If you have been following my router reviews — and you likely have, considering you’re reading this — you’ll note that I have increasingly mentioned the “online privacy risks” notion.
The case of eero must have been the crescendo on this front. As I mentioned in those posts, I was so concerned about the privacy risks that I often felt hesitant to plug these devices into my home network for real-world testing.
Over the years, I’ve received many messages on the subject. Many expressed concerns and asked for advice. Others, for some reason, got defensive and personal, calling me names at worst or accusing me of “being biased” at best. It’s pretty extreme.
Let me break it to you: I was indeed biased in my decision not to test certain devices. Privacy is all about being biased — we only let that special someone in, so to speak. Online privacy, though, has little to do with personal preferences. It’s more about awareness.
In this post, I’ll explain my view on online privacy and the risks of losing it (when using a Wi-Fi router) in simple terms. Whether you agree with me or not, it can be a fun read on a slow news day.
Dong’s note: I first published this post on July 9, 2022, and updated it on January 24, 2024, with the latest relevant information and a FAQ section.
(Real-life) privacy: It’s a matter of degree
To understand online privacy, let’s get on the same page on what privacy means in real life. By that, I don’t mean what the dictionary says.
This subject is complicated, and I’m no shrink. So, keep in mind that everything below is written with a deliberate oversimplification to demonstrate the general idea of online privacy. It might or might not apply to everyone at all or at the same level.
Privacy: The norm
In my crude opinion, real-life privacy, applicable to this post’s topic, is a matter of exposing ourselves to a degree that doesn’t irk or offend any involved parties.
It’s about being appropriate, which includes the desire to be left alone and the ability to leave others alone.
As such, privacy is nuanced. Let’s be a little more specific.
Behind closed doors, anything goes; you do what you want. Alone, you can walk around shirtless, in your underwear, going commando, or even naked. If you’re in a relationship, it’s probably OK to skinny-dip in a private pool when your partner is around — you’d hope so anyway. The more intimate the setting, the less privacy applies to the involved parties.
Out of the door, you generally expect to be anonymous to folks you see on the streets, just like they are to you. Generally, you might acknowledge their existence with a smile, a “Hello, how are you?” or a nod and expect the same in return.
Sometimes you might even try to strike up a friendly conversation, introduce yourself, and learn a bit about a stranger. The whole thing may turn into a new friendship or nothing. But everyone goes on their merry way.
To ensure that you don’t reveal too much about yourself or bother others, you don’t wear your credit card, ID, social security number, or even your name on the back of your shirt, which also means you keep your clothes on.
Sometimes, you need to reveal yourself a bit more, such as when you walk into a store and buy something. Now, you identify yourself via your credit or ID card but only to the party who handles the transaction.
All the while, you know, via visual, that there’s nobody following you, watching what you’re doing, or how you spend your money. The vendors know what you buy, but only within their particular shop.
In other words, though you’ve been exposed to the outside world, your privacy is intact because you’re comfortable with the exposure.
Privacy breach: It’s the unexpected
Once in a while, stuff happens.
Like when you’re having some me-time in your room and the police barge in because they have a “no-knock” warrant and make a mistake on the address.
Or that time when you walked out of the grocery store only to find your car broken into.
Or when you’re busy writing on a deadline in your home office, and your wife walks in asking you to hold your infant baby for an hour because she has “something important” to do.
The last example is a bit of a stretch, but in those cases, you feel bothered or even violated, and rightfully so. It’s the level of (unexpected) exposure you’re uncomfortable facing.
And it can also happen the other way around. A couple of years ago, I stumbled into a section of the Naturist Beach in Brighton (UK). It made me feel uneasy, and it took me a long time to unsee what I saw.
Wondering or confused about what “naturist” means? My case at the time, exactly!
Again, privacy is a matter of being exposed appropriately. As long as the involved parties are comfortable, it’s OK — it’s not a privacy issue.
It’s in the awareness
But to be comfortable or uncomfortable, we first must be aware of what’s going on through our senses. And that’s generally a given in real life, where things are, well, real.
In any case, when we’re not aware, privacy, or the lack thereof, is almost always a security matter — it’s now a risk. Would you walk around your home naked if you know someone — not anyone in particular — is peeping? I wouldn’t.
And that brings us to online privacy.
Privacy risks occur when you’re unaware of your exposure.
