Connection Logs: IP and Timing Data
Every device that connects to the internet receives an IP address from your ISP via DHCP. ISPs log which customer account was assigned which IP address at what time — this record is what law enforcement uses to identify who made a particular connection. These records are typically retained for 6 months to several years depending on jurisdiction and ISP policy.
Beyond the customer-to-IP mapping, ISPs can log every connection your devices make: destination IP addresses, connection timestamps, data volumes, and protocol types. This metadata reveals which services you use, even when the content is encrypted — your ISP knows you connected to Netflix's servers for 2 hours even if they cannot see what you watched.
DNS Query Logs
DNS (Domain Name System) queries translate domain names (example.com) into IP addresses. By default, your router sends DNS queries to your ISP's DNS resolvers. Your ISP can see every domain name you look up — a comprehensive record of every website you visit, every app that makes a network request, and every service your smart home devices contact.
DNS query logs are arguably the most privacy-sensitive data ISPs collect. A complete DNS history reveals browsing patterns, health conditions searched, news sources read, and services used. Switching to encrypted DNS (DNS over HTTPS or DNS over TLS) with a non-ISP resolver prevents your ISP from reading DNS queries, though they can still see the destination IP addresses of your connections.
Deep Packet Inspection (DPI)
Deep packet inspection is a technique where network equipment examines the payload (content) of data packets, not just their headers. ISPs use DPI for legitimate purposes: detecting malware traffic, enforcing usage policies, and classifying traffic for Quality of Service (QoS) prioritization. Some ISPs also use DPI for behavioral advertising, building profiles based on what sites you visit and what content you view.
HTTPS encryption limits DPI to header information: the ISP can see the destination domain (via TLS SNI, the Server Name Indication field in the TLS handshake) and the destination IP address, but not the page content or what you typed. A VPN prevents DPI entirely at the ISP level by encrypting all packets before they leave your device.
Legal Requirements and Data Requests
ISPs in many countries are legally required to retain certain data for specified periods and to provide it to law enforcement upon legal request (warrant, court order, or national security letter depending on jurisdiction). In the EU, the Data Retention Directive previously required metadata retention; after it was struck down, individual member states implemented their own rules. In the US, ISPs retain data based on their own policies and provide it in response to legal process.
Understanding the distinction between the data ISPs collect technically (because they can) and what they actively log and retain (based on law and policy) matters for privacy assessment. Many ISPs collect more than they disclose in their privacy policies, and privacy policies can change without meaningful notice.
ISP Data Collection Summary
| Data Type | Collected By ISP? | Encrypted Traffic Hides It? | VPN Prevents Collection? |
|---|---|---|---|
| DNS queries (domains you visit) | Yes (if using ISP DNS) | No (DNS is plaintext by default) | Yes (DNS goes through VPN tunnel) |
| Destination IP addresses | Yes | No (IPs are in packet headers) | Partially (ISP sees VPN server IP) |
| Connection timestamps and duration | Yes | No | Partially (VPN connection still visible) |
| Data volume per connection | Yes | No | Partially (total VPN volume visible) |
| Page content (HTTP) | Yes (if HTTP) | Yes (HTTPS encrypts body) | Yes |
| Page content (HTTPS) | No | Yes | Yes |
| Customer-to-IP mapping | Yes | No | No (ISP still knows your account) |
| TLS SNI (domain in HTTPS handshake) | Yes (unless ESNI/ECH used) | Partial (SNI often unencrypted) | Yes |
Frequently Asked Questions
Can I stop my ISP from collecting my data?
You can limit collection significantly. Use encrypted DNS (DoH or DoT) to hide domain queries; use a VPN to hide destination IPs and encrypt all traffic; use HTTPS-only browsing (most modern browsers enforce this by default); and use a browser with Encrypted Client Hello (ECH) support to hide even the domain name in the TLS handshake. You cannot prevent your ISP from recording that you are connected to the internet or from seeing your VPN connection.
Do ISPs sell your browsing data?
In the US, ISPs are permitted to sell anonymized aggregate data under FCC rules, though regulations have changed over time. Some ISPs have operated opt-out targeted advertising programs that use browsing data. In the EU, GDPR restricts selling personal data without explicit consent. Check your ISP's privacy policy and look for opt-out options for marketing or data sharing programs.
Does a VPN completely hide my internet activity from my ISP?
A VPN hides the content and destination of your traffic — your ISP sees only encrypted traffic going to the VPN server. However, your ISP still knows: your IP address (assigned by them), that you are using a VPN (visible from the connection to the VPN server), and your total bandwidth consumption. They do not know which websites you visit inside the VPN tunnel.
What is encrypted DNS and should I use it?
Encrypted DNS (DNS over HTTPS or DNS over TLS) sends your domain name lookups through an encrypted channel to a DNS resolver that is not your ISP. This prevents your ISP from reading which domain names you query. Configure it in your browser (Firefox and Chrome support DoH natively) or on your router to protect the entire home network. Use a reputable resolver like Cloudflare (1.1.1.1), Google (8.8.8.8), or NextDNS.