Can your internet service provider see your browsing history?

The answer is yes. Your ISP (Internet Service Provider) can see your search history. Exactly how much of your search history your ISP can see depends on your service agreement, where you live, and the web pages you visit.

Updated on: March 20, 2024

What your internet service provider (ISP) can really see

All ISPs track their customers’ data. In fact, if you live in the US, UK, EU, or Canada, the ISP is legally obliged to monitor your internet activity and retain it for a specific period (more about this later). 

If you want to check how much of your internet browsing data your ISP can see, read the privacy policy first. It’s likely to be attached to your service agreement, or you can view it online.

AT&T is the most popular ISP in the US, together with Verizon. We had a look at its privacy policy to understand just how much customer browsing activity, together with other data, it collects. Here’s what we found.

In addition to personal information needed to start using its services (account information), AT&T collects extensive data on your equipment, network performance and usage, location, and biometric information. The paragraph on web browsing and app information is the longest one by far. In it, we read that AT&T logs the websites you visit, the apps you use on your mobile phone, your IP address, how much time you spend and the ads you click, the search terms you enter, and they even have a peek into your shopping cart. That’s a lot of data. 

Note that the company does not “decrypt information you transmit using a secure website or app.” This means that there are ways in which you can hide your browsing traffic. To find out how to do that, you can jump right here.
Verizon’s privacy policy is very similar, if slightly more vague. In addition to screen recordings and cursor movements, it also records “other attributes” which are not specified.

Can your mobile data provider see your browsing history?

Your mobile data provider is just another internet service provider. It can see all your online activity and browsing history the same way your home ISP does. Have a look at the privacy policy of your mobile data provider to learn just how much data it collects. 

What do internet service providers (ISPs) usually see?

Your ISP owns or rents the infrastructure through which all of your web traffic passes. It allows data packages to travel between your device and the internet. Therefore, it has easy access to your internet browsing history. Here’s the online data most ISPs have access to and what is often referred to as ISP tracking. 

The websites you visit

Your ISP can see the websites you visit, like theoceancleanup.com or wikipedia.org. That said, if you only browse HTTPS websites, it will not see which pages you visited or what you did there. This is because your ISP doesn’t have access to encrypted web traffic. In practice, whenever you’re on a secure URL (starting with https://), your ISP cannot see what exactly you do there. 

Your browsing history after you deleted it

Even after a user deletes their browsing history, internet service providers may retain certain records of their online activity. ISPs can store metadata, such as DNS records, which include the domain names and IP addresses associated with previously visited websites. While traces of specific page content may be deleted from the user’s browser, records of domain visits and IP addresses remain in the ISP’s logs. 

Incognito browsing history?

Incognito browsing enhances privacy on your device by, among other things, deleting your browsing history once you close the incognito mode tab or window. This way, the websites you visited are not stored by your browser. However, your ISP logs them just the same, together with your IP address.

Search queries

The majority of search engines use the HTTPS protocol to encrypt the connection between users and their services. This means your search queries are not visible to your ISP, even if you type them into the address bar of your browser.

That said, even on an encrypted connection, metadata connected to your search activity may be visible, such as the domain of the search engine used, the timing of the query, and the frequency of data exchanges. This metadata can provide some insights into user behavior.

YouTube videos you watch 

As YouTube is an HTTPS-encrypted website, your ISP will see that you visited youtube.com, when you visited, and how much time you spent there but will not see the content you watched.

Social media 

Your ISP can see that you’re engaging with social media because it logs the web pages you visit. However, the specific content of your interactions on social media, including your posts, messages, and comments, is encrypted when using HTTPS connections. The same is true when you connect to social media using an app on your phone.

It’s important to note that social media companies themselves have access to the content of your interactions on their platforms, as they provide the services and manage the data.

IP address

Your ISP can see your IP address. Your IP address is essential to how data packets are routed on the internet. When you connect to the internet, your ISP assigns you an IP address, which is used to identify your device and route data to and from it.

Downloads

Provided you download files from websites protected by HTTPS, the ISP cannot see the contents of your downloads or the names of the files you’re downloading. ISPs do, however, monitor the amount of data you are downloading to evaluate network usage. Based on this information, they may charge you more or reduce your bandwidth (the latter is called bandwidth throttling).

DNS requests

DNS, or the Domain Name System, acts as the internet’s address book, translating human-readable domain names into numerical IP addresses. By monitoring DNS requests, ISPs can discern the websites users visit, which can reveal their web activity and interests. Additionally, ISPs may track DNS server interactions, which, in turn, may expose specific DNS settings used by individuals. However, if you visit HTTPS web pages exclusively, your ISP cannot see anything beyond the domain, main page, time, and frequency of your visits.

Metadata

ISP monitoring encompasses collecting various types of metadata, including details about the timing and frequency of data exchanges, data usage, connection logs, and, sometimes, device information.

Why does the ISP have access to my browsing history?

ISPs need access to their customers’ internet history for management and security purposes. Here’s what they use it for:

• Network management: ISPs use data to optimize their networks, ensuring efficient data transmission and minimizing congestion, ultimately leading to better customer service quality.

