How Your ISP Tracks Your Online Activity (And What to Do)
Your ISP is the pipe through which everything flows. Before it reaches Google, before it hits your VPN server, before any third-party tracker sees it — your ISP sees it first. And they've been building a detailed picture of your activity since the moment you signed up.
What Your ISP Can See
Every DNS query your device makes goes through your ISP's resolver by default. That's a timestamp and a domain name for every site you visit. Even if you're on HTTPS — even if the content of your browsing is encrypted — the DNS query reveals the domain. Your ISP knows you visited a mental health site at 2am, a recruitment site on Monday morning, and a political forum three times this week.
Beyond DNS, your ISP sees the IP addresses your device connects to, the volume of data transferred, and the timing. With this metadata alone — no content required — they can often identify which services you're using. Netflix traffic has a recognisable pattern. BitTorrent has a recognisable pattern. Even an encrypted VPN tunnel has a recognisable pattern.
Deep Packet Inspection
Some ISPs deploy deep packet inspection (DPI) — hardware that inspects the actual content of unencrypted traffic in real time. DPI can identify applications, extract unencrypted data, throttle specific traffic types, and in some countries, censor specific content. Telecoms-grade DPI hardware processes tens of gigabits per second.
The shift to HTTPS has reduced what DPI can read, but not what it can observe. Encrypted traffic still has metadata — packet sizes, timing, connection patterns — that DPI systems can analyse for traffic classification.
The Legal Framework They Operate Under
In the US, a 2017 Congressional resolution rolled back FCC privacy rules that would have required ISPs to get explicit consent before selling browsing data. The result is that US ISPs can legally sell anonymised browsing data to advertisers. In the EU, GDPR provides stronger protections but doesn't stop ISPs from retaining traffic metadata for law enforcement purposes.
Most ISPs have mandatory data retention obligations imposed by government. In the UK, the retention period is 12 months. In many EU countries, court rulings have rolled back blanket retention requirements, but targeted retention on specific users can still be ordered.
What Actually Helps
DNS-over-HTTPS removes the DNS visibility your ISP had. A no-logs VPN removes the IP and content visibility. Together, they reduce your ISP to seeing encrypted traffic going to your VPN server — metadata-only, and not much useful metadata at that. Neither solution is magic, and neither replaces understanding what you're actually protecting.