Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Can My Mobile Provider Track What I Do Online?

//
Can your mobile data service provider keep track of your online browsing history and activities?

Yes.

Whether or not they do is a different and perhaps even more important question. Exactly how much they might track is also at play.

Naturally, the next question is what to do about it.

Become a Patron of Ask Leo! and go ad-free!

The role of your ISP

It’s important to realize that your ISP — your Internet Service Provider — can see everything you do.

They provide the infrastructure that connects you to the internet and routes the requests and responses between your device and the sites you visit and services you use. Almost by definition, they must know what site you want to visit in order to route your request to that site.

And yes, whoever is providing your internet service, be it your ISP at home, your mobile provider, or the open Wi-Fi at your library, is your Internet Service Provider in that situation, with all the inspection capabilities that implies.

Are you really that interesting?

Mobile ComputingMy first question is, why would they want to monitor your activity?

You and I just aren’t that interesting, and there’s way, way, way too much traffic to monitor or log everyone’s activities. They have more important things to do, like make sure their service is working.

I suppose you could be “someone interesting” for one reason or another. Most people aren’t (even when they think they are), but for a moment let’s assume you’re worth paying attention to.

There are two levels of information an ISP can pay attention to: the sites and services you connect to on the internet, and the data you exchange with those sites and services.

The sites you visit

Seeing the sites you visit and services you use requires nothing more than watching the IP addresses and domain names to which you are connecting.

I’ll use Ask Leo! — https://askleo.com — as my example site, but substitute whatever sites and services you use online.

Your ISP can see when you visit https://askleo.com, because they facilitated your connection to the Ask Leo! server when you visit the site.

That doesn’t mean your activity was logged; only that the information is readily available to the ISP as a side effect of the ISP doing its job. You can’t determine whether it is logged or not; your ISP would have to tell you what they do.

Your activity also doesn’t have to be logged to be blocked. If your ISP was under government orders to prevent https://askleo.com from being accessed, they would simply fail the connection request regardless of who made it. They could choose to log and record who was asking, but again, there’s no way to know.

The information you exchange

Of more interest might be the contents of your interactions with sites and servers on the internet.

While your ISP needs to know you’re accessing Ask Leo! to exchange data between Ask Leo! and your computer, they don’t need to see the actual data. They should just pass it along without looking.

But they could look.

This is where “https” comes in.

Without https — in other words, a plain “http” connection — the questions you enter, searches you perform, and pages you view would all be visible to your ISP or anyone else capable of intercepting the conversation.

With https, your conversation is encrypted in such a way that only you and the remote site or service can decipher it.

But the ISP can still see that you visited the site.

Hiding the sites you visit

The only way to hide which sites and services you visit from your ISP is to use a VPN, or Virtual Private Network, service.

A VPN works by acting as your virtual ISP, remotely, through your actual ISP.

Rather than asking your ISP to connect you to Ask Leo!, you ask it to connect you to the VPN service, and then ask the VPN service to connect you to the site. Whatever you ask of the VPN is hidden from your ISP by encryption. All your ISP sees is that you’re connected to a VPN service, and to which you are connected. Everything else is hidden.

Everything is hidden from your ISP, that is.

As I said, though, the VPN service is now providing your connection to the rest of the internet. In a very real sense, they have become your ISP.

So now they could see everything you do.

Podcast audio

Play

Video Narration

24 comments on “Can My Mobile Provider Track What I Do Online?”

    • Presumably you trust your VPN provider more than you do your ISP. Most VPN providers are fanatic about building a trustworthy reputation. Indeed, it’s a cornerstone of their business model.

      Reply
    • VPNs are useful if a) you plan to torrent or b) you plan to circumvent geo-blocks. Besides that, they’re not really useful at all. Using one doesn’t improve your security and nor does it improve you privacy. The VPN companies have, however, done a very good of hoodwinking people into believing their products are needed.

      Reply
      • Some people might overestimate the level of protection offered by a VPN but VPNs are definitely a layer of protection, especially if you are using your laptop or mobile in a public place. They protect against any sniffing if you are connected to a non SSL website. They also hide all websites you are visiting from any sniffers. But apart from preventing people seeing the websites you are visiting, surfing SSL (HTTPS:) gives you full end to end encryption and full privacy in communication..

        Reply
        • “…..gives you full end to end encryption and full privacy in communication.” — So does HTTPS. That’s actually its purpose: to enable secure transactions over insecure networks..

