If you have been following my router reviews — and you likely have, considering you’re reading this — you’ll note that I tend to mention the “online privacy risks” in increasing instances in the past couple of years.
And the case of the eero Pro 6E must have been the crescendo on this front. As I mentioned in the post, I was so concerned about the privacy risks that, for the first time, I didn’t even want to test it.
Since that post, I’ve gotten many messages on the subject. In a good number, folks expressed concerns and asked for advice. Others, from eero fans presumably, got defensive and personal, calling me names at worst or accusing me of “being biased” at best. It’s pretty extreme.
Let me break it to you: I was indeed biased in my decision not to test the eero Pro 6E. Privacy is all about being biased — we only let that special someone in, so to speak. Online privacy, though, has little to do with personal preferences. It’s more about awareness.
This post is not another one about the eero. I’ll explain in simple terms my take on online privacy and the risks of losing it (when using a Wi-Fi router). Whether or not you agree with me, it can be a fun read on a slow news day.
Dong’s note: I first published this post on July 9, 2022, and updated it on August 9 with a FAQ section.
Table of Contents
(Real-life) privacy: It’s a matter of degree
To understand online privacy, let’s get on the same page on what privacy means in real life — and I don’t mean what the dictionary says.
This subject is complicated, and I’m no shrink. So, keep in mind that everything below is written with a deliberate oversimplification to demonstrate the general idea of online privacy. It might or might not apply to everyone, at all or at the same level.
Privacy: The norm
In my crude opinion, real-life privacy, applicable to this post’s topic, is a matter of exposing ourselves to the degree that doesn’t irk or offend any involved parties.
It’s about being appropriate, which includes the desire to be left alone and the ability to leave others alone.
As such, privacy is nuanced. Let’s be a little more specific.
Behind closed doors, anything goes; you do what you want. Alone, you can walk around shirtless, in your underwear, going commando, or even naked. If you’re in a relationship, it’s probably OK to skinny-deep in a private pool when your partner is around — you’d hope so anyway. The more intimate the setting, the less privacy apply to the involved parties.
Out of the door, you generally expect to be anonymous to folks you see on the streets, just like they are to you. Generally, you might acknowledge their existence with a smile, a “Hello, how are you?” or a nod and expect the same in return.
Sometimes you might even try to strike up a friendly conversation, introduce yourself, and learn a bit about a stranger. The whole thing may turn into a new friendship or nothing. But everyone goes on their merry way.
To ensure that you don’t reveal too much about yourself or bother others, you don’t wear your credit card, ID, social security number, or even your name on the back of your shirt, which also means you keep your clothes on.
Sometimes, you need to reveal yourself a bit more, such as when you walk into a store and buy something. Now, you identify yourself via your credit or ID card but only to the party who handles the transaction.
All the while, you know, via visual, that there’s nobody following you, watching what you’re doing, or how you spend your money. The vendors know what you buy, but only within their particular shop.
In other words, though you’ve been exposed to the outside world, your privacy is intact because you’re comfortable with the exposure.
Privacy: The unexpected
Once in a while, stuff happens.
Like when you’re having a me-time in your room and the police barge in because they have a “no-knock” warrant and make a mistake on the address.
Or that time when you walk from the train station to your car under heavy rain only to find it has been broken in.
Or when you’re busy writing on a deadline in your home office and your wife walks in asking you to hold your infant baby for an hour because she has “something important” to do.
The last example is a bit of a stretch, but in those cases, you feel bothered or even violated, and rightfully so. It’s the level of (unexpected) exposure you’re uncomfortable facing.
And it can also happen the other way around. A couple of years ago, I stumbled into a section of the Naturist Beach in Brighton (UK). It made me feel uneasy, and took me a long time to unsee what I had seen.
Wondering or confused about what “naturist” means? My case at the time, exactly!
So again, privacy is a matter of being exposed appropriately. So long as involved parties are comfortable, it’s OK — then it’s not a privacy issue.
It’s in the awareness
But to be comfortable or uncomfortable, we first must be aware of what’s going on through our senses. And that’s generally a given in real life, where things are, well, real.
