Your WiFi Router Sees Everything, and Your ISP Sells It

The Gateway to Your Digital Life

Your Internet Service Provider can see every website you visit. In the US, they can sell this data to advertisers without your consent. [1]

TP-Link controls 60% of the US home router market, and faces a potential ban over Chinese government security concerns. [2] Microsoft found Chinese state hackers using thousands of compromised TP-Link routers for attacks. [3]

Meanwhile, Amazon's Eero and ISP-provided routers collect data on every device in your home, when you're online, and your network usage patterns. [4]

Your router is the chokepoint through which all your internet activity flows. Everyone wants access to that data.

What Your ISP Sees

Your Internet Service Provider has a complete view of your online activity: [5]

  • Every website you visit: even in incognito mode
  • When you're online: login and logout times
  • How much data you use: and on what
  • What devices are connected: via MAC addresses
  • Your physical location: tied to your account

Even with HTTPS encryption protecting the content of your communications, ISPs can still see which domains you visit and when. [6]

How Long They Keep It

ISPs typically store your browsing history for six months to two years, or longer. [7] This data sits on their servers, available for:

  • Sale to advertisers and data brokers
  • Law enforcement requests
  • Internal marketing and product development
  • Network management and throttling decisions

ISPs Can Sell Your Data Without Consent

In 2017, the FCC's broadband privacy rules were repealed. [1] These rules would have required ISPs to get your consent before selling your data.

Now:

  • ISPs can share your data with third-party advertisers and data brokers
  • They must offer opt-out options, but defaults favor data collection
  • The FCC is forbidden from issuing similar protections in the future

What ISPs Do With Your Data

According to the Federal Trade Commission, three of the six largest US ISPs use web browsing data for advertising purposes. [8]

Your browsing data may be enhanced with demographic data the ISP buys from data brokers, including: [8]

  • Ethnicity
  • Household income
  • Political affiliation
  • Shopping preferences

This creates detailed profiles sold to advertisers who target you across the web.

The TP-Link National Security Crisis

In December 2024, the Commerce Department proposed banning TP-Link routers over national security concerns. [2] This could be one of the biggest consumer tech actions in US history.

The Problem

  • TP-Link holds 60% of the US home router market, up from 10% in 2019 [2]
  • Chinese national security laws can compel companies to share data with the government [9]
  • Microsoft discovered thousands of compromised TP-Link routers being used by Chinese state hackers since 2021 [3]
  • Malicious firmware implants were found targeting European government officials [3]

The Investigation

In August 2024, the House Select Committee on the CCP urged the Department of Commerce to investigate TP-Link. [9] Subsequently, the Departments of Commerce, Defense, and Justice all opened probes.

Microsoft's October 2024 report identified a botnet called "CovertNetwork-1658": thousands of compromised TP-Link routers used for "password spraying" attacks against Microsoft accounts. [3]

TP-Link's Response

TP-Link Systems (the California-based company that sells routers outside China) claims it split from its Chinese parent company in 2022 and has "no affiliation" with the mainland Chinese entity. [9]

If banned, existing owners could continue using their routers, but new sales would be prohibited.

Amazon Eero: Your Network's New Owner

Amazon acquired Eero in 2019. Privacy advocates immediately raised concerns. [4]

What Eero Collects

According to Eero's privacy policy, they collect: [10]

  • Device models and serial numbers
  • Technical details about your network
  • Volume of data sent/received
  • Network speed and performance logs
  • Connected device information
  • Usage patterns (when you're online)

The Amazon Integration Concern

Amazon claims it won't sell Eero customer data. But critics note Amazon's track record: [4]

"They have said that they do not intend to change Eero's privacy policy, but that should not be comforting to consumers. Amazon will probably just wait a few years, like Facebook did with WhatsApp and Instagram."
Christine Bannan, Electronic Privacy Information Center

Even if you opt out of certain data uses, Eero still collects nearly all the same data points: the opt-out only limits how that data can be used. [11]

ISP-Provided Routers: Maximum Surveillance

The router your ISP gave you is the worst option for privacy.

