Editor’s note: Nations around the world are struggling with Internet security. This article about a proposed law in the United Kingdom reviews some of the key issues facing Internet users.
Through pressure from Google, Facebook, and other major providers such as Yahoo and Apple, the World Wide Web is slowly becoming more secure, with Web services using HTTPS to encrypt Web traffic by default. However, the arrival of the draft Investigatory Powers Bill raises questions about who can potentially get access to what—here are some answers.
Can anyone see all my Web requests?
Yes. Whenever you see HTTP in the browser’s address bar, any data sent over the link will not be encrypted. This means the address of the page and domain you’re browsing, any data you send, such as in a form, and any data that is returned can all be seen.
Can anyone see my Web requests if I use HTTPS?
No. If you see HTTPS in the browser’s address bar, then the connection is encrypted using SSL/TLS. Only the Internet Protocol (IP) address of the destination (and the port used, usually 443) can be determined. No details of what pages or resources were accessed, nor any further data sent over the connection will be accessible. Google, Facebook, and many other major online services now use HTTPS by default, so all your Google search requests, for example, are protected and your Internet service provider (ISP) cannot see the URL and the results of the request.
If I use HTTPS, will anyone be able to access my details from the remote Web server logs?
Yes. HTTPS tunnels encrypt data across the Internet to prevent eavesdropping, but the traffic is decrypted at either end so the server log will show details of which IP address has accessed what resource and when. As the SSL/TLS used by HTTPS uses a client-server model, the key required to decrypt the connection is available on the server—unlike with end-to-end encryption services where only the parties involved have the decryption key. This means spies and investigators could serve a warrant and demand the service provider hand over its copy of the decryption key and access your communications. HTTPS only protects the transmission of the data over the Internet, and the full details of the request and reply can be logged on the server.
Can my DNS requests be logged?
Yes. DNS—the Domain Name System, which translates human-friendly domain names into the IP addresses of the Web servers where Web pages are located—uses unencrypted User Datagram Protocol (UDP) on port 53. Your ISP will be able to log your DNS requests, and any spies or investigators will be able to request that data.
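To make the HTTP, HTTPS and DNS answers above concrete, here is an added example (not part of the original article) of what a logger sitting on the network path could write down for one packet of each kind. The payloads are constructed samples, and observer_log and the two parsers are hypothetical helper names; the port 443 case follows the article's description that only the destination address and port are available.

```python
import struct

# Constructed sample payloads (not captured traffic).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header, QDCOUNT=1
             b"\x03www\x07example\x03com\x00"                      # QNAME labels
             b"\x00\x01\x00\x01")                                  # QTYPE=A, QCLASS=IN
HTTP_REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Content-Length: 19\r\n\r\nuser=alice&pin=1234")
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)  # stand-in for ciphertext

def parse_dns_qname(payload):
    """Return the name asked for in a raw DNS query (RFC 1035 wire format)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + length > len(payload):
            raise ValueError("malformed label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length

def parse_http_request(payload):
    """Return the URL and body of a cleartext HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return {"method": method, "body": body.decode("latin-1"),
            "url": "http://" + headers.get("Host", "") + path}

def observer_log(proto, dst_ip, dst_port, payload):
    """What an on-path logger can record for one packet (hypothetical helper)."""
    entry = {"dst_ip": dst_ip, "dst_port": dst_port}
    if proto == "udp" and dst_port == 53:
        entry["dns_query"] = parse_dns_qname(payload)
    elif proto == "tcp" and dst_port == 80:
        entry.update(parse_http_request(payload))
    return entry  # anything else, e.g. port 443: payload is opaque ciphertext

if __name__ == "__main__":
    print(observer_log("udp", "192.0.2.53", 53, DNS_QUERY))
    print(observer_log("tcp", "192.0.2.10", 80, HTTP_REQUEST))
    print(observer_log("tcp", "192.0.2.10", 443, TLS_RECORD))
```

The DNS and HTTP entries contain the site name, the full URL and the submitted form data, while the port 443 entry contains nothing beyond the destination address and port.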
Can my ISP determine which of us at home is accessing a certain site?
No. Typically, home broadband connections share a single, traceable public IP address between many computers and smartphones using what’s called Network Address Translation (NAT). Your ISP will log only the single public IP address assigned to your home router, not which individual device in the home was using it at the time.
If I connect to a website using a VPN, will my requests be logged?
Perhaps. A Virtual Private Network (VPN) is a point-to-point encrypted tunnel from one computer to another through the public Internet. Your ISP cannot see the details of the data packets traveling through the tunnel. Exactly what network traffic goes through the encrypted tunnel and what doesn’t depends on how the VPN has been set up. For example, it’s possible to pass DNS through an encrypted tunnel, too, if it is routed to the corporate VPN server. Companies also often use systems called proxy servers, where the details of the computer within the network will not be revealed to external logs.
If I use a Tor browser, will my ISP be able to log my Web requests?
No. Using a Tor-enabled browser, it’s possible to browse the public Internet using the Tor anonymizing network. Your ISP will not be able to see any of the data transmitted, and the Web server log will record only the address of the gateway node—the entry point into the Tor network, not the origin (your browser) or ultimate destination (the Web server).
How can ISPs trace me?
Normally, a session cookie is used for each user’s Web browsing session. These are unencrypted, clear text items which can be harvested when communicating over HTTP and mined for information that will often reveal identifying details about the user.