          ” They protect against any sniffing if you are connected to a non-SSL website.” I can’t remember the last time I encountered a non-SSL website. Additionally, the chance somebody actually sniffing your non-SSL traffic is so minuscule that it’d only worry the most utterly paranoid and, even if they did, it’s traffic that doesn’t matter.

          And, no, unless you’re using a home-brewed VPN, it doesn’t provide you with any additional privacy. You’re basically substituting Starbucks for . Personally, I’d rather trust my security to HTTPS than a company with unclear ownership that’s registered in some far flung corner of the world and which exists primarily to enable people to do shady things.

          VPN companies are serving Kool-Aid and people are lapping it up. Here’s a good read for you.

          https://gist.github.com/joepie91/5a9909939e6ce7d09e29

          Reply
          • If you had read my comment carefully, you would have seen that I mentioned many people overestimate the need for a VPN and that the the only advantage a VPN gives you when accessing a SSL (https:) protected site is to hide the address of the sites you are visiting. And SSL protects you from any possible prying eyes of the VPN.

    • The police or other legal authorities in your location can get a court order to force your ISP to hand over all logs etc. of your activities via their systems. However, using a VPN essentially puts up a virtual wall which your ISP cannot penetrate, therefore are unable to provide the information that the authorities want. And yes these court orders are very often used for fishing expeditions done on very flimsy and spurious grounds.

      Reply
      • An SSL (https:) connection also protects you against an ISP turning over your Internet data exchanges. An SSL connection gives you an end-to-end connection between you and the https: website. A VPN gives you additional protection when visiting non-SSL sites and hides which sites you are visiting. Hiding your sites visited, in some cases, might be important.

        Reply
      • “However, using a VPN essentially puts up a virtual wall which your ISP cannot penetrate, therefore are unable to provide the information that the authorities want.” — But your VPN provider may well be able to provide information to the authorities, and they sometimes do just that:

        “Further, records from PureVPN show that the same email accounts-Lin’s gmail account and the teleportfx gmail account-were accessed from the same WANSecurity IP address. Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses: the RCNIP address fromthe home Lin was living in at the time, and the software company where Lin was employed at the time.”

        https://www.justice.gov/opa/press-release/file/1001841/download

        Bottom line: it’d be a mistake to assume that a $10/month VPN company doesn’t log or that they’ll put up too much of a fight if law enforcement asking for information.

        Reply
  1. I am wondering about Avast . They have a feature that hides your real IP address by deriving it to another city and giving you a fake IP address.
    Is that what you call a VPN link?
    And how efficient is this?
    Thanks

    Reply
    • Depends on what version of Avast you are using , older versions of Secure line and the standalone version leak DNS by default. The newer version has DNS leak protection enabled.

      Reply
    • Anything that claims to hide an IP address is, in some form or another, a VPN. VPNs in general do slow things down somewhat — you’re going through additional equipment and services to get to where you’re doing. Unofortunately I don’t have any good information on just how good Avast’s offering is.

      Reply
  2. “You and I just aren’t that interesting, and there’s way, way, way too much traffic to monitor or log everyone’s activities. ” – Of course we’re interesting. That’s why companies invest heavily in technologies that enable them to track us (browser fingerprinting, for example). It’s also why companies like Google and Facebook collect huge amounts of data about us. It’s also why stores use loyalty card data to track our habits. It’s also why data brokers collect and aggregate huge quantities of data from multiple online and offline sources and compile detailed profiles us as individuals.

    https://www.ftc.gov/news-events/press-releases/2014/05/ftc-recommends-congress-require-data-broker-industry-be-more

    Sorry, but suggesting that we “just aren’t that interesting” is old-school thinking, plain silly and shows a complete lack of understanding as to just how valuable our data is.

    Reply
    • I was unclear/incomplete. As individuals we’re not interesting. I stand by that. No one really cares what Leo Notenboom purchased at the grocery store yesterday, or what he viewed at Amazon. As groups of course, we’re very interesting. All that tracking that concerns you is absolutely tracking the “over 60, white, male, homeowner” demographic. But again, that’s not about me, that’s about the various demographic classes that I happen to fall into.

