When you open an Incognito tab in Chrome or a Private window in Firefox, the first screen lets you know that while your browsing history and cookies will not be stored in this mode of browsing, you will still be visible to your government or internet service provider (ISP), i.e., they can see what pages you visit.
While reading that disclaimer on the blank page of such incognito tabs, have you ever wondered how your ISP can track your online activity?
Also, you might have heard that HTTPS-encrypted web pages cannot be read by a third party, i.e., no one else, except you and the website you’re on, can determine what you’re doing on that website (what pages you visit, what content you see etc.). So, can your ISP know what web pages you’re visiting if all the pages you visit are HTTPS-encrypted (in simple words, their URL stars with “https://”)?
Let’s start with what an HTTPS encryption really is.
What is the HTTPS protocol?
HTTPS is just good old HTTP, with an extra ‘S’ at the end. While HTTP stands for Hypertext Transfer Protocol, the extra “S” in HTTPS stands for ‘Secure’.
HTTPS is a kind of protocol where encrypted HTTP data is transferred over a secure connection. While HTTP pages are more vulnerable to snooping by third parties, HTTPS pages are not, as they encrypt your communication with the website you’re on.
When you open an HTTPS website on your browser, the website sends its SSL certificate to the latter. SSL (Security Sockets Layer) certificates provide secure and encrypted communication between an internet browser and a website. The SSL certificate contains the ‘public key’ (basically a long digital code) that is required to begin the secure session (between the website and your browser).
Based on this exchange, your browser and the target website do an ‘SSL’ handshake, which involves producing shared ‘secrets’ that help establish a uniquely secure connection between your browser and the website. Once this secure connection is established, the connection between your browser and the website becomes encrypted, meaning that no third party can access the information you share with that website. This is the biggest advantage of HTTPS over HTTP, at least in theory.
In modern browsers, such as Chrome and Firefox, you will see a padlock icon in the browser address bar whenever you visit an HTTPS-encrypted website.
How can your ISP see your online activity?
If you have an internet connection, it means that you have an ISP, i.e., an Internet Service Provider. Not only does an ISP provide an internet connection to its customers, but it also controls it… in a major way!
It doesn’t matter whether you use the Incognito mode and only visit HTTPS-protected websites… your ISP can still see what websites you log on to.
You see, when you visit a website, your computer asks your DNS server (most likely controlled by your ISP) to translate the domain name (e.g. “scienceabc.com”) into an IP address. Subsequently, your computer connects to the server at the given ‘target’ IP address, and then they start ‘talking’ with the help of URLs (i.e., downloading and uploading information).
Notice that you never asked your ISP to take you to those URLs; all you did was ask your DNS server (likely controlled by your ISP) to convert a domain name into an IP address. Once your ISP did that, the rest of the communication was between your browser and the server of the target website, with your ISP acting as a mailman or messenger, i.e., delivering your messages to the website, collecting its reply and then delivering it to you.
Can my ISP still track my online activity if I only use HTTPS-encrypted websites?
It sure can. And in many cases, they actually do.
As mentioned earlier, your ISP acts as a messenger or mailman. It takes your letters and packages where they need to go. Now, HTTPS encryption certainly protects the contents of your letters, but the mailman still has to take those letters from you to the addressee. As such, it has to know where exactly you want to send your letters, right? In other words, it needs to know the address of your addressee.
In a nutshell, your ISP might not be able to see what exactly you’re looking at on a website (say, Youtube) if it’s HTTPS-encrypted, but it can certainly see that you logged on to Youtube. Just as you cannot hide the recipient’s address from the mailman, you also cannot hide which websites you’re accessing from your ISP.
However, there are certain alternatives, like using a VPN (Virtual Private Network), which can protect your online privacy. Unfortunately, these often come at a premium price, and their effectiveness and reliability are often a cause of concern for users.
- Stanford University
- SANS Technology Institute
- Mississippi State University
- University of California, Santa Barbara