In any case, when we’re not aware, privacy, or the lack thereof, is almost always a security matter — it’s now a risk. Would you walk around your home naked if you know someone — not anyone in particular — is peeping? I wouldn’t.
And that brings us to online privacy.
Privacy risks occur when you’re unaware of your exposure.
Online privacy: Ignorance is (not) bliss
In the cyber world, the notion of general privacy above applies, but the element of awareness doesn’t.
That’s because everything on your screen is literally fake, as I explained in this post about online security. And there’s always more stuff than what’s shown on the screen.
For the most part, we never know the complete picture of what’s happening behind the scenes — a lot of it is technical and boring, anyway. Let’s take a specific example regarding your personal information via the simple act of visiting a website.
Online privacy: There’s always hidden stuff
You’re reading this page and probably find it interesting — and it gets better. What you might be unaware of is the following:
You’ve given away your IP address. It’s true. That’s the case when you visit any website or access any online service.
That’s if you know the idea of an IP address which you might not have until now.
From the IP, I, the website owner, can find out where you come from, how long you’ve been on the site, how often you’ve visited it, etc.
Not long or often enough, mind you!
And that’s fine. So far, that’s similar to when you’ve entered a store. You’re still anonymous.
Now, if you have an account with DKT, such as a subscriber, I’d also know your name and email address — you’re no longer anonymous. But that’s still OK. That’s like you’ve decided to buy something at the store using a credit card. You trust me enough.
But here’s where things start to get scary:
Your Wi-Fi router “knows” all that, too. In fact, it can keep tabs on everything you do online, all the websites you’ve visited, and your other activities, such as shopping, streaming, chatting, texting, and so on.
So, if you happen to (accidentally) send a naked picture of yourself to another party, that picture goes through your router. When you have a live chat with your partner, the entire section goes through the router.
In short, everything you do online goes through a router, likely the one you have at home. The router is the gateway to the Internet, so to speak.
Before you get all freaked out: Not everything that goes through the router can be viewed or read by a third party — at least not easily — since data can be encrypted. But the router always has the metadata of all information passing through it.
Many routers allow you to manage what it keeps tabs on and for how long, but you must be the owner — or the controller, to be more precise — to be able to do that.
If you use a router that doesn’t allow direct access to how it works or limited access, you don’t know what it really does with your information. And if you use a router made by a company that forces you to log in via an account before you can manage your network, your privacy is generally at the mercy of that company.
In this case, it’s like you actively report your every move to a third party. And this is the scariest part: That happens completely without your direct knowledge. There’s no visual, warning, or ID checking, not a fist bump or a wink. It’s total unawareness.
The gist is this your home router plays a huge part in your online privacy (and security.) Not all routers are created equal, but if a router is compromised — by design or accident — you and your entire family are at risk of being monitored, scammed, or manipulated. Privacy is among those risks.
If your home router is compromised — by design or otherwise — your entire family are at risk of being monitored, scammed, or manipulated. Privacy is among those risks.
It’s worth noting that the behind-the-scene items I described above are just examples of things that happen when you visit a website. At any given time, there are more parties out there standing by to pry on you, especially when you use a VPN service or a special DNS server.
Online privacy: It’s also a matter of degree
Of the messages bashing me about my take on the eero Pro 6E, many said that data collection is common and happens with all vendors. “There’s no privacy, anyway,” they alluded.
While that might be true, it’s about the degree.
Most networking vendors offer options where users can use their products completely without getting connected to the vendor — in most cases, that’s the default. It’s only when you choose to turn on and use certain features, like online protection or QoS, that you would have to log in with an account or risk sharing data with a remote party.
Generally, all online protection or any traffic-related features require data sharing. It’s like in real life, you can’t have protection without somebody (like a bodyguard) watching over you.
Most importantly, popular networking vendors like Asus, Netgear, TP-Link, Ubiquiti, etc., are independent and relatively small companies. Consequently, their data collection and the collected data are somewhat limited in scope and pervasiveness. Sometimes, that’s purely for technical purposes. Still, data collection is never a good thing.
