100

I am moving to Germany, and in the contract I signed I had to accept that all my data traffic can/will be checked by the apartment owner. The contract states:

Flatrate, aber hinter 30GB Tarif priorisiert, also etwas langsamer

Ja ich weiss, daß meine Daten überprüft werden.

Which translates to:

That after using an amount of 30GB data, the speed can/will be slower.

And the critical:

Yes, I know that my data is checked/investigated

Later in the contract one can read the following

Im Rahmen der gesetzlichen Bestimmungen (Anti-Terror-Gesetze und TKG) kann das Protokollieren der Daten erfolgen. Im Mietpreis ist eine FLAT-Rate enthalten, dabei können jedoch einzelne Ports gesperrt sein oder bestimmte Verbindungen mittels Traffic-Shapping bevorzugt oder verlangsamt werden. Bestimmte Geschwindigkeiten werden nicht zugesichert. Die Verbindung funktioniert nur, wenn DHCP eingeschaltet ist (z.B. bei Windows IP-adresse automatisch beziehen).

Which translates to:

Within the framework of statutory provisions (anti-terror laws and the TKG), logging of the data may take place. A flat rate is included in the rent, but individual ports may be blocked or certain connections may be prioritised or slowed by traffic shaping. No particular speeds are guaranteed. The connection only works if DHCP is enabled (e.g. under Windows: obtain an IP address automatically).

Since I really needed this apartment I was forced to accept this. But nowhere does the contract say that I cannot make it difficult for the landlord to check my traffic.

So my question is: would it be possible to make it difficult for the person watching my data traffic to see what I am actually doing on the internet? As you probably can tell, I do not know a lot in this field.

Internet is provided via LAN, but I am going to use a D-link dir-635 router. And I am running Linux Mint.

I am not familiar with the prices of 4g/LTE in Germany, so I can not say if that is an option yet. I do not think I can get my own internet installed, and since the internet is provided in the rent (whether I want it to or not) it feels redundant to install a personal internet.

Olba12
  • 1,069
  • 2
  • 8
  • 13
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/45485/discussion-on-question-by-olba12-landlord-will-be-watching-my-data-traffic-as-m). – Rory Alsop Sep 16 '16 at 21:02
  • I would simply rent a VPS, install OpenVPN and use compression. That would cover me and also save data. SOCKS5 proxy is also a way. Opera also has "Turbo", but now it's owned by China - so I would stay away from it. – Apache Oct 01 '16 at 12:00
  • 1
    This sounds like a language issue. The original text "daß meine Daten überprüft werden" doesn't sound at all like data traffic monitoring, but more like checking that the information you provided is valid. Are you sure you got the right context? – mastov Nov 29 '16 at 18:20
  • Data privacy is quite strict in Germany, and your landlord is certainly not allowed to snoop on you. But maybe he is forced by the authorities to get consent / make you aware of the mentioned laws? – Marcel May 30 '22 at 06:19

12 Answers

68

FINAL (hopefully) UPDATE: Well after all the very interesting and valuable discussion, it seems to me as though initial thoughts were correct. From the updated question, I would say that the restrictions are pretty standard for Germany.

My recommendation is that you ignore the noise and the concerns and simply make use of the service. Unless you have some very specific security needs that you haven't shared, using HTTPS wherever possible (which is best practice anyway) is sufficient.

In any case, the other options discussed would all add overheads to your traffic which would use up your 30GB even sooner and slow things down.


There are several things you can do. Provided that the terms and conditions of use are OK with them.

You don't say what country you are in but you might want to get the terms of use checked by a lawyer since some terms may not be legally permissible anyway.

Here are four of the main ways you can protect your Internet traffic from the prying intermediate.

  1. Make sure you always only connect to HTTPS sites

    When you use HTTPS sites, the traffic is encrypted between you and the endpoint. Your landlord's infrastructure will not be able to do more than examine the destination IP address, port and DNS. In particular, things like banking and health sites will remain secure.

  2. Use a VPN

    A VPN in this case is a 3rd party service that encrypts ALL of the traffic (not just web traffic as in 1) between your machine and the VPN host. This prevents any inspection of the traffic at all and it will appear as though you only talk to the VPN destination.

    Unfortunately, it is possible that common VPN end-points might be blocked or even a smart security system used that will dynamically identify VPN traffic and ban it. Check the terms of use from your landlord carefully.

  3. TOR

    TOR is a way to obfuscate connections across the Internet and is often associated with "the dark web". However, it has legitimate uses as well. Unfortunately, it can add quite an overhead to traffic and may be unacceptably slow. Typically TOR will be used for web browsing, other network traffic would not be affected.

  4. Use the Mobile network

    If you are fortunate enough to live in an area with a) good (4G/LTE) mobile coverage and b) an affordable data tariff, then using a 4G/LTE mobile router may be an option. You can get some staggeringly good data rates.

    Don't expect to be free of restrictions though. Many tariffs don't allow device sharing; you'll need a special tariff for mobile data. You might not be allowed to use all services (like VPNs) and you are more likely to have national-level restrictions applied such as the UK's national "firewall".


It goes without saying (so I will say it anyway!) that you should ensure that you are staying within the letter of the laws of your locality & the legitimate terms of use of the landlord's network. However, none of the above are illegal in most countries (well, in most Western countries anyway) as long as you are not using them to do illegal activities. TOR and VPNs may possibly be illegal or at least get you unwelcome attention in certain countries.


UPDATE: Without question, the most security would be provided by a VPN.

However, that will only be useful if the landlord's network allows VPN traffic. In addition, VPNs also carry an overhead so things like real-time traffic (Skype voice/video for example) and online gaming would be impacted quite significantly.

In addition, VPNs will normally come at a cost though there are some discount codes around that might help.

It is possible to set up your own VPN if you have a server on the Internet to run it on. Most VPS hosts won't allow it but some will as long as you keep it private.

The real question is - do you really need to be bothered? That's why I mentioned HTTPS first. Since this protects your information to sites and since all decent online services already use HTTPS, you might find that this is a storm in a teacup.


UPDATE 2: As some others have pointed out, there are many flavours of VPN. A commercial service will be the easiest to consume but you need to do your homework to find the best for your region. Commercial VPNs can also be relatively easily blocked both by end point and by traffic inspection. Some VPNs require specific ports to be open on the network and these might not be available. Test before you buy. In general, those offering SSL-based or OpenVPN-based services are likely to offer more options and be easier to get through any blocks.

Another form of VPN is to use an SSH client such as PuTTY (for Windows) connected to an SSH server (perhaps on your own or a friend's VPS). You can throw in a local SOCKS proxy client and then you will have a very configurable private VPN service. Not especially easy to set up though if you don't understand the terminology. Note that many VPS services ban their use for even private VPNs.

Another thing to note is that there are several ways for security infrastructure to spot VPN traffic and therefore block it. Known end points for commercial services and known ports for VPN types are the easiest but it is possible to examine traffic patterns and work out that even apparent SSL traffic (e.g. if using port 443 for VPN) isn't actually.

Julian Knight
  • 7,092
  • 17
  • 23
  • 23
    In before the landlord shoves our asker an SSL certificate to install... – John Dvorak Sep 11 '16 at 21:50
  • 18
    If you are asked to do that, respectfully decline and possibly point them to the local laws on the interception of communications. I didn't include that in my answer as it adds significant complexity and is (should be?) an unlikely scenario. – Julian Knight Sep 11 '16 at 22:03
  • 62
    You should add "beware of any alarms about SSL certificates": if OP has any, it could be the owner using his own SSL certificate to watch traffic. – Walfrat Sep 12 '16 at 06:43
  • 10
    Correct. Any unusual certificate warnings, especially on well known sites are a clear indication that someone is trying a Man-in-The-Middle attack. In that case, unless you've agreed to that, report them to local law enforcement as it is almost certainly illegal. – Julian Knight Sep 12 '16 at 07:41
  • 1
    You can use a https fingerprint service like https://www.grc.com/fingerprints.htm to check if the certificate has been spoofed. – David Glickman Sep 12 '16 at 08:39
  • 2
    It's worth noting without a VPN the landlord can still see _where_ the OP is visiting (dns, sni). Depending on why the landlord wants to do this (morality policing?) https may not be enough to do what the OP wants. – Mark Henderson Sep 12 '16 at 10:45
  • 6
    @MarkHenderson maybe the landlord just wants to make sure that he won't get his connection shut down for any filesharing, etc. There's no reason to assume that his motives are to vet content any further than that. – JamesRyan Sep 12 '16 at 11:07
  • 1
    @JamesRyan That is plausible, but without further information from the OP we've no way to know either way, hence just wanting to make sure that the information is there so that the OP can make their own informed decision. – Mark Henderson Sep 12 '16 at 11:08
  • Tor can handles any TCP and DNS, not only for web browsing. It also doesn't add much overhead. – v7d8dpo4 Sep 12 '16 at 12:34
  • 1
    Besides configuring every device to use VPN or proxy, it is also possible to use a spare computer to route all the traffic. – v7d8dpo4 Sep 12 '16 at 12:41
  • 2
    Some Routers also allow to tunnel all traffic over VPN. This uses less electricity than a spare PC – Josef Sep 12 '16 at 13:01
  • Well I was concerned with webbrowsing and also downloading torrents, but I guess torrent downloading breaks the rules on this forum. So yes, I believe that I have shared my security needs. – Olba12 Sep 12 '16 at 22:44
  • Everyone is assuming it is the landlord that is doing the logging. The landlord may just be covering their obligations. SSL can't be relied upon. – mckenzm Sep 13 '16 at 03:08
  • 1
    @Olba12: Torrents in themselves are absolutely fine though it may attract attention. What you download is, of course, another matter. – Julian Knight Sep 13 '16 at 05:44
  • 4
    JamesRyan is probably right about the landlord's intentions. Germany used to have a law that said that the owner of a network connection is responsible for any law breaches made over that connection unless he can prove that he didn't do it. So when people shared their connection, they often included some basic logging (like who connected to which IPs and when) in order to be able to prove that it wasn't them. This law has been changed only this summer and many landlords might not know about the change yet. See Ariser's answer for more details on this. – Sumyrda - remember Monica Sep 13 '16 at 07:03
  • 1
    *"When you use HTTPS sites, the traffic is encrypted between you and the endpoint. Your landlords infrastructure will not be able to do more than examine the destination IP address, port and DNS."* HTTPS requests still contain the FQDN (necessary for several servers on the same IP), so the landlord will also examine the domain (name). The DNS request is an additional request. Either way, I'd recommend "HTTPSEverywhere", which is available for both Firefox and Chrome. – Zeta Sep 14 '16 at 06:05
  • Using VPN can actually improve the quality of streaming/gaming. If you connect to one of the big VPN providers with worldwide networks, your packages may become routed more efficiently. Additionally, VPN can provide traffic compression which varies depending on what exactly you do. – Barafu Albino Sep 15 '16 at 20:01
  • I found that you can add "safervpn" to Chrome; I figure that will be enough for me. It has good ratings on the Chrome store and many downloads, so it should be legit. – Olba12 Sep 15 '16 at 23:47
  • Services like purevpn offer multiple protocols so you can connect over OpenVPN, L2TP/IPSec, PPTP, SSTP and IKEv2; blocking all of these ports would break the internet so they won't. TOR is ok but you place your trust in the exit node. – Chris McKee Sep 16 '16 at 13:10
  • I'd also recommend dnscrypt. – Tanath Sep 16 '16 at 17:24
  • @ChrisMcKee: Of course "they" can block those ports. Some however can be configured to use common ports such as 443 - those would require far more processing to block (to spot patterns different to the norm) so generally aren't. – Julian Knight Sep 16 '16 at 20:17
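The HTTPS item above, and the comments that the landlord can still see the hostname via SNI even when the page itself is encrypted, can be made concrete. The following script is an added illustration and is not part of any answer on this page: it builds a minimal TLS 1.2 ClientHello with a server_name extension and then parses that extension back out, reading only bytes that travel in the clear. The hostnames and the two cipher-suite identifiers are constructed sample values; the record layout follows the TLS handshake format.

```python
"""Added example: what a passive observer learns from a TLS ClientHello.

The hostname in the server_name (SNI) extension is sent unencrypted before
any key exchange, so anyone on the path sees it even though the HTTP request
and response that follow are encrypted.
"""
import os
import struct


def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record.

    Constructed for demonstration only: real clients send many more
    extensions and cipher suites. hostname=None omits the extensions block
    entirely, as very old clients did.
    """
    cipher_suites = b"\xc0\x2f\xc0\x30"  # two ECDHE AES-GCM suites (sample values)
    body = (
        b"\x03\x03"                                     # client_version: TLS 1.2
        + os.urandom(32)                                # random
        + b"\x00"                                       # empty session id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                   # one compression method: null
    )
    if hostname is not None:
        host = hostname.encode("ascii")
        # server_name entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_body = struct.pack("!H", len(entry)) + entry  # server_name_list length
        sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
        body += struct.pack("!H", len(sni_ext)) + sni_ext  # extensions length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(record):
    if record[0] != 0x16:                      # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:                          # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                               # skip client_version and random
    pos += 1 + body[pos]                       # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                       # compression methods
    if pos + 2 > len(body):
        return None                            # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        lpos = 2                               # skip server_name_list length
        while lpos + 3 <= len(ext):
            name_type = ext[lpos]
            name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
            name = ext[lpos + 3:lpos + 3 + name_len]
            if name_type == 0:
                return name.decode("ascii", errors="replace")
            lpos += 3 + name_len
    return None


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None.

    Truncated or non-TLS input yields None rather than an exception, which is
    what a network monitor must do when it sees garbage on port 443.
    """
    try:
        return _parse_sni(record)
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("bank.example")   # constructed sample hostname
    print("observer sees hostname:", extract_sni(hello))
    print("legacy client, no SNI:", extract_sni(build_client_hello(None)))
```

The point for the asker: switching every site to HTTPS hides *what* is requested, but the hostname still leaves the flat in the clear twice, once in the DNS query and once in this extension. Only a tunnel that carries the whole TLS session (VPN, SSH SOCKS with remote DNS, Tor) removes it from the landlord's view.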
46

I don't want to write about the technical details because I think the options have been clearly defined by the other posts. But I'd like to contribute some thoughts on the legal stuff.

Disclaimer: I'm not a lawyer; please understand my following words as a translation of readily available texts on German laws. Before taking real actions, I strongly recommend consulting an experienced lawyer.

In my opinion, the attempt of your landlord getting a blank cheque for reading your traffic is illegal. I'll explain why.

Germany has a very strict law for the protection of private data (Bundesdatenschutzgesetz aka BDSG). It prohibits not only the collection of any data without consent of the concerned persons; it also sets hard and reasonable limits even if consent was given.

In detail: §3a demands "Datensparsamkeit", which translates into austerity in collection of any data. This means, anybody wanting to collect private data related to identifiable persons has to restrict this attempt to the minimum amount necessary to fulfil either legal necessities or duties from a contract with the concerned people.

Neither of these applies here. There are no legal obligations for your landlord to store or evaluate data. TKÜ (Telekommunikationsüberwachung = telecom intercept) was always the duty of the public authorities in Germany. To refer to the TKG to insinuate anything different is a blatant lie.

The so called Vorratsdatenspeicherung (VDS, an obligation for ISPs to store connection related data for police investigations) was declared void by the highest court in Germany twice. A modified version passing legislation is still far away. Anyways this law only applies to ISPs and I doubt your landlord can be deemed as an ISP. Furthermore the VDS would only enforce the storage of IP-Addresses and connection times, never any content.

The remaining, rather difficult issue could have been the so called "Störerhaftung" which made everyone who gives other people access to the internet over his own account liable for any damage caused by the one given access. But this specimen of case law has been toppled by the German Bundestag on 6/1/2016. Still, even if liability for giving access were still in effect, it would empower your landlord only to store IP addresses and connection times.

I'd suggest the following: Sign the contract and send the contract information to the responsible federal office. (Bundesdatenschutzbeauftragter / Landesdatenschutzbeauftragter) Let the relevant authorities crack down on this moron of a landlord.

In Germany it can be considered "contra bonos mores" to chisel your basic rights out of you in a way like this. Having signed such a contract does not sanction the unlawful parts. Simply put, they are void. You can even get a temporary restraining order at a court prohibiting your landlord from performing any surveillance tasks on your connection. Prior to this you can file a reminder, but you may need a lawyer with certain expertise in this field.

Addendum

Some of you may think, "why is Ariser so rabid about a landlord who is sooo nice that it lets you use its internet uplink. It's just a contract, they can write in it whatever they like, and who cares what they can see when logging?".

Because it's basically the same as saying: "To prevent our tenants from throwing used condoms, rags and hygiene products into the toilet, they agree we have a camera installed in the bowl". You all would easily refuse to sign such a contract, not because anybody has a problem with the prevention of clogged sewers, but because no one wants to be stared at on the buttocks or genitals when washing hands. Think of how often we figuratively have our pants down in our digital conversations. And in this case the landlord even had a personal interest because plumbers are expensive. But we won't let him watch either. In the original case there's nothing to bother the landlord. The content of the transmission is absolutely of no concern to the landlord.

Ariser
  • 591
  • 3
  • 10
  • 9
    German law is crazy about information security, and not in the good sense. German security researchers move to Austria to publish their papers since it is forbidden to publish working exploits in Germany (not even under responsible disclosure) – grochmal Sep 12 '16 at 16:22
  • 1
    Once again, the contract does not specify the landlord will be doing the logging. He may just be covering his end so you cannot ask for a rent reduction when shaping eventually occurs, or claiming to be surprised when you are eventually arrested for whatever.....In other words they cannot shelter you if you are an enemy of the state. SSL is not a real barrier for the state, either. – mckenzm Sep 13 '16 at 03:14
  • 6
    @mckenzm So when the ll does no logging, why does he claim the right to do it then? Regardless how often the contrary is written: In Germany a landlord is not the deputy of the police. And he cannot claim to have the right to break the law just to be on the safe side. It is not his duty to find out, whether some tenant is an "enemy of the state" by using unlawful terms in a contract or spying at him. These are methods used by dictatorships as we had one next to us until 1989. – Ariser Sep 13 '16 at 06:26
  • @Ariser He doesn't claim the right to do it. The contract uses a passive construction: "logging can take place", but it doesn't mention by whom; with the clause that it only takes place in accordance with anti-terror-laws and Telekommunikationsgesetz. You can rest assured that if the landlord spies on him, it is not in accordance with these laws, because these laws allow law enforcement (only when ordered by a judge) and intelligence services (BfV and BND) to intercept these messages. Wait, there's one loophole: if the landlord is an intelligence officer... – Alexander Sep 13 '16 at 09:37
  • 4
    @Alexander I've read many TOS, but none of them contained such a stupid statement. Think of walking into a restaurant and the waiter tells you: "When you enter here you know, you may be hit on the head... " omitting the part: "... if the hooligans (which may come later) start a brawl and the police is cleaning the mess up eventually". Everybody would think, the waiter is threatening you with immediate danger resulting from actions originated by staff or guests directly not something which could take place everywhere else with equal probability. That's called common sense. – Ariser Sep 13 '16 at 09:47
  • 1
    Erm... https://www.tagesschau.de/inland/vorratsdatenspeicherung-149.html Just saying... VDS declared void is a tidbit optimistic on your part. The Verfassungsgericht has stated that they will certainly not declare it void according to the expedited proceedings filed. A final decision is pending, but this may take years. Until then, VDS is a very real everyday truth. Besides, we have had VDS since Schröder... only now it's _solidly legal_ for the first time. – Damon Sep 13 '16 at 13:57
  • 1
    @Damon: thx for the correction. Nevertheless does the VDS not empower a scruffy landlord to do packet inspection or connection tracking. – Ariser Sep 13 '16 at 14:12
  • 1
    @Ariser: That's right, on the contrary. It's a very clear violation of article 10 of the GG, and arguably a violation of article 2.1 as well (assuming the OP is not known to use the internet for criminal activity). In particular since government sees explicitly "no difference" between online activity and phone calls as recently stated in Maizière's action plan. That puts them on one level for the new planned anti-terror actionism to come, but consequentially it also explicitly puts them on one level for Art. 10 GG (necessary logical conclusion). – Damon Sep 13 '16 at 16:30
  • "The landlord retains the right to open and read your mail, and listen to your telephone calls." – alexw Sep 14 '16 at 03:03
  • @alexw good analogy. – Ariser Sep 14 '16 at 06:10
  • @grochmal: Do you have a trustworthy reference for your claim? – countermode Sep 14 '16 at 12:49
  • @Ariser: _the attempt of your landlord getting a blank cheque for reading your traffic_ - the LL isn't attempting to get a blank cheque, he is acting as an ISP and thus is obliged to follow the according regulations. All that has happened is that he bothered to inform the prospective tenants about this. – countermode Sep 14 '16 at 12:52
  • 1
    @countermode: I doubt, that a real estate owner can be counted as ISP. In Germany there are currently roughly 1000 registered ISPs which have to store connection data. And if the real estate owner counts as ISP why doesn't he write "your connection data will be stored according EgStPO §12"? The sentence in the contract is so moronic, the RE owner seems to have no clue of the VDS at all. So one has to assume the RE owner wants to inspect the transmitted data on his own whim. If not he should have written, what he meant! – Ariser Sep 14 '16 at 13:44
  • Your assumption doesn't make sense at all and if the landlord really did this, this would be illegal and subject to complaints at the Landesdatenschutzbeauftragter (at the very least). And yes, anyone providing connectivity to a broader audience falls under the definition of an ISP. For instance, any employer that lets the employees surf privately using enterprise resources counts as an ISP. – countermode Sep 14 '16 at 14:13
  • @countermode - Eyup, Tobias Klein argues in his book [Bug Hunter's Diary](https://www.nostarch.com/bughunter) that he cannot publish full (working) exploits due to German law. He can only provide a way to get the instruction pointer, and stops there. – grochmal Sep 14 '16 at 14:24
  • @grochmal: I won't buy the book just to check, but the author probably overrated the whole thing. The book is dated 2011, and in 2008 §202c was introduced to the German criminal code which caused some uproar in the community as it made the use of hacking tools a criminal act. However, things are not as bad as they seemed, and by today there is solid consensus that security research or pentesting are legal as long as their purpose is not purely and obviously destructive. – countermode Sep 14 '16 at 14:37
  • @countermode that's exactly what I wrote in my answer. The statement is formulated so universally with no relation to legal issues, that noone can put it into relation to the VDS. You are basically saying: "It can't be concerning other things than VDS otherwise it was illegal". But that's exactly what I think. Read that sentence again. BTW: All sources state, that a company has no obligation to collect connection data from its employees, because the internal access is not deemed "public". Please give some references, if you know better. – Ariser Sep 14 '16 at 14:55
  • 2
    @countermode If the landlord (as well as employers) counts as an ISP, they would be largely exempted from Störerhaftung, which would somewhat contradict the very principle of Störerhaftung. And if the landlord considers himself an ISP with the *requirement* to perform VDS, I'd ask if he really has the *equipment* to do so in a way suitable for the law (technical and physical security of the storage, access-control, off-site backups, ...) – Hagen von Eitzen Sep 14 '16 at 19:50
  • Also see the recent case of McFadden vs Sony, which went all the way up to the European Court ([ECLI:EU:C:2016:689](http://curia.europa.eu/juris/document/document.jsf?text=&docid=183363&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=725971)). McFadden (a store) was operating a free-access WiFi network for use by its customers and was held liable for a copyright infringement made through that network. The landlord may want to prevent similar charges by actively monitoring. – SQB Sep 20 '16 at 08:15
22

HTTPS, TOR and VPN have all been mentioned already. Yet there are another two viable solutions: proxying and plain tunneling (non-VPN tunneling).

Proxying

A proxy is just a server that you connect to, which will relay your connection to the actual destination. If you use a proxy which allows for the traffic between the proxy and you to be under TLS (e.g. HTTPS) then from the perspective of your landlord you are always connecting to the same server.

Caveat: A TLS proxy is (somewhat) vulnerable to sslstrip since you are always HTTPS connecting to the same place. And a proxy without TLS is useless to hide traffic.

Plain tunneling

This is my favourite. Assuming that you have a server (or just a simple VPS) running outside of the premises of your landlord (e.g. in some data center) you can SSH tunnel traffic between your machine and that server. This has two advantages over VPN:

  • No one can complain that you're connecting through SSH to your server.
  • Does not require anything special from the router on the way between you and your server.

Assuming *nix OSes, you can do a simple:

ssh -Y user@server firefox

And browse the internet (or use a chat program, or whatever) whilst your landlord can only see SSH traffic.

For better security it is wise to perform SSH login with RSA keys (instead of typing the password each time), and keep a note of the fingerprint in the known_hosts. No sslstrip problems because you are not using CAs.

Caveat: This may be slightly expensive in some parts of the world (VPSs are expensive in Asia and Oceania, and you need the server to be close to you to have reasonable speed); and this is slightly slower than all other options but TOR, since you are sending X11 updates over the network instead of plain HTTP(S).


Extra notes

  • Both of these possibilities are pretty similar. You are connecting to a single point which is relaying the traffic. You can even combine them (for a speed increase) by running your own proxy on your VPS.

  • A simple SOCKS proxy can be made with ssh -D <port> (sshd on the server side will act as a SOCKS proxy). This is useful for plain browsing but you need to configure the browser to use the proxy. You will need to configure the proxy settings to localhost and the port used in the ssh -D call. Ask Ubuntu has a great answer about the proxy configuration from a ssh -D call.

  • Remember to configure DNS to go through the proxy. That is often not the default setting (at least it isn't in Firefox). Allowing the DNS to go through the normal network will reveal your browsing habits to your landlord.

grochmal
  • 5,677
  • 2
  • 19
  • 30
  • +1 for the ssh option. Dead simple, fast and bulletproof. Though it's probably a good idea to set up Open VPN too. – jorfus Sep 12 '16 at 02:16
  • 2
    You can also use a SSH proxy for the whole internet connection – Antzi Sep 12 '16 at 02:34
  • 1
    @Antzi - That's true, there is `ssh -D`. I'm just not sure if you need to tweak firefox to perform DNS over the SOCKS proxy. (/me starts researching about DNS through SOCKS). – grochmal Sep 12 '16 at 02:46
  • 2
    An SSH VPN is still a VPN! ;) You are pushing local network traffic through an encrypted tunnel and that is the definition of a VPN pretty much. But yes, that is an option. And yes, you would want to have encrypted DNS though DNScrypt would do that for you. I would argue though that an SSH VPN is much harder to set up than buying a 3rd party VPN service and likely slower too if using a cheap VPS. Also many VPS hosts don't allow VPN traffic at all including SSH VPN's. – Julian Knight Sep 12 '16 at 07:37
  • 2
    A huge problem with SSH forwarding is privacy. A VPN's pool of IP addresses is usually shared by many users that are possibly protected by the provider. A server's pool of addresses is probably quite restricted and statically linked to the server: In this case, your landlord might not be able to track you, but everyone else you communicate with would be. – Sebastian Hojas Sep 12 '16 at 10:07
  • @JulianKnight the great advantage of an SSH tunnel is that you can usually easier choose the port you want to bridge the traffic over. You can use common ports like 80, 443 or 993 that will hardly be blocked by the landlord. – Sebastian Hojas Sep 12 '16 at 10:10
  • @SebastianHojas: True. However some 3rd party VPN services can do this too as can OpenVPN. Smart security tools still spot them though even over port 443 so [VPN's can always be blocked](https://www.bestvpn.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/) though you need more expensive tools to do it so it is less likely. – Julian Knight Sep 12 '16 at 11:58
  • I like the Plain tunneling. If I have 2 computers, would it be possible to leave one in my home country, and access it via ssh from another country? I guess the answer is yes, but I do not know how to set up "Plain tunneling" on my secondary computer. – Olba12 Sep 12 '16 at 13:01
  • @JulianKnight - OpenVPN uses IPSec by default which may be killed at the network layer. On the other hand it can be configured to use transport layer security but that may depend on the provider (of course it is always important to research VPN providers). – grochmal Sep 12 '16 at 19:51
  • @Olba12 - You certainly can. I admit that my answer is Linux focused, but you're on Linux Mint, right? You could do a port forward (say 22 for sshd) in the router in your home country and connect to a *nix machine in your home. Yet, I'd advise against it: home (ISP) connections have very poor upload speeds and you would suffer horrible lags. VPS connectivity is focused on upload speed therefore will work much better. There is a [similar question to this on U&L](http://unix.stackexchange.com/questions/306015/trick-to-create-restricted-linux-user-i-can-remotely-control-no-matter-where-it) – grochmal Sep 12 '16 at 19:56
  • @grochmal: OpenVPN is configurable to use port 443 and has a config page describing how to hide the VPN traffic. Olba12: As you say, an SSH VPN is OK. You might also look at stunnel. I recommend you **don't** leave port 22 open to the Internet otherwise a good part of the servers bandwidth and logs will be filled with hacking traffic. – Julian Knight Sep 13 '16 at 05:50
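The "Extra notes" of this answer describe the ssh -D SOCKS proxy and warn that the browser must also send DNS through it, otherwise the landlord still sees every hostname. The script below is an added example, not code from the answer's author: it assembles the ssh command line, renders the Firefox user.js preferences that route both traffic and name resolution through the local SOCKS5 listener, and audits an existing user.js for the DNS-leak misconfiguration. The user and host names are placeholders; the ssh options and the network.proxy.* preference names are real ones.

```python
"""Added example: SSH SOCKS proxy plus a Firefox profile that does not leak DNS.

Firefox preference names used here are real; alice@vps.example is a
placeholder for the reader's own VPS.
"""
import re
import shlex


def ssh_socks_command(user, host, local_port=1080, ssh_port=22):
    """argv for an SSH session whose only job is the local SOCKS5 listener."""
    return [
        "ssh",
        "-N",                                   # no remote shell, forwarding only
        "-C",                                   # compress, useful under a 30GB cap
        "-D", f"127.0.0.1:{local_port}",        # bind to loopback, not 0.0.0.0
        "-o", "ExitOnForwardFailure=yes",       # fail loudly if the listener can't open
        "-o", "ServerAliveInterval=30",         # keep the tunnel from silently dying
        "-p", str(ssh_port),
        f"{user}@{host}",
    ]


def firefox_socks_prefs(local_port=1080):
    """Preferences that send all browser traffic *and* DNS via the SOCKS5 proxy."""
    return {
        "network.proxy.type": 1,                # 1 = manual proxy configuration
        "network.proxy.socks": "127.0.0.1",
        "network.proxy.socks_port": local_port,
        "network.proxy.socks_version": 5,       # remote DNS requires SOCKS5
        "network.proxy.socks_remote_dns": True, # the setting this answer warns about
    }


def render_user_js(prefs):
    """Serialise a preference dict in Firefox user.js syntax."""
    lines = []
    for key, value in prefs.items():
        if isinstance(value, bool):
            lit = "true" if value else "false"
        elif isinstance(value, int):
            lit = str(value)
        else:
            lit = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        lines.append(f'user_pref("{key}", {lit});')
    return "\n".join(lines) + "\n"


_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_user_js(text):
    """Read user.js back into a dict; unknown literals are kept as raw strings."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def audit_proxy_prefs(prefs):
    """Return the problems that would let hostnames reach the landlord's network."""
    problems = []
    if prefs.get("network.proxy.type") != 1:
        problems.append("proxy type is not manual: traffic goes out directly")
    if not prefs.get("network.proxy.socks"):
        problems.append("no SOCKS host configured")
    if prefs.get("network.proxy.socks_version") != 5:
        problems.append("SOCKS version is not 5: remote DNS is unavailable")
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        problems.append("socks_remote_dns is off: DNS queries bypass the tunnel")
    return problems


if __name__ == "__main__":
    print(shlex.join(ssh_socks_command("alice", "vps.example")))  # placeholder host
    good = firefox_socks_prefs()
    print(render_user_js(good), end="")
    print("audit of correct profile:", audit_proxy_prefs(good))
    leaky = dict(good, **{"network.proxy.socks_remote_dns": False})
    print("audit of leaky profile:", audit_proxy_prefs(leaky))
```

Drop the rendered user.js into the Firefox profile directory (or apply the same values through about:config) and run the printed ssh command in a terminal; Firefox then resolves names on the VPS side and the LAN only ever carries one SSH connection. The audit function is the check worth keeping around: after any Firefox upgrade or profile reset it tells you in one call whether name resolution has quietly fallen back to the landlord's DHCP-assigned resolver.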
15

General

Make sure obfuscating and encrypting your internet traffic isn't illegal where you live.

HTTPS

This is not a solution. Not only because you will have to access websites which aren't secured via SSL but also because your landlord can still see which servers you're connecting to even when HTTPS is used.

Your landlord probably won't take a look at the contents of your internet traffic anyways but will merely look at what servers you connect to. HTTPS doesn't protect you from them doing this. Your landlord can still see which servers you connect to.

TOR

Tor is awesome and your landlord will have no idea which servers you connect to, but there are many websites for which you have to solve captchas all the time if you access them via TOR. This can get annoying soon. Furthermore, your email provider may prevent you from accessing your emails via TOR.

VPN

This is the solution you're looking for.

Many routers provide tunneling connections to the internet through VPN. You can sign up for a VPN service, some of which don't require you to state personal details and even letting you pay for example in bitcoin. This will typically cost a few euros per month.

Setting this up on your router is the best solution because this makes sure your landlord cannot see the contents of your data transfers. However, they can still see that they're happening, when they're happening, and how much data is transferred. But they cannot read the contents and they cannot figure out which servers you're talking to. From their perspective, you'll always be talking to the VPN service provider.

If your router doesn't support VPN, maybe buy a new one. I got one for 40 € which supports tunneling all traffic through VPN. I got another one for 250 € which doesn't support that.

If your router doesn't support it and you don't want to buy a new one, check for alternative firmware for it.

If even that's not possible, you should use VPN on your computer and your phone. Note that this has to be done for every device whose internet traffic you intend to obfuscate, and you have to set up VPN again if you reinstall the operating system or install a different one, whereas setting VPN up on your router obfuscates the internet traffic of all your devices, so there's less to be done wrong.

Setting VPN up should be very easy on most desktop operating systems. The necessary software is already installed on most Linux distros.

If OpenVPN is used, just do a quick

sudo apt-get install openvpn

VPN is used by people to access the servers at their workplaces, so it's probably very easy to set up for Windows and OSX, too. It can be used on Android but you probably have to install an app to do so.

UTF-8
  • Actually, HTTPS may well be all they need. See my updated answer. Nice screenshots by the way though a bit big. I hope you have the rights to post the image. – Julian Knight Sep 11 '16 at 22:10
  • 1
    @Olba12's landlord probably only cares about which servers they connect to and HTTPS doesn't change anything in this regard. You should take a look at the standard Ubuntu wallpapers, they're amazing. Posting stuff with background images visible should be fine where I live but just to be sure I added the license. Thanks. – UTF-8 Sep 11 '16 at 22:21
  • It is impossible to know what the landlord is thinking, he probably thinks he is being clever and "protecting" himself having misread some computer misuse legislation somewhere. As long as the OP is not doing anything dodgy, he is unlikely to actually have an issue. If he is doing something dodgy then I respectfully suggest we shouldn't be helping him! ;) Haven't used Ubuntu desktop much recently only server. I have my own amazing pics on my 3 Windows monitors B-) Nice job on the license. – Julian Knight Sep 11 '16 at 22:33
  • 1
    The DNS issue can be mitigated by using DNSCrypt – Antzi Sep 12 '16 at 02:35
  • 1
    @UTF-8 good point about just watching which server the OP is connecting to; maybe he wants to check if the user belongs to some community which he doesn't want them to be in. – Walfrat Sep 12 '16 at 06:45
  • 1
    @JulianKnight "If he is doing something dodgy then I respectfully suggest we shouldn't be helping him!" - I think that's very morally untrue. How do you feel about the right of guilty to competent legal defense? Seems to me that landlords spying on tenant Internet traffic is an evil no matter what he might or might not find out about it. – Dronz Sep 12 '16 at 07:47
  • 1
    @Dronz: I am not making any judgement either way. I don't know enough. All I am pointing out is that, if the OP is doing something legally dubious, this forum should not be supporting it. I am not suggesting that he is. It seems that the landlord is being an ass in how he is treating his customers but that doesn't mean he is doing anything wrong either - we don't have enough context to judge that. It isn't necessarily "evil" to monitor traffic for wrongdoing when you own the network. – Julian Knight Sep 12 '16 at 07:50
  • Thoughtless stupidity is far more common than deliberate malfeasance. – Julian Knight Sep 12 '16 at 07:52
  • Correctly setting up a VPN is pretty hard in my experience. I strongly recommend using a separate computer for it (or if your main OS is in a VM, a separate VM). Personally I use a pfSense VPN gateway VM since I only want to tunnel the traffic from a particular VM and not from my main OS. – CodesInChaos Sep 12 '16 at 11:20
  • The DNS issue can also be solved with Tor. – v7d8dpo4 Sep 12 '16 at 12:38
  • On Linux Mint I do not have the option "Configure VPN". But I have Network proxy. I checked and OpenVPN is installed on Mint. I found the following link, which tells you how to set it up. https://community.linuxmint.com/tutorial/view/1965 But I do not know how secure it is, or if it will be working? – Olba12 Sep 12 '16 at 13:54
  • @Olba12 I deem it very unlikely that your landlord will try to break the encryption. If you want to set a custom DNS server, this has already been solved [here](http://serverfault.com/questions/416708/how-to-ensure-openvpn-connection-uses-specific-dns). `8.8.8.8` is Google's DNS server. – UTF-8 Sep 12 '16 at 17:45
  • Please note that [PPTP has serious security vulnerabilities](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security) that may significantly reduce its value for providing traffic confidentiality. – user Sep 12 '16 at 20:54
3

You have a series of options depending on how much money you are willing to spend, how much work you are willing to do, your technical expertise and how much speed you need.

  • You should be using HTTPS Everywhere to begin with - this will make sure that you use HTTPS on every site that supports it, so that the content of your communications cannot be monitored. However he will still see where the traffic goes, so with just this, he will know what sites you visit, but not what pages you look at in them or what you do.
  • Get a VPN. It's better to pay for a reputable one (in a jurisdiction where they can be sued on your behalf) to avoid the risk of the VPN operator spying on you. Route all traffic through VPN, block everything else, your neighbor will see you only ever connecting to one domain/set of IPs and sending encrypted packets he can't read.
  • Use Tor for everything. It will be slow, and while I think you can route things like torrent traffic through it (there's guides online) I doubt it would be worth it due to the slow speed. Tor is kind of like a VPN, except it's more decentralized - the differences mainly relate to security from governments, irrelevant in your case.
  • Connect your phone to the computer, tether, turn off wifi and turn on data through the mobile network, use that. Completely bypasses landlord's connection, but slow and you need unlimited data on your plan.
  • Get your own internet connection.
Superbest
3

To explain this, first some background information: As confirmed in the comments, the described situation is for an apartment in a so called "Studentenwohnheim", a student residence supplied by organizations connected to the university, usually the so called "Studentenwerk".

For the most part, these are residential complexes with many small renting units, to keep costs low for the students living there. Very often, as also seems to be the case here, these renting units are wired with LAN and run an intranet spanning the entire complex, sometimes interconnecting with the networks of other "Studentenwohnheim"-locations in the area and/or the actual university network.

Thus these networks are actively managed to some degree to keep them under control. While it can be assumed that there is no malicious intent on your landlords side (remember it's not a singular person running the show, but an organisation), be aware that you are connected to an intranet and may be exposed to other residents network traffic and/or expose yours to them. The grade of isolation from other residents may vary from one Studentenwohnheim to another.

If you choose to actually connect a router to that network, be VERY careful how you configure it. Some ban the usage of almost any personal network equipment (just imagine what happens if inexperienced residents decide to plug in some cheap SOHO routers to a building-wide physical network, spamming it with various DHCP services), or even any network services, monitoring tools, sniffers or whatever.

I won't go into detail regarding methods to protect your privacy on that network, as the other answers here already did a great job describing your options. But if you decide to go for a VPN provider, choose one where you can use non-standard ports for establishing the connection, as those may be blocked by your network.

I am not familiar with the prices of 4g/LTE in Germany, so I can not say if that is an option yet.

Actual 4G/LTE in terms of speed is still kind of expensive; if you plan to use more than 5GB in a month you would be better off getting a DSL contract on your own with an ISP of your choice, cutting your landlord's network out of the picture. Just ask them beforehand whether that is an option, but usually it is, since the Studentenwerk networks don't offer phone services but rental offers in Germany have to offer you access to landline phone service providers somehow (as far as I know).

kasoban
1

Since you are not technically savvy, you might find TOR a little difficult to set up.

If so, you should find it easier to use the Java Anon Proxy (here the English and the German Wikipedia entries).

It is a German university project, so should get you reasonable speeds.

Aaargh! My company firewall won't let me access the site in order to quote from it, so here is some info from Wikipedia (I won't quote the German version).

Java Anon Proxy, also known as JAP or JonDonym, is a proxy system designed to allow browsing the Web with revocable pseudonymity.[3] It was originally developed as part of a project of the Technische Universität Dresden, the Universität Regensburg and Privacy Commissioner of Schleswig-Holstein. The client-software is written in the Java programming language.

Cross-platform, free and open source, it sends requests through a cascade and mixes the data streams of multiple users in order to further obfuscate the data to outsiders.

JonDonym is available for all platforms that support Java. Furthermore, ANONdroid is a JonDonym proxy client for Android.[4][5]

Cost, name change and commercial service

Use of JonDonym has been (and still is) free, but since financial backing of the original research project ran out on 22 June 2007, a startup, Jondos GmbH, was founded by members of the original project team. Jondos GmbH has taken over development and continues to work on an improved blocking resistance function that would make it easier for users from restrictive countries to get a connection to the system[citation needed]. To cover costs of running mix cascades and increase speed as well as anonymity, Jondos and other Internet firms[who?] launched a commercial version of the anonymizing proxy.

As a consequence, the JAP client has been renamed to JonDo and the service itself from AN.ON to JonDonym.[6] JonDonym mix cascades are mostly operated by SMEs in multiple countries and mix cascades always include three mix servers for advanced security. As contractors of Jondos GmbH must ensure sufficient throughput of their mixes, anonymous web browsing at standard DSL speeds is possible[citation needed]. Cost free Cascades are still in operation, although they do not offer the low latency, multiple Mixes per Cascade or guaranteed bandwidth the commercial ones do.

Privacy

The online activities of the user can be revealed if all Mixes of a cascade work together by keeping log files and correlating their logs.[7] However, all Mix operators have to sign a voluntary commitment not to keep such logs, and for any observer it is difficult to infiltrate all operators in a long cascade.

In July 2003, the German BKA[8][9] obtained a warrant to force the Dresden Mix operators to log access to a specific web address, which was hosting child pornography. AN.ON then decided to introduce a crime detection function in the server software in order to make this possible. The feature was made transparent by publishing the changed source code on August 18, 2003, and subsequently criticized by many users. For the Dresden Mix, the feature continues to be part of their software until today. Tracing activities back in the past is still technically not possible for the operators, but anonymity now extends only to the timepoint that a surveillance court order is issued.[10] It was pointed out though that the new feature was covered by the AN.ON threat model and not a security leak by itself.

As a reaction to the threat from local authorities, the system has spread internationally. If the Mixes of a cascade are spread over several countries, the law enforcement agencies of all these countries would have to work together to reveal someone's identity.[11] AN.ON publishes every year the number of successful and unsuccessful surveillance court orders.[12] Further research is being done by AN.ON to make the crime detection functionality more privacy-friendly.[3]

Since May 2005, JonDonym can also be used as a client for the Tor network and since 2006 also for the Mixminion network.[13] These features are still in an early stage and only available in the beta version of the software.

1

I doubt that Ja ich weiss, daß meine Daten überprüft werden. means that particularly your traffic is inspected.

I understand from your question that the landlord offers you internet service, and thus, by German law, is acting as an ISP and thus has to follow the regulation for ISPs, including everything regarding lawful interception, data preservation, etc.

If I were you I wouldn't bother too much.

countermode
0

I appreciate all the other answers which go out of their way to explain TOR etc., but let's be realistic here.

We are talking about a small dormitory bureaucracy in 2016 Germany, not some dictatorship that sends men to knock down your door in the night because you sent a mail with the word "freedom" in it. The OP very likely is not going to buy weapons in the darknet or something like that.

Your landlord is acting like an ISP for you, so it has (or thinks it has) some legal obligations in that respect, which may or may not be "good" but are certainly not "evil" in the sense that you will get thrown into a dank cellar until you rot. Very likely they do not have a dedicated lawyer to write those sentences in your contract, so they tend to err on the tougher side, from their point of view.

Simply treat your internet connection like you would a public WLAN, or a company internet connection with limited private usage, and you will be fine. Obviously use HTTPS for all "interesting" connections (banking etc. - they won't offer anything else, anyways); make sure your POP3/IMAP client uses TLS or similar so your passwords (and mails, obviously) do not go over the wire unencrypted. You should find some option for that in the settings of your mail client, no need to get fancy with VPNs.

As they mention that ludicrous 30GB limit, they are very likely mainly concerned about people stuffing up the lines with endless movie downloads. They probably could not care less about any legality issues there, but they likely do not have an extremely wide uplink and want to avoid people complaining that network access is very much slower than advertised, all the time.

If you absolutely want to access some sites that nobody else should know about, then get an auxiliary UMTS/LTE stick and go crazy over that connection, keeping your landlords line for general Youtube consumption or whatever.

AnoE
0

Additional idea: it could be useful if, together with your VPN traffic, you also generate a lot of normal, non-problematic, neutral traffic as well. It also solves the problem of the significant overhead of Tor.

It is also useful if you are using a VPN whose protocol is a normal TLS connection, for example because it is embedded in HTTPS. OpenVPN can do this quite well. If you can do this on TCP port 443, nobody will ever be able to tell that you aren't just a regular visitor of a high-traffic HTTPS site.

There is also the possibility of using a Tor gateway, not in your home but on your remote server. It would also protect you from possible eavesdropping by your hosting provider (which, in my opinion, is much more likely than in the case of your landlord).

It is also important to hide your DNS traffic as well, because the site names you queried may reveal too much about your real communication channels. Everything should be embedded into your "normal" "https" connection.

peterh
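A way to verify the DNS point raised in the answer and comments above, as an added example that is not from any of the original answers: it parses the text of `ip route show` and /etc/resolv.conf, does a longest-prefix-match route lookup the way the kernel would, and reports whether general traffic and every configured resolver would leave through the VPN interface. The routing table and resolver samples are constructed; `tun0` and the 10.8.0.0/24 addresses assume an OpenVPN client brought up with `redirect-gateway def1`, which installs two /1 routes over the tunnel rather than replacing the default route.

```python
"""Offline check for traffic and DNS leaks in a Linux VPN setup.

Added example (not from the original answers). Feed it the text of
`ip route show` and /etc/resolv.conf; it answers which interface a
packet to a given destination would exit through.
"""
import ipaddress

# Constructed sample: OpenVPN client with `redirect-gateway def1`.
# Note the original default route via eth0 is still present; the two
# /1 routes via tun0 win only because of longest-prefix matching, so a
# naive "is the default route tun0?" check would report a false leak.
SAMPLE_ROUTES_VPN = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""
# Constructed resolv.conf variants: resolver pushed by the VPN (good)
# versus the landlord's DHCP resolver still listed first (DNS leak).
SAMPLE_RESOLV_OK = "nameserver 10.8.0.1\n"
SAMPLE_RESOLV_LEAK = "search lan\nnameserver 192.168.1.1\nnameserver 10.8.0.1\n"


def parse_ip_route(text):
    """Turn `ip route show` lines into (ip_network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue  # blank line or a route without an exit device
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def lookup(routes, destination):
    """Device a packet to `destination` exits through (longest prefix match)."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]


def check_vpn(ip_route_text, resolv_conf_text, vpn_dev="tun0",
              probe="93.184.216.34"):
    """Report the exit device for a public probe address and for each resolver.

    A resolver that would not exit via `vpn_dev` (or is unroutable) is a leak:
    the landlord's network would still see every hostname you look up.
    """
    routes = parse_ip_route(ip_route_text)
    traffic_dev = lookup(routes, probe)
    dns_leaks = [ns for ns in parse_resolv_conf(resolv_conf_text)
                 if lookup(routes, ns) != vpn_dev]
    return {"traffic_dev": traffic_dev,
            "traffic_leaks": traffic_dev != vpn_dev,
            "dns_leaks": dns_leaks}
```

On a real machine the two inputs come from `ip route show` and `cat /etc/resolv.conf`; the host route to the VPN server itself is expected to stay on the physical interface.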
-1

There are a few ways you could make the landlord not want to look or regret looking at your logs.

Set up a honeypot, a webpage that when visited by someone without your credentials (browser header info etc.) then delivers malicious code/a program (this could be as simple and benign as an infinite alert or something really malicious). You then visit it lots (make it serve to you as little data as possible, if any data at all, to save your data limits) and then if your landlord visits it, they regret it.

Do the same as above but with rather than malicious content, just have content that the landlord would not want to see, something like lemon party or tubgirl.

Have a program that will put random noise into the logs by visiting lots of websites/making lots of connections, this could be a simple web crawler. The only issue with this is that it will use up your data allowance but this is just an option

This applies if your bandwidth only gets reduced once at 30GB (side note: track your own data usage and see if it is 30GB or 30Gb, as B is bytes and b is bits, and in networking you usually work in bits, not bytes, which are usually 8 bits. If they are limiting your data at 30Gb when the contract says 30GB then you may have them for breach of contract) rather than getting reduced at 30GB and then reduced more and more the more you use it. Once you get slowed down, you could just try to use as much of the bandwidth as you can to try to fill up whatever storage media they use to store the traffic; this can be done in many ways. Depending on the system, once the storage is full, it will either stop collecting new data (unlikely) or will remove older data faster, thus giving them less time to review it. This method is unlikely to work as storage is cheap and bandwidth is small, but it's worth a try.

These are just some silly ideas. They are not meant to be taken 100% seriously.

Rory Alsop
Topher Brink
-1

SOCKS has been mentioned but I'd like to add redsocks, which makes all your traffic go through your SOCKS proxy (presumably provided by ssh -D). This has an Android version too. I find this much easier to set up than a VPN. Finally, you can use sslh on the server end to make your SSH available at port 443 (if your server doesn't have a web page then of course you can just put SSHD on 443).

chx