

Your Internet Service Provider is the company that sells you internet access. Comcast, AT&T, Spectrum, BT, Vodafone. Whatever the name, they operate the physical infrastructure your traffic travels through: the cables, the routers, the DNS resolvers.
Because every packet you send passes through their network before it reaches the rest of the internet, they have a structural view of your traffic that no website, advertiser, or app can match. They see everything at the network level, including the metadata that application-layer encryption leaves in the clear.
Without any additional protection, your ISP can see:
Every domain you visit: When your device wants to reach a website, it first asks a DNS resolver to translate the domain name into an IP address. Unless you are using encrypted DNS, that query travels in plaintext. Your ISP operates the default DNS resolver for most customers, so they see every domain lookup you make.
The IP addresses you connect to: Even if a DNS query were encrypted, the connection itself still goes to a destination IP. Your ISP routes that connection and can see where it is going.
Timestamps and connection duration: They know exactly when you connected to a service and for how long. Patterns of when you use certain services are themselves a form of data.
How much data you transfer: Volume to specific destinations. Streaming a lot of video to one IP at a consistent time every evening is identifiable behaviour.
Your assigned IP address: They gave it to you. They have a record of which customer held which IP at which time.
Some ISPs also deploy Deep Packet Inspection (DPI), hardware that can read the content of unencrypted traffic in real time. DPI is used to shape bandwidth, identify protocols, and in some jurisdictions to comply with government surveillance requirements.
HTTPS encrypts the content of the connection between your browser and a website. Your ISP cannot read the page content, your login credentials, your search queries on that site, or any data you submit in forms. This is meaningful and important.
What HTTPS does not hide is the destination. When your browser opens a TLS connection, it sends a Server Name Indication (SNI) field in the handshake [1]. The SNI contains the hostname in plaintext so the server knows which certificate to present. Your ISP sees that field. They know you connected to reddit.com. They do not know which subreddit you visited or what you read or wrote.
This is a real and significant gap. Knowing that someone visits a medical information site every day, or a support forum, or a news outlet from a particular country, reveals meaningful information even without the page content.
There is a newer standard called Encrypted Client Hello (ECH) that encrypts the SNI field [6]. Browser and server support is still limited, so for most connections today the hostname remains visible to your ISP even over HTTPS.
A VPN creates an encrypted tunnel between your device and a VPN server. All of your traffic goes through that tunnel before reaching the internet. From your ISP's perspective:
Destinations are hidden: Your ISP sees traffic going to the VPN server's IP address. They do not see which sites or services you are connecting to beyond that.
DNS queries are hidden: A VPN routes your DNS lookups through its own resolver. Your ISP no longer handles your DNS, so the domain names you look up are not visible to them.
Content is encrypted: Everything inside the tunnel is encrypted. DPI cannot read it.
Individual connection timing is obscured: Your ISP sees one persistent connection to a VPN server, not individual connections opening and closing to different destinations.
This is where DNS over HTTPS [2] and DNS over TLS [3] are relevant even without a VPN. They encrypt your DNS queries so your ISP cannot see the domain lookups. They do not hide the destination IPs or provide an encrypted tunnel for your traffic, but they close the DNS gap specifically.
A VPN is not invisible. Your ISP can still see:
That you are using a VPN: Your ISP sees traffic going to a VPN server. The IP range, port, and traffic pattern are identifiable. We cover this more in the next section.
Total data volume: They know how much data you transferred in total, even if they cannot see where it went.
When you are connected: They know when the VPN tunnel was active. Presence and duration are still visible.
Your own IP address: Your ISP assigned it. They know it.
There is also the question of what happens beyond your ISP. Websites and services you log into still know who you are. Google, if you are signed in, still sees your activity. Advertisers using browser fingerprinting can still identify your device. A VPN shifts the visibility problem away from your ISP but does not eliminate it.
This is why the EFF describes a VPN as a tool that replaces trust in your ISP with trust in your VPN provider [4]. If the VPN provider logs your activity, you are in a similar position. The no-logs policy and its honest enforcement are what matter.
Can your ISP tell that you are using a VPN? Yes, with high reliability. VPN protocols have recognisable characteristics: WireGuard runs over UDP on port 51820 by default. OpenVPN uses UDP or TCP on port 1194 by default, though it can be configured to run on port 443. IKEv2 uses UDP ports 500 and 4500. These are known patterns.
ISPs and network administrators also maintain lists of IP addresses known to belong to VPN providers. Traffic going to those IPs is identifiable as VPN traffic even without inspecting the protocol.
Deep Packet Inspection can distinguish VPN-shaped traffic from regular HTTPS traffic even when a VPN is configured to run on port 443. The traffic patterns, packet sizes, and timing characteristics differ enough to be statistically identifiable.
In most countries, using a VPN is legal and your ISP knowing you use one carries no consequence. In countries with restrictive internet policies this is different, which is why some VPN providers offer obfuscation modes that disguise VPN traffic as ordinary HTTPS. BuycatVPN is available in countries where VPN use is legal.
What your ISP can technically see and what they are required to keep are different questions, and the answer varies by country.
In the United Kingdom, the Investigatory Powers Act 2016 requires ISPs to retain internet connection records (the domains visited and services used) for 12 months [5]. These records are accessible to a wide range of government agencies without a warrant in some circumstances.
In the United States, there is no current federal law requiring ISPs to retain browsing data for a minimum period. However, the FCC's 2016 broadband privacy rules, which would have restricted how ISPs could use and sell browsing data, were repealed by Congress in 2017. ISPs can and do use traffic data for ad targeting and sell aggregated data to brokers.
In the European Union, the Data Retention Directive was struck down by the Court of Justice in 2014 as incompatible with fundamental rights. Individual member states have varied in how they implemented replacement frameworks. The practical result is that data retention obligations differ significantly across EU countries.
[1] D. Eastlake, RFC 6066, Transport Layer Security (TLS) Extensions: Extension Definitions, IETF, January 2011. Defines Server Name Indication, which exposes the hostname you are connecting to during the TLS handshake.
[2] P. Hoffman and P. McManus, RFC 8484, DNS Queries over HTTPS (DoH), IETF, October 2018.
[3] Z. Hu et al., RFC 7858, Specification for DNS over Transport Layer Security (TLS), IETF, May 2016.
[4] Electronic Frontier Foundation. Guidance on evaluating VPN providers and understanding what VPNs protect against.
[5] Investigatory Powers Act 2016. Requires UK ISPs to retain internet connection records (ICRs) for 12 months.
[6] Cloudflare, 2023. Explains how ECH closes the SNI hostname leak that persists with standard TLS.