On the other hand, eero is owned by Amazon, which already has lots of data on its users in different aspects — Amazon is not a networking company. So if you’re an Amazon prime user and use an eero router, your exposure (to Amazon) is much higher than if you have a router from another networking vendor.
Come to think about it, the only reason Amazon bought eero in early 2019 might have been because it wanted the user data the then-boutique networking company had designed its routers to collect. It wanted to hook deeper into the home, so to speak.
Tips on online privacy
To keep online privacy and security risks low, it’s a good idea to fragment your exposure by using different services or products for different needs.
The more deeply you get into an “ecosystem” — those of Amazon, Apple, Google, or Facebook — the more likely your privacy is compromised, no matter how you feel or believe.
If you want to stay somewhat anonymous, use different (email) accounts for different (sets of) devices or services.
Convenience is generally the antithesis of online privacy.
Here’s the most important thing: If you want to keep something completely private, don’t put it on the Internet!
It’s worth noting that these policies are designed to protect the company legally primarily. They are not necessarily an accurate indication of what the company will or will not do with your data. And a company itself can be hacked; that has happened.
We’ve been talking degrees, but this is absolutely true: Whoever controls your router can keep tabs on everything you do online. It’s only a matter of what they choose to do with that power and to what degree.
Online privacy: Frequently asked questions
Update: Since I first published this post, I’ve gotten many questions about online privacy and security. Below are a few of them and my answers.
Does my Internet service provider (ISP) spy on me?
Technically, an Internet Service Provider can spy on its users, but whether or not it does depends on when that makes sense financially. There are two scenarios.
When you use just the terminal device (ONT or modem)
The first one is when you use a terminal device — an Internet receiver such as a cable modem or a Fiber-optic ONT — and a standard router of your choice. In this case, the ISP has no practical reason to spy on you. It’s a matter of profit.
Since a terminal device is a catch-all device, it lets information in and out at the subscribed rate without specificity.
Consequently, generally, the ISP only knows the owner of the account who pays for the service, the MAC address of the router, and the Internet traffic that flows through the account — specifically, through the WAN IP address registered to the terminal device.
The ISP does not know which person or device uses which part of the traffic — that information is shielded by the router. And an Internet connection is almost always shared between multiple parties. Without knowing which party does what, the information an ISP can collect from the account is of little value.
If the ISP wants to find out more, it’ll have to put in more recourses and target a particular subscriber’s account. But that doesn’t make sense financially.
ISPs, like all companies, are in the business to make money, not to satisfy random curiosity.
When you use an ISP-provided gateway
The second scenario is when you use an ISP-provided gateway — a device that’s a combo of the terminal device (modem, Fiber ONT, etc.) and a Wi-Fi router in a single box.
If you don’t know what a gateway is, as opposed to a router, check out this post on networking basics.
Now it’s a different ball game. In this case, it’d be much easier for the ISP if it wants to collect in-depth information from the account.
That’s because, as mentioned above, everything you do will go through the router part of the gateway. Most importantly, all devices connected to the gateway will register with their unique MAC addresses — each’s online traffic will be separated and categorized accordingly.
That’s not to mention many gateways — such as the xFi lineup of Comcast often advertised to deliver a “layer of advanced security” — allow you to “control” or “manage” your network via a mobile app with a login account. Now, the ISP can know exactly who does what among that bulk of traffic that passes through the WAN IP address without having to move a hair — again, you’re the one who actively reports your every move.
Using a gateway provided by your ISP doesn’t necessarily mean your ISP spies on you. But to repeat the point above, whoever controls your router can easily keep tabs on your online activities.
And big ISPs generally want you to use their gateways. I’d say there are some ulterior motives.
Extra: I use a Cable modem and my own router but still get the DMCA notification from Comcast when I download a movie. What gives?
First and foremost, stop downloading pirated content! Secondly, that’s none of my business.
A DMCA, short for Digital Millennium Copy Right Act, notice is what an ISP might send to a subscriber when it detects illegal downloads of copyrighted content via the subscriber’s WAN IP.
