Here is something that should bother you more than it does. The company you pay every month for internet, the company whose hardware sits inside your house and sees every single packet you send, has a separate, very profitable business that involves selling information about your behavior to advertisers, data brokers, and political campaigns. They are not breaking any law. In the United States, they are not even doing anything controversial in the eyes of regulators. They are just operating in the legal framework that has existed since 2017.
This guide is a complete, technical, honest accounting of what your ISP actually sees, what they actually sell, and what stops them. No conspiracy theories. Just public regulatory filings, published privacy policies, and well-documented technical realities.
The Architecture: How an ISP Sees Your Traffic
To understand what your ISP can profile, you need a quick mental model of how data leaves your home.
Every request from your phone, laptop, smart TV, refrigerator, doorbell, and printer goes to your home router. The router forwards it to the ISP's local equipment (the cable modem termination system in cable networks, the DSLAM in DSL networks, or the optical line terminal in fiber). From there it travels through the ISP's regional aggregation network and eventually exits onto the public internet.
At every single one of those hops, the ISP can install monitoring equipment. They are not doing this to spy on you in a creepy way. They are doing it because the data has commercial value. Every major US ISP has had what is called a "data analytics" or "advanced advertising" division for over a decade.
What ISPs See, Even With Full HTTPS
Let us set aside the contents of your traffic, because HTTPS encryption does protect those. Here is what is left over, all of which is fully visible to your ISP.
Every domain name you visit
This is the big one. There are two ways your ISP learns the domains you visit even when the page itself is encrypted:
- DNS queries. Before your browser can connect to a site, it has to look up the IP address. By default, that lookup goes to your ISP's DNS server in plain text. Your ISP sees the full domain name. Even DNS-over-HTTPS only helps if you have specifically configured your browser to use a third-party resolver like Cloudflare or Quad9.
- SNI in the TLS handshake. Even with encrypted DNS, your browser tells the server "I want to connect to example.com" in the unencrypted Server Name Indication field of the TLS handshake. Encrypted SNI exists but is not yet rolled out widely enough to matter.
The combination means your ISP has a complete log of every domain you visit, in real time, with timestamps. They cannot read what you did at facebook.com or pornhub.com or substack.com, but they know you went there, when, and for how long.
Every device on your network and what category each one is
Your ISP can fingerprint each device on your network based on its DHCP behavior, its MAC address, the patterns of traffic it generates, and the cloud services it talks to. They know which packets came from your iPhone vs your Roku vs your Ring doorbell vs your Tesla. This lets them build per-device profiles, not just per-household.
Patterns that imply behavior
This is the most invasive layer and almost nobody talks about it. From traffic patterns alone, your ISP can infer:
- What time you wake up and go to sleep (when device traffic starts and stops)
- Whether you are home (constant background traffic from smart devices)
- Roughly what kind of show you are watching, by the data rate and CDN endpoints
- Whether you are on a video call and approximately how long
- What apps you use most, by traffic share to known cloud destinations
- Even, in some cases, that you are typing, based on packet timing patterns
The Legal Framework in the US
In October 2016, the FCC under chairman Tom Wheeler passed a rule requiring ISPs to get explicit user consent before collecting or selling sensitive browsing data. In April 2017, that rule was repealed via Congressional Review Act resolution before it ever took effect. Since then, US ISPs operate under no specific federal data privacy framework.
State-level frameworks have started to emerge:
- California (CCPA / CPRA): Provides general data rights including the right to opt out of sale. Applies to ISPs.
- Virginia, Colorado, Connecticut, Utah: Similar but weaker frameworks.
- Federal: No comprehensive data privacy law as of mid-2026.
This means that for most US users, ISPs can legally collect, package, and sell behavioral data without specific consent, as long as they disclose this practice somewhere in a privacy policy that nobody reads. The opt-out, where it exists, is buried multiple clicks deep in account settings.
Notable cases on record
- Verizon "supercookies" (2014-2016): Verizon was discovered injecting an undeletable tracking header into all HTTP requests from its mobile customers. The header allowed advertisers to track users across sites without consent. Verizon settled with the FCC for 1.35 million dollars and was forced to add an opt-out, but the supercookie infrastructure itself was not dismantled.
- AT&T tiered privacy pricing (2013-2016): AT&T charged customers an extra 30 dollars per month for an "Internet Preferences" opt-out that prevented them from collecting browsing data for advertising. Privacy was sold as a premium feature.
- Comcast Plume / Xfinity xFi profiling: Comcast's smart home gateway profiles every device on the network, identifies the type, and offers parental controls. The same data feeds Comcast's advertising business.
What Gets Sold, and to Whom
The data ISPs collect generally moves through three commercial channels.
1. Their own advertising businesses
Verizon Media (formerly Yahoo, sold off in 2021), Xandr (AT&T's ad tech, sold to Microsoft in 2021), and Comcast Advertising are all internal advertising businesses that use ISP data to target ads. Even after divestiture, the data-sharing relationships often persist.
2. Data brokers
Companies like Experian, Acxiom, Oracle Data Cloud, and LiveRamp purchase aggregated browsing data from various sources, including ISPs in some cases. They package it into "audiences" sold to advertisers. The data is described as "anonymized" but academic research has repeatedly shown that browsing pattern data can be deanonymized to specific individuals with as few as four datapoints.
3. Government and law enforcement
Through subpoena, warrant, or the FBI's National Security Letter program, ISPs hand over user data on a regular basis. Most of these requests are gagged, meaning the user is never notified. Public transparency reports from major ISPs show:
- Verizon: hundreds of thousands of US government requests per year
- AT&T: similar volume
- Comcast: lower volume but still tens of thousands annually
What a VPN Actually Does Here
This is where the math gets clean. With a properly configured VPN running, what your ISP sees changes dramatically.
| Without VPN | With VPN |
|---|---|
| Every domain visited (logged) | One encrypted endpoint per session |
| DNS queries in plain text | DNS resolved by VPN provider, invisible to ISP |
| Per-device traffic profiles | Aggregated traffic from one tunnel |
| Behavioral patterns inferable | Patterns hidden inside a single tunnel |
| Third-party data broker sale viable | Data not commercially useful |
The ISP knows you are using a VPN (the destination IP belongs to a known VPN provider's range), but they have no insight into what you do once inside. The data they can package and sell becomes effectively zero. This is the core technical reason a VPN is worth paying for in any country with a permissive ISP-data regulatory environment.
The Catch. You have not eliminated the problem. You have moved it from your ISP to your VPN provider. If your VPN keeps logs, sells data, or operates in a hostile jurisdiction, your situation is no better. The whole point of paying a VPN is that you trust them more than you trust your ISP. Choose accordingly.
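An added example, not code from the original article, covering both the behavioral-inference list above and the without/with VPN comparison: it runs simple per-device profiling over constructed flow metadata (minute of day, device, destination, bytes; no payload, as with HTTPS), then re-runs the same profiling after modelling a router-level VPN that collapses every flow into one gateway talking to one endpoint. Device names, destinations and the byte counts are constructed sample values.

```python
from collections import defaultdict

# Constructed sample of flow metadata (not a real capture). Each tuple is
# (minute_of_day, device, destination, bytes): the view a middlebox keeps
# even when every flow is HTTPS, since it never needs payload.
FLOWS = [
    (15, "doorbell", "ring-cloud", 1_200),        (380, "doorbell", "ring-cloud", 1_300),
    (395, "phone", "apple-push", 3_000),          (402, "phone", "instagram-cdn", 45_000),
    (1200, "tv", "netflix-cdn", 900_000_000),     (1260, "tv", "netflix-cdn", 880_000_000),
    (1320, "laptop", "zoom", 400_000_000),        (1350, "laptop", "zoom", 420_000_000),
    (1395, "phone", "instagram-cdn", 60_000),     (1425, "doorbell", "ring-cloud", 1_250),
]
ALWAYS_ON = {"doorbell"}   # IoT that chatters around the clock says nothing about sleep

def device_profiles(flows):
    """Per device: first/last active minute, dominant destination, byte share per destination."""
    first, last, by_dst = {}, {}, defaultdict(lambda: defaultdict(int))
    for minute, dev, dst, nbytes in flows:
        first[dev] = min(first.get(dev, minute), minute)
        last[dev] = max(last.get(dev, minute), minute)
        by_dst[dev][dst] += nbytes
    out = {}
    for dev, dsts in by_dst.items():
        total = sum(dsts.values())
        out[dev] = {"active": (first[dev], last[dev]),
                    "top_dst": max(dsts, key=dsts.get),
                    "share": {d: round(b / total, 3) for d, b in dsts.items()}}
    return out

def wake_sleep(flows):
    """Household wake/sleep guess: earliest and latest activity from devices that are not always-on."""
    mins = [m for m, dev, _, _ in flows if dev not in ALWAYS_ON]
    return min(mins), max(mins)

def through_router_vpn(flows, endpoint="vpn-exit"):
    """Model a router-level VPN: every flow now leaves as the gateway talking to one endpoint.
    Timing and volume survive the tunnel; device identity and destination do not."""
    return [(m, "gateway", endpoint, b) for m, _, _, b in flows]

if __name__ == "__main__":
    for label, f in (("without VPN", FLOWS), ("with VPN", through_router_vpn(FLOWS))):
        print(label, "wake/sleep minutes:", wake_sleep(f))
        for dev, prof in device_profiles(f).items():
            print(" ", dev, prof["active"], prof["top_dst"], prof["share"])
```

Once tunneled, the only profile left is one gateway with a 100 percent share to the VPN endpoint, and the wake/sleep guess is polluted by the doorbell's overnight traffic because the observer can no longer tell IoT from phones. What does survive is total volume and the minutes at which anything at all was active, which is the residual the page's maximum tier is aimed at.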
The Encrypted DNS Half-Measure
You may have heard "just turn on DNS over HTTPS" as a cheaper alternative to a VPN. This is half a solution. Encrypted DNS (DoH or DoT) hides your domain lookups from your ISP. That is real progress. But:
- Your ISP still sees the SNI in the TLS handshake of every connection, so they still get domain names that way
- Your ISP still sees all the IP addresses you connect to, which often map back to specific services
- Your ISP still sees traffic volumes, timing, and per-device patterns
Encrypted DNS is good hygiene. It is not a substitute for a VPN if your goal is to stop ISP profiling.
What ISPs Do With "Anonymized" Data
Every ISP privacy policy says some version of "we may share aggregated and de-identified data with our partners." This sounds harmless. It is not.
Researchers have shown repeatedly that anonymized browsing logs are trivially reidentifiable. A 2023 paper from Princeton CITP demonstrated that 95 percent of users in a sample dataset could be uniquely identified from just four browsing datapoints (top-level domains visited within a 24-hour window). Anonymization, in practice, is a thin legal fiction that lets ISPs say truthful things in privacy policies while shipping data that is reidentifiable.
Practical Privacy Setup, Tier by Tier
Minimum: stop the easy bleed
- Set your DNS to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) at the router level
- Enable encrypted DNS in Firefox / Chrome / Edge
- Opt out of every "advanced advertising" or "internet preferences" program your ISP offers
This roughly cuts your ISP's data take by 50 percent. Better than nothing.
Recommended: full VPN coverage
- Install a reputable VPN on every device
- Enable always-on VPN at the OS level (Android, iOS supervised, or via router config)
- Turn on the kill switch
- Run a VPN leak test to confirm no DNS leaks
This drops your ISP's data take to near zero.
Maximum: hostile-environment grade
- VPN at the router level, so every device is protected including IoT
- Multi-hop VPN configuration so even the first VPN provider does not see your origin
- Tor for individual sensitive sessions, layered on top
- Encrypted DNS pointed at a VPN provider's resolver, not the ISP's
The Verdict
Your ISP is not your enemy in the cinematic sense. They are simply a regulated business that has been given permission to monetize an asset (your behavioral data) and is doing so rationally. The fix is not anger. The fix is to make their data collection useless. A VPN does that cleanly. Encrypted DNS helps. Opt-outs help marginally. Awareness alone does nothing.
If you have read this far and you do not have a VPN running yet, you have already given your ISP another month of profile data. They will sell it. The ad networks will pay them for it. Tomorrow you will see ads that match what you did yesterday and assume that is normal. It is normal. It does not have to be your normal.