A lot has been written in recent years about the rights of individuals to privacy online, and the general collection of identifiable information while online. Facebook, and other social media services, collect an extreme amount of information about us as we use their services. The Cambridge Analytica scandal of last year is an example of a high profile case where personal information of US Facebook users was used to affect the outcome of the 2016 Presidential Elections that was specifically extracted from Facebook. The fallout from that is still ongoing, with Facebook in particular taking the brunt this. However, in Europe the GDPR regulations are attempting to give the power back to individuals and similar legislation is being considered in other countries.
What this blog post is going to describe is some of the ways that technology can be used to gather information about individuals, and steps people can take to secure their privacy. This is particularly true when you are out and about, travelling in other countries and generally using the services available on the Internet for communication and information.
What Information is Gathered when Connecting to a Network?
The above diagram shows the typical connections made between your personal device and the Internet. Whatever device you are using to connect to the Internet, you will connect to some form of access point which gives you access to the Internet. That in turn connects to the Internet Service Provider, which in turn connects to the Internet and the website and/or service you are connecting to.
The router will collect information such as:
- Information regarding the router’s running status
- Number of devices connected to the router
- Types of connections (WiFi/Wired)
- LAN/WAN status
- WiFi bands and channels in use
- IP address of the routers connection to the ISP
- Routers MAC address, serial number
- Amount of data traffic processed
- Technical data about the functioning and use of the router and its Wi-Fi network
- What websites you are accessing and when
- What DNS lookups you are doing
- Failed connections.
The router will know all this information, but whether or not it passes it on to the routers manufacturer is another thing. The Netgear Nighthawk routers do send a subset of this information back to Netgear, and it is reasonable to expect other manufactures do the same. Depending on how the router is configured, this information may be logged within the router and may also be accessible to the routers owner.
If this is a domestic router, you don’t have any legal reason to collect this information. However, if you are a commercial service providing public access points to the internet (as you would see in a hotspot in a café providing free WiFi access), or your ISP, you are required to keep these logs depending on the regulations in force in the country you are in. These logs can be requested by law enforcement. The service owner can also use these logs to manage their own service, and in some cases sell this information to third party data aggregators to help people target advertisements, etc.
I hear you saying ‘What can I do to stop this?’. The short answer is not a lot. By accessing the free WiFi, or using your home ISP, you agree to certain data being aggregated about your use of the service. If you don’t want this data to be collected, then you have the choice of not using the service.
However, if your WiFi connection is enabled on your mobile device, it is randomly connecting to any WiFi network that is range. Even if the connection fails, your connection attempt is still logged and details of your device (e.g. its MAC address, the device type, model number) are recorded. If you don’t want this to happen, ensure your WiFi connection on your personal device is switched off when not directly accessing the Internet.
In the UK we are governed by the GDPR (that is until the UK leave the EU, and from then onwards I am not sure how this regulation applies which will depend on the way the UK leaves the EU). In other countries there are other regulations requiring stricter policing of Internet access (e.g. China, North Korea, Russia), and others where the regulations are almost non existent (e.g. British Virgin Islands). You need to be aware of these laws as you travel around the globe.
How can I Ensure My Privacy online?
There are various ways to ensure your connection is as private as it can be:
- Ensure you are connecting to an encrypted access point
- Make sure you are access websites using HTTPS
If you are connecting to a secure router you will need to enter a password that will be given to you by the service owner and you will be told the type of encryption in use. Typically the public WiFi hotspots you will see in Libraries, cafes, etc. this will not be encrypted. This means that all network traffic between your device and the router/access point is public and unencrypted. If you want to se how this can be exploited, I suggest you look at this article on Android Authority where it is demonstrated by using simple hacking tools how this can be done. These tools are freely available on the Internet for anyone to download and install and are used by penetration testers and hackers alike.
You also need to be aware of which WiFi hotpot you are connecting to. It is so easy to set up a rogue hotspot using a PC, your phone, or specialised devices (e.g. the Pineapple). If you see two public hotspots for your café, then question why they are there. One could be a malicious, called an ‘Evil Twin Router’. It is not unheard of for hackers to plant one of these devices in a café, do what’s called a Denial of Service attack (DoS) on the genuine access point to take it offline leaving their rogue access point. If one access point is inaccessible, but another is, I suggest you raise this with the café staff as this could be an attempt by hackers to compromise the service. In any case be aware and careful when connecting to public WiFi.
