If you have been following my router reviews -- and you likely have, considering you're reading this -- you'll note that I tend to mention the "online privacy risks" in increasing instances in the past couple of years.
And the case of the eero Pro 6E must have been the crescendo on this front. As I mentioned in the post, I was so concerned about the privacy risks that, for the first time, I didn't even want to test it.
Since that post, I've gotten many messages on the subject. In a good number, folks expressed concerns and asked for advice. Others, from eero fans presumably, got defensive and personal, calling me names at worst or accusing me of "being biased" at best. It's pretty extreme.
Let me break it to you: I was indeed biased in my decision not to test the eero Pro 6E. Privacy is all about being biased -- we only let that special someone in, so to speak. Online privacy, though, has little to do with personal preferences. It's more about awareness.
This post is not another one about the eero. I'll explain in simple terms my take on online privacy and the risks of losing it (when using a Wi-Fi router). Whether or not you agree with me, it can be a fun read on a slow news day.
Dong's note: I first published this post on July 9, 2022, and updated it on August 9 with a FAQ section.
(Real-life) privacy: It’s a matter of degree
To understand online privacy, let's get on the same page on what privacy means in real life -- and I don't mean what the dictionary says.
This subject is complicated, and I'm no shrink. So, keep in mind that everything below is written with a deliberate oversimplification to demonstrate the general idea of online privacy. It might or might not apply to everyone, at all or at the same level.
Privacy: The norm
In my crude opinion, real-life privacy, applicable to this post's topic, is a matter of exposing ourselves to the degree that doesn't irk or offend any involved parties.
It's about being appropriate, which includes the desire to be left alone and the ability to leave others alone.
As such, privacy is nuanced. Let's be a little more specific.
Behind closed doors, anything goes; you do what you want. Alone, you can walk around shirtless, in your underwear, going commando, or even naked. If you're in a relationship, it's probably OK to skinny-dip in a private pool when your partner is around -- you'd hope so anyway. The more intimate the setting, the less privacy applies to the involved parties.
Out of the door, you generally expect to be anonymous to folks you see on the streets, just like they are to you. Generally, you might acknowledge their existence with a smile, a "Hello, how are you?" or a nod and expect the same in return.
Sometimes you might even try to strike up a friendly conversation, introduce yourself, and learn a bit about a stranger. The whole thing may turn into a new friendship or nothing. But everyone goes on their merry way.
To ensure that you don't reveal too much about yourself or bother others, you don't wear your credit card, ID, social security number, or even your name on the back of your shirt, which also means you keep your clothes on.
Sometimes, you need to reveal yourself a bit more, such as when you walk into a store and buy something. Now, you identify yourself via your credit or ID card but only to the party who handles the transaction.
All the while, you know, via visual, that there's nobody following you, watching what you're doing, or how you spend your money. The vendors know what you buy, but only within their particular shop.
In other words, though you've been exposed to the outside world, your privacy is intact because you're comfortable with the exposure.
Privacy: The unexpected
Once in a while, stuff happens.
Like when you're having a me-time in your room and the police barge in because they have a "no-knock" warrant and make a mistake on the address.
Or that time when you walk from the train station to your car under heavy rain only to find it has been broken into.
Or when you're busy writing on a deadline in your home office and your wife walks in asking you to hold your infant baby for an hour because she has "something important" to do.
The last example is a bit of a stretch, but in those cases, you feel bothered or even violated, and rightfully so. It's the level of (unexpected) exposure you're uncomfortable facing.
And it can also happen the other way around. A couple of years ago, I stumbled into a section of the Naturist Beach in Brighton (UK). It made me feel uneasy, and took me a long time to unsee what I had seen.
Wondering or confused about what "naturist" means? My case at the time, exactly!
So again, privacy is a matter of being exposed appropriately. So long as involved parties are comfortable, it's OK -- then it's not a privacy issue.
It’s in the awareness
But to be comfortable or uncomfortable, we first must be aware of what's going on through our senses. And that's generally a given in real life, where things are, well, real.
In any case, when we're not aware, privacy, or the lack thereof, is almost always a security matter -- it's now a risk. Would you walk around your home naked if you knew someone -- not anyone in particular -- was peeping? I wouldn't.
And that brings us to online privacy.
Privacy risks occur when you're unaware of your exposure.
