In 2019, a journalist at Vice paid a bounty hunter $300.
The bounty hunter took a phone number, made a few calls, and came back with a screenshot: a Google Maps pin, accurate to within a few hundred meters, showing exactly where that phone was sitting — in Queens, New York.
The data didn't come from a hack. It didn't come from spyware. It came from T-Mobile, routed through a data broker called Zumigo to a location-data reseller called Microbilt, which sold real-time phone location to bail bondsmen, car salesmen, and debt collectors. No warrant. No court order. No notification to the customer.
About 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data through this system. Some of the data ended up on black markets. A US marshal used the same access to track former romantic partners.
The phone companies said they didn't know it was being misused.
That story is about mobile location data. But it points at something most people don't think about until it's too late: your internet provider knows an enormous amount about you — and what they do with that information isn't entirely up to you.
The Company That Sees Everything You Do Online
Your internet service provider is the pipe everything flows through. Before a website can send you anything, and before anything you send can reach a website, it passes through your ISP's network.
That position gives them a view of your online life that no one else — not Google, not Facebook, not any app on your phone — can match. Here's what they can see:
Every website you visit. When you type a domain name into your browser, your device sends a request to translate that name into an address. By default, that request goes to your ISP's servers — in plain text. They can log every domain you've looked up. Not just the site, but the exact time you looked it up, how often you visit, how long you stay.
What you're doing on those sites. HTTPS — the padlock icon in your browser — encrypts the specific content you exchange with a website. Your ISP can't read your messages or see your passwords. But HTTPS doesn't hide which sites you're visiting, or even many of the specific pages. The initial connection still reveals the domain, and network analysis can often infer which pages you viewed from the patterns of data flowing back and forth.
Your location, continuously. If you use a mobile carrier for your internet, your provider knows which cell tower you're connected to at all times. That means they have a continuous record of roughly where you've been — home, work, the doctor's office, a political rally, a house of worship.
Who you communicate with. Call and text metadata — who you called, when, for how long, from where — is logged as a matter of course. The content of a call might be private. The record that it happened is not.
The FTC investigated six of the largest US internet providers in 2021 and found that they collect data across all product lines — mobile browsing, home broadband, cable TV, even smart home devices — and combine it all into a single profile. Some providers explicitly categorized customers into sensitive demographic buckets for advertising targeting purposes. The report listed race and sexual orientation as examples.
The Law That Changed Everything
For a brief moment in 2016, there were rules about this.
The FCC passed broadband privacy regulations requiring ISPs to ask customers for permission before using or selling their sensitive data — browsing history, location, financial information, health-related searches. ISPs had to clearly disclose what they collected and give people a way to opt out.
The rules never went into effect.
In March 2017, Congress voted 50-48 to repeal them, using a procedural mechanism called the Congressional Review Act. President Trump signed the repeal. Under the same law, the FCC was barred from passing "substantially similar" rules in the future.
What that means in practice: your ISP is legally permitted to collect your browsing history and sell it to advertisers, data brokers, financial companies, and anyone else they choose to do business with — without asking you first.
The websites you visit are subject to FTC privacy rules. Your ISP, which sees all of those same websites plus the ones the websites can't see, faces much weaker oversight.
What They've Actually Done With It
The bounty hunter story isn't an isolated case. Here's what's been documented:
AT&T ran a surveillance program for federal drug enforcement for decades. Called Project Hemisphere — later renamed Data Analytical Services — the program maintained a database of call records going back to 1987. By the time it became public, it held more than a trillion records. The DEA paid AT&T to maintain it and embedded AT&T employees directly with drug task forces in Atlanta, Houston, and Los Angeles. Law enforcement could access records from as recently as an hour before submitting a request. The database covered anyone whose call passed through an AT&T switch — not just AT&T customers.
Verizon inserted hidden tracking codes into customer web traffic. Called "supercookies" — technically, unique identifier headers — these codes were added to HTTP requests without customers' knowledge, allowing advertisers to track Verizon subscribers across websites even after they cleared their browser cookies. AT&T ran a similar program. Verizon was fined $1.35 million by the FCC in 2016.
All four major carriers sold real-time location data to third parties. The 2019 Motherboard investigation documented AT&T, T-Mobile, Verizon, and Sprint all participating in this supply chain. The FCC investigated and, in April 2024, fined them a combined $196 million: T-Mobile over $80 million, AT&T over $57 million, Verizon nearly $47 million, Sprint over $12 million. The FCC found that carriers had tried to offload consent obligations onto downstream buyers — effectively, nobody obtained meaningful customer consent.
AT&T called the fine "lacking legal and factual merit."
What HTTPS Actually Protects (And What It Doesn't)
If you've heard "look for the padlock" as privacy advice, it's not wrong — but it's incomplete.
