Fabrikant Tech

Tech Specialists

Online Privacy Risks: That 0% of Awareness

If you have been following my router reviews — and you likely have considering you’re reading this — you’ll note that I have mentioned the “online privacy risks” with increasing frequency in the past couple of years.

And the case of the eero Pro 6E must have been the crescendo on this front. As I mentioned in the post, I was so concerned about the privacy risks that, for the first time, I didn’t even want to test it.

Since that post, I’ve gotten many messages on the subject. In a good number, folks expressed concerns and asked for advice. Others, from eero fans presumably, got defensive and personal, calling me names at worst or accusing me of “being biased” at best. It’s quite extreme.

This post is not another one about the eero. I’ll explain my take on online privacy and the risks of losing it (when using a Wi-Fi router) in layman’s terms. Whether or not you agree with me, it can be a fun read on a slow news day.

Dong’s note: I first published this post on July 9, 2022, and updated it on August 9 with a FAQ section.

What happens within your home router is generally a mystery. One thing is for sure: there’s a lot more going on than those (fancy) flashing status lights.

(Real-life) privacy: It’s a matter of degree

To understand online privacy, let’s get on the same page on what privacy means in real life — and I don’t mean what the dictionary says.

Privacy: The norm

In my crude opinion, real-life privacy, applicable to this post’s topic, is a matter of exposing ourselves to the degree that doesn’t irk or offend any involved parties.

It’s about being appropriate, which includes the desire to be left alone and the ability to leave others alone.

As such, privacy is nuanced. Let’s be a little more specific.

Behind closed doors, anything goes; you do what you want. Alone, you can walk around shirtless, in your underwear, going commando, or even naked. If you’re in a relationship, it’s probably OK to skinny-dip in a private pool when your partner is around — you’d hope so anyway. The more intimate the setting, the less privacy applies to the involved parties.

Out of the door, you generally expect to be anonymous to folks you see on the streets, just like they are to you. Generally, you might acknowledge their existence with a smile, a “Hello, how are you?” or a nod and expect the same in return.

Sometimes you might even try to strike up a friendly conversation, introduce yourself, and learn a bit about a stranger. The whole thing may turn into a new friendship or nothing. But everyone goes on their merry way.

To ensure that you don’t reveal too much about yourself or bother others, you don’t wear your credit card, ID, social security number, or even your name on the back of your shirt, which also means you keep your clothes on.

Sometimes, you need to reveal yourself a bit more, such as when you walk into a store and buy something. Now, you identify yourself via your credit or ID card but only to the party who handles the transaction.

All the while, you know, via visual, that there’s nobody following you, watching what you’re doing, or how you spend your money. The vendors know what you buy, but only within their particular shop.

In other words, though you’ve been exposed to the outside world, your privacy is intact because you’re comfortable with the exposure.

Privacy: The unexpected

Once in a while, stuff happens.

Like when you’re having a me-time in your room and the police barge in because they have a “no-knock” warrant and make a mistake on the address.

Or that time when you walk from the train station to your car under heavy rain only to find it has been broken into.

Or when you’re busy writing on a deadline in your home office and your wife walks in asking you to hold your infant baby for an hour because she has “something important” to do.

The last example is a bit of a stretch, but in those cases, you feel bothered or even violated, and rightfully so. It’s the level of (unexpected) exposure you’re uncomfortable facing.

And it can also happen the other way around. A couple of years ago, I stumbled into a section of the Naturist Beach in Brighton (UK). It made me feel uneasy, and took me a long time to unsee what I had seen.

So again, privacy is a matter of being exposed appropriately. So long as involved parties are comfortable, it’s OK — then it’s not a privacy issue.

It’s in the awareness

But to be comfortable or uncomfortable, we first must be aware of what’s going on through our senses. And that’s generally a given in real life, where things are, well, real.

In any case, when we’re not aware, privacy, or the lack thereof, is almost always a security matter — it’s now a risk. Would you walk around your home naked if you knew someone — not anyone in particular — was peeping? I wouldn’t.

And that brings us to online privacy.

Privacy risks occur when you’re unaware of your exposure.

Online privacy: Ignorance is (not) bliss

In the cyber world, the notion of general privacy above applies, but the element of awareness doesn’t.

That’s because everything on your screen is literally fake, as I explained in this post about online security. And there’s always more stuff than what’s shown on the screen.

For the most part, we never know the complete picture of what’s happening behind the scenes — a lot of it is technical and boring, anyway. Let’s take a specific example regarding your personal information via the simple act of visiting a website.

Online privacy: There’s always hidden stuff

You’re reading this page and probably find it interesting — and it gets better. What you might be unaware of is the following:

You’ve given away your IP address. It’s true. That’s the case when you visit any website or access any online service.

From the IP, I, the website owner, can find out where you come from, how long you’ve been on the site, how often you’ve visited it, etc.

And that’s fine. So far, that’s similar to when you’ve entered a store. You’re still anonymous.

Now, if you have an account with DKT, such as a subscriber, I’d also know your name and email address — you’re no longer anonymous. But that’s still OK. That’s like you’ve decided to buy something at the store using a credit card. You trust me enough.

Here’s a section of Dong Knows Tech’s live traffic report, which shows the visitors’ locations, IP addresses, and other info.

But here’s where things start to get scary:

Your Wi-Fi router “knows” all that, too. In fact, it can keep tabs on everything you do online, all the websites you’ve visited, and your other activities, such as shopping, streaming, chatting, texting, and so on.

So, if you happen to (accidentally) send a naked picture of yourself to another party, that picture goes through your router. When you have a live chat with your partner, the entire session goes through the router.

In short, everything you do online goes through a router, likely the one you have at home. The router is the gateway to the Internet, so to speak.

Many routers allow you to manage what they keep tabs on and for how long, but you must be the owner — or the controller, to be more precise — to be able to do that.

If you use a router that allows no direct access, or only limited access, to how it works, you don’t know what it really does with your information. And if you use a router made by a company that forces you to log in via an account before you can manage your network, your privacy is generally at the mercy of that company.

In this case, it’s like you actively report your every move to a third party. And this is the scariest part: That happens completely without your direct knowledge. There’s no visual, warning, or ID checking, not a fist bump or a wink. It’s total unawareness.

The gist is this: your home router plays a huge part in your online privacy (and security). Not all routers are created equal, but if a router is compromised — by design or accident — you and your entire family are at risk of being monitored, scammed, or manipulated. Privacy is among those risks.

It’s worth noting that the behind-the-scenes items I described above are just examples of things that happen when you visit a website. At any given time, there are more parties out there standing by to pry into what you do, especially when you use a VPN service or a special DNS server.

The Web History page of an Asus router

Online privacy: It’s also a matter of degree

Of the messages bashing me about my take on the eero Pro 6E, many said that the data collection is common and happens with all vendors. “There’s no privacy, anyway,” they alluded.

While that might be true, it’s about the degree. Most networking vendors offer options where users can use their products completely without getting connected to the vendor. You only have to log in explicitly or risk data collection when you turn on certain features, like online protection or QoS.

Most importantly, popular networking vendors like Asus, Netgear, TP-Link, Ubiquiti, etc., are independent and relatively small companies. Consequently, their data collection and the collected data are somewhat limited in scope and pervasiveness. Sometimes, that’s purely for technical purposes.

On the other hand, eero is owned by Amazon, which already has lots of data on its users in different aspects — Amazon is not a networking company. So if you’re an Amazon Prime user and use an eero router, your exposure (to Amazon) is much higher than if you have a router from another networking vendor.

Tips on online privacy

To keep your privacy risks low, it’s a good idea to fragment your exposure by using different services or products for different needs.

The more deeply you get into an “ecosystem” — those of Amazon, Apple, Google, or Facebook — the more likely your privacy is compromised, no matter how you feel or believe.

If you want to stay somewhat anonymous, use different (email) accounts for different (sets of) devices or services.

Convenience is generally the antithesis of online privacy.

Here’s the most important thing: If you want to keep something completely private, don’t put it on the Internet!

Again, privacy is a matter of degree. Make sure you read each company’s privacy policy before opening up your network activities. The more vague or general the policy is, the less you should trust the company on this front.

It’s worth noting that these policies are designed primarily to protect the company legally. They are not necessarily an accurate indication of what the company will or will not do with your data. And a company itself can be hacked; that has happened.

We’ve been talking degrees, but this is absolutely true: Whoever controls your router can keep tabs on everything you do online. It’s only a matter of what they choose to do with that power and to what degree.

Online privacy: Frequently asked questions

Since I first published this post, I’ve gotten many questions about online privacy and security. Below are a few of them and my answers.

Does my Internet service provider (ISP) spy on me?

Technically, an Internet Service Provider can spy on its users, but whether or not it does depends on whether that makes sense financially. There are two scenarios.

When you use just the terminal device (ONT or modem)

The first one is when you use a terminal device — an Internet receiver such as a cable modem or a Fiber-optic ONT — and a standard router of your choice. In this case, the ISP has no practical reason to spy on you. It’s a matter of profit.

Since a terminal device is a catch-all device, it lets information in and out at the subscribed rate without specificity.

Consequently, the ISP generally only knows the owner of the account who pays for the service, the MAC address of the router, and the Internet traffic that flows through the account — specifically, through the WAN IP address registered to the terminal device.

The ISP does not know which person or device uses which part of the traffic — that information is shielded by the router. And an Internet connection is almost always shared between multiple parties. Without knowing which party does what, the information an ISP can collect from the account is of little value.

If the ISP wants to find out more, it’ll have to put in more resources and target a particular subscriber’s account. But that doesn’t make sense financially.

ISPs, like all companies, are in the business to make money, not to satisfy random curiosity.

When you use an ISP-provided gateway

The second scenario is when you use an ISP-provided gateway — a device that’s a combo of the terminal device (modem, Fiber ONT, etc.) and a Wi-Fi router in a single box.

Now it’s a different ball game. In this case, it’d be much easier for the ISP if it wants to collect in-depth information from the account.

That’s because, as mentioned above, everything you do will go through the router part of the gateway. Most importantly, all devices connected to the gateway will register with their unique MAC addresses — each’s online traffic will be separated and categorized accordingly.

That’s not to mention many gateways — such as the xFi lineup of Comcast, those often advertised to deliver a “layer of advanced security” — allow you to “control” or “manage” your network via a mobile app with a login account. Now, the ISP can know exactly who does what among that bulk of traffic that passes through the WAN IP address without having to move a hair — again, you’re the one who actively reports your every move.

Using a gateway doesn’t necessarily mean your ISP spies on you. But to repeat the point above, whoever controls your router can easily keep tabs on your online activities.

And big ISPs generally want you to use their gateways. I’d say there are some ulterior motives.
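
To make the two scenarios above concrete, here is an added illustration (not part of the original post) that models a home router's address translation and compares what the router's controller can attribute per device with what a party upstream of the router can see. All MAC addresses, IPs, hostnames, and byte counts are constructed, and the flow records are a simplified assumption of what a router tracks.

```python
from collections import defaultdict
from itertools import count

# Constructed sample data: MACs, IPs and hostnames are made up for illustration.
LAN_FLOWS = [
    {"mac": "aa:aa:aa:00:00:01", "lan_ip": "192.168.1.10", "sport": 51000,
     "dst": "video.example", "bytes": 900_000},
    {"mac": "aa:aa:aa:00:00:01", "lan_ip": "192.168.1.10", "sport": 51001,
     "dst": "shop.example", "bytes": 20_000},
    {"mac": "aa:aa:aa:00:00:02", "lan_ip": "192.168.1.11", "sport": 51000,
     "dst": "video.example", "bytes": 300_000},
    {"mac": "aa:aa:aa:00:00:03", "lan_ip": "192.168.1.12", "sport": 40222,
     "dst": "chat.example", "bytes": 5_000},
]
WAN_IP = "203.0.113.7"                 # documentation address range
ROUTER_WAN_MAC = "02:00:00:00:00:fe"   # the only MAC the modem/ONT side sees


def napt(flows, wan_ip, wan_mac, first_port=40000):
    """Translate LAN flows as a home router does; return (WAN packets, NAT table)."""
    table, ports, out = {}, count(first_port), []
    for f in flows:
        key = (f["lan_ip"], f["sport"])
        if key not in table:           # one WAN port per LAN (ip, port) pair
            table[key] = next(ports)
        out.append({"mac": wan_mac, "src_ip": wan_ip, "sport": table[key],
                    "dst": f["dst"], "bytes": f["bytes"]})
    return out, table


def router_view(flows):
    """Per-device totals: visible to whoever controls the router or gateway."""
    view = defaultdict(lambda: defaultdict(int))
    for f in flows:
        view[f["mac"]][f["dst"]] += f["bytes"]
    return {mac: dict(dsts) for mac, dsts in view.items()}


def upstream_view(wan_packets):
    """Totals as seen upstream of the router, keyed by the source it can observe."""
    view = defaultdict(lambda: defaultdict(int))
    for p in wan_packets:
        view[(p["mac"], p["src_ip"])][p["dst"]] += p["bytes"]
    return {src: dict(dsts) for src, dsts in view.items()}


if __name__ == "__main__":
    packets, nat_table = napt(LAN_FLOWS, WAN_IP, ROUTER_WAN_MAC)
    print("Router/gateway view (per device):")
    for mac, dsts in router_view(LAN_FLOWS).items():
        print(" ", mac, dsts)
    print("Upstream view (behind a plain modem/ONT):")
    for src, dsts in upstream_view(packets).items():
        print(" ", src, dsts)
    print("NAT table entries held only by the router:", len(nat_table))
```

The same traffic totals appear in both views; what differs is that only the party holding the router's translation table and LAN-side MAC addresses can split them by device.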

Extra: I use a Cable modem and my own router but still get the DMCA notification from Comcast when I download a movie. What gives?

First and foremost, stop downloading pirated content! Secondly, that’s none of my business.

That dreadful DMCA notice Comcast sends to its Xfinity users.

A DMCA (short for Digital Millennium Copyright Act) notice is what an ISP might send to a subscriber when it detects illegal downloads of copyrighted content via the subscriber’s WAN IP.

The notice states what was detected and when and asks the user to find the content within their network and delete it. That’s it.

If you get such notices, that doesn’t mean the ISP spies on you. It’s quite simple. Imagine your WAN IP is a freeway. We have this crude analogy:

When you stand on an overpass, you can easily see the traffic underneath. You can tell cars vs trucks vs bikes, etc., and more.

You can even point out vehicles violating traffic laws, such as driving on the shoulder or in the wrong lane. But you have no idea how to identify that automobile (against others of the same make, model, and paint color) or the driver.

And that’s the level of “spying” the ISP has when sending out that notice. (That’s also the level it has in general when a subscriber uses a terminal device.)

Read the DMCA notice carefully, and you’ll note that the ISP doesn’t accuse the account owner of doing anything wrong — it can’t prove that.

Just because an Internet connection has been used for illegal stuff doesn’t mean it’s the owner who’s done it. And it’s generally impossible to prove (beyond a reasonable doubt) who did it. Again, an Internet connection can be shared between many people, sometimes without the owner’s knowledge or approval. That happens quite often.

If the subscriber uses the ISP’s gateway, their situation might be a bit more precarious. But even then, proving that they are the ones who have done something illegal online still requires a lot of work.

But, in any case, it’s not a good idea to download illegal content. Among other things, you might end up with unpleasant surprises.

I use VPN, so I’m safe?

Not necessarily.

If you want to avoid those pesky DMCA notices above, using a VPN will help. Or if you’re physically at one place and want to appear on the Internet as if you’re somewhere else, a VPN is the best tool.

But the notion that virtual private networks (VPNs) are good for privacy or security is about as true as the notion that ISPs always spy on their users.

I detailed VPNs in this post, but generally, VPNs have nothing to do with security or privacy. It’s just a matter of convenience or location spoofing. Privacy or security might or might not apply.

In fact, using a VPN is a double-edged sword. You’re at the mercy of the VPN providers. In most, if not all, cases, they are the ones that spy on you (while your ISP doesn’t).

Specifically, when you’re home and use your office VPN, your boss can spy on you. If you use a third-party VPN service — there are many of them — that service will likely collect your online activities and sell the information to advertisers.

The point is, if you believe a VPN keeps you safe, you’re fooling yourself. That depends.

My router has auto firmware updates and regular security patches. It’s better than those that don’t, right?

Frequent firmware updates and security patches are another piece of nonsense that certain hardware vendors use to prop up their products. (Again, the notorious actor, in this case, is eero.)

Let’s get one thing straight: Security patches mean the product is bad. Good hardware (or firmware) shouldn’t need any security patches. (That makes sense, no?)

But this is a matter of degree. No hardware can be completely free of vulnerabilities, so once in a while, a patch is necessary.

The point is there’s nothing glorious in having security patches. It’s not something anyone should brag about. In fact, if your device needs patches frequently, you should get rid of it — it’s about as good as a vulnerable device with no patch. Clearly, those patches don’t work.

Another thing to note is that the auto-firmware update approach is evil. It takes away the user’s freedom to choose and allows the vendor to control the device completely, even for the worse. What if a new version breaks things, and you want to skip it?

Auto-firmware updating allows the vendor to add, remove, or change things in a home network without the user having any say. (Often, that comes with a notice of changes in “User Agreement” that most users would just agree to since they have no choice anyway.)

Good hardware should give users options, not force the vendor’s will on them. And many routers allow users to turn the auto update on or off, among other things.

Some hardware allows for manual firmware updates, meaning you can use older versions or even open-source alternatives, such as Merlin or DD-WRT. That’s not all good or user-friendly, but at least you know you have a choice.

Having no freedom to choose is the worst vulnerability.

In any case, auto-firmware updating sure is convenient. And as mentioned earlier, convenience is the antithesis of online privacy. Keep that in mind.

The takeaway

Regarding online privacy, I’ve heard many saying that they “have nothing to hide,” so it doesn’t matter. That’s like saying it’s OK to streak as long as you’re unaware or comfortable with the fact that you’re naked. And I’m nobody to judge.

Unlike running naked, there are real consequences to getting overexposed in the cyber world. And I’m not sure if anyone can be comfortable with nasty surprises.

Our social circles are similar to an onion with layers that define different levels of intimacy. No matter how open-minded or comfortable you are inside your skin, you might not want to have that instant meaningless zero degree of separation with a stranger whose intention is to benefit themselves at your expense.

And that might be what’s happening right now. To different degrees. Depending on which router you’re using. Whether or not you’re aware of or happy with it.