The notice states what was detected and when and asks the user to find the content within their network and delete it. That’s it.
If you get such notices, that doesn’t mean the ISP spies on you. It’s quite simple. Imagine your WAN IP is a freeway. We have this crude analogy:
When you stand on an overpass, you can easily see the traffic underneath. You can tell cars vs trucks vs bikes, etc., and more.
You can even point out vehicles violating traffic laws, such as driving on the shoulder or in the wrong lane. But you have no idea how to identify that automobile (against others of the same make, model, and paint color) or the driver.
And that’s the level of “spying” the ISP has when sending out that notice. (That’s also the level it has in general when a subscriber uses a terminal device.)
Read the DMCA notice carefully, you’ll note that the ISP doesn’t accuse the account owner of doing anything wrong — it can’t prove that.
Just because an Internet connection has been used for illegal stuff doesn’t mean it’s the owner who’s done it. And it’s generally impossible to prove (beyond a reasonable doubt) who did it. Again, an Internet connection can be shared between many people, sometimes without the owner’s knowledge or approval. That happens quite often.
Suppose the subscriber uses the ISP’s gateway(*), their situation might be a bit more precarious. But even then, proving that they are the ones who have done something illegal online still requires a lot of work.
(*) Using the same freeway analogy, your observation of the traffic is now similar to those working for a tollbooth with cameras and license plate readers, etc., instead of someone standing on the overpass.
But, in any case, it’s not a good idea to download illegal content. Among other things, you might end up with unpleasant surprises.
I use a VPN, so I’m safe?
If you want to avoid those pesky DMCA notices above, using a VPN will help. Or if you’re physically at one place and want to appear on the Internet that you’re somewhere else, VPN is the best tool.
But the notion that virtual private networks (VPNs) are good for privacy or security is about as true as ISPs always spy on their users.
I detailed VPNs in this post, but generally, VPNs have little or nothing to do with security or privacy. It’s just a matter of convenience or location spoofing. Privacy or security might or might not apply.
In fact, using VPN is a double-edged sword. You’re at the mercy of the VPN providers. In most, if not all, cases, they are the ones that spy on you (while your ISP doesn’t).
Specifically, when you’re home and use your office VPN, your boss can spy on you. If you use a third-party VPN service — there are many of them — that service will likely collect your online activities and sell the information to advertisers.
The point is, if you believe a VPN keeps you safe, you’re fooling yourself. That depends. The question is a bit irrelevant since, a gain, VPNs have little or nothing to do with online security or privacy.
When you hear a VPN provider invoke online privacy or security to prop up its service, it’s likely lying to you.
My router has auto firmware updates and regular security patches. It’s better than those that don’t, right?
Frequent firmware updates and security patches are another nonsense that certain hardware vendors use to prop up their products. (Again, the notorious actor, in this case, is eero.)
Let’s get one thing straight: Security patches mean the product is bad. Good hardware (or firmware) shouldn’t need any security patches. (That makes sense, no?)
But this is a matter of degree. No hardware can be completely free of vulnerabilities, so once in a while, a patch is necessary.
The point is there’s nothing glorious in having security patches. It’s a nuisance at best — your network is unavailable during a firmware update — and not something anyone should brag about. In fact, if your device needs patches frequently, you should get rid of it — it’s about as good as a vulnerable device with no patch. Clearly, those patches don’t work.
If your bathtub keeps leaking, you’d get rid of it or hire a new plumber. Having to get it patched regularly — no matter how easily each time — is in no way a good indication of the tub’s or the patching work’s quality.
Another thing to note is that the auto-firmware update approach is evil. It takes away the user’s freedom to choose and allows the vendor to control the device completely and, most of the time, for worse. Even when well-intentioned, a shoddy firmware version can break things, and what if you want to skip one?
How would you feel if somebody, no matter how good a person, kept coming to your home and making changes, no matter how “wonderful” the improvement, with a complete disregard for your opinion? And if you wonder “how can they get in, in the first place?”, you catch my drift.
