Ebay. You know that the website is www.ebay.com, but your computer doesn't know where the servers hosting Ebay's website are. That's where DNS comes in! When you enter Ebay's website address (URL) in your browser, your computer issues DNS queries to identify where Ebay's web server is and then, unbeknownst to you, your browser is transparently taken to Ebay's website. Time to search for amps at your heart's content! Luckily, all the DNS querying and searching process happens in the background and all you see is the website load in your browser.

In basic terms, DNS converts our text queries, finds the web resource location, and tells our browser where to go for the web resources we asked for. With that understood, you now know:

Your ISP can see any website you visit. This is true regardless of whether you visit HTTP or HTTPS websites.

The next question to ask is, "Can your ISP view what you search for, stream, or download once you arrive at a website?" The answer is…it depends!

Let’s look at a few scenarios to start with, and then address some important points.

Scenario 1: HTTP Website

Network packet capture of a standard web session (unencrypted, HTTP)

'user.example.com' represents your computer, where 'local.dns.server.example' is the DNS provider.

In this scenario, no data is encrypted and your ISP (along with any other entity or person between you and the website) can view any data that is transmitted between your computer and the website. Viewable data may include:

  • Usernames and passwords
  • Search terms
  • Form data
  • Any other content

In other words, this scenario provides zero privacy!

Scenario 2: HTTPS Website

Network packet capture of a standard web session (TLS)

'user.example.com' represents your computer, where 'download.dnscrypt.org' is the website you are connected to.

In this scenario, upon arriving to the website, session data is encrypted and your ISP only knows that you have an active session with that website. They can see where you went, but not what you did while you were there (e.g., which pages you visited, what content you viewed or downloaded). It's important to note that the website owner will always have visibility into what you do or download on their website (depending upon the privacy policy).

In this scenario, the amount of privacy you realize is reliant on your trust of the website owner, and the encryption protocols (e.g., TLS), used to protect your session with the website.

In other words, this scenario provides better privacy!

Scenario 3: VPN

Example of VPN encrypted traffic. The network inbetween you and the VPN server can see your IP address and the IP address (DNS entry)

'user.example.com' represents your computer, where 'remote.vpn.example' is the VPN service provider you are connected to.

In the second scenario, you activate a VPN before browsing the internet. The VPN establishes an encrypted tunnel with your VPN service provider – meaning that all data is encrypted between you and the VPN provider after the VPN is activated.

However, in this case, your privacy is entirely in the hands of your VPN service provider. Your ISP will only see that you established an encrypted session with the VPN service provider (not even which websites you visit), but your VPN service provider will see everything that comes through that VPN tunnel.

It is vital that you exercise due diligence and select a VPN service provider that you feel you can trust. Essential questions to consider when evaluating VPN service providers include:

  1. What is your Privacy policy?
  2. What data do you retain from my session activity?
  3. What data do you log?

Some level of logging is actually required to provide a reliable service, but it is important to know what is being logged to ensure your privacy needs are met.

While this scenario can provide even better privacy, it requires a significant amount of trust as well

Finally, let's address the topic of encrypted DNS. Encrypted DNS allows your DNS queries (including the responses from the DNS server) to be encrypted. Take a look at the following network packet capture from a laptop using DNSCrypt.

'user.example.com' represents your computer, where 'OpenDNS.server' is the encrypted DNS provider and 'facebook.example2' is the website you connected to.

Awesome – DNSCrypt works! However, it only encrypts the queries. The traffic showing the website visited (second line) is still unencrypted. From a privacy standpoint, this doesn't really provide an edge over Scenario 2.

Now that you understand the basics of how internet web sessions work, you can have a real discussion around data privacy, and decide what level of privacy your business requires.

Thank you for reading our article on this important Congressional repeal. We hope you walk away feeling more informed and equipped to respond accordingly to this change in legislation.

Feel free to reach out to our cyber security team to discuss additional questions, or data privacy strategies for your business. Delap LLP is one of Portland’s largest local tax, assurance, wealth advisory, and information security consulting firms, located in Lake Oswego, Oregon

Additional Resources:

81 Fed. Reg. 87274 (December 2, 2016