What Your ISP Can Actually See — With and Without a VPN

Your internet service provider sits between you and the entire internet. Every request your device makes passes through their infrastructure. But what can they actually see? The answer depends on whether you are using HTTPS, a VPN, both, or neither.

Most VPN marketing exaggerates the threat. Most people underestimate it. This article gives you the accurate picture.

Without HTTPS and without a VPN

This is the worst case, and it is increasingly rare. If you visit a website that uses plain HTTP — no padlock in the address bar — your ISP can see:

• — The full URL of every page you visit
• — The content of the page itself
• — Any data you submit in forms — search queries, login credentials, messages
• — Your DNS queries — the domain names your device looks up
• — Your IP address and the destination server's IP address
• — Timestamps of every connection

In 2026, fewer than 5% of web pages are served over plain HTTP. But some older sites, some IoT devices, and some misconfigured services still use it. On those connections, your ISP sees everything.

With HTTPS but without a VPN

This is how most people browse the internet today. Over 95% of web traffic uses HTTPS, which encrypts the connection between your browser and the website. Here is what changes.

Your ISP can no longer see:

• — The specific pages you visit (only the domain, not the full URL path)
• — The content of the pages
• — Anything you type into forms — passwords, searches, messages
• — The content of file downloads or uploads

Your ISP can still see:

• — Which domains you connect to. They know you visited reddit.com, but not which subreddit or post you read. They know you went to webmd.com, but not which condition you searched for.
• — Your DNS queries. Unless you are using encrypted DNS (DoH or DoT), your ISP sees every domain name your device looks up — even before the connection is established.
• — The IP addresses of the servers you connect to. In many cases, this reveals the service, because large platforms use known IP ranges.
• — Connection timestamps and data volume. They know when you connected, how long you stayed, and roughly how much data was transferred.
• — The SNI field. During the TLS handshake, your browser sends the domain name in plaintext via Server Name Indication (SNI). This is visible to your ISP. Encrypted Client Hello (ECH) is designed to fix this, but adoption is still limited in 2026.

HTTPS protects the content of your communication. It does not hide who you are communicating with. Your ISP builds a detailed map of every service you connect to, when, and how often.

With a VPN (and HTTPS)

When you connect to a VPN, all of your traffic is encrypted and routed through the VPN server before reaching the internet. Here is what your ISP sees now.

Your ISP can see:

• — That you are connected to a VPN server (they can see the VPN server's IP address)
• — The total volume of data transferred
• — The timestamps of your VPN connection
• — That encrypted traffic is flowing — but nothing about its contents or destination

Your ISP can no longer see:

• — Which domains you visit
• — Your DNS queries (these go through the VPN tunnel)
• — The IP addresses of the websites and services you connect to
• — The SNI field or any other connection metadata
• — Anything about what you are doing online — only that you are using a VPN

This is the core value proposition of a VPN, stated accurately: it prevents your ISP from building a log of which services you use and when you use them.

What a VPN does not hide

A VPN shifts the trust from your ISP to the VPN provider. Your ISP can no longer see your browsing metadata — but your VPN provider theoretically can. This is why the VPN company's logging policy and ownership matter more than any feature on their spec sheet.

A VPN also does not protect you from:

• — Tracking by websites you are logged into. If you log into Google, Facebook, or Amazon, those companies know exactly what you do on their platforms regardless of your IP address.
• — Browser fingerprinting. Your browser's configuration — screen resolution, installed fonts, timezone, language settings — creates a fingerprint that can identify you across sites without cookies or IP addresses.
• — Malware or phishing. A VPN encrypts your traffic in transit. It does not scan for malicious content or prevent you from clicking a phishing link.
• — Data you voluntarily share. If you post personal information, fill out forms, or grant app permissions, a VPN does not undo that disclosure.

Why this matters in the United States

In 2017, Congress voted to repeal FCC rules that would have required ISPs to get your consent before collecting and selling your browsing data. As of 2026, your ISP in the United States is legally permitted to:

• — Collect your browsing metadata (which domains you visit, when, how often)
• — Sell that data to advertisers and data brokers
• — Use it for their own targeted advertising

This is not a hypothetical concern. AT&T, Verizon, and Comcast have all been documented using browsing data for advertising purposes. A VPN is one of the few practical tools that prevents this collection at the source.

The accurate summary

Here is what you should take away from this:

• — HTTPS protects content. The substance of your browsing is encrypted on over 95% of the web. Your ISP cannot read your emails, see your passwords, or view the pages you read.
• — HTTPS does not protect metadata. Your ISP sees which domains you visit, when, and how often. This is a detailed behavioral profile, and in the US, they can sell it.
• — A VPN protects metadata from your ISP. It encrypts everything — including DNS queries and domain names — so your ISP sees only that you are connected to a VPN.
• — A VPN shifts trust to the VPN provider. This is why who owns your VPN is the most important question in this entire discussion.

If you decide a VPN is right for you, choose one based on ownership and transparency, not server count or speed test marketing. We have a comparison page that shows where PlanckVPN stands — including where we lose.

Sources

• — US Congress — S.J.Res.34: Disapproval of FCC broadband privacy rules (2017)
• — Jason A. Donenfeld — WireGuard: Next Generation Kernel Network Tunnel (whitepaper)