In the past few years the general use of encrypted URL’s for websites has been widely adopted. You will notice this by the URL having a https (as opposed to http) prefix, and typically a padlock icon in the URL address bar on your browser, or some other indicator you are securely connecting to the website. In this case all the information you send to the website is encrypted and cannot be seen by anyone casually sniffing the data packets on the network. Equally, the router can only record that you visited this website. However, because each picture and text block on a webpage has to be individually requested and downloaded, the router will know what has been downloaded from the lookup.
However, there is one lookup that your web browser does that you won’t necessarily know about, which is the ‘Doman Name Service’ lookup (DNS). You type into your browser something like ‘www.mysite.com’ and almost immediately you see the website displayed. What is happening in the background is the Web Browser is sending a request to a DNS service to translate what you type in into a physical IPA address of the server that will give you access to the website. This is a unique address (in the form of 123.234.345.456 for IP v4 and a longer string for IP v6). You don’t need to worry about this, except that it is often looked up unencrypted. That means that the router can see the actual request and data being transferred. Recently a new practice has emerged where this is looked up over an encrypted connection, and if you use an Android device with the latest version on it (Pie/v9) you will have the option to perform encrypted DNS lookups. However, this is very early in its rollout, but I can see this becoming as widespread as https is now. However, the DNS service will know what you are looking up, your IP address, what device you are using, etc.
OK, so you are using an encrypted DNS and https, what else can go wrong. Well, if the website doesn’t use https, you will access the website unencrypted and the router will see everything you send to the website. It will be able to track all the pages you look at, and any user ids/passwords you send over the unencrypted link. Some websites degrade to http and do not default to https, so you have to be observant.
You can protect your privacy further by using a Virtual Private Network (VPN).
In this case your device connects to a Virtual Private Network (VPN), which ensures that any traffic you route through this connection is encrypted even if you access over unencrypted http. A good explanation of VPN’s is given in this Android Authority article. In this case the DNS lookup is still done unencrypted, but because it is masked by the VPN the router won’t see the lookup n the assumption is processes the DNS lookup securely (DNS leakage).
There is a lot in the press about VPN’s ensuring your privacy on the internet. Well, this isn’t the whole story. The VPN secures a connection between your device and the VPN provider, who in turn knows everything about what you are accessing. The best ones claim not to retain any record of this activity, but you have to trust that this is the case. And even if it the case, law enforcement can still request the information they do have (e.g. that you have an account with them, when you connected and from where you connected). What they typically won’t log is the specific websites you are accessing.
At some point the VPN has to emerge onto the Internet, and this is called an exit point. At this point the VPN will typically obscure things like your actual IPA address of your device, your location and other personally identifiable information. This is useful as you can mask your true location and access services that would otherwise be blocked due to your location (try accessing the BBC iPlayer from abroad). However any information you provide to the website in the form of identifying information is sent to the website (e.g. a login/password), which then ties your access to the service directly to you irrespective of whether or not you have a VPN engaged.
I should note here that VPN’s are banned in some countries, and using one can land you in trouble with the authorities. Russia, China and Saudi Arabia are particularly strict about this, but there are some VPN’s that they do approve and often because they require a backdoor into the logs the VPN gathers. You need to do the research ahead of travelling to these countries and abide by the rules. Note, this is also the case when using cellular connections in some countries. The authorities actively monitor what is being transmitted and in some countries they don’t require warrants or court orders to do so.
What else can I do?
Lets assume that you have taken every effort to secure your physical connection to the Internet. What else can go wrong that will leak your personal information to third parties.
As we browse the internet, you will in all likelihood access websites that don’t charge for the information they are providing. However, in order to provide the service, they have to gain some income. This is typically in the form of advertisements and sponsored articles.
This is where I have a problem with this practice, since a lot of websites appear to overload their websites with advertisements and videos that start playing immediately they are downloaded. This causes the website to become slow and use a lot of data. If you are on a limited data tariff, this will hit you hard. This is why extensions to the popular web browsers (e.g. Chrome, FireFox, Edge) have been built to specifically block adverts (e.g. UBlock Origin, and other services). Once you enable one of these extensions, the web instantly becomes responsive again, but the website is denied the income it needs to provide the service in the first place. You can subscribe to responsible adverts through these adblockers if you want to.
