Claims went viral that T-Mobile had mailed customers a warning about visiting “questionable” websites and set off another familiar panic about carrier surveillance. The letters were fake and did not represent its policies, according to T-Mobile. But the episode raised a larger question with tangible stakes for anyone on a mobile network: what exactly can carriers see, and where do they draw the line?
The short answer is that carriers store information about your connectivity and can be part of opt-in personalization programs. The longer answer is more complicated and tied up with encryption, advertising practices and longtime telecom rules.
What Carriers See and Don’t See on Encrypted Browsing
Mobile providers oversee the pipes, and so they end up inevitably flashing on network metadata: your device identifiers; your IP addresses; any calls or texts you make or receive — and who you are in contact with by any method of communication (names, street addresses); which cell site tower is connecting you at a point in time; when your sessions start and stop based on cell connection events. They also perform DNS lookups, unless you change resolvers, which can leak the domains you try to reach.
But the great majority of browsing is encrypted. More than 90 percent of web page loads on Chrome now use HTTPS, which means all the data exchanged between our browser and The Times’s servers is encrypted in both directions — keeping thieves from reading your article before you do — and carriers are generally not able to read or store the actual pages you view or any personal information you submit. They can still see destination IPs and traffic patterns, so while roughly indicative, they don’t get a clear view of content.
Carriers also use network security tools that effectively blacklist known malicious domains or phishing sites. That might seem like monitoring to you, but it usually relies on domain reputation data and DNS filtering, rather than deep inspection of what you see or read.
What Policies Allow and How Data Gets Used
Every major carrier details how it uses data for operations, security and marketing. T-Mobile’s privacy documentation mentions automated profiling in order to personalize support or offers. Custom Experience and Custom Experience Plus programs are offered by Verizon; Personalized Plus is available from AT&T. These programs can harness info like app use, website signals, location or Customer Proprietary Network Information to customize communications and ads. They are supposed to be optional and have controls that can be used to opt out of them.
It’s critical to differentiate individual tracking and aggregated analytics. Carriers explain that they slice and dice data for insights and advertising audiences, not to keep a dossier on every place you visit. Nevertheless, the array of inputs is wide enough that some privacy advocates encourage consumers to look at defaults and curtail sharing of data they do not need.
There are also telecom-specific rules. Carriers under federal CPNI laws are required to protect privacy-sensitive usage records and provide consumers with a means to opt out of marketing use. Those responsibilities sit alongside more general privacy protections that are enforced by agencies like the Federal Communications Commission and the Federal Trade Commission.
Law Enforcement and Old Controversies in Telecom
“Spying” implies warrantless content surveillance. (American carriers comply with lawful intercepts under the Communications Assistance for Law Enforcement Act, which mandates court orders for content and a process of subpoenas and gag orders for metadata.) Compliance with a legal process is not the same thing as always-on monitoring, but it does mean carriers are in a position to deliver data if ordered.
History indicates where the lines have been crossed. Verizon’s program, 10 years ago, used a unique header injected into web traffic for ad targeting; after public outcry, regulators responded, and Verizon backed off. Subsequent investigative reporting showed that the real-time location data shared by several carriers had wound up at data brokers; the F.C.C. subsequently proposed more than $200 million in fines for failure to protect that data. Stories like these are why skepticism continues to swirl, despite carriers’ insistence they don’t read your browsing.
Civil society organizations like the Electronic Frontier Foundation and the Center for Democracy and Technology still urge tighter controls on location and browser history-based data, noting that even pseudonymous data sets can be re-identified.
Network Protection Versus Monitoring on Mobile Networks
Threat blocking, scam call filtering and safeguards for families are common among the offerings. Such services usually depend on domain and number reputation lists, sandboxing, and identifying anomalies to stop malware or phishing before it makes its way through. In response to the mailed-letter scam, T-Mobile has reconfirmed that it does not filter sites and its defenses revolve around established bad players and scams. That attitude is consistent with the way most providers weigh safety against privacy.
In practice, this means a carrier might block you from accessing a site it believes to be unsafe or alert you that a call appears sketchy — but it is not judging the articles and videos you are reading and viewing.
How to Minimize Carrier Insight into Your Activity
See if your carrier’s privacy dashboard gives you the option to opt out of optional personalization programs, such as Custom Experience Plus or Personalized Plus, if you want to share less data. Also adjust CPNI marketing preferences.
Use encrypted DNS (like DNS over HTTPS) or a well-operated VPN to minimize domain-level visibility.
Devices running Apple operating software can obscure IP and DNS for Safari traffic using iCloud Private Relay. No tool can make you invisible, but these steps will help narrow what intermediaries and other observers can learn about you.
Audit app permissions, especially location. The F.T.C. cautioned that precise location data could provide a detailed portrait of someone; restricting access to While Using and turning off background sharing also limits what gets collected and resold outside the carrier ecosystem.
The bottom line: Mainstream carriers are not looking into the contents of your browsing, but they are collecting and using metadata and signals that can paint a broad picture of your activity. With some changes in settings and third-party software, you can materially reduce that picture.
