
You open your laptop.
Type a website into your browser.
Press Enter.
It feels simple.
Behind the scenes, that action creates multiple layers of data, across different systems owned by different parties. This data trail can be used by governments or malicious actors to track and surveil you. Knowing exactly what happens helps you understand how countermeasures like a VPN or the Tor Browser can help you.
Let’s walk through what actually happens.
Step 1: Your device prepares the request
Before anything leaves your computer, your device assembles information:
- Your local IP address
- Your operating system
- Your browser version
- Time and date
- The domain you’re trying to reach
This information is packaged into network packets.
Those packets contain addressing information, like the IP address of the destination server, so that the internet can route them.
At this point, data has already been assembled, even before the website loads.
Step 2: The local network creates logs
Your computer connects to the Wi-Fi network through a router, which then connects to the broader internet infrastructure. In most cases, your Internet Service Provider (ISP) supplies the router.
The ISP is like a door to the internet. If you don’t have it, your device won’t be able to access websites or online services. Whenever you go online, all of your data traffic first goes from your device to the router, and then to the internet service provider (ISP) connected to that router.
The router can record:
- When your device connected
- An identifier of your device which is unique world-wide
- When and how long it stayed connected
- Which external IP addresses it communicated with
- How much data was transferred
On a home network, this data usually stays inside your equipment.
However, on public networks such as public Wi-Fi, this data belongs to the network operator and is usually stored and analyzed.
Step 3: Your ISP routes the traffic
After your router has processed your data traffic, your request leaves your local network and enters your Internet Service Provider’s network. The ISP is responsible for forwarding your traffic to an Internet Exchange Point (IXP), where your data reaches the wider, global internet.
To route traffic properly, the ISP sees:
- The public IP address of your local router
- The destination IP address
- Time of connection
- All data you are transmitting and receiving
If the website uses an encrypted communication protocol like HTTPS, or if you communicate via an encrypted messenger like Signal, the ISP cannot read the data you are transmitting but still has access to the metadata:
- The destination is visible.
- The timing is visible.
- The volume is visible.
Step 4: DNS queries are generated
Of course, we don’t use IP addresses when we browse the internet. Instead, we use domain names like flokinet.is. To request the website, your device therefore first needs to learn the IP address that is associated with the domain name.
To do that it sends a DNS request, asking a DNS Server:
“What is the IP address for this domain?”
That DNS request creates:
- The domain name you requested
- The time of the request
- Your IP address
- The DNS resolver handling it
DNS stands for Domain Name System. It’s basically the phonebook of the internet. DNS translates the human-friendly domain name into the numeric IP address so your computer knows where to connect. When you type a website like search.com into your browser, computers don’t actually understand that name. They communicate using IP addresses.
DNS is one of the clearest indicators of browsing activity. Even if the content is encrypted, the lookup itself reveals intent and is often unencrypted.
Additionally, DNS servers are typically operated by internet service providers and organizations with commercial interests. The resolver you use can see all domain names that you are querying. It therefore makes sense to choose a DNS resolver consciously. For example, public resolvers like Quad9 (http://quad9.org) do not track or save DNS requests.
Encrypted DNS protocols such as DNS over TLS (DoT) and DNS over HTTPS (DoH) secure DNS traffic by encrypting the connection between the client and the resolver. This prevents intermediaries on the network from observing or modifying DNS queries. However, while the connection is encrypted in transit, the resolver itself still processes the requests and can therefore see which domain names are being queried.
Step 5: The website receives your request
When the website’s server receives your request, it generates logs.
Typical server logs include:
- Visitor IP address
- Page requested
- Timestamp
- Browser type
- Referrer (e.g., the url of the website on which you clicked a link)
These logs exist for operational reasons:
- Security
- Debugging for maintenance and error recovery
- Performance monitoring
- Abuse prevention
But they are still records of your visit.
If you log into an account, the server logs may be tied to your identity. What was once just data traffic becomes account-linked activity in this way, tying the address of your router to your online account.
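To make the log fields and the account linkage in this step concrete, here is an added example (not from the original article) that parses access-log lines in the common Apache/nginx "combined" layout and shows how one authenticated request ties every request from the same IP address to an account. The sample lines, the account name `alice` and the function names are constructed for illustration, and the example assumes the server records the logged-in user in the log's user field.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log layout.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up account name).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:08:01:14 +0000] "GET /pricing HTTP/1.1" 200 5120 "https://search.example/?q=hosting" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.7 - alice [12/Mar/2025:08:03:40 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
198.51.100.23 - - [12/Mar/2025:08:04:02 +0000] "GET /blog HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
malformed line that a real log will occasionally contain
"""

def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := COMBINED.match(line))]

def link_visits_to_accounts(entries):
    """Map each account to every request made from an IP it authenticated from."""
    # One authenticated request is enough to label the whole IP address.
    ip_to_user = {e["ip"]: e["user"] for e in entries if e["user"] != "-"}
    visits = defaultdict(list)
    for e in entries:
        if e["ip"] in ip_to_user:
            visits[ip_to_user[e["ip"]]].append(
                (e["time"], e["path"], e["referrer"]))
    return dict(visits)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for account, rows in link_visits_to_accounts(entries).items():
        print(account)
        for row in rows:
            print("  ", row)
```

The request for `/pricing` was made before the login, yet it ends up attributed to the account because it shares the IP address with the later authenticated request.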
Step 6: Additional third-party requests
Many websites load resources from other services:
- Analytics providers
- Content delivery networks
- Embedded media platforms
- Advertising networks
Each additional connection creates more data:
- New IP requests
- New timestamps
- Device and browser fingerprints
- Session identifiers
From a single page load, each of those third-party systems may now have records of your activity.
Step 7: Metadata is created invariably
Even if everything is encrypted, metadata is still generated.
Metadata includes:
- Who is communicating with whom
- The time the communication took place (timestamp)
- The IP addresses involved
- The duration of the communication
- The amount of data transferred
Encryption only protects the data content of your request.
Encryption does not protect the additional data needed for your request to reach its destination and for the response to be returned to you.
Without this routing information, the internet simply could not function.
Step 8: Data accumulates over time
One visit says little. But metadata about your browsing patterns from repeated visits can reveal patterns that can be used to identify you:
- Regular login times
- Frequent connections to specific services
- Device changes
- Geographic movement
- Behavioral routines
Advertising companies identify those patterns to show you targeted ads, and state actors use this data to surveil you.
What information does a hosting provider see?
What a hosting provider can access depends largely on how the service is configured and where encryption is terminated.
In general, hosting providers operate the infrastructure where websites and applications run. This means they may have visibility into the data processed by the servers they control.
However, the level of visibility varies depending on the type of hosting environment.
Shared Hosting
On shared hosting platforms, the web server is typically operated and managed by the hosting provider.
This means that TLS termination, the point where encrypted HTTPS traffic is decrypted so the web server can process it, is done by the hosting provider.
In such a case the shared server handling the request may process data such as:
- Passwords entered into forms
- The contents of messages submitted through the website
- Payment details transmitted through secure checkout pages
- Data exchanged between a user and the web application
- The response status (200, 404, etc.)
- The user agent (browser and operating system type)
- Data transfer volume
This does not mean providers routinely inspect this information, but the server infrastructure must handle the decrypted data in order to run the application.
Reverse proxies and application-level filters
Some services, such as reverse proxies or Layer-7 protection systems, sit between the visitor and the origin server.
In these cases, the proxy may terminate TLS first and inspect the traffic before forwarding it to the destination server.
Examples include:
- Web application firewalls
- Reverse proxy services
- Layer-7 DDoS protection systems
Because these systems decrypt traffic to analyze requests, they may also technically process the application data contained in those requests.
VPS and Dedicated Servers
When operating a VPS or dedicated server, the situation is different.
In this setup, the customer controls the operating system and the web server configuration. TLS termination typically occurs inside the server environment managed by the user.
This means:
- The hosting provider operates the infrastructure (hardware and virtualization layer).
- The customer controls the software that processes encrypted traffic.
The key principle
Encryption protects data while it travels across the network.
But at some point, the data must be decrypted so the application can process it.
Where that decryption happens, and who controls that system, determines which infrastructure layer technically has access to the data.
Understanding this distinction is essential when evaluating privacy and infrastructure design.
Key takeaway
When you go online, multiple independent layers generate data:
- Your device
- Your local network
- Your ISP
- DNS infrastructure
- Destination servers
- Third-party services
No single layer necessarily sees everything. But each layer sees something.
Understanding which layer sees which part of your activity is the foundation of digital privacy literacy.
The question is not: “Is data created when I go online?”
It always is.
The more useful questions are:
- Which systems create it?
- Who controls those systems?
- How long is it retained?
- What can be inferred from it?
Clarity comes before control.
And meaningful privacy begins with understanding the infrastructure.
In the following articles, we will explore ways to maximize your privacy online. If you’d like to learn more right away, check out our articles on the Tor network, building a private VPN, and bypassing internet censorship: