How your ISP actually sells your browsing data
April 24, 2026 · 10 min read
Most Americans know, in a vague way, that their internet provider collects data on them. Fewer know what that data actually looks like, what ends up in the pipeline that gets sold, and who's buying.
It's worth getting specific, because the vague version lets you feel resigned about it, and the specific version gives you something to do.
The regulatory backdrop, briefly
In 2016 the FCC adopted the Broadband Privacy Rules, which would have required ISPs to get opt-in consent before sharing sensitive customer information. In March 2017, Congress used the Congressional Review Act to repeal those rules before they took effect. That's the legal position US ISPs operate under today: federal privacy rules specific to broadband providers are effectively absent, and state-level rules apply only where enacted (California's CPRA being the most notable).
ISPs are bound by Section 222 of the Communications Act (customer proprietary network information) for voice service, but the courts have not extended that framework to broadband. The practical effect is a patchwork: what your ISP can do with your data depends on your state, your ISP's privacy policy, and whether you know to opt out.
What your ISP actually sees
At the IP layer, your ISP sees:
- Every destination IP address you contact, and when.
- How much data you exchange with each.
- The DNS queries you make, unless you use encrypted DNS that bypasses them.
- Which of your household's devices is doing the contacting (via MAC + DHCP logs).
At the DNS layer specifically, which is the richest data, they see:
- You visited amazon.com at 2:14 PM yesterday, then searched for something immediately after on google.com.
- You checked plannedparenthood.org at midnight on Tuesday.
- You looked up three different gun shop websites over the last week.
- You accessed your employer's single-sign-on portal during business hours.
HTTPS prevents them from reading the page contents, but it does not prevent them from seeing the destination. SNI (Server Name Indication) in TLS handshakes still leaks hostnames in the clear in most deployments, and DNS queries leak them even more completely.
What gets into the sale pipeline
ISPs don't typically sell your individual browsing history to advertisers directly. What they sell looks more like:
- Aggregated "audience segments": "households interested in luxury travel," "households with a new mover in the last 90 days." Your individual entries are anonymized, aggregated with thousands of other households matching similar patterns, and sold to DMPs (data management platforms) and advertising networks.
- Inferred demographics: age bracket, income bracket, ethnicity proxy, political leaning, parenting status. These are inferred from the sites you visit, not declared by you.
- IP-reputation feeds: separate from the audience side, ISPs license their IP-to-household mappings to vendors that sell "residential IP reputation" data to fraud-prevention and ad-tech firms.
- Targeted advertising inventory: some ISPs run their own ad platforms (Verizon is the largest example, AT&T has fluctuated) that let advertisers target specific ISP subscribers based on their browsing.
The legally tidy lie
ISPs generally claim their data is "de-identified" or "anonymized." In practice, browsing history data is trivially re-identifiable. A 2006 AOL search-log release produced clean de-anonymization of specific users within days of publication. Modern ad-tech operates on the assumption that you can link an "anonymous" IP + device-fingerprint combo back to a real person with very high confidence.
This doesn't mean every piece of ISP-sold data ends up re-identified. It means that the "anonymized" framing is largely cosmetic, and the downstream data buyers treat it accordingly.
What individuals can do
- Move DNS off-ISP. Use Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or NextDNS. This alone removes ~80% of the signal, because your DNS requests stop flowing through your ISP's resolvers.
- Encrypt DNS. DoH (DNS-over-HTTPS) or DoT (DNS-over-TLS) means even if your traffic passes through the ISP, they can't inspect your DNS queries. Many modern OSes support this natively; most routers do not.
- Opt out of your ISP's advertising programs. Comcast, Spectrum, Verizon, and AT&T all have privacy portals buried on their websites. Find yours, opt out of everything, then check again in six months because they sometimes reset.
- Run your traffic through something you control. A commercial VPN shifts the "who sees your DNS and destinations" to whoever runs the VPN. A home-hosted proxy or VPN keeps it with you. Either is better than leaving it with the ISP.
- Use encrypted DNS upstreams you trust. Pointing your network at Cloudflare, Quad9, or NextDNS over DoH or DoT keeps your queries out of your ISP's logs and out of any third party's logs that you have not chosen.
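Why encrypted DNS changes what the ISP can log, as an added Python example that is not part of the original article. The same RFC 1035 query message that is readable in a port-53 payload is carried inside the HTTPS request under RFC 8484 (DoH). The function names are assumptions, and `/dns-query` is the example path from RFC 8484, since the real path is defined by the resolver.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query (RFC 1035): 12-byte header, QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # ID 0, RD flag, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # qtype 1 = A, class 1 = IN

def observed_qname(payload: bytes):
    """The name anyone handling a plaintext port-53 payload can read, or None if malformed."""
    labels, pos = [], 12                       # question section follows the header
    try:
        while payload[pos]:
            n = payload[pos]
            if n > 63 or pos + 1 + n > len(payload):
                return None                    # compression pointer or truncated label
            labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
    except (IndexError, UnicodeDecodeError):
        return None
    return ".".join(labels)

def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: the same message, base64url without padding, sent inside HTTPS."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded

if __name__ == "__main__":
    q = build_query("www.example.com")         # constructed sample query
    print("plaintext DNS exposes:", observed_qname(q))
    print("DoH request path (inside TLS):", doh_get_path(q))
```

With DoH the request path travels inside the TLS session to the resolver, so the ISP is left with the resolver's address and the traffic volume rather than the queried name.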
Where ProxyBox fits
This is the product we built. A small box on your home network that:
- Provides a residential proxy endpoint and a private WireGuard VPN so that when you're away from home, your traffic still originates from your home IP rather than a mobile carrier's (which has its own data practices).
- Lets you keep the entire data path between yourself and a vendor you've chosen. We see that your device exists and that it heartbeats; we don't see what you browse.
- Pairs cleanly with whatever upstream DNS resolver you trust (Cloudflare 1.1.1.1, Quad9, NextDNS), so your queries leave your network encrypted and don't pass through your ISP's resolvers.
None of this is magic. Your ISP still sees that you're sending and receiving traffic. What changes is how much context they have on who you're talking to and what you're asking for. Less context, less monetizable signal.
The bigger point
Your browsing data is the product. Your ISP is one of the vendors. The market is real, and the amounts of money moving through it are not small. Taking thirty minutes to move DNS off your ISP and another ten to opt out of their advertising programs is one of the higher-leverage privacy moves an individual can make in 2026. Routing your remote traffic through a residential endpoint you control raises the floor further.
None of this solves the structural problem. That would take federal privacy legislation, which has been on deck for a decade and shows no sign of landing. In the meantime, individuals control their own endpoints.