Online privacy: Ignorance is (not) bliss
In the cyber world, the notion of general privacy above applies, but the element of awareness doesn’t.
That’s because everything on your screen is literally fake. And there’s always more stuff than what’s shown on the screen.
We rarely know the complete picture of what’s happening behind the scenes — a lot of it is technical and boring, anyway. Let’s take a specific example regarding your personal information via the simple act of visiting a website.
Privacy risks: There’s always hidden stuff
You’re reading this page and probably find it interesting.
Of course! And it gets better!
You might not be aware that you’ve given away your IP address when you visit any website or access any online service. It’s true.
That’s if you know the idea of an IP address, which you might not have until now.
From the IP, I, the website owner, can find out where you come from, how long you’ve been on the site, how often you’ve visited it, etc.
Not long or often enough, mind you!
And that’s fine. So far, that’s similar to when you’ve entered a store. You’re still anonymous.
Now, if you have an account with DKT, such as a subscriber, I’d also know your name and email address — you’re no longer anonymous. But that’s still OK. That’s like you’ve decided to buy something at the store using a credit card. You trust me enough.
But here’s where things start to get scary:
Your home Wi-Fi router “knows” all that, too. In fact, it can monitor everything you do online, including the websites you’ve visited and your other activities, such as shopping, streaming, chatting, texting, and so on.
So, if you (accidentally) send a naked picture of yourself to another party, that picture goes through your router. When you have a live chat with your partner, the entire session goes through the router.
In short, everything you do online goes through a router, likely the one you have at home. The router is the gateway to the Internet, so to speak.
Before you get all freaked out: Not everything that goes through the router can be viewed or read by a third party — at least not easily — since data can be encrypted. But the router always has the metadata of all information passing through it.
Many routers allow you to manage what they keep tabs on and for how long, but you must be the owner — or the controller, to be more precise — to be able to do that.
If you use a router that allows no direct access, or only limited access, to how it works, you don’t know what it really does with your information. And if you use a router made by a company that forces you to log in via an account before you can manage your network, your privacy is generally at the mercy of that company.
In this case, it’s like you actively report your every move to a third party. And this is the scariest part: That happens completely without your direct knowledge. There’s no visual, warning, or ID checking, not a fist bump or a wink. It’s total unawareness.
The gist is that your home router plays a huge part in your online privacy (and security). Not all routers are created equal, but if a router is compromised or controlled by a third party — by design or accident — you and your entire family are at risk of being monitored, scammed, or manipulated. Privacy is among those risks.
It’s worth noting that the behind-the-scenes items I described above are just examples of things that happen when you visit a website. At any given time, there are more parties out there standing by to spy on you, especially when you use a VPN service or a special DNS server.
Online privacy: It’s also a matter of degree
I’ve received many messages from folks saying that data collection is common and happens with all vendors. “There’s no privacy, anyway,” they alluded to.
While that might be true, it’s always in the degree.
Most networking vendors offer options where users can use their products completely without getting connected to the vendor — often, that’s the default. It’s only when you choose to turn on and use certain features, like online protection or QoS, that you would have to log in with an account or risk sharing data with a remote party.
Generally, all online protection or any traffic-related features require data sharing. It’s like in real life, you can’t have protection without somebody (like a bodyguard) watching over you.
Most importantly, popular networking vendors like Asus, Netgear, TP-Link, Ubiquiti, etc., are independent and relatively small companies. Consequently, their data collection and the collected data are somewhat limited in scope and pervasiveness. Sometimes, that’s purely for technical purposes. Still, data collection is never a good thing.
On the other hand, Amazon (which owns eero) and Google (the owner of the Google Nest Wifi brand) have lots of data on their users in different aspects — Amazon is not a networking company. So, for example, if you’re an Amazon Prime user and use an eero router, your exposure (to Amazon) is much higher than if you have a router from another networking vendor.
Come to think about it, the only reason Amazon bought eero in early 2019 might have been because it wanted the user data the then-boutique networking company had designed its routers to collect. It wanted to hook deeper into the home, so to speak.
Tips on Online Privacy
Fragment your exposure by using different services or products for different needs to keep online privacy and security risks low.
The more deeply you get into an “ecosystem” — those of Amazon, Apple, Google, or Facebook — the more likely your privacy is compromised, no matter how you feel or believe.
