What your ISP can see that websites can’t
Websites see one visit each. Your internet provider sees all of them. What HTTPS hides, what it doesn’t, and what your provider does with the rest.
6 min read · Reviewed July 2026
A website sees you once. Your internet provider sees everything — every site, every device, every hour of the day, tied to a billing account with your legal name on it. If you’re going to spend privacy effort anywhere, this is the relationship worth understanding.
What HTTPS actually hides
Most of the web is encrypted now, and that genuinely matters. With HTTPS, your provider cannot read page contents, form entries, passwords, or which specific article you’re reading. What it still sees: the domain you’re connecting to, when, how often, and how much data moves. It knows you spent two hours on youtube.com; it doesn’t know what you watched.
Metadata sounds harmless until you accumulate it. Domain history alone reveals your bank, your health concerns (that specialty clinic’s website), your politics, your job hunt, and when you’re home. Nobody needs to read your messages to know you.
DNS: the quiet leak
Every time you visit a site, your device first asks a DNS server to translate the name into an address — and by default, that server belongs to your provider. Even encrypted browsing announces its destinations through DNS. Switching to encrypted DNS (DoH or DoT, offered free by Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8) closes that particular window in about two minutes of settings work. It’s the best privacy-per-effort upgrade most people can make.
What providers do with it
In the US, providers can legally use and share browsing metadata for advertising in ways that would surprise most customers — the FCC rules that would have required opt-in consent were repealed in 2017. Practices vary by company and country, and the details live in privacy policies nobody reads. The honest summary: assume your metadata has commercial value and is treated accordingly.
Providers also keep connection logs — which customer had which IP when — typically for months to a couple of years, and hand them over under legal process. That’s the mechanism that connects an IP address to a name. Websites can’t do that. Your provider can.
If you want to change the balance
Encrypted DNS hides destinations from casual logging. A trustworthy VPN moves the visibility from your provider to the VPN company — worth it if you trust the VPN’s no-logs audit more than your provider’s ad policy, pointless if you don’t. And separating identities helps more than people expect: the provider account is in your name, but guest networks, mobile data, and public Wi-Fi all break the neat one-account-one-history picture.