How do you conclude that you do or do not trust your ISP?

Several posts mention the idea, “How much do you trust your ISP?” I’d like to explore that question. I’ll share my thoughts and then listen to your advice.

I conclude that I won’t trust my ISP. Why? First, I live in the USA where Net Neutrality is gone and domestic spying is law (Patriot Act and such) and opaque (low transparency or honesty from govt agencies). Second, I have direct experience from marketing experts about the data they can append/buy from third parties on people. So many demographics/interests and more. And consider this is on the “light side” of the Web. This data is coming from somewhere. Third, I have two ISP options where I live for “good” service. Both are brands of large corporations. My choices (that I know of) are limited.

Now, I do not have evidence that data is collected by my ISP (Spectrum, a sub-brand of a larger communications firm). Data collection isn’t something they would chat with me about. I assume they gather whatever they want. Last I looked in their terms of service, they are allowed to gather what they want. Further, I have no way to “trust and verify.” How would I even engage my ISP to honestly disclose what is mined from my data, let alone sold to whom?

So, for those in the USA and in this community who may write, “I trust my ISP,” I’d like to know how you came to that conclusion. How would I do a much better job of understanding how much I may trust my ISP? I am genuinely curious.

Right now I err on the side of caution which is that I assume my ISP will gather whatever they may on me to sell at an additional profit. That’s why I use a VPN. And, I realize I am then trusting the VPN as my ISP. To me, this is a “wiser bet” as VPN providers have greater transparency than my ISP and are vetted by others (such as this community).

Granted, I have a low threat model. Still, how do others come to a conclusion about their ISP?

3 Likes

I don’t think there is any solid way to actually tell if your ISP is trustworthy or not. The fact that they are allowed to collect data about you might be an indication that they do just that. As you mentioned before, the legal situation looks a bit different in various regions of the world. You might try to do some research about your ISP and check if they went through some known scandals related to data collection.

In general, I do not trust my ISP. Despite the fact that they most likely do not give a heck about me, I prefer to be safe than sorry, so I use DNS over HTTPS provided by Mullvad (you can read about DoT and DoH here). When I need to research something very sensitive, I use Tails, but in some cases I would rather pick Whonix instead. When I do something that is kinda delicate (like torrenting, reaching adult content, etc.), I just connect to a VPN from a separate browser. I use split tunneling, thanks to which only the apps that I pick are routed through the VPN connection. There is a nice tutorial on how to perform split tunneling here, but keep in mind that this is a bit more advanced, and if you have no experience with Docker, manual VPN setup, etc., you might experience some issues with that. Also, you have to keep in mind that running a VPN 24/7 with all your internet activity is a bit risky and might lock you out of some of your accounts (this should not take place if you use your VPN only with some of your apps and you do it carefully).

I am not a lawyer, so I can’t really tell how to convince your ISP into revealing such details. I am guessing that they will not be very eager to share details about that.

To better understand what your ISP collects about you, consider:

  • What can be collected (your DNS queries, your unsecured HTTP requests, etc.)
  • What kind of data mentioned above can be realistically harvested and processed
    (to send it to data brokers, to use it for targeted advertising, to monitor your interests, etc.)
  • What you can do about that (use a VPN occasionally, use Tor (preferably with bridges), use a decent DNS server, generate noise to make your data less valuable, etc.)

Usually, they just learn more about privacy / information security / whatever. Or maybe they learn about some huge data collection scandal related to their ISPs or simply their data was sold to some vicious people who threatened them in real life. The possibilities here are just endless.

I hope this answered your questions to some degree.

3 Likes

Don’t conflate unverifiable marketing claims with transparency.

Transparency is what you get when a company publishes a (meaningful and timely) post‑mortem after a PR disaster. Transparency is what you get with open-source code. Transparency does not come in the form of marketing bullet points that you, the consumer, have no choice but to trust blindly.

Frankly, most VPN providers make bold and verifiably false claims — obviously these providers are not trustworthy. But even among those that don’t make verifiably false claims, VPN servers are still just black boxes glorified with a bunch of fancy marketing.

No, they really are not.

Unless someone is an insider with significant systems access, they have no actual way to vet a VPN provider, at least short of a data breach that reveals some of the company’s true practices (case in point: NordVPN). The only thing outsiders can do is vet the company’s marketing claims and analyze the company’s behavior under duress, such as in light of a potential data breach or court order.

No, you are actually trusting two additional parties at minimum. VPN providers have their own ISPs too. If you ever connect to a second one of your VPN provider’s servers, you’ve just added a third party (another ISP) you need to trust. If the VPN provider ever changes datacenters for whatever reason, that can also introduce another separate ISP to trust.

From a pure trust standpoint, I would (and do) trust a reputable VPS provider and their Tier 1 or 2 ISP far more than a black-box commercial VPN service, where you most likely won’t even know if you’re suddenly using a different ISP one day.
Note that I am in no way recommending this practice as a way to increase privacy, because it will have the opposite effect.

How can you be so sure your VPN provider isn’t collecting data on you? You can’t. It’s impossible to know. The best you can hope for is that your VPN provider is subject to strict privacy legislation in some other country, but even then it is not a guarantee.


I’m sure you’ve seen these links from my other posts, but I’ll include them here anyway:

In your case, even though I know how scummy Charter/Spectrum is, I seriously question whether a VPN is actually doing anything beneficial for you. You can mitigate any website spoofing concerns by religiously using HTTPS‑only mode. You can bypass a lazy implementation of censorship by using a trustworthy encrypted DNS provider like Quad9 or NextDNS, but this is again another party to trust and for the most part of little or no benefit. When Encrypted Client Hello finally gets widespread adoption, your ISP won’t be able to see any of your traffic except an IP address, and that is usually a useless identifier in light of just how many sites are hosted behind Cloudflare or otherwise share a single public IP address.

And, for the times when you really need significant privacy, use Tor.

2 Likes
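The second post lists what an on-path ISP can collect and the third post claims that, once Encrypted Client Hello is deployed, the ISP is left with little more than an IP address. The script below is an added illustration of that point, not code from any of the posters: it constructs a synthetic TLS ClientHello, then parses it the way a passive observer on the wire would, reading only the plaintext fields. Without ECH the Server Name Indication exposes the hostname even though the connection is HTTPS; with ECH the outer SNI carries only a stand-in client-facing name and the real hostname sits inside the opaque `encrypted_client_hello` extension. The ECH extension code point (0xfe0d) is the value used by the IETF drafts and is an assumption here; the hostnames and the fixed random bytes are constructed sample data.

```python
"""Passive-observer view of a TLS ClientHello: what an ISP can read off the wire.

Added example. The ClientHello bytes are constructed inline (synthetic input),
and EXT_ECH is the draft ECH code point (assumption; verify against the spec).
"""
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D  # encrypted_client_hello, per draft-ietf-tls-esni (assumed code point)

# Placeholder for the public_name an ECH-enabled client puts in the outer SNI (assumption).
OUTER_PUBLIC_NAME = "client-facing.example"


def build_client_hello(server_name: str, ech: bool = False) -> bytes:
    """Construct a minimal TLS record holding a ClientHello (synthetic test input).

    With ech=True the outer SNI is the client-facing name and an opaque ECH
    extension stands in for the encrypted inner ClientHello that carries the
    real hostname.
    """
    outer = (OUTER_PUBLIC_NAME if ech else server_name).encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(outer)) + outer          # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    if ech:
        blob = b"\xaa" * 48                                                # opaque ciphertext stand-in
        exts += struct.pack("!HH", EXT_ECH, len(blob)) + blob
    body = (
        b"\x03\x03"                              # legacy_version (TLS 1.2)
        + b"\x11" * 32                           # random (fixed for reproducibility)
        + b"\x00"                                # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record: bytes) -> dict:
    """Return only the plaintext facts a passive observer can read from the first record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                 # skip legacy_version and random
    pos += 1 + body[pos]                         # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                         # compression_methods

    seen = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return seen                              # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            seen["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ECH:
            seen["ech"] = True                   # ciphertext only; inner hostname is not readable
    return seen


if __name__ == "__main__":
    for use_ech in (False, True):
        record = build_client_hello("mail.example.org", ech=use_ech)
        print(f"ECH={use_ech!s:5} observer sees: {observe_client_hello(record)}")
```

Run it to compare the two cases: without ECH the observer reads `mail.example.org` directly from the SNI, with ECH it reads only the placeholder public name and learns that an ECH extension was present. DNS lookups leak the same hostname unless they are encrypted too, which is why the posts above pair ECH with DoH/DoT; what remains in both cases is the destination IP address and the timing and volume of the flow.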