Online privacy: Ignorance is (not) bliss
In the cyber world, the notion of general privacy above applies, but the element of awareness doesn't.
That's because everything on your screen is literally fake, as I explained in this post about online security. And there's always more stuff than what's shown on the screen.
For the most part, we never know the complete picture of what's happening behind the scenes -- a lot of it is technical and boring, anyway. Let's take a specific example regarding your personal information via the simple act of visiting a website.
Online privacy: There’s always hidden stuff
You're reading this page and probably find it interesting -- and it gets better. What you might be unaware of is the following:
You've given away your IP address. It's true. That's the case when you visit any website or access any online service.
That's if you know what an IP address is, which you might not have until now.
From the IP, I, the website owner, can find out where you come from, how long you've been on the site, how often you've visited it, etc.
Not long or often enough, mind you!
And that's fine. So far, that's similar to when you've entered a store. You're still anonymous.
Now, if you have an account with DKT, such as a subscriber, I'd also know your name and email address -- you're no longer anonymous. But that's still OK. That's like you've decided to buy something at the store using a credit card. You trust me enough.
But here's where things start to get scary:
Your Wi-Fi router "knows" all that, too. In fact, it can keep tabs on everything you do online, all the websites you've visited, and your other activities, such as shopping, streaming, chatting, texting, and so on.
So, if you happen to (accidentally) send a naked picture of yourself to another party, that picture goes through your router. When you have a live chat with your partner, the entire session goes through the router.
In short, everything you do online goes through a router, likely the one you have at home. The router is the gateway to the Internet, so to speak.
Before you get all freaked out: Not everything that goes through the router can be viewed or read by a third party -- at least not easily -- since data can be encrypted. But the router always has the metadata of all information passing through it.
Many routers allow you to manage what they keep tabs on and for how long, but you must be the owner -- or the controller, to be more precise -- to be able to do that.
If you use a router that allows no direct access, or only limited access, to how it works, you don't know what it really does with your information. And if you use a router made by a company that forces you to log in via an account before you can manage your network, your privacy is generally at the mercy of that company.
In this case, it's like you actively report your every move to a third party. And this is the scariest part: That happens completely without your direct knowledge. There's no visual, warning, or ID checking, not a fist bump or a wink. It's total unawareness.
The gist is this: your home router plays a huge part in your online privacy (and security). Not all routers are created equal, but if a router is compromised -- by design or accident -- you and your entire family are at risk of being monitored, scammed, or manipulated. Privacy is among those risks.
If your home router is compromised -- by design or otherwise -- your entire family are at risk of being monitored, scammed, or manipulated. Privacy is among those risks.
It's worth noting that the behind-the-scene items I described above are just examples of things that happen when you visit a website. At any given time, there are more parties out there standing by to pry on you, especially when you use a VPN service or a special DNS server.
Online privacy: It’s also a matter of degree
Of the messages bashing me about my take on the eero Pro 6E, many said that data collection is common and happens with all vendors. "There's no privacy, anyway," they alluded.
While that might be true, it's about the degree.
Most networking vendors offer options where users can use their products completely without getting connected to the vendor -- in most cases, that's the default. It's only when you choose to turn on and use certain features, like online protection or QoS, that you would have to log in with an account or risk sharing data with a remote party.
Generally, all online protection or any traffic-related features require data sharing. It's like in real life, you can't have protection without somebody (like a bodyguard) watching over you.
Most importantly, popular networking vendors like Asus, Netgear, TP-Link, Ubiquiti, etc., are independent and relatively small companies. Consequently, their data collection and the collected data are somewhat limited in scope and pervasiveness. Sometimes, that's purely for technical purposes. Still, data collection is never a good thing.
On the other hand, eero is owned by Amazon, which already has lots of data on its users in different aspects -- Amazon is not a networking company. So if you're an Amazon Prime user and use an eero router, your exposure (to Amazon) is much higher than if you have a router from another networking vendor.
Come to think about it, the only reason Amazon bought eero in early 2019 might have been because it wanted the user data the then-boutique networking company had designed its routers to collect. It wanted to hook deeper into the home, so to speak.
Tips on online privacy
To keep online privacy and security risks low, it's a good idea to fragment your exposure by using different services or products for different needs.
The more deeply you get into an "ecosystem" -- those of Amazon, Apple, Google, or Facebook -- the more likely your privacy is compromised, no matter how you feel or believe.
