Your ISP is watching: what your provider actually sees
Your internet service provider sits between you and every website you visit. Every byte you send and every byte you receive passes through their network. They know everything about the metadata of your internet life. Most users do not understand how much.
This is what they actually see, what they are legally allowed to do with it, and how that varies by country.
What your ISP can see
Three categories. Worth understanding the distinction.
1. DNS queries. Every time you type a domain (or click a link), your computer asks a DNS server for the IP. Most users use their ISP's DNS by default. The ISP sees every domain you look up — google.com, your bank, your dating profile, the medical-symptom site you visited at 3am.
DNS queries are unencrypted by default. Even if you use a third-party DNS resolver (Cloudflare's 1.1.1.1, Google's 8.8.8.8), the ISP can see the destination IP of those requests, infer they are DNS lookups, and, because the queries are still plaintext, read them. Encrypted DNS, whether DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), hides the queries from the ISP, but adoption is uneven.
2. SNI in TLS handshakes. Every HTTPS connection starts with a TLS handshake. The Server Name Indication (SNI) field tells the server which hostname the client is connecting to — and it is sent in plaintext. So even when the rest of your traffic is encrypted, the ISP sees the hostname of every site you visit at the start of every connection.
Encrypted Client Hello (ECH) is the standard that fixes this. It is being deployed by Cloudflare and supported by Firefox and Chrome behind a flag. Most traffic in 2026 still has plaintext SNI. The ISP knows what sites you visit even when it does not know what you read on them.
3. Connection metadata. Source IP (yours), destination IP (the server's), timestamps, packet sizes, traffic timing patterns. From this, ISPs can identify protocols (BitTorrent, video streaming, VoIP), services (Netflix vs YouTube vs Zoom by traffic shape), and behaviour (when you sleep, when you work, which devices are active).
What ISPs cannot see: the content of encrypted traffic. HTTPS, encrypted messaging, your VPN tunnel — these are unreadable to the ISP. They see that you connected, when, for how long, and to which IP. Not what you said.
What ISPs do with that data
Three things, roughly in order of how widespread:
Operational use. Capacity planning, traffic management, abuse handling, law-enforcement compliance. Every ISP does this. It is not optional.
Commercial monetisation. Selling browsing data to advertising networks, data brokers, and analytics firms. Whether this is allowed depends on country.
Government compliance. Retaining data for fixed periods so authorities can subpoena it. Whether this is mandated depends on country.
United States: ISPs can sell your data
The US has no comprehensive federal privacy law. ISPs are regulated as common carriers under the Communications Act, but the FCC's 2016 broadband privacy rules — which would have required ISPs to get opt-in consent before selling browsing data — were repealed in March 2017 by Congress under the Congressional Review Act.
Since then, US ISPs have been legally allowed to sell browsing data without opt-in consent. Most major ISPs (Comcast, Verizon, AT&T, T-Mobile, Charter/Spectrum) have data-monetisation programs. Verizon's "Custom Experience" and AT&T's "Internet Preferences" are the explicit names; opt-out exists but is buried in account settings most users never visit.
For US users, the assumption should be: if you have not specifically opted out, your ISP is monetising your browsing data. The opt-out exists; finding it takes deliberate effort.
United Kingdom: 12 months of mandatory retention
The Investigatory Powers Act 2016 (the "Snoopers' Charter") requires UK ISPs to retain "internet connection records" for 12 months. ICRs include source IP, destination IP, time, duration. Authorities can request access without a warrant in some categories; with a warrant, they can request more detail.
The IPA also authorises bulk interception capabilities for the intelligence services. The Court of Appeal ruled parts of the 2016 act unlawful in 2018; the government has not fundamentally rewritten the framework.
For UK users, the assumption should be: there is a 12-month rolling window of metadata about your internet activity sitting at your ISP, retrievable by various government bodies under various levels of authorisation.
Australia: 2 years of mandatory retention
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 requires Australian ISPs to retain metadata for 2 years. The retained data covers source and destination, time, duration, account information, and location. 21 designated agencies, including the AFP and ASIO, can access the metadata itself without a warrant.
Australia has no comprehensive privacy law for ISP commercial data use. ISPs operate under the Privacy Act 1988 plus telecommunications-specific rules; the framework has been criticised for under-protecting users.
Russia: SORM real-time access
Russia operates the Sistema Operativno-Rozysknykh Meropriyatii (SORM), equipment installed at every Russian ISP since SORM-2 (1995). The FSB has direct, real-time access to Russian internet traffic without a court order being shown to the ISP.
The Yarovaya laws (2016, expanded 2019) require ISPs and messaging services to retain user metadata for 6 months and content for up to 6 months, and to provide decryption keys to security services on request.
For Russian users, the assumption should be: every domestic ISP is a direct surveillance pipeline. A VPN out to a non-Russian exit moves the surveillance question from "what FSB can see directly" to "what the VPN provider's jurisdiction allows."
European Union: GDPR limits, but data retention varies
The General Data Protection Regulation (GDPR) limits commercial use of personal data, including ISP browsing data, more strictly than US law. ISPs cannot sell browsing data without explicit consent.
Mandatory data retention for law-enforcement purposes is more complicated. The 2006 Data Retention Directive was struck down by the European Court of Justice in 2014 (Digital Rights Ireland case) for being overly broad. Member states have implemented their own retention laws since, with varying degrees of court challenge. Germany's retention law was also struck down in 2010.
The current state varies by EU member: France retains for 1 year, Italy for varying periods, and the Netherlands has had earlier retention regimes pushed back by court rulings. The general direction has been toward more restrictive retention than the US/UK/Australia model.
Other notable cases
China. Internet traffic routes through state-mandated infrastructure with comprehensive monitoring. ISPs are direct extensions of state surveillance. The Great Firewall provides the filtering layer; the monitoring layer is broader.
Iran. Comprehensive ISP-level monitoring under the Cyberspace Supreme Council and the Filtering Committee. Documented prosecutions of dissidents using ISP-level metadata.
Singapore. The PDPA limits commercial use; the Computer Misuse Act and various other laws authorise broad investigatory access.
Most of Latin America and Africa. Less formal mandatory retention; commercial ISP data monetisation varies; governmental access varies enormously by political environment.
What a VPN actually changes
A VPN encrypts the connection between your device and the VPN provider. From the ISP's perspective, all your traffic becomes a single encrypted tunnel to one IP — your VPN provider's exit server.
What the ISP sees with a VPN active:
- Source: your IP
- Destination: the VPN provider's exit IP
- Volume: how much data flowed through the tunnel
- Duration: when the tunnel was up
What the ISP does not see:
- Which sites you visited (no SNI, no DNS queries leaking out)
- What protocols you used (BitTorrent, streaming, gaming all look the same)
- What you wrote, watched, or downloaded
This shifts the trust question. Instead of trusting your ISP, you are trusting your VPN provider. The VPN provider can see what your ISP saw before: your DNS queries, your SNI, your destinations. The relevant questions become:
- Does the VPN provider log this data? A genuinely no-logs provider does not.
- What jurisdiction is the VPN provider in? Some jurisdictions can compel logs.
- Has the no-logs claim been independently verified? Audits exist for some providers.
- What is the payment trail? Crypto payment limits the link between your account and your real identity.
A VPN does not eliminate trust. It moves it. Whether the move is worth it depends on whether your VPN provider is genuinely more trustworthy than your ISP for your specific threat model.
What a VPN does not change
Worth being honest about:
- Logged-in services still know who you are. Google, Facebook, your bank — they identify you by login, not IP. A VPN does not anonymise you to services where you are signed in.
- Browser fingerprinting still works. Tracking pixels, cookies, browser characteristics all still identify you across sites. A VPN is a network-layer privacy tool, not an application-layer one.
- Your local network is still your local network. Anyone on your home Wi-Fi sees your DNS queries before they hit the VPN tunnel (depends on configuration). The kill switch matters here.
For most users, the relevant scope of a VPN is: the ISP cannot see your activity. That is what most users want, and that is what a VPN delivers.
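One way to check that claim on your own machine is to capture on the physical interface while the VPN is up and confirm that nothing but the tunnel leaves the device. The sketch below is an added example, not Fexyn's code; the flow records, the `VPN_EXIT` address and the category names are constructed assumptions.

```python
import ipaddress

# Constructed sample: flows seen on the physical interface (not the tunnel
# interface) while the VPN is up. 203.0.113.10 is a hypothetical VPN exit IP.
VPN_EXIT = "203.0.113.10"
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
SAMPLE_FLOWS = [
    {"dst": "203.0.113.10", "proto": "udp", "dport": 51820},  # the tunnel itself
    {"dst": "192.168.1.1", "proto": "udp", "dport": 53},      # lookup sent to the router
    {"dst": "198.51.100.7", "proto": "tcp", "dport": 443},    # HTTPS outside the tunnel
    {"dst": "192.168.1.20", "proto": "tcp", "dport": 445},    # LAN file share
    {"dst": "224.0.0.251", "proto": "udp", "dport": 5353},    # mDNS multicast
]

def classify(flow, vpn_exit=VPN_EXIT):
    """Label one outbound flow by what an on-path observer learns from it."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst == ipaddress.ip_address(vpn_exit):
        return "tunnel"        # only volume and duration are visible
    if flow["dport"] == 53:
        return "dns-leak"      # plaintext lookup left the device outside the tunnel
    if dst.is_multicast or any(dst in net for net in LAN_NETS):
        return "local"         # stays on the home network
    return "bypass"            # destination IP and SNI exposed to the ISP

def audit(flows, vpn_exit=VPN_EXIT):
    """Group destination IPs by category; anything but 'tunnel' and 'local' is a finding."""
    findings = {}
    for flow in flows:
        findings.setdefault(classify(flow, vpn_exit), []).append(flow["dst"])
    return findings

if __name__ == "__main__":
    for category, dests in audit(SAMPLE_FLOWS).items():
        print(f"{category:9s} {dests}")
```

The port-53 check runs before the LAN check on purpose: a lookup sent to the home router is local traffic, but it is still a query that escaped the tunnel.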
Where Fexyn fits
We are a VPN provider. We are biased about whether you should use a VPN — we sell them. We are honest about what we can and cannot offer:
- No browsing history logs, no DNS query logs, no traffic content logs
- Crypto payment as an option for users who want minimal account-to-identity linkage
- Wyoming (US) jurisdiction — we acknowledge this is Five Eyes; the no-logs structure is the mitigation
- WFP-based kernel kill switch on Windows so DNS queries never leak around the tunnel
- VLESS Reality with Vision flow for users in countries where standard VPN protocols are blocked
We have not yet completed an independent third-party audit. Planned for 2026. For users who require third-party validation today, ProtonVPN and Mullvad have current audited claims that we do not yet match. We say that openly.
Frequently asked
Can my ISP see what I do on HTTPS sites?
Partially. They see the hostname (via SNI), the destination IP, traffic patterns. They do not see the page contents. Encrypted Client Hello (ECH) is being deployed to fix the SNI part; most traffic in 2026 still leaks SNI.
Can my ISP see what I do over a VPN?
No, beyond the existence of the VPN tunnel itself. They see encrypted traffic to your VPN provider's IP. They do not see what is inside.
Can my ISP block VPN use?
Some try. Most do not. ISPs in censorship-heavy countries (China, Iran, Russia, UAE) actively block known VPN protocols. ISPs in most democracies do not block VPN traffic, though some throttle it during peering disputes or congestion.
Does my ISP sell my data?
In the US, probably yes unless you have specifically opted out. In the UK and Australia, less commercial use but mandatory government-access retention. In the EU, GDPR limits commercial use. Country specifics vary.
Should I use a VPN at home?
If you care about ISP visibility into your browsing, yes. If you do not, you do not need one for ISP-privacy reasons. There may be other reasons (geo-bypass, protection on public Wi-Fi when travelling, censorship circumvention) that do or do not apply to you.
Last reviewed 2026-05-09.