HTTPS encrypts the data flowing between you and a website. Your ISP can't read the specific article you're reading, the form you filled out, or the password you typed. That matters.
But HTTPS doesn't make you invisible. Your ISP can still see:
- Which sites you visit. The initial connection still reveals the domain name through a mechanism called Server Name Indication (SNI). Before any encrypted data flows, your browser announces which website it's trying to reach — in plain text.
- When and how often you visit. Connection timestamps and frequency are metadata, not content. They flow outside the encrypted tunnel.
- How much data you transfer. The size and timing of packets can reveal quite a bit about what you're doing — researchers have demonstrated the ability to identify specific websites from encrypted traffic patterns with surprisingly high accuracy.
- Your DNS requests. Unless you've specifically configured encrypted DNS (most people haven't), the domain names you look up go to your ISP's servers in plain text before HTTPS ever comes into play.
HTTPS made the web dramatically more private than it was ten years ago. But it wasn't designed to hide what you're doing from your internet provider. That's a different problem.
So What Can You Do?
You can't opt out of having an ISP. But you can limit what they see.
Turn on encrypted DNS. Most major browsers now support DNS-over-HTTPS, which encrypts the domain names you look up so they don't go to your ISP in plain text. In Chrome, it's under Settings → Privacy and Security → Security → Use secure DNS. In Firefox, it's under Settings → Privacy & Security → Enable DNS over HTTPS. It takes two minutes and blocks one of the most significant visibility windows your ISP has.
Review your social media and app privacy settings. Your ISP isn't the only one building a profile. Limiting what you share publicly reduces the data available to be combined with what your ISP already has.
Understand what you're agreeing to. Your ISP's privacy policy explains — in language designed to be ignored — exactly what they collect and what they're allowed to do with it. The summary: it's a lot, and the protections are weak.
Use a VPN. This is the most direct answer to the ISP surveillance problem. A VPN creates an encrypted tunnel between your device and a server operated by the VPN provider. From your ISP's perspective, all they see is that you're connected to a VPN server — not the websites you're visiting, not your DNS queries, not the content of your traffic.
Your ISP can still tell that you're using a VPN, and they can see how much data you're moving. But they can't see where it's going or what it is.
One important note: using a VPN moves trust from your ISP to your VPN provider. A trustworthy VPN provider has a verified no-logs policy — meaning they don't record which sites you visit either. NordVPN and ExpressVPN are among the most established options, both with independent audits of their no-logs policies. Both work on phones, laptops, and tablets with no technical setup required — it's essentially the same experience as installing any other app.
A VPN won't protect you from tracking by sites where you're logged in (Google and Facebook know who you are regardless), and it's not a cure-all for every privacy concern. But for the specific problem of your ISP seeing your browsing history, it's the most direct solution available.
The Pipe Knows
There's a reason ISPs lobbied hard against the 2016 FCC privacy rules and celebrated their repeal. The data flowing through their networks is worth money — to advertisers, to data brokers, to anyone who benefits from knowing where you go and what you look at online.
For most people, this is invisible. You pay your monthly bill, your connection works, and you have no idea that a detailed record of your online life exists in a database somewhere — or that someone just paid to access it.
The $300 bounty hunter story ended with T-Mobile, AT&T, and Sprint announcing they'd stop selling location data to third parties. The FCC eventually fined them $196 million.
None of the customers whose locations were sold were notified. None of them received any of the fine money. Most of them still don't know it happened.
Your ISP knows more about your daily life than almost anyone. It's worth knowing what they do with it.
To report concerns about ISP data practices, contact the FTC at ReportFraud.ftc.gov. To check what your IP address reveals about your network, use FindMyIP's IP Lookup tool.
Sources:
- Vice/Motherboard: "I Gave a Bounty Hunter $300. Then He Located Our Phone" (2019) — vice.com
- Vice/Motherboard: "Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data" (2019) — vice.com
- FCC: Fines for Selling Customer Location Data, April 2024 — fcc.gov
- FTC Staff Report: "A Look at What ISPs Know About You" (October 2021) — ftc.gov
- Upturn: "What ISPs Can See" (2016) — upturn.org
- AT&T Project Hemisphere / Data Analytical Services — EFF, TechCrunch, New York Times
- FCC: Verizon Supercookie Fine, 2016 — fcc.gov
- 2017 FCC Broadband Privacy Rules Repeal — TechCrunch, Harvard JOLT
- Cloudflare: "Encrypt it or lose it: how encrypted SNI works" — blog.cloudflare.com
- Verizon Transparency Report H1 2024 — verizon.com
- Comcast Transparency Report H1 2023 — xfinity.com