If you want to stay somewhat anonymous, use different (email) accounts for different (sets of) devices or services.
Convenience is generally the antithesis of online privacy.
Here's the most important thing: If you want to keep something completely private, don't put it on the Internet!
It's worth noting that these policies are designed primarily to protect the company legally. They are not necessarily an accurate indication of what the company will or will not do with your data. And a company itself can be hacked; that has happened.
We've been talking degrees, but this is absolutely true: Whoever controls your router can keep tabs on everything you do online. It's only a matter of what they choose to do with that power and to what degree.
Online privacy: Frequently asked questions
Update: Since I first published this post, I've gotten many questions about online privacy and security. Below are a few of them and my answers.
Does my Internet service provider (ISP) spy on me?
Technically, an Internet Service Provider can spy on its users, but whether or not it does depends on when that makes sense financially. There are two scenarios.
When you use just the terminal device (ONT or modem)
The first one is when you use a terminal device -- an Internet receiver such as a cable modem or a Fiber-optic ONT -- and a standard router of your choice. In this case, the ISP has no practical reason to spy on you. It's a matter of profit.
Since a terminal device is a catch-all device, it lets information in and out at the subscribed rate without specificity.
Consequently, generally, the ISP only knows the owner of the account who pays for the service, the MAC address of the router, and the Internet traffic that flows through the account -- specifically, through the WAN IP address registered to the terminal device.
The ISP does not know which person or device uses which part of the traffic -- that information is shielded by the router. And an Internet connection is almost always shared between multiple parties. Without knowing which party does what, the information an ISP can collect from the account is of little value.
If the ISP wants to find out more, it'll have to put in more resources and target a particular subscriber's account. But that doesn't make sense financially.
ISPs, like all companies, are in the business to make money, not to satisfy random curiosity.
When you use an ISP-provided gateway
The second scenario is when you use an ISP-provided gateway -- a device that's a combo of the terminal device (modem, Fiber ONT, etc.) and a Wi-Fi router in a single box.
If you don't know what a gateway is, as opposed to a router, check out this post on networking basics.
Now it's a different ball game. In this case, it'd be much easier for the ISP if it wants to collect in-depth information from the account.
That's because, as mentioned above, everything you do will go through the router part of the gateway. Most importantly, all devices connected to the gateway will register with their unique MAC addresses -- each's online traffic will be separated and categorized accordingly.
That's not to mention many gateways -- such as the xFi lineup of Comcast often advertised to deliver a "layer of advanced security" -- allow you to "control" or "manage" your network via a mobile app with a login account. Now, the ISP can know exactly who does what among that bulk of traffic that passes through the WAN IP address without having to move a hair -- again, you're the one who actively reports your every move.
Using a gateway provided by your ISP doesn't necessarily mean your ISP spies on you. But to repeat the point above, whoever controls your router can easily keep tabs on your online activities.
And big ISPs generally want you to use their gateways. I'd say there are some ulterior motives.
Extra: I use a Cable modem and my own router but still get the DMCA notification from Comcast when I download a movie. What gives?
First and foremost, stop downloading pirated content! Secondly, that's none of my business.
A DMCA (short for Digital Millennium Copyright Act) notice is what an ISP might send to a subscriber when it detects illegal downloads of copyrighted content via the subscriber's WAN IP.
The notice states what was detected and when and asks the user to find the content within their network and delete it. That's it.
If you get such notices, that doesn't mean the ISP spies on you. It's quite simple. Imagine your WAN IP is a freeway. We have this crude analogy:
When you stand on an overpass, you can easily see the traffic underneath. You can tell cars vs trucks vs bikes, etc., and more.
You can even point out vehicles violating traffic laws, such as driving on the shoulder or in the wrong lane. But you have no idea how to identify that automobile (against others of the same make, model, and paint color) or the driver.
And that's the level of "spying" the ISP has when sending out that notice. (That's also the level it has in general when a subscriber uses a terminal device.)
Read the DMCA notice carefully, and you'll note that the ISP doesn't accuse the account owner of doing anything wrong -- it can't prove that.
Just because an Internet connection has been used for illegal stuff doesn't mean it's the owner who's done it. And it's generally impossible to prove (beyond a reasonable doubt) who did it. Again, an Internet connection can be shared between many people, sometimes without the owner's knowledge or approval. That happens quite often.
