Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can My ISP See What I’m Doing If I Use a Virtual Machine (VM)?

Question: In your article Can Everything I Do Online Be Monitored at My Router? you state that “your ISP can see everything you do”. Is that still true if I run a virtual machine to hide what I’m doing?

Yes, it’s still true: a VM doesn’t get you any additional privacy from your ISP.

I do need to clarify exactly what “everything you do” means. I’ll also revisit what you need to do to avoid ISP monitoring. Hint: a VM isn’t the solution, but might be a convenient part.

Become a Patron of Ask Leo! and go ad-free!

Virtual Machines

To refresh: a virtual machine, commonly referred to as a “VM”, is software you run on one machine in which you create a simulated environment of another.

The best way to conceptualize that is with a picture. Here’s a snapshot of my Mac Pro’s desktop.

Leo's Desktop

You’ll see that in addition to the Mac “Dock” (an equivalent to the Windows taskbar) across the bottom, and Chrome — the browser in which I’m writing this article — there are three additional windows, each running what looks like a completely different operating system:

  • In the upper left is Windows 10
  • In the lower left is Windows 7
  • In the upper right is Debian Linux

Each of these systems believes it’s running on dedicated hardware, but in fact is running in a software simulation of a PC. As you can see, it’s possible to run several such simulations simultaneously with different operating systems in each.1

What your ISP doesn’t see

Your ISP only sees the connections your computer makes to the internet. That means it has no concept of what software is making those connections, outside of anything those connections imply.

So when my browser makes a connection to askleo.com, my ISP can see it, regardless of whether I do it in the native browser — Chrome, in the example above — or in a browser within one of the virtual machines. My ISP just sees there’s a connection being made to askleo.com by some machine at my IP address.

This is very similar to what happens if you have more than one physical computer: your ISP cannot generally tell which is making the connection. The rule of thumb is that virtual machines behave just as if you had multiple, different, real computers.

What your ISP might see

I said your ISP has no idea what software you’re running outside of what the connections you make imply. For example:

  • If you connect to askleo.com, your ISP can tell you’re probably running a web browser.
  • If your connection is unencrypted, and your browser includes information that says “Hi! I’m Google Chrome” as part of the conversation, your ISP might see that.
  • In fact, any information in an unencrypted connection could be seen by your ISP and used to infer what software you’re running to create that connection, and what that connection is used for.

More interestingly, though, it’s the services we connect to that expose some of what you’re doing.

  • If you connect to a file-sharing service, your ISP can infer you’re running file-sharing software. However, if the connection is encrypted (as most are), your ISP can’t see what files are being shared.2
  • If you connect to a VPN (virtual private network) service, your ISP can see that you’ve done so, but cannot see beyond that.
  • If you connect to a TOR (The Onion Router) anonymization server, your ISP can see that you’ve done so, but cannot see beyond that.

But it doesn’t matter where those connections originate on your machine: from the programs you run directly, or from programs run within a VM; to the ISP, they all just look like connections and data transferring to and from your internet connection.

The best hiding you can hope for

If you don’t trust your ISP, things get difficult.

Honestly, the best privacy solution is to use a VPN. As long as it’s correctly configured, your ISP will still see that you are using a VPN, but they are not able to see what sites or services you are connecting to, or what data you’re exchanging with those sites.

The next level would be to run a dedicated TOR browsing session. It’s slower, and it’s easy to leak information if you’re not careful, but it can be done. (TOR focuses more on end-to-end privacy and traceability than a VPN, whose primary job is to protect your connection to the internet from eavesdropping.)

Finally, one approach that might be convenient, if you’re so inclined, is to set up a virtual machine that uses one of these technologies. That’s nothing more than a convenience, though, and doesn’t increase your privacy. All it does is make it easier to run a virtual machine that’s pre-configured with your favorite VPN or TOR — exactly as if it were a different always-ready physical machine at your location.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Video Narration

Footnotes & references

1: Performance is amazingly good. On my machine (a four-year-old 12-core Mac Pro) I’ve successfully run Windows 98, XP, Vista, 7, 8, and 10, all at the same time, for fun. While not ideal, the fact that this was even possible is pretty impressive.