Auto-firmware updating allows the vendor to add, remove, or change things in a home network without the user having any say. (Often, that comes with a notice of changes in the “User Agreement” that most users would just agree to since they have no choice anyway.)
Good hardware should give users options, not forcing the vendor’s will on them. And many routers allow users to turn the auto update on or off, among other things.
Some hardware allows for manual firmware updates, meaning you can use older versions or even open-source alternatives, such as Merlin or DD-WRT. That’s not all good or user-friendly, but at least you know you have a choice.
Having no freedom to choose is the worst vulnerability.
In any case, security patches have little to do with the quality of a product — they are irrelevant — and auto-firmware updating only means convenience at best. And as mentioned earlier, convenience is the antithesis of online privacy. Keep that, and the matter of degree, in mind.
Regarding online privacy, I’ve heard many saying that they “have nothing to hide,” so it doesn’t matter. That’s like saying it’s OK to streak as long as you’re unaware or comfortable with the fact that you’re naked. And I’m nobody to judge.
Unlike running naked, there are real consequences to getting overexposed in the cyber world. And I’m not sure if anyone can be conformable with nasty surprises.
Our social circles are similar to an onion with layers that define different levels of intimacy. No matter how open-minded or comfortable you are inside your skin, you might not want to have that instant meaningless zero degree of separation with a stranger whose intention is to benefit themselves at your expense.
And that might be what’s happening right now. To different degrees. Depending on which router you’re using. Whether or not you’re aware of or happy with it.
Comments are subject to approval, redaction, or removal.
It's generally faster to get answers via site/page search. Your question/comment is one of many Dong Knows Tech receives daily.
(•) If you represent a company/product mentioned here, please use the contact page or a PR channel.
15 thoughts on “Your Router and Online Privacy Risks: Be Aware of that Hidden Potential Danger”
> Let’s get one thing straight: Security patches mean the product is bad. Good hardware (or firmware) shouldn’t need any security patches. (That makes sense, no?)
I appreciated most of your article but have an issue with this section. There are always going to be new security issues discovered in a world of open source software, and there will always be a need to patch them in a world of botnets that can sweep the internet for such vulnerabilities. Android and iOS receive monthly patches for such issues, not necessarily because Google or Apple dropped the ball in implementation (though that can be the case too) but because the reality we live in is that there are common libraries that regularly have new vulnerabilities registered and fixed. Linux, Windows, and Mac are regularly patched for the same reason. Our routers are the one device we own that will receive the vast brunt of attacks given their persistent internet connections and frankly because most router manufacturers are not patching regularly so it is more likely that problems that were fixed long ago are still present on a good number of routers. All that to say: I firmly disagree that any router that is not receiving regular security updates is good, and that routers that do receive them are bad. It’s the opposite.
You read into it, Peter, yet missed the point entirely. I only meant that if there’s a need for a security patch, then the hardware is bad. That applies to *all* of them. The point here is that there’s nothing glorious or bragging-worthly about security patches. Some hardware (and software) have more vulnerabilities than others; that’s always been the case.
But yes, if the hardware has vulnerability and no patch, then that’s even worse (this is the notion I didn’t mention.) Make sure you read the entire post, not one or two sentences, and then make assumptions.
Thanks for the great info. I would like to shorten the range to my apartment. I live on the third floor, but my wifi reaches and is accessible on the third floor. Someone in my building is hacking me. How can I shorten my wifi range?
I would appreciate your help.
I wouldn’t worry about some extra range, Nesa. Just make sure you have a good password for your Wi-Fi network — change it if you think it’s been leaked. Some routers, such as those from Asus, Netgear, Synology, or TP-Link have an option for you to lower the broadcasting power, but still, that’s not necessary. But if you’re super paranoid, then you just have to stop using Wi-Fi at all. There’s no way to contain radio signals precisely within an area.
Amazon Alexa on Asus ET12 router?
Aloha Dong, yes just got my single ET12 unit and excited setting it up and saw a login for Amazon Alexa skill.
Glad I didnt log in because of what I read in your article mentioning the Eero from Amazon. I do have a few Alexa speakers around the home and a Ecobee Premium with Alexa I already am logged in to.
