[GoofballJones]

Legit question: What can an ISP collect when most of the time I'm going to secure "https:" websites? I mean, they can only see the website I'm going to, but not what is going on there, right?

Is just collecting where people are going that lucrative to sell?

[Spooky23]

The DNS data is super useful for developing a demographic profile.

For example, they could pretty trivially assert with high confidence that a pregnant woman is in your home or that you’re shopping for a car. The tinfoil hat scenarios are interesting as well.

[lordofgibbons]

There's what websites/apps you use, but also your behavior patterns. Are you a night owl? How often do you check some website or app. I'm sure there's a lot of other information they do gather based on the "metadata"

[eviks]

Vpns wouldn't hide the fact you're a night owl, though? The fact of traffic+time is still visible to the ISP?

[wiseowise]

VPN will hide what you’re doing at night, though.

[112233]

Not what they can, what they MUST as required by law. Assuming US, see DTA aka CALEA - at any time little green men with a warrant can ask for tranparrent packet capture of ISP client's traffic.

Also, in many places (Europa) there is collection and retention requirements for ISPs.

[agieocean]

That + other data can be used to build a behavorial profile so it's not what your ISP is doing necessarily but what the people they sell the data to are doing with it (or the people they sell to)

[eptcyka]

DNS records and net flow data. They can also inject JS in http sites, hijack domaijs to do the same, do traffic shaping. But I am biased, I work for a VPN company.