What your ISP can actually see, and how to limit it
Your internet provider sits between you and everything you do online, so it is worth understanding what that position actually reveals. The honest answer in 2026 is: less than it used to, more than many people assume, and a clear set of steps narrows it further. Here is what your provider can see, what it cannot, and what to do about it.
What they can see
Even with modern encryption, your provider can observe a few things by the nature of routing your traffic.
They can see which servers you connect to, at the IP address level, and roughly when and how much data you exchange. They can often see the domain names you look up if you use their default DNS, and in many cases the hostname of the site you visit even over an encrypted connection, because that name has historically been sent in the clear during connection setup. They know your account, so all of this ties to you rather than to an anonymous stream.
What that adds up to is a metadata picture: the sites you visit and the timing, if not the contents.
What they cannot see
HTTPS, which now covers the overwhelming majority of the web, encrypts the actual contents of your traffic. Your provider cannot read the pages you view, the messages you send, your passwords, or what you type into a form on an encrypted site. They see that you connected to a domain, not what you did once you were there. This is a genuine improvement over a decade ago, when far more traffic was readable in transit.
So the accurate framing is not that your provider reads your browsing, but that it can build a list of where you go and when.
The steps that limit it
A few concrete changes shrink that metadata picture, in rough order of effort to payoff.
Turn on encrypted DNS. Most current browsers and operating systems support DNS over HTTPS or DNS over TLS, which stops your provider from seeing your domain lookups through its default resolver. Pointing your device at a privacy-respecting resolver takes a few minutes and removes one of the clearest signals.
Make sure Encrypted Client Hello is enabled where your browser supports it. This is the piece that closes the old gap where the destination hostname was visible during connection setup. It depends on both the site and your browser supporting it, so it is not universal yet, but it is worth having on.
Use a VPN if you want to move the visible endpoint. A VPN sends all your traffic through an encrypted tunnel to the provider’s server, so your internet provider sees only that you connected to the VPN, not the sites beyond it. You are choosing to trust the VPN provider instead, which is why picking a trustworthy one matters, and we cover the ones that hold up. A VPN is the biggest single reduction in what your provider can observe, at the cost of that shifted trust.
Keeping it in perspective
None of this means your provider is spying on your every move, and treating it as a crisis leads to bad decisions. In many places providers are limited in what they may retain or sell, though the rules vary and change, which is worth following in our security news. The reasonable goal is to give away less metadata by default, not to assume the worst.
If you do one thing, enable encrypted DNS today. If you want to go further, add a reputable VPN and turn on Encrypted Client Hello. That combination covers what your provider can realistically see for the effort involved. For the wider picture of reducing what you leak, see our realistic privacy guide, and read our disclosure for how we handle links.