What is your advice on all these logged in devices? I am looking to add a door bell camera and exterior cameras. I always like to self monitor but it looks like no matter what you get if you are connected to the internet my old VPN really does nothing for privacy.
As always Mahalo for keeping us Teched Up.
I’d not use Alexa for the router. I mentioned that once a long time ago in the review of the Blue Cave. (https://dongknows.com/asus-blue-cave-router-review/).
There’s no absolute privacy, it’s about the degree and how to fragment your exposure as mentioned in the Tips above.
Hi! Excellent article topic! Thanks for keeping it simple. I am curious as to where or if using an apple HomeKit router fits into all of this. Is there much added benefit when choosing this? Can the same level of privacy be achieved through settings changes on another router? I have seemingly plenty of HomeKit questions, and high hopes that it will one day make sharing or hiding personal information more transparent and easier protect. Is it all that it seems to be and more, or is it apple putting its magical marketing spin on it. Maybe a good future article to break down what it is and isn’t? Thanks!
Anything that you have to log in with an account to use will spy on you, Frank. So fragment your devices to minimize the exposure, as mentioned in the tips.
Thank you, I don’t exactly know what that means to fragment my devices. Is that for example shop on my iPad and not on my phone? Is there a setting to change on my router that does this. Sorry, unfortunately I’m out of my league when it comes to this kind of thing and a lot of this goes over my head.
I explained that in the second paragraph of the tips. But that means don’t use the same ecosystem for everything. It’s nuanced. For example, you can use an Apple iPad and a Google phone, a smart lock from one company and an IP camera from another. etc.
To be honest, you’re part of the demographics most vulnerable to vendor data collection, etc. Take some time to do some serious reading. You’ll get above it.
Dong, as usual, you tell it like it is. Thanks for the easy to follow primer on privacy. It really does boil down to convenience v privacy. I’ve been telling people that for years. There’s really no such thing as privacy anymore. But being careful seems prudent to me.
One more thought – Medical information.
I think medical information should be shared more than it is. (And it’s getting better with on line health care sharing between providers and their patients. Also between providers and other providers (that are preapproved by the patient.)
Health Care Providers need to know our medical history. But I can never remember every surgery that I’ve had, or every illness, or the dates of my last vaccination or tetanus shot etc. It would eliminated the problems and errors with forgetting these things or telling one provider one thing and another provider another. It would also reduce the number of questionnaires that you have to fill out every time you see a doctor or visit a walk in clinic or go to the ER.
I’m sure some people will adamantly disagree, but it make good sense to me. Safeguards would have to be in place for the patient to still be the ultimate “controller” of their own data.
Just my 2 cents.
And PS – I either do or don’t like walking around naked in my house … it depends on who’s watching. 😊
Sure, Edgar. I’m glad you caught my drift. Hope you get to walk around the house naked comfortably more often than not. 🙂
As for medical information, I think it’s OK to share it anonymously. Revealing your medical record with your ID attached can put you in grave danger from unscrupulous parties. And it’s actually hard to avoid the latter.
Wonderful and necessary information Dong. We need to educate our family and friends and look out for our Elders who arent as tech savvy and most vulnerable.
As far as medical information. How do we share it and protect it like its the last drop of water on Earth. Being a military family. No matter where we go around the world as long as we see a military facility they have records from day 1 over 20 plus years ago. Their systems are getting better but in the past didnt play nice with other systems in the Federal government from different Vendors. Those Vendors make millions on those contracts for not proven or fully working systems. Go figure.
What will the future look like? Will we all be micro chipped to ensure we are who we are and where we are supposed to be.
The rights of privacy weighed against being able to protect and save lives. Unfortunately it seems the main spying and privacy breeches are for financial or political gain.
For us Tech lovers we should all protect our routers and data, just like we lock our doors at night and keep our kids away from strangers.
You like running naked. We got it, Dong! J/K. Thanks for the great content and the no-bullshit approach!
Ha! So you’re that peeping Tom!
Thanks, Tom. 🙂