Using Your Own Router

With your own router, the ISP knows: [12]

  • Your account information
  • Your router's MAC address
  • Total internet traffic

The router shields which specific device uses which part of the traffic.

Using ISP-Provided Equipment

With an ISP-provided gateway (modem/router combo): [12]

  • Every device registers with its unique MAC address
  • Each device's traffic is separated and categorized
  • The ISP can see exactly which device visits which sites
  • More detailed data collection is possible

Xfinity WiFi Motion Tracking

Comcast's Xfinity routers now include WiFi motion sensing: detecting movement in your home based on WiFi signal disruption. [13]

Privacy implications raised by tech experts:

  • ISPs could "tell law enforcement/courts whether anyone was home at a certain time" [13]
  • Creates a record of presence and activity patterns
  • Another data point for household surveillance

The Third-Party Data Harvesters

It's not just ISPs and router manufacturers. Companies like Plume partner with ISPs to collect even more data. [14]

Plume's Two Faces

  • To users: Promises enhanced connectivity and network optimization
  • To ISPs: Promises marketing insights based on deep analysis of online behaviors

Plume harvests sensitive data including tracking when you're present in your home, selling these insights to ISPs who partner with them. [14]

The Mesh WiFi Market: Growing Fast

The mesh WiFi market reached $6.8 billion in 2024 and is growing at 11.2% annually. [15]

Market Size

  • $6.8 billion in 2024 [15]
  • 48+ million mesh systems deployed worldwide
  • 33% of connected homes use mesh
  • 27% year-over-year adoption growth

Market Share

  • TP-Link: 60% of US market [2]
  • Top 5 companies: 76% of market volume [15]
  • Google, Eero, Netgear: Major players
  • North America: 38% of global market

Data Collection

  • All major brands collect some user data [16]
  • Data used for marketing (often with third parties)
  • Cloud connectivity = cloud data storage
  • Local-only options are rare

What Routers Can See

Modern routers can capture: [17]

  • DNS queries: Which domains you're trying to reach
  • Connection metadata: Timestamps, data volume, connection duration
  • Device inventory: All devices on your network with MAC addresses
  • Network patterns: When you're active, what times you're online

HTTPS encryption protects the content of your communications, but not the metadata, which is often enough to build detailed profiles.

Deep Packet Inspection

Some routers (especially ISP-provided ones) can perform Deep Packet Inspection (DPI): analyzing the content of your traffic, not just metadata. [17]

With DPI, they can see:

  • Application-level data
  • File types being transferred
  • Streaming content details
  • Potentially even encrypted traffic patterns

Security Vulnerabilities

Beyond privacy, routers have significant security issues.

Outdated Encryption

Approximately 5% of WiFi networks still use WEP or WPA1 encryption, protocols that can be easily exploited. [18]

Default Credentials

Many users never change default passwords, leaving routers open to attack.

Unpatched Firmware

Most consumer routers rarely receive security updates. Known vulnerabilities persist for years.

How to Protect Yourself

Use a VPN

A VPN encrypts all your traffic, hiding it from your ISP and router manufacturer. [6]

  • Choose a reputable, no-log VPN provider
  • Enable it on all devices or at the router level
  • Be aware: VPN providers can now see your traffic instead

Use DNS-Over-HTTPS (DoH)

DNS queries reveal which sites you visit. DoH encrypts these queries: [6]

  1. Enable in your browser settings (Firefox, Chrome, Edge support this)
  2. Or configure at the router/system level
  3. Use providers like Cloudflare (1.1.1.1) or Quad9

Buy Your Own Router

Don't use ISP-provided equipment:

  • Purchase a router from a privacy-respecting manufacturer
  • Consider open-source firmware options (OpenWrt, DD-WRT)
  • Disable cloud features and telemetry where possible

