IPExposed
Privacy Guide

Can My ISP See What I Browse?

5 min read · Updated April 2026

Yes — but the details matter. Your Internet Service Provider (ISP) — the company you pay for internet access, such as Comcast, AT&T, Verizon, or BT — sits directly between your device and the rest of the internet. Every connection you make passes through their network first. The real question is not whether they can see your traffic, but what exactly they can see, what they keep, and what they are allowed to do with it.

What Your ISP Actually Sees

When you connect to a website, your device sends a request that travels through your ISP's infrastructure before reaching its destination. Several things happen at the ISP level that are largely invisible to you.

Domain Name System (DNS) lookups. Before your browser can load any website, it must translate the site's name (like example.com) into an IP address. By default, this lookup goes to your ISP's DNS servers — in plain text, with no encryption. Your ISP therefore sees every domain name you look up, with a timestamp. This happens before any HyperText Transfer Protocol (HTTP) or HTTPS connection is established.

Connection metadata. Even when you use encrypted connections, your ISP records the destination IP address you connected to, the time and duration of the connection, and the amount of data transferred. This metadata is often more revealing than the content itself — patterns of behavior can identify visits to health sites, financial services, political forums, or other sensitive categories.

Unencrypted traffic. If you visit a site that still uses plain HTTP (not HTTPS), your ISP can see the full page content, including any text you submit in forms. Most major sites now use HTTPS, but some smaller or older sites do not.

Does HTTPS Hide Your Browsing From Your ISP?

This is one of the most common misconceptions about web privacy: that switching to HTTPS makes your browsing invisible to your ISP. The reality is more nuanced.

HyperText Transfer Protocol Secure (HTTPS) encrypts the content of your connection — the page text, images, and any data you submit. Your ISP cannot read the specific page you loaded or the search terms you typed. That is genuine protection.

However, HTTPS does not hide the domain name of the site you are visiting. The reason is a feature of how encrypted connections are established called Server Name Indication (SNI). When your browser initiates a Transport Layer Security (TLS) handshake with a website, it must tell the server which domain it wants — so the server knows which certificate to present. Until Encrypted Client Hello (ECH) becomes universally adopted, this SNI field is sent in plaintext, before the encryption kicks in.

Mozilla's developer documentation on HTTPS explains the protocol in detail, and the TLS 1.3 specification is documented in RFC 8446 at the IETF. Cloudflare's explanation of SNI covers why the domain name leaks and what ECH aims to fix.

In practical terms: your ISP sees "you connected to facebook.com at 9:14 PM and transferred 4 MB over the next 23 minutes." They do not see which specific posts you read, what you typed in messages, or which profiles you visited. That distinction matters — but so does the amount of behavioral intelligence that metadata alone can provide.

Can Your ISP Sell Your Browsing Data?

In the United States, yes — and many have.

In 2017, the US Congress voted to repeal Federal Communications Commission (FCC) broadband privacy rules that would have required ISPs to obtain customer consent before selling browsing data to advertisers. The FCC's record of the proceeding documents the rule that was eliminated. Following the repeal, several major US ISPs acknowledged selling or sharing aggregated browsing data with marketing firms.

The Electronic Frontier Foundation has documented ISP data-selling practices extensively, including the types of data shared and the legal frameworks (or absence of them) that govern this activity.

In the European Union, the situation is different. The General Data Protection Regulation (GDPR) classifies IP addresses and browsing data as personal data. ISPs operating in EU member states must have a legal basis to process this data — typically either consent or a legitimate interest — and cannot sell it to third parties for advertising without your explicit permission. Data-retention periods are also regulated.

How to Stop Your ISP From Seeing Your Browsing

There are several practical steps you can take, with different trade-offs in effort and effectiveness.

Use a Virtual Private Network (VPN). A VPN creates an encrypted tunnel between your device and a VPN server. Your ISP sees that you connected to a VPN server and the amount of data you transferred — but not the sites you subsequently visited through the tunnel. The VPN provider then sees your traffic instead of your ISP, so the choice of trustworthy provider matters. Check your connection now — we show your ISP's name and whether you are currently connecting through a VPN.

Use encrypted DNS (DNS over HTTPS or DoH). By switching your DNS resolver to a provider that supports DoH — such as Cloudflare (1.1.1.1) or Google (8.8.8.8) — and enabling DoH at the browser or OS level, you prevent your ISP from reading your DNS lookups. This does not hide the destination IP addresses, but it closes the DNS plaintext leak that most users are unaware of.

Use the Tor network. Tor routes your traffic through three volunteer-run relay nodes, encrypting it at each hop. Your ISP sees that you are using Tor but nothing more. Tor provides the strongest anonymity of these options, but at a significant speed cost.

So What Does This Mean for You?

Even if you trust your ISP personally, the legal framework in most countries does not require them to act in your interest. In the US, the rules that would have constrained ISP data sales were deliberately removed. Your browsing habits — aggregated over months and years — represent a detailed record of your health concerns, financial situation, political interests, and personal relationships. That record is collected as a matter of course and, in many jurisdictions, can be monetized without your knowledge.

The tools to limit this exposure exist and are increasingly accessible. The question is whether the potential harm feels abstract enough to ignore — or concrete enough to act on.

Sources