Something that you won’t notice with these adverts is that they are dropping what’s called ‘Cookies’ into your browser that allow the advert provider to track you on the internet. A cookie is a small file containing some data that allows this to happen. This allows the website and the advert provider to track where you go next and what you saw. If you are accessing a website about Wind Surfing, the advert provider knows you are interested in this and can then serve you adverts specific to your interests. This information can be built up over time by tracking your specific PC/Web browser fingerprint.
The Electronic Frontier Foundation provides a service where you can test this on your browser at their Panopticlick service. Perform the test using your favourite browser and see what comes back. Also look at the fingerprinting information for your browser. Do it again once you have enabled an adblocker and you will see how effective that adbloker is in blocking adverts and ensuring your privacy.
There is another aspect to the adverts you see on webpages. Adverts will typically be benign, but in some cases they can be malicious if the advert provider has been hacked, or they have been looked up using unencrypted http connections which can be affected by what’s call ‘man in the middle’ attacks. In this case the advert may drop malware onto your PC in what’s called a ‘Drive By Attack’. Using an Adblocker extension will help to remove this threat, but not totally since websites can also be hacked to deliver malware. In this case you are down to the browser defending you, your antivirus software or other service you subscribe to. Defending against malware will be the subject of a future blog post.
Another thing that can be deployed to websites are ‘Trackers’. These are similar to what adverts do to track you, but these are purely hidden from view and are normally embedded into the coding of the website. Some Adblockers will also block these, but there are other extensions (e.g. Ghostery) that specifically block these trackers. Now, these tracking services are another way for the website to monetise their service, and by using them you also deny them of their income. However, if you are particularly concerned about privacy, then this is the way you have to go.
Denying websites their income from adverts and trackers (among others) will ultimately affect the viability of the website to provide the content you want to look at. So, use these extensions judiciously.
What about the TOR Network?
OK, the TOR network gets a lot of bad press as being the place where criminals sell their illegal products on the dark web. However the TOR Project was started by the US Department of the Navy to provide a secure way for people in locations that were subject to high levels of surveillance to communicate securely and privately. It has been extended to a non-profit organisation sponsoring private communications across the world. Take a look at the TOR Project About Page here for more info. OK, so yes the TOR network allows access to the dark web, which allows criminals to operate, but that was not the original intention.
If you want to use the TOR network you can download their browser (which is based on FireFox), use a VPN (e.g. Nord VPN which provides a TOR access point) or if you are an Android user you can use the Orbot app which allows you to set up a VPN through the TOR network. Look out for my future blog post on the TOR network and the Dark/Deep web.
One word of caution when using the TOR network. The dark/deep web has been totally infiltrated by law enforcement. There are some sites out there that are providing the genuine illegal services, but most are honey traps laid by law enforcement. Anyone can set up an access node on the TOR network, and law enforcement do this as well. As a result, if you do access one of the illegal dark/deep websites, it is highly likely that you will be tracked. Also, countries wanting to watch their population will also set up these honey traps. So, be aware if your intention is use this service.
What About Cellular Data?
OK, so if I use Cellular Data that’s OK – Right?
Well, not really. There are threats here too. It is possible to set up fake cell towers that can fool your devices to connect to them instead of the genuine article. A Stingray is such a device. These devices send out a fake cell tower signal that your cellular device thinks is your service provides tower. Your device will seek out the strongest signal and connect to it, which in all likelihood will be the Stingray. Once you connect to this device, the traffic is decrypted, sent to the owner of the device and then re-routed to a genuine cell tower. The tricky thing here is that you may not know this is happening.
These devices are often deployed by law enforcement in some countries, state actors intent on spying and hackers. They are often deployed in high traffic areas, near to government buildings and embassies. There was a recent report in the popular press where a lot of these devices were tracking the US White House employees.
