ISP (Internet Service Provider)

An ISP is an Internet Service Provider: the company that provides internet connectivity to a residence or business, and (in mobile contexts) the cellular carrier providing data service. The structural privacy actor that sees every internet connection the user makes from the connected network: every DNS query (without encrypted DNS), every destination IP address, every connection timing pattern, and (for unencrypted traffic) every payload. The first-party privacy-relevant party in the user’s network experience.

What it means in practice

The ISP’s privacy posture varies dramatically by jurisdiction and by individual provider. In the US since the 2017 broadband-privacy regulatory rollback, ISPs are permitted to collect and sell browsing data without opt-in consent; AT&T, Verizon, Comcast, and major others operate documented advertising-data businesses derived in part from ISP-level browsing data. In the UK under the Investigatory Powers Act, ISPs are required to retain Internet Connection Records (one year of customer browsing logs) for law-enforcement access. In the EU, GDPR provides stronger constraints but ISPs still retain significant data and remain subject to lawful-intercept process. The structural defense is the same regardless of jurisdiction: VPN-always-on encrypts traffic between the device and the VPN endpoint, removing the ISP’s visibility of destinations, and encrypted DNS removes the ISP’s DNS-query visibility. The ISP still sees that you are connected to a VPN, but not what you do over the VPN.

Who it affects, and how

Affects: every internet user, with the data sensitivity varying by user and context. For most users, ISP-level browsing-data sale produces ad-targeting that is annoying but not threatening. For high-target users (journalists, activists, professionals with sensitive client matters, anyone in adversarial jurisdictions), ISP visibility is a structural threat: the ISP sees the operator’s contacts, sources, research patterns, and movement (mobile ISP location data). For UK users specifically, the ICR requirement creates documented one-year browsing-log exposure that does not exist in most other jurisdictions. The Predaxia operational frame: VPN-always-on is the structural defense that removes ISP visibility; the choice between defending and not defending is mostly a question of whether the user has configured the VPN, since the cost of VPN deployment is low and the benefit is significant.

What you can change today

Three operational steps. First, deploy VPN-always-on: Mullvad or Proton VPN configured to connect on device boot and stay connected, on every device that connects to the internet. The ISP-level visibility is removed for traffic that traverses the VPN; the small subset of traffic that does not (some captive-portal interactions, some carrier-provisioning flows) remains exposed but is structurally limited. Second, deploy encrypted DNS even when the VPN is not active: iOS Settings, Private DNS, Quad9 or Mullvad; Android equivalent; browser-level DoH on Firefox and Chrome. The encrypted DNS removes ISP visibility of DNS queries even on the small traffic categories that bypass the VPN. Third, awareness that ISP-level mobile location data is structurally collected by cellular carriers and reachable on legal process; the defense for that category is to leave the phone elsewhere or use a burner not associated with your identity, since VPN does not address the cellular-network location-data layer.

Related articles