The federal government has authorized your internet service provider to spy on you. The right was enshrined by a 2017 act of Congress that cancelled anti-spying regulations enacted by the Obama-era Federal Communications Commission. Today, your ISP can log every place you go online and use that data any way it wants, such as building user profiles for its own or other companies’ advertising platforms.
But ISPs’ most powerful spying tool is now easy to block, by encrypting what’s called a DNS request—a bit of data that announces the websites you visit. Mozilla’s Firefox browser already offers DNS encryption as an option, and it’s about to turn it on by default in the coming days or weeks. This protects you not only from a snooping ISP but also from a hacker who wants to watch your surfing or even redirect you to bogus sites containing malware.
Google also plans to make DNS encryption possible in its Chrome web browser and Android operating system, although in a much slower fashion that involves coordinating with the internet service providers. Nevertheless, ISPs recently sent a letter to six House and Senate Committees asking them to stop Google from moving forward. News site Motherboard also unearthed a misleading slide deck that Comcast lobbyists are using to sway politicians.
Today, Comcast published a post announcing that it does not track the websites customers visit or the apps they use. Comcast further says that it doesn’t build profiles and has never sold user information. These are all voluntary measures, however. There’s no law or regulation (at least at the national level) to prevent an ISP from doing any of this.
The skinny on DNS
While the politics play out, you can take simple steps right now to secure your surfing. Here’s a quick explanation of how DNS works, and how to encrypt it.
Typing “Google.com” into your browser means nothing to the internet, which needs a numerical IP address like 126.96.36.199 in order to find Google’s web servers, which host its site. To resolve the problem, your browser first visits a domain name system (DNS) server, which maintains a lookup table of web domains and their corresponding IP addresses. By default, your computer (or phone or tablet) uses the DNS server provided by your ISP, giving the company a handy list of all the sites you visit.
The privacy solution is called DNS over HTTPS, which uses the same encryption that secures your connections to most websites. (You can spot those web addresses because they start with “https” and are designated by a lock icon.) Mozilla is the furthest along, introducing both the encryption technology and an encrypted DNS service provider, run by cloud computing company Cloudflare. The latter has agreed to purge any data it collects and not provide it to any other parties. Mozilla is close to signing on additional DNS providers under the same terms, says Marshall Erwin, senior director of trust and security at Mozilla.
Setting it up
The easiest fix is to use the Firefox browser, as the switchover to DNS over HTTPs is about to start. If you just can’t wait, or you want to use another browser, here’s what to do.
On the desktop
To enable DNS encryption in Firefox, click the “hamburger” (three horizontal line) icon on the upper right of the program window. Click Preferences > General > Network Settings, scroll to the bottom of the popup window and check the box next to “Enable DNS over HTTPS.”
If you prefer another browser, you’ll need to change the DNS settings in your computer’s operating system. Cloudflare offers detailed instructions for Windows, Mac, and Linux. While the instructions are straightforward, bear in mind that making a mistake here could knock your whole system offline until you figure out what you did wrong.
On mobile devices
It doesn’t matter what browser you use on Android or iOS devices. Cloudflare provides a free app called 188.8.131.52 that automatically shifts all of your internet-connected apps (not just browsers) to its encrypted DNS service. The 184.108.40.206 app also provides a free virtual private network (VPN) that encrypts all your internet traffic, protecting you even more from snoops and hackers.
This article has been updated with comment from Comcast describing a policy of not tracking users via DNS. A previous version of the headline erroneously implied that Comcast was spying on users.