So what can you do here to protect yourself? Your device will connect to the StingRay and you can’t do much about that unless you have some security app that detects them (e.g. SnoopSnitch, but you will require a rooted Android device for this to work, which is ill advised). You can go dark and use a VPN for all your data traffic. You can also use one of the many messaging aps (e.g. Skype, WhatsApp, Telegram, FaceTime) to encrypt your voice calls and instant messages. Skype in particular allows you to communicate with normal landlines and cell phones, which a lot of the others don’t.
Note that Voice calls and SMS messages are normally transmitted in an unencrypted form, so in this context they will be insecure.
What about Location Tracking?
On your mobile devices, you will notice something called ‘Location Services’, which use GPS and cellular information to track where you are in the world. If you want to use satellite navigation this is essential, but the apps you install on your devices can perform this tracking without you knowing it. Android is particularly guilty of this, and Google Maps through your Google Id is a very pernicious gatherer of location information. However, there are so many apps out there that require Location Services in order for them to work, irrespective of whether or not they actually need it.
I recently took a look at a number of apps on Android and found a Flash Light app that required a lot of permissions that I thought was just overkill (see the screengrab on the left). This was a particularly bad example, but there are other apps out there that are just a guilty.
What you do here is switch off your location services on your device, and restrict where possible access to the permission to location services for each app you install. Depending on the device you use, the process to do this varies, but I will be writing a blog post in the future specifically on this subject. The other trick here is to examine the permissions an App wants before you install it. If it is asking for permissions that don’t seem aligned with its function, then don’t install it. There are plenty that ask for fewer permissions. You also need to look at what permissions the app is generally requesting, and if these don’t align with the function of the app, then deny them or de-install the app.
What about Bluetooth & NFC?
Bluetooth is a highly flexible feature of most mobile devices. It can do almost anything from connecting a wireless headset to connecting you to a network. However, when it is switched on it is broadcasting your devices Bluetooth name, which can be picked up by any Bluetooth enabled device. Swift it on now and see how many devices you can find nearby, particularly if you are in a café or some other public place. Most of the time to pair with another Bluetooth device you need to go through a pairing sequence, but not always. This is just another way for a hacker to get into your devices.
The best option is to turn Bluetooth off when it is not actively in use. This might be inconvenient as you may rely on your phone connecting wirelessly to your cars infotainment system, or other service you use regularly. However, if you want to deny this attack method, then you know what to do.
Near Field Communications (NFC) is similar to Bluetooth, and this is often a way for a device to connect to yours to exchange information or pair over Bluetooth. It is also the method used to make contactless mobile payments. If you enable mobile payments, this is a potential attack method to defraud you of your money by casually bumping your phone with a malicious card reader. Again, the best approach is to turn off NFC when not in use. However here, as with Bluetooth and WiFi, you lose some convenience for extra safety.
While this is not necessarily the actual attack method, this video does prove how easy it would be for a hacker to create a device that could perform all the functions of a payment card reader.
Look out for my blog post on contactless payments coming in the near future.
I hope I have explained some of the myths about how your privacy can be compromised just by going about your business on the internet. The message I want to get across here is that if you access the internet, even from a secure connection, you leave digital records everywhere you go. This information can be used by corporations as well as hackers. By using these free WiFi services you automatically give the provider permission to gather information on your activities. There are ways to restrict this, but in the end someone knows where you are going and what you are doing.
The threat is particularly an issue with free WIFi hotspots provided in libraries, cafes and hotels. When you are travelling you often use free WiFi as using your cellular connection is probably very expensive. However, you have to be careful.
A few simple precautions you can take are:
- Ensure your WiFi connection is turned off unless you are actively using it
- Ensure you always use HTTPS connections
- Use an encrypted DNS lookup if available
- Look out for suspicious WiFi networks
- Keep Bluetooth and NFC switched off unless you are intending to use them
- Use a VPN when you are out in public to help obscure what the hotspot is tracking
- Enable ad blocking and tracking blocking extensions in your browser (suggest you use FireFox of Microsoft Edge on your mobile devices and not Google Chrome).
The best advice I can give here is to be aware of what you are doing. If something looks dodgy, then in all likelihood it is and you should not connect to it.
All I want to do now is which you all a safe internet experience where you can safeguard your online privacy.
I am by no means a privacy expert, so if any such experts are reading this blog post and I have miss-stated something please get in touch with me via the contact form.
Headline image provided by Shutterstock.