by philip1209 4265 days ago
They're presumably not MITMing SSL, so they have access to every host you visit, e.g. foo.com, via DNS. On SSL they cannot see the URL - e.g. https://foo.com/secret
3 comments

If not DNS, then via Server Name Indication (SNI).

http://en.wikipedia.org/wiki/Server_Name_Indication

They also know the volume of data being moved and the times it occurred, which could be useful information.
Often the byte count is enough to determine the URL. It's also a key component of how BEAST et al. are able to extract session keys.
You're absolutely correct. However, when you combine host + time + location data, all at once, on your phone, then your carrier indeed has TONS of data to spy on you, regardless of the encryption on the phone itself.

All good points, & my only point was that while we strengthen each link in the chain, we can't assume we're secure while weaker links exist.