Journalists should learn how to protect themselves from the prying eyes of Internet Service Providers (ISP) as they are often used by governments to spy on internet users.
An Internet Service Provider (ISP) is a company that provides both the physical and logical infrastructure that enables businesses and individuals to access the internet. However, ISPs are potentially dangerous because they have access to a lot of information shared during the communication and are technically able to spy on users. By default (without encryption), an ISP can see everything that an internet user does: read emails, listen in on phone conversations, monitor app usage and see messages to sources.
As governments often force ISPs to share the data they collect, and in some countries even make it a legal requirement for them to operate, journalists should be aware of the potential risks they present for their own safety and their sources’ confidentiality.
ISPs – the internet’s post office
By default, a message will not be encrypted and will travel like a postcard – with the ISP being able to read what is written on it. In a physical post office, when one sends a package, it goes through several persons before it is handed to the final recipient. This analogy works for sending emails or requesting information from a website. Much like the post office will know a its sender and receiver, the time it was sent, package’s dimensions, weight, and can confirm that its contents aren’t illegal before forwarding it on, an ISP knows the metadata of a message, such as the mail address of both sender and receiver, time of sending, size of the message, and presence of attached files.
With a post office, there is often a legal guarantee that they won’t open your mail. There are indeed limited laws preventing ISPs from looking at the sender’s data, but nobody can tell if the metadata or non-encrypted data has been accessed and what was done with it.
Also, one ISP may not own the entire route that the data takes. Similarly to the way a letter will go through more than just one post office, data can pass through dozens of countries’ ISPs before getting to its destination and, although ISPs do have the power to control this path, it will never be revealed. For example, a data package going from Vietnam may travel through both of the highly monitored China and Russia systems. For this reason, US executive branch agencies including the Department of Justice, Homeland Security, and Defense recently moved to prevent US internet traffic from going through Chinese ISPs in fear of their monitoring. Even messages exchanged within a single country can go through another country’s ISP without the sender’s knowledge.
How can you protect yourself?
- Use End-to-end Encryption (E2EE) to keep your message contents private.
- Use an encrypted Virtual Private Network (VPN) such as Freedome or NordVPN as it obscures some of the metadata and encrypts the messages being sent. It’s similar to hiring a courier, which diminishes the risk of the message being read but doesn’t remove it.
- Mesh communication apps such as Briar or Bridgefy, which allow users to keep in touch without having internet access, add another layer of protection.
- Encrypted browsers such as Tor, security conscious browsers like Brave or private search engines such as DuckDuckGo will provide protection against third-party trackers by keeping the user’s identity anonymous.
- When browsing, prefer websites that use HTTPS encryption protocol (Hypertext Transfer Protocol Secure) instead of just HTTP which is unencrypted.
Written by Benjamin Finn. From Houston (USA), Benjamin has been in the IT field for a decade, during which his primary focus was the deployment of internal security tools across large enterprises. Over the last two years, he has been working in Myanmar and researching how to maintain proper security in the context of an oppressive nation-state. In the last few months, he has been working with multiple groups in Taiwan to train them on proper security and safety measures.