· 7 min read

Is Digital Privacy a Myth?

cybersecurity compsci

When people first start learning networking, one common idea appears very quickly:

If I use HTTPS, my ISP cannot see what I am doing.

That is partly true, but not fully true.

HTTPS protects the actual content of the website you are visiting. Your ISP should not be able to read your passwords, private messages, exact pages, forms, or the data being exchanged between your browser and the website.

But the bigger question is:

Can your ISP still know which websites you are visiting?

The answer is more interesting than most people expect.

The First Building Block: DNS

Before your browser can visit a website, it needs to know where that website lives.

For example, when you type a domain name like:

saksham.lol

your device needs to resolve that name into an IP address. This is done through DNS, or Domain Name System.

By default, many users rely on the DNS resolver provided by their ISP.

That means the ISP will most likely be able to see the domains being requested.

Some people solve this by switching to public DNS resolvers like Google, Cloudflare, Quad9, or others. Some go further and enable Secure DNS, DNS over HTTPS, or DNS over TLS.

At this point, many people think:

Now my DNS is encrypted, so my ISP cannot know what websites I visit.

But that is where things get more complicated.

Why This Matters

This matters because the internet is not just about entertainment.

It is also about access to information, privacy, research, education, communication, and freedom.

If a network provider can observe or control what people access online, that becomes powerful.

Sometimes this power is used for normal network management. Sometimes it is used for blocking harmful content. But sometimes, depending on the region and situation, it can also be used for censorship, surveillance, profiling, or restricting access to information.

And the scary part is not always that monitoring exists.

The scary part is when users do not even know what is visible.

"But I Use Public DNS. Am I Safe?"

Not completely.

Using public DNS can reduce what your ISP sees through traditional DNS queries. If you use encrypted DNS properly, your ISP may not directly see your DNS lookup in plain text.

But DNS is not the only place where website information can leak.

Even after DNS resolution, your device still needs to connect to the destination server. Your ISP still routes your traffic. That means it can still see things like:

SNI stands for Server Name Indication. It is part of the TLS handshake and is used when multiple websites are hosted on the same IP address. It helps the server know which certificate to present.

The problem is that traditional SNI is visible in plaintext.

So even if your DNS is encrypted, the domain name may still appear somewhere else during the connection process.

If you want to see this yourself, you can capture a test browsing session with a tool like Wireshark and inspect what still appears in the handshake. In many normal setups, privacy settings can hide DNS while the domain still leaks through SNI.

In simple words:

Encrypted DNS hides one signal, not all signals.

"What If I Use Secure DNS in My Browser?"

That helps, but it does not make you invisible.

Secure DNS is useful. It is better than sending DNS queries in plain text. It protects your DNS requests from some forms of observation and manipulation.

But it does not automatically hide the destination IP address. It also does not automatically hide every part of the TLS handshake. If SNI is still exposed, the domain can still leak.

So yes, Secure DNS is good. It helps defend against DNS spoofing, tampering, and casual DNS-level observation.

But Secure DNS is not the same as full browsing privacy.

"What About TLS 1.3?"

TLS 1.3 is a major improvement for web security. It encrypts more of the handshake than older versions and improves both security and performance.

But TLS 1.3 alone does not fully solve the website-visibility problem.

The Server Name Indication field can still expose the domain unless Encrypted Client Hello, or ECH, is properly supported and active.

This is where ECH becomes important.

ECH is designed to encrypt the ClientHello part of the TLS handshake, including sensitive SNI information. In theory, this closes one of the biggest metadata leaks left in HTTPS.

But in real life, ECH depends on support from the browser, the DNS setup, the website, and the hosting provider. If the website or infrastructure does not support it properly, then you may still be exposed.

So technically, ECH is a great solution.

Practically, it is not universal yet.

So What Can Your ISP Actually See?

Depending on your setup, your ISP may see different levels of information.

If you use normal DNS, your ISP may see the domains you query.

If you use encrypted DNS, your ISP may not see DNS queries directly, but it can still see the IP addresses you connect to along with exposed SNI.

If SNI is not encrypted, which is still common, your ISP may see the domain name during the TLS handshake.

If ECH is supported and working, the domain leakage through SNI can be reduced, but that does not guarantee total privacy.

Even then, traffic analysis is still possible. Your ISP may not know the exact page you opened, but it may still infer some activity from:

This is why online privacy is not one single switch.

It is layers.

Then What Is the Solution?

If you do not trust your ISP with this information, the most practical solution for many people is usually a VPN.

But even that needs to be understood correctly.

A VPN does not magically remove trust from the equation.

It moves trust.

Instead of your ISP seeing your traffic patterns directly, your VPN provider becomes the party that can potentially observe more of your traffic metadata.