• Security: Monitoring data helps ISPs detect and mitigate security threats, such as malware, phishing attempts, or denial-of-service attacks, to protect customers and maintain network integrity.

• Billing: ISPs track data usage for billing purposes. The goal is to ensure that customers are accurately charged for the data they consume.

• Compliance: ISPs may collect data to meet legal requirements and cooperate with law enforcement or government agencies in investigations, including responding to subpoenas or court orders.

• Marketing and advertising: ISPs may use, share, and store data to deliver targeted advertising or content. 

If you have concerns about the potential use of your browsing history, you’re not the only one. In addition to collecting and monitoring your online activity, some IPSs share the information they collect without users’ consent.    

The information your ISP can legally share (and sell)

ISP data sharing, just like data storage, varies from country to country. 

United States

In the US, ISPs can share customer data with third parties under certain conditions, subject to compliance with federal laws. This includes sharing data with:

• Government agencies: for law enforcement, national security, and regulatory purposes.
• Affiliates: ISPs can share data with affiliated companies, such as subsidiaries or corporate partners, for business purposes.
• Third-party advertisers: ISPs can share customer data with third-party advertisers and data brokers, but they must offer opt-out options to customers.
• Service providers: ISPs may share data with service providers who assist with network management, billing, or other operational aspects.

As some of this information is very valuable, you may wonder if ISPs in the US also try to profit from selling it to third parties. Sadly, the answer is yes. The Federal Communications Commission (FCC) law preventing ISPs from selling users’ data without their consent was repealed in 2017. Furthermore, the FCC is forbidden to issue similar consumer privacy protections in the future.

Canada

Canada did not follow the US’s lead in terms of data privacy. In Canada, ISPs can only share your browsing history and other internet usage data with your express permission. In addition, Canadian providers can share information with government agencies for law enforcement purposes and service providers.

European Union and United Kingdom

The General Data Protection Regulation (GDPR) places strict controls on data sharing. The UK implemented the EU GDPR as part of its national law through the Data Protection Act 2018. This legislation ensures that GDPR data protection and privacy standards remain in effect in the UK even after Brexit. According to these standards, your personal information cannot be collected without your permission, and selling it is illegal.

In the EU and the UK, ISPs may share data with:

• Government agencies: data sharing with government agencies is subject to stringent legal requirements and oversight.
• Service providers: sharing data with service providers for network management and operational purposes is allowed and common under the GDPR but must comply with data protection principles.

Your internet service provider can keep your data long after you unsubscribe

The information your internet service provider (ISP) legally shares with third parties is subject to data retention laws. These laws vary from country to country but generally specify how long an ISP can store your personal data.

Data retention laws are designed to protect your privacy by preventing ISPs from storing your personal information indefinitely. However, these laws also allow governments to request access to customer data in criminal investigations. In the United States, for example, ISPs must retain all subscriber information for one year after they cancel their service.

That said, some ISPs hold on to users’ data for much longer than that, with AT&T retaining it for seven years.

In the European Union, the Data Retention Directive requires ISPs to retain all subscriber information for at least six months and no more than 24 months after they cancel their service. The law was repealed in 2014, but many countries still have similar laws in place.

How to stop ISP tracking

There are several ways in which you can limit ISP tracking. Some level of network monitoring is necessary for ISPs to deliver their services, which is why it’s impossible to stop ISP tracking completely. That is unless you decide to start providing internet access yourself (which is possible). 

Here are a few tried and tested options.

Using a virtual private network

Using a virtual private network (VPN) is one of the most effective ways to limit ISP tracking. With a VPN service, your internet traffic is encrypted and routed through a VPN server, which masks your actual IP address and makes it more difficult for your ISP to track your online activity. A VPN connection creates an encrypted tunnel between your device and the internet. All of your browsing activity passes through this tunnel, meaning that any transmitted data is encrypted and, therefore, hidden from your ISP. This means that your ISP can still see the overall amount of data you send over your internet connection but has no records of the domains and pages you visit.

Private browsers

Private browsers also play a role in limiting the visibility of your browsing history. Some, like the Brave browser or the Tor browser, offer encrypted connections by default at the device level. Others (Firefox, Oracle, and Google Chrome) will connect to HTTPS websites only if you enable a HTTPS forcing mode. To determine which private browser is the best option for your needs, read our recommendations here.

Private search engines

Most private search engines use encryption protocols and anonymization techniques to prevent the tracking of users’ IPs. One crucial aspect is limited data retention. Unlike mainstream search engines that may store user browsing history for extended periods, a private search engine typically does not retain or collect personally identifiable information or search history data. 

The future of internet privacy

As technology advances, so does the potential for more sophisticated tracking and data collection methods. While governments and regulatory bodies recognize the need to protect individuals’ online privacy rights, the implementation of stronger privacy laws and data protection measures in some regions is lagging. In the meantime, we must proactively ensure the privacy of our online activities, including browsing history, by using the tools at our disposal: a VPN service, a privacy-focused browser, a private search engine, as well as being mindful of the data we share online.

FAQ