Does a VPN Protect You Against Deep Packet Inspection by ISPs?

Imagine a cheap technology that can stop spam and malware, identify and block illegal downloads, and allow ISPs to prioritize the data they transmit by content as well as by type.

Now imagine a technology that gives network managers and governments the ability to monitor everything you do on the Internet, including reading and recording your e-mail and other digital communications, and tracking your every move on the Web.

The technology called Deep Packet Inspection (DPI) is used by ISPs and other government network providers around the world to monitor all the data transmitted to and from computers; a VPN is great as a layer of protection to prevent ISP snooping, but deep packet inspection technology can beat VPN encryption and can sniff and identify a lot of information from VPN packets.

If your Internet Service Provider utilizes Deep Packet Inspection (aka complete packet inspection), they are analyzing all of your traffic as opposed to basic network connection data such as to which IP addresses you are connecting, what port number, what protocol, and possibly a few other details about the network connection.

You may think you have secured your Internet data from abuse by ISPs and hackers (by using HTTPS and a VPN service) but DPI can still read your Internet traffic, identity patterns and create a fingerprint of you based on those patterns. Sometimes, the pattern-identifying abilities of DPI renders a VPN largely useless, and even though the data itself is encrypted, the VPN traffic has a header that identifies the packet as coming from a VPN client machine.

What Can My ISP See If They Use Deep Packet Inspection (DPI)?

Deep packet inspection is a technology that allows a service provider to analyze network traffic in real time using the payload (IP packet content). DPI gives your internet service provider a lot of information about your connections and internet usage habits. In some cases, the full content of things like SMTP e-mails will be captured.

Your internet service provider is likely hijacking your DNS traffic or running DPI on their network. Most ISPs use DPI to some extent for various reasons, and if they are inspecting your DNS traffic, they can also easily see everything else your computer requests, unless the data or connection is encrypted.

Can Your ISP See the Contents of HTTPS Connections?

The short answer is that your ISP does not necessarily know the contents of your browsing, but they do see from where you are downloading and the size of the download, and they can draw a lot of conclusions from these metadata.

  • DNS-based content filtering allows your ISP to observe where traffic is going, and it uses that information to make an educated guess as to what that traffic might be, and classify it accordingly.
  • If you use HTTPS (DoH), your browser’s DNS requests will be collected, along with any unencrypted links or unencrypted cookies sent incorrectly without HTTPS.
  • A more thorough technique for preventing your web activities from being recorded is to use an encrypted VPN in conjunction with changing your DNS server (to Cloudflare, for example).

Deep Packet Inspection and User Privacy Rights

With the (potential) change in US law about ISP and data privacy, combined with the (potential) loss of net neutrality, ISPs might be able to not only see 100% of your data, they could modify that data, slow or block sites they want, and might be able to sell any or all of your data to a third party.

The larger concern for most people is about data aggregation. By collecting user web browsing information, a data scientist (or your ISP) could create a personalized fingerprint for your Internet usage, and later associate this identity of behaviors with past activities, future activities, or activities from other locations (when you are at work, or are on vacation).

Likewise, your ISP may choose to sell this profile or data to organizations or marketers, where it could then be used against you in many ways. People have an expectation that their communications are private, and collecting this personal data very much goes against that privacy expectation.

So, whom do you trust more — your ISP or the VPN provider?

With DPI, your ISP would be able to see:

  • Your unencrypted DNS queries (what websites you want to connect to).
  • The HTTPS SNI (Server Name Indication), which shows them the name of the site you want to access. So even if you’re using HTTPS-enabled sites which encrypt your traffic, your ISP can still see what web pages you visit.

With that information, they can then use DNS filtering and firewalls to block the sites you’re trying to access.

HTTPS & VPN to Protect Against Invasive DPI

  1. HTTPS would prevent your ISP from being able to read data, but not all services use HTTPS.
  2. Keep in mind that your ISP can read metadata whether the connection is encrypted or not.
  3. A VPN would protect you against DPI performed by the ISP (but not by the VPN provider).
  4. VPNs use an encrypted tunnel to connect you to the ‘exit node’ — all of your traffic within this tunnel is encrypted, and all of the metadata will show packets leaving your computer and going to the VPN server (the actual server you are accessing remains undisclosed).

What Can DPI See, Even When You Utilize HTTPS Connections?

  • DNS information, i.e. if you go to, your ISP performing DPI will see
  • IP address connectivity. If you HTTPS to a website and download a song, your ISP will see you connected to that site and downloaded 100MB of data. They do not know what data you downloaded, but they do know the DNS name, the IP address, and the amount of data downloaded from that site, and those details about every other site you visit.
  • Ads. Ad data are not usually encrypted; this can result in a “mixed encryption” or similar warning from a browser.
  • Lots of other data: Many sites that use HTTPS, use it only for the login page, and the rest of the site is HTTP.
  • Search results: Sites may encrypt your login and search, but not results.
  • Images: many sites won’t encrypt things like their logo or various graphic or video files, thus the “mixed encryption” browser warning again.
  • Non-HTTPS traffic like UDP, mail, SNMP, ftp, telnet, and updates to some software applications might not use HTTPS connections.

Takeaway: DPI can see the entire content of your network traffic. All of it. If it is plain text, then they see everything that you do. With a VPN, they will still see 100% of the data transferred; however, other than the connection to the VPN provider, your ISP will only see encrypted data. So encrypt everything, beginning with your DNS, and choose a VPN you trust.

Recent Posts