If you want to stay somewhat anonymous, use different (email) accounts for different (sets of) devices or services.
Convenience is generally the antithesis of online privacy.
Here’s the most important thing: If you want to keep something completely private, don’t put it on the Internet!
It’s worth noting that these policies are designed primarily to protect the company legally. They are not necessarily an accurate indication of what the company will or will not do with your data. And a company itself can be hacked; that has happened.
We’ve been talking degrees, but this is absolutely true: Whoever controls your router can monitor everything you do online. It’s only a matter of what they choose to do with that power and to what degree.
Online privacy: Frequently asked questions
Update: Since I first published this post, I’ve gotten many questions about online privacy and security. Below are a few of them and my answers.
Does my Internet service provider (ISP) spy on me?
Technically, an Internet Service Provider can spy on its users, but whether or not it does depends on whether that makes sense financially. There are two scenarios.
When you use just the terminal device (ONT or modem)
The first one is when you use a terminal device — an Internet receiver such as a cable modem or a Fiber-optic ONT — and a standard router of your choice. In this case, the ISP has no practical reason to spy on you. It’s a matter of profit.
Since a terminal device is a catch-all device, it lets information in and out at the subscribed rate without specificity.
Consequently, the ISP generally only knows the owner of the account who pays for the service, the MAC address of the router, and the Internet traffic that flows through the account — specifically, through the WAN IP address registered to the terminal device.
The ISP does not know which person or device uses which part of the traffic — that specificity is shielded by the router. An Internet connection is almost always shared between multiple parties. Without knowing which party does what, the information an ISP can collect from the account is of little value.
If the ISP wants to find out more, it’ll have to put in more resources and target a particular subscriber’s account. But that doesn’t make sense financially.
ISPs, like all companies, are in business to make money, not to satisfy random curiosity.
When you use an ISP-provided gateway
The second scenario is when you use an ISP-provided gateway, which is a combination terminal device (modem, Fiber ONT, etc.) and a Wi-Fi router in a single box.
If you don’t know what a gateway is, as opposed to a standard Wi-Fi router, check out this post on networking basics.
Now, it’s a different ball game. In this case, the ISP would find it much easier to collect in-depth information from the account.
That’s because, as mentioned above, everything you do will go through the router part of the gateway. Most importantly, all devices connected to the gateway will register with their unique MAC addresses — each device’s online traffic will be separated and categorized accordingly.
That’s not to mention many gateways — such as Comcast’s xFi lineup, which is often advertised as delivering a “layer of advanced security” — allow you to “control” or “manage” your network via a login account and mobile app. The app has different profiles for each or a group of connected clients. Now, the ISP can know exactly who does what among that bulk of traffic that passes through the WAN IP address without having to move a hair — again, you’re the one who actively reports your and your loved ones’ every move.
Using a gateway provided by your ISP doesn’t necessarily mean your ISP spies on you. But to repeat the point above, whoever controls your router can easily monitor your online activities. By the way, you can get a retail gateway, such as the ARRIS SURFboard G54, to avoid this.
Big ISPs generally want you to use their gateways, which are often accompanied by a mobile app associated with a login account. I’d say there are some ulterior motives.
Extra: I use a Cable modem and my own router but still get the DMCA notification from Comcast when I download a movie. What gives?
First and foremost, stop downloading pirated content! Secondly, that’s none of my business.
A DMCA (short for Digital Millennium Copyright Act) notice is what an ISP might send to a subscriber when it detects illegal downloads of copyrighted content via the subscriber’s WAN IP.
The notice states what was detected and when and asks the user to find the content within their network and delete it. That’s it.
If you get such notices, that doesn’t mean the ISP spies on you. It’s quite simple. Imagine your WAN IP is a freeway. We have this crude analogy:
When you stand on an overpass, you can easily see the traffic underneath. You can tell cars from trucks, bikes from cars, and more. You can even point out vehicles violating traffic laws, such as driving on the shoulder or in the wrong lane. But you have no idea how to identify that automobile (against others of the same make, model, and paint color) or the driver.
That’s the level of “spying” the ISP does when sending out that notice.
Read the DMCA notice carefully, and you’ll note that the ISP doesn’t accuse the account owner of doing anything wrong — it can’t prove that.
