Are you paranoid about someone watching your every move?
Some ISPs use a transparent web proxy (i.e. most of the outbound traffic to TCP port 80 gets re-routed through machines running some Inktomi transparent HTTP proxy software).
Naturally, ISPs keep logs for that traffic (Inktomi boasts that its Traffic Server can write many different log formats), in part to deal with abuse.
As you might expect, privacy policies do not directly cover these logs. They make promises about some very specific types of information, but do not make any general statements that obviously pertain to information outside the enumerated, specific types. Result: most lawyers would say an ISP could sell access to DoubleClick, the FBI, the FSB (the KGB has changed initials but not staff) or anyone else.
Checking your system
So are you using a proxy, but don't know it? You can check pretty quickly (though I should warn you, while a positive/proxy result is conclusive, a negative/no-proxy result may