What is your method to minimize your ISP from harvesting your data


#1

Here’s a question for you! What is the ideal way to protect your privacy/security from your ISP? I don’t like the idea of Comcast harvesting my data for sale.

Let me start by saying my current set up is NOT completely ideal. OS: PURE OS/IDEAL, Browser: Pure Browser/IDEAL, Search Engine:Startpage/IDEAL, DNS: Cloudflare IP Address 1.1.1.1/IDEAL. I don’t use a VPN and I probably should but I want to learn from my audience what they use and why?

Please share your opinions. I need to lock out ISP’s and anyone else as much as possible. Much like you, I care deeply about my online privacy and security and that is why I’m here. To learn and share my thoughts and opinions with my community.


#2

Using TLS in general (HTTPS if browsing) will protect data but not the identity if the server you are interacting with. An ISP can still MITM your DNS requests (actively or passively) and it can access the destination IP address of every packet so they can work out what you are doing. Ideally you will want packets to reveal their destination after leaving your ISP where they cannot be traced back to you. DNSCrypt would protect from the DNS MITM, but not packet inspection if they can perform a simple reverse lookup.

In other words, Tor or VPN (assuming your VPN doesn’t tag packets according to their origin in somehow).


#3

Depends on your threat model. Tor, VPN, SSH are only starting points.


#4

I have used VPNs for years, though I am not suggesting that is the only solution. I think @jukebox is correct.

I recently changed providers to one more in tune with Linux, and I looked for several things. I am sorry if I am repeating criteria; many make the same suggestions in articles and blogs.

  1. A free VPN was out for me. There is truth to the adage that “If a service is free, you (your data) are the customer.”
  2. No logging of user activity, e.g. IP traffic and DNS requests. To some degree, one must trust the VPN service’s claims, but searching will usually indicate what is really true or suspect. I suggest doing a lot of that and do not believe reviews; read the privacy policies. I found some of the more popular VPNs may log some things after all.
  3. Linux support with a kill switch. This requirement actually narrowed the candidates greatly. My prior service relied on OpenVPN in the Linux Network Manager. A few times I found myself with the VPN connection down but with me merrily doing my thing completely unaware.
  4. Speed and access. To a greater degree than logging, one is dependent on reviews unless one has a way to actually try the VPN. (I think trials are good, though I did not really avail myself to that.) My prior VPN’s IPs seemed to be blocked more than my current one, including the Debian wiki!
  5. Number of servers and locations.
  6. DNS. I use the provider’s DNS, rather than Google’s or an ISP’s.

I may be wrong on this, but I always use the TCP protocol when I connect. Being connection-oriented, it seems a bit safer than UDP, albeit slower.

A lot depends on how one uses the VPN. I use it for e-mail, browsing, and the like. I do not stream very much, though I may watch the news on some foreign sites. I do not play games or watch movies.


#5

Thank you all for giving me your input.


#6

The issue of VPN provider trust is a difficult one. Personally, I never trust what all they post on their websites. This is only to attract customers, there are various other ways to practically test it, rather than blindly believe.


#7

Bold statement :slight_smile:
Now, I’m not saying they have bad intentions. But at least keep in mind it’s a big company making money (also) by analyzing traffic. The DNS traffic is also analyzed by APNIC, who owns the IPs.

Some privacy-minding and non-censored DNS offerings, not operated by big corps, can be found here:
https://www.orsn.org/en/tech/pubdns/
https://digitalcourage.de/support/zensurfreier-dns-server

Some of those listed here might also meet that criteria:
https://www.lifewire.com/free-and-public-dns-servers-2626062


#8

I just run dns server on my laptop.


#9

Put a PI with Pi-Hole + Unbound Reverse DNS Resolver in your network between your devices and the internet. Takes about 2h to setup. The Pi can also additionally run an OpenVPN-Server.

Especially for Unbound there are some secure, non-logging DNS services as forwarders available (can be used).


#10

as i see it you minimize the data harvested from you by your isp and you let someone else harvest the rest. what do you actually control ? vpn ? there is an exit node somewhere … who controls that ? who would you trust more to manage your data ? your local isp or someone else ?
there is also the question of speed and other factors that may or may not influence you so much depending on HOW you use your devices