In addition, askleo.com itself is a virtual machine. Virtual hosting providers use exceptionally high-end servers with multiple cores and lots of disk space and RAM to host multiple instances of various servers for various customers. That the askleo.com server is on such a virtual host is completely transparent to it: it thinks it’s on a dedicated server.

2: Even this isn’t absolute. While your ISP can’t decrypt the data, they might be able to compare characteristics of your download against known downloads of specific files. As a grossly oversimplified example, if they download a specific movie and you download the same movie, the encrypted data might look identical, so they would “know” what you’ve downloaded.

17 comments on “Can My ISP See What I’m Doing If I Use a Virtual Machine (VM)?”

  1. When I started reading that article, I wondered if, maybe, the person asking the question confused VM (Virtual Machine) with VPN (Virtual Private Networking). Then you eventually discussed how a VPN works, so even if the person asked the wrong question you covered it anyway.

    Reply
  2. “Honestly, the best privacy solution is to use a VPN. As long as it’s correctly configured,”

    Unfortunately some Dial up VPN connections leak DNS requests by default, so people may believe they are correctly setup but in fact are still leaking information to their ISP.

    Reply
    • While this is a risk, this is not true of all VPNs. Because this is a known issue many VPNs carefully handle DNS requests as well. (And I’m not sure what you mean by “dial up” VPN. All VPNs are services to which you need to connect to use.)

      Reply
  3. HI Leo what about Proxy servers like the one in Opera web browser? can they still see threw it like normal browsing. i seen you covered VPN and VM but said nothing about proxys?

    Reply
    • A proxy is in a sense a more limited form of VPN. The proxy provider can see everything that goes through the proxy just as if they were your ISP.

      Reply
        • That’s off the mark, in my opinion. Proxies can be (and often are) encrypted as well. I think of Proxies as browser-based web-pages only, whereas VPNs should handle all internet traffic.

          Reply
    • There’s no way to know for sure but in addition to the question of DNS leaking, it’s necessary to be able to trust your VPN. This article discuses Kaspersky Internet Security but it applies equally to any of Kaspersky’s products. Your VPN has access to all of your unencrypted internet traffic and all of the sites you visit. The integrity of your VPN provider is extremely important.
      https://askleo.com/safe-kaspersky-internet-security/

      Reply
  4. Regarding the various versions of Windows you’ve tested in VMs, I would imagine that Windows 98, XP and Vista are so old and no longer updated that you would simply disable the ethernet connection in the VM, and those are then in effect in a closed sand box. Otherwise, same as the PC.

    Reply
    • True. Unfortunately, though, that typically means disabling the network connection which dramatically reduces their ability to access even other machines locally.

      Reply
  5. I do believe that I have heard that there are utility programs that can help you determine if you configured VPN is leaking info?? Do you know about any of these utility programs and how they are used. I would like to lean more about this. Thanks

    Reply
  6. In addition to DNS leaks there are problems with WebRTC leaking information, whilst this is apparently a browser problem it is a concern.

    This is a list of 16 VPN providers who are known to leak according to a report done by Tech Pro Reasearch

    “Of the 74 VPNs analyzed in the report, 16 were leaking data. DNS leaks, WebRTC and IP leaks, and Chrome extension leaks were the most common, the report found.”

    “VPNs leak for a variety of reasons,” the report stated. “DNS server issues and WebRTC API conflicts can cause your true location to shine through. The problem is that these often strike when you least expect it.”

    Hoxx VPN (free & paid version)
    Hola (free version)
    VPN.ht (paid version)
    SecureVPN (paid version)
    DotVPN (free version)
    Speedify (free version)
    Betternet (free version)
    Ivacy (free version)
    Touch VPN (paid version)
    Zenmate (free version)
    Ace VPN (paid version)
    AzireVPN (paid version)
    BTGuard (paid version)
    Ra4w VPN (paid version)
    VPN Gate (free version)

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.