Just because an Internet connection has been used for illegal purposes doesn’t mean the owner is responsible. And it’s generally impossible to prove (beyond a reasonable doubt) who did it. Again, an Internet connection can be shared between many people, sometimes without the owner’s knowledge or approval. That happens quite often.
However, if the subscriber uses the ISP’s gateway, their situation might be a bit more precarious. Using the same freeway analogy, your observation of the traffic in this case is similar to that of someone working at a tollbooth with cameras, license plate readers, etc., instead of someone standing on the overpass. You can pinpoint exactly which vehicle violates the traffic laws. Even so, proving that someone has done something illegal online still requires a lot of work.
In any case, it’s never a good idea to download illegal content. You might end up with unpleasant surprises.
I use a VPN, so I’m safe?
Sort of, but not necessarily.
If you’re physically in one place and want to appear on the Internet as if you’re somewhere else, a VPN is the best tool. So, using a VPN will help you avoid those pesky DMCA notices above, albeit at the expense of markedly reduced download speed.
But the notion that virtual private networks (VPNs) are good for privacy or security is about as true as the falsehood that ISPs always spy on their users.
I detailed VPNs in this post, but generally, VPNs have little or nothing to do with security or privacy. It’s just a matter of convenience or location spoofing. Privacy or security might or might not apply.
Using a VPN is a double-edged sword. You’re at the mercy of the VPN providers, and in most, if not all, cases, they spy on you (while your ISP doesn’t).
Specifically, when you’re home and use your office VPN, your boss can spy on you. If you use a third-party VPN service — there are many of them — that service will likely collect your online activities and sell the information to advertisers.
The point is, if you believe a VPN keeps you safe, you’re fooling yourself. That depends. The question is a bit irrelevant since, again, VPNs have little or nothing to do with online security or privacy.
When you hear a VPN provider invoke online privacy or security to prop up its service, it’s likely lying to you.
My router has auto firmware updates and regular security patches, so it’s better than those that don’t, right?
Frequent firmware updates and security patches are other nonsense that certain hardware vendors use to promote their products. But let’s get one thing straight: Security patches mean the product is bad. Good hardware (or firmware) shouldn’t need any security patches. That makes sense, no?
The point is there’s nothing glorious in having security patches. It’s a nuisance at best — your network is unavailable during a firmware update — and not something anyone should brag about. In fact, if your device needs patches frequently, you should get rid of it — it’s about as good as a vulnerable device with no patch. Clearly, those patches don’t work.
If your bathtub keeps leaking, you’ll get rid of it or hire a new plumber. Having to get it patched regularly — no matter how easily each time — is in no way a good indication of the tub’s or the patching work’s quality.
But this is a matter of degree. No hardware can be completely free of vulnerabilities, so once in a while, a patch is required. Still, the auto-firmware update removes the user’s freedom to choose. What if you don’t want to update? Or if you want to do that based on your own timeline?
Auto-firmware updating allows the vendor to add, remove, or change things in a home network without the user having any say. Often, that comes with a notice of changes in the “User Agreement” that most users would just agree to since they have no choice anyway.
How would you feel if somebody, no matter how good a person, kept coming to your home and making changes, no matter how “wonderful” the improvement, with a complete disregard for your opinion?
Having no freedom to choose is the worst vulnerability.
Good hardware should give users options, and many routers indeed allow users to turn the auto update on or off, among other things. Some hardware even allows for manual firmware updates, the use of older firmware versions, or even open-source alternatives, such as Merlin or DD-WRT.
In any case, security patches have little to do with the quality of a product — they are irrelevant — and auto-firmware updating only means convenience at best. As mentioned earlier, convenience is the antithesis of online privacy.
On the subject of online privacy, I’ve heard many saying that they “have nothing to hide,” so it doesn’t matter. That’s like saying it’s OK to streak as long as you’re unaware or comfortable with exposing yourself in public, which is illegal in certain areas. Still, I’m nobody to judge.
Unlike running naked, there are real consequences to getting overexposed in the cyber world. It’s hard to imagine anyone can be comfortable with nasty surprises.
Our social circles are similar to an onion with layers that define different levels of intimacy. No matter how open-minded or comfortable you are inside your skin, you might not want to have that instant meaningless zero degree of separation with a stranger whose intention is to benefit themselves at your expense.
And that might be what’s happening right now, to different degrees, depending on which router you’re using, regardless of whether or not you’re aware of or happy with it.