What your ISP can see — and what the law lets them do
Your internet provider logs more than you think. Here's exactly what they capture, store, and who they can share it with.
Updated 2026-04-11
What your ISP can actually see
Your ISP sits between your device and every website you visit. Even with HTTPS, they can see every domain you visit — just not the specific pages. They see your IP address, timestamps, data volumes, and DNS queries (the "phonebook lookups" your device makes before connecting to a site). They cannot read the content of encrypted traffic, but the metadata alone paints a detailed picture of your life.
What they store — and for how long
Storage requirements vary by country. In Australia, ISPs are legally required to retain metadata for two years under the Telecommunications (Interception and Access) Act 1979. In the UK, connection records must be kept for 12 months under the Investigatory Powers Act 2016. In the US, there's no federal requirement — but ISPs routinely store data voluntarily, and since 2017 FCC deregulation, they can sell it to advertisers.
Who can access that data
Law enforcement agencies can request or compel access to stored metadata in most countries — often without a warrant for metadata (as distinct from content). In Five Eyes countries, intelligence agencies can share data across borders. This means a request from a US agency can, under certain arrangements, access data held by Australian or UK providers.
What a VPN changes (and what it doesn't)
A VPN encrypts traffic between your device and the VPN server, so your ISP sees only an encrypted tunnel to a single IP address — not the sites you visit. However, the VPN provider now has access to some of that traffic metadata instead. This trades one party for another, so provider trust and jurisdiction matter enormously.
Ready to act on this?
We've reviewed the tools so you don't have to.