If the subscriber uses the ISP's gateway(*), their situation might be a bit more precarious. But even then, proving that they are the ones who have done something illegal online still requires a lot of work.
(*) Using the same freeway analogy, your observation of the traffic is now similar to those working for a tollbooth with cameras and license plate readers, etc., instead of someone standing on the overpass.
But, in any case, it's not a good idea to download illegal content. Among other things, you might end up with unpleasant surprises.
I use a VPN, so I’m safe?
If you want to avoid those pesky DMCA notices above, using a VPN will help. Or if you're physically in one place and want to appear on the Internet to be somewhere else, a VPN is the best tool.
But the notion that virtual private networks (VPNs) are good for privacy or security is about as true as the notion that ISPs always spy on their users.
I detailed VPNs in this post, but generally, VPNs have little or nothing to do with security or privacy. It's just a matter of convenience or location spoofing. Privacy or security might or might not apply.
In fact, using a VPN is a double-edged sword. You're at the mercy of the VPN providers. In most, if not all, cases, they are the ones that spy on you (while your ISP doesn't).
Specifically, when you're home and use your office VPN, your boss can spy on you. If you use a third-party VPN service -- there are many of them -- that service will likely collect your online activities and sell the information to advertisers.
The point is, if you believe a VPN keeps you safe, you're fooling yourself. That depends. The question is a bit irrelevant since, again, VPNs have little or nothing to do with online security or privacy.
When you hear a VPN provider invoke online privacy or security to prop up its service, it's likely lying to you.
My router has auto firmware updates and regular security patches. It’s better than those that don’t, right?
Frequent firmware updates and security patches are another nonsense that certain hardware vendors use to prop up their products. (Again, the notorious actor, in this case, is eero.)
Let's get one thing straight: Security patches mean the product is bad. Good hardware (or firmware) shouldn't need any security patches. (That makes sense, no?)
But this is a matter of degree. No hardware can be completely free of vulnerabilities, so once in a while, a patch is necessary.
The point is there's nothing glorious in having security patches. It's a nuisance at best -- your network is unavailable during a firmware update -- and not something anyone should brag about. In fact, if your device needs patches frequently, you should get rid of it -- it's about as good as a vulnerable device with no patch. Clearly, those patches don't work.
If your bathtub keeps leaking, you'd get rid of it or hire a new plumber. Having to get it patched regularly -- no matter how easily each time -- is in no way a good indication of the tub's or the patching work's quality.
Another thing to note is that the auto-firmware update approach is evil. It takes away the user's freedom to choose and allows the vendor to control the device completely and, most of the time, for worse. Even when well-intentioned, a shoddy firmware version can break things, and what if you want to skip one?
How would you feel if somebody, no matter how good a person, kept coming to your home and making changes, no matter how "wonderful" the improvement, with a complete disregard for your opinion? And if you wonder "how can they get in, in the first place?", you catch my drift.
Auto-firmware updating allows the vendor to add, remove, or change things in a home network without the user having any say. (Often, that comes with a notice of changes in the "User Agreement" that most users would just agree to since they have no choice anyway.)
Good hardware should give users options, not force the vendor's will on them. And many routers allow users to turn the auto update on or off, among other things.
Some hardware allows for manual firmware updates, meaning you can use older versions or even open-source alternatives, such as Merlin or DD-WRT. That's not all good or user-friendly, but at least you know you have a choice.
Having no freedom to choose is the worst vulnerability.
In any case, security patches have little to do with the quality of a product -- they are irrelevant -- and auto-firmware updating only means convenience at best. And as mentioned earlier, convenience is the antithesis of online privacy. Keep that, and the matter of degree, in mind.
Regarding online privacy, I've heard many saying that they "have nothing to hide," so it doesn't matter. That's like saying it's OK to streak as long as you're unaware or comfortable with the fact that you're naked. And I'm nobody to judge.
Unlike running naked, there are real consequences to getting overexposed in the cyber world. And I'm not sure if anyone can be comfortable with nasty surprises.
Our social circles are similar to an onion with layers that define different levels of intimacy. No matter how open-minded or comfortable you are inside your skin, you might not want to have that instant meaningless zero degree of separation with a stranger whose intention is to benefit themselves at your expense.
And that might be what's happening right now. To different degrees. Depending on which router you're using. Whether or not you're aware of or happy with it.