      Reply
      • “No one really cares what Leo Notenboom purchased at the grocery store yesterday.” – Sure they do. That data is very useful for marketing purposes. For example, the combination of products you purchase may indicate that you’re pregnant and that it’s therefore a good time to start mailing you coupons for baby-related items. This has actually happened:

        http://techland.time.com/2012/02/17/how-target-knew-a-high-school-girl-was-pregnant-before-her-parents/

        And, of course, this data is very likely to be sold to/shared with a data broker who’ll then sell/share it with other companies. Consider the broader implications here. For example, insurance companies are already using big data/broker data and would likely be very interested to know if your purchase history indicates you may have an illness that could shorten your life. Perhaps they’d even like to know if you eat at greasy spoon cafe more often than you should.

        Bottom line: we don’t care anywhere near as much as we should about our data and privacy as we should and nor do we have much in the way of legal protections. Companies can harvest, aggregate and share our data with very little restriction.

        Reply
        • The discussion gets convoluted when we talk about apples and oranges. On the apples corner, of course companies want our information, and they’ll get it, and there isn’t anything we can do about it. As for the oranges, to Leo’s point that “we’re not that interesting”, this is true if you’re talking about the chances of specifically being targeted for a hack, as opposed to the few billion other people on the planet. If you are specifically targeted to be hacked or compromised, again, there isn’t anything you can do about it, regardless of VPN, HTTPS, or whatever. Enjoy the Internet.

          Reply
          • “As for the oranges, to Leo’s point that “we’re not that interesting”, this is true if you’re talking about the chances of specifically being targeted for a hack” — Hacking is utterly irrelevant. The article isn’t about hacking; it’s about tracking. And, yes, we absolutely *are* that interesting to companies.

          • Ray is absolutely correct about everything, all the time. We should always give him the last work. Thank you Ray for your wisdom, insight and contribution. I just wish there were an “Ask Ray” website.

  3. I always wondered how those free VPN services paid their bills.

    Leo, I would appreciate if you could recommend an idiot proof simple to use VPN service. One that is always on without me having to jump through hoops.
    Thanks.

    Reply
    • I’m not sure that there’s a completely simple VPN. The reality is that the technology is just too complex for things like networking (which, honestly, is surprisingly complex all by itself without VPNs). I happen do to use TunnelBear (affiliate link), and it’s relatively seamless when you turn it on, but that doesn’t mean it’s without hiccups from time to time.

      Reply
  4. I’m certainly not going to get in between the interchange of Leo & Ray Smith. But when I go to say a Home Depot site I see ads for items I was viewing on another site like Amazon or someone else. I know Leo had an article on this a while back re 3rd party tracking like DoubleClick & the like. So my specific surfing & content are tracked for marketing purposes. And we know that big companies sell my data & preferences to 3rd party companies for that purpose also. It can be a little unnerving to see an ad for something you viewed on another website appear on a wholly unrelated one.

    Reply
    • I suspect you mean this article: Why Do Ads Follow Me Around the Internet?

      Even in those cases, though, the sites and ads don’t care about “Ron”. They’re not tracking you as a person. They care about “people who looked at X on HomeDepot” or “people who looked at X on Amazon”. Anyone who happens to fall into that category will see that behavior. It’s not about you, personally, it’s about anyone who happens to do X.

      Reply
      • “They’re not tracking you as a person.” — Yes, they absolutely are. To quote a member of the Mozilla team:

        “You might think that this tracking is anonymous, since your real name is not attached to it. But many third-parties do know your real identity. For example, when Facebook acts as a third-party tracker, they can know your identity as long as you’ve created a Facebook account and are logged in — and perhaps even if you aren’t logged in. It is also possible for a tracker to de-anonymize a user by algorithmically exploiting the statistical similarity between their browsing history and their social media profile.”

        And that’s not to mention things like browser fingerprinting which, when combined with various other methodologies, can also effectively strip away your anonymity.

        You may like to do some research into data brokers and how they collect and aggregate data from multiple online and offline sources.(see FTC link I previously posted). You’ll likely find it quite enlightening.

        Reply
    • Above I said “there isn’t anything you can do” about companies tracking you. But, if you are really bothered by seeing ads for something you looked at previously, there are couple of things you can do, although they are really not worth the effort:

      – Clean your cookies every time before going from one site to another. Yes, I know there are many other tracking methods other than “regular” cookies, but to get to those and clean them up means getting painfully technical. Cleaning regular cookies go a long way to suppress the apparent tracking. Easiest way is to use CCleaner.

      – Log out of Google, Facebook or any other account you’re logged into and clear cookies before doing searches, shopping or general browsing.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.