To your ISP, your traffic mostly looks like an encrypted connection to a VPN server. That is good.

But now you need to trust the VPN provider.

That is why choosing a VPN provider carefully matters. You should look for providers with strong privacy policies, independent audits, no-log claims that have been tested, good transparency, and a clear business model.

Personally, the names I would research first are Proton VPN and Mullvad.

Not because any provider should be trusted blindly, but because privacy tools should be judged by transparency, audits, jurisdiction, technical design, and long-term behavior.

But Even VPNs Are Not Magic

At this point, someone might say:

Okay, then I will just use a VPN and everything is solved.

Not exactly.

A VPN is useful, but it is not a magical invisibility cloak. What it mainly does is shift trust from your ISP to your VPN provider.

Without a VPN, your ISP can see that your device is connecting to different servers across the internet.

With a VPN, your ISP mostly sees that you are connected to a VPN server. That is better for privacy against your ISP.

But now the VPN provider becomes an important trust point.

If the VPN provider keeps logs, has weak infrastructure, lacks transparency, or does not follow strong data protection practices, then your privacy can still be at risk.

In some situations, data may be handed over due to legal pressure. In other situations, information may be exposed because of poor security, misconfiguration, or a data breach.

So the question is not only:

Am I using a VPN?

The better question is:

Who am I trusting with my traffic now?

A good provider should have:

Free VPNs especially deserve extra caution. If a service is free, we should ask how it survives.

Sometimes the cost is not money.

Sometimes the cost is data.

As people often say: if something is free, then you might be the product. So please stay alert and safe.

Can We Apply Zero Trust to Internet Privacy?

In cybersecurity, zero trust means we do not automatically trust anything just because it is inside our network or part of our system.

Every request, identity, and device should be verified.

But when we talk about general internet privacy, applying perfect zero trust is almost impossible.

Why?

Because the internet itself depends on many layers of trust.

You trust your device. You trust your browser. You trust your operating system. You trust DNS resolvers. You trust certificate authorities. You trust websites. You trust ISPs. You may trust VPN providers. You may trust app developers. You may trust cloud platforms.

Your data travels through many systems before it reaches its destination. At every layer, metadata can exist. Even when the content is encrypted, some information around the communication may still be visible.

Quick CIA triad note: encryption can help with confidentiality and integrity, but availability is a different problem. If the physical networks, cables, platforms, or providers you depend on are disrupted or blocked, privacy tools alone will not solve that.

So in real life, digital privacy is not about trusting nothing.

It is about reducing unnecessary trust.

It is about asking:

That is the more practical mindset.

What About Onion Routing?

If someone wants stronger anonymity, onion routing is one of the most important ideas to understand.

Tor is the most popular example of onion routing.

Instead of sending your traffic directly through one provider, onion routing sends it through multiple relays. Each relay only knows part of the path.

In a simplified way:

This layered structure makes tracking harder because no single relay is supposed to know both the original user and the final destination.

That is a big privacy improvement.

But again, it is not perfect magic.

Tor can be slower. Some websites block Tor traffic. Logging into personal accounts through Tor can reveal your identity. Browser fingerprinting can still be a problem. Downloading files carelessly or changing unsafe settings can also break privacy.

So onion routing is powerful, but it needs proper understanding.

Final Conclusion

Digital privacy is not dead.

But blind and easy privacy is definitely a myth.

Using HTTPS, DNS, and Secure DNS does not make you fully invisible. Using TLS 1.3 does not always hide every useful metadata point. Using a VPN does not remove trust. It only moves trust. Using Tor can improve anonymity, but even that requires careful behavior.

The real lesson is this:

Privacy is not one tool. It is a layered strategy that requires understanding, careful choices, and realistic expectations.

You need to understand what each tool protects, what it does not protect, who you are trusting at each layer, and whether you are comfortable with that tradeoff.

For most normal users, HTTPS, secure DNS, privacy-respecting browsers, and a trustworthy VPN may be enough.

For higher-risk situations, stronger tools like Tor may be needed.

But no matter what tool you use, the mindset should stay the same:

Do not assume you are invisible just because your traffic is encrypted.

Encryption protects content.

But privacy also requires protecting metadata, reducing trust, choosing better providers, and understanding the limits of every tool you use.

So the next time someone says:

Just use Cloudflare DNS, Google DNS, or a VPN and nobody can track you.

The better answer is:

That helps, but the story does not end there.


If you found this useful, feel free to leave a supportive reaction wherever you found this.

If you have anything to add, correct, or discuss, I would genuinely like to hear your thoughts.

And if you enjoy topics like networking, cybersecurity, privacy, Linux, and how the internet actually works, you can connect with me or simply say hi.

I also write more technical notes and blogs on my other spaces linked below.

Further Reading

← Back to All Writings