Router Settings to Change

  1. Change default admin password immediately
  2. Disable remote management unless needed
  3. Update firmware regularly
  4. Use WPA3 encryption (or WPA2 minimum)
  5. Disable WPS (WiFi Protected Setup), it's insecure
  6. Turn off UPnP to prevent automatic port forwarding
  7. Check for telemetry settings and disable if possible

Privacy-Focused Router Options

  • Synology RT6600ax: Clearly states it doesn't collect personal data from users' traffic; local web interface instead of cloud [11]
  • OpenWrt-compatible routers: Install open-source firmware with no built-in tracking
  • Firewalla: Privacy-focused with local processing
  • Ubiquiti: Enterprise-grade with more control (though requires more setup)

Advanced: Pi-hole + VPN

For maximum privacy:

  1. Install Pi-hole on your network to block tracking at the DNS level
  2. Run a VPN to encrypt all traffic leaving your network
  3. Use your own router with custom firmware
  4. Segment IoT devices on a separate network

What About "Private Browsing"?

Incognito mode and private browsing do NOT hide your activity from: [5]

  • Your ISP
  • Your router
  • Your employer (if on company network)
  • Websites you visit (they still see your IP)

Private browsing only prevents local storage of history, cookies, and form data on your device. Everyone upstream can still see your traffic.

The Bottom Line

Your ISP sees everything you do online. They can sell this data without your consent. And your router (whether from TP-Link, Amazon, or your ISP) is collecting even more.

TP-Link faces a potential US ban over Chinese government concerns. Microsoft found thousands of compromised TP-Link routers used for state-sponsored attacks. Amazon's Eero collects network data that could eventually be integrated with your shopping profile.

The 2017 repeal of FCC privacy rules means ISPs can sell your browsing history to advertisers and data brokers. They store this data for up to two years.

To protect yourself:

  1. Use a VPN to encrypt traffic from your ISP
  2. Enable DNS-over-HTTPS in your browser
  3. Buy your own router: don't use ISP equipment
  4. Consider open-source firmware for more control
  5. Change default passwords and keep firmware updated
  6. Disable telemetry and cloud features where possible

Your router is the gateway to your digital life. Right now, that gateway is wide open to ISPs, manufacturers, advertisers, and potentially foreign governments. Taking control of it is one of the most important privacy steps you can take.

References

  1. Comparitech - How to Stop Your ISP Tracking Your Browser History
  2. Krebs on Security - Drilling Down on Uncle Sam's Proposed TP-Link Ban (November 2025)
  3. Malwarebytes - TP-Link faces US national security probe, potential ban on devices (December 2024)
  4. TechCrunch - What Amazon's purchase of Eero means for your privacy
  5. Top10VPN - Can Your ISP See Your Browsing & Search History?
  6. Safety Detectives - How to Hide Your Browsing History From Your ISP in 2025
  7. Incogni - Can your internet provider see your search history?
  8. BroadbandNow - ISP Tracking: What Your Internet Provider Can See
  9. CBS News - U.S. mulls ban on Chinese-made TP-Link routers over security concerns
  10. Eero - Privacy Notice
  11. History Tools - Why You Should Avoid Amazon Eero Mesh WiFi Routers
  12. Dong Knows Tech - Online Security and Privacy Risks: Watch Your Wi-Fi Router!
  13. Cybernews - Xfinity router is now a WiFi motion sensor: some users worried about their privacy
  14. Proton - The spies in your home: How WiFi companies monitor your private life
  15. Wise Guy Reports - Mesh Wifi Router Market: Future Outlook and Trends 2035
  16. BGR - Your Wi-Fi Router Might Be Spying On You
  17. ExpressVPN - How to Delete Wi-Fi Router History
  18. Cybernews - Your WiFi and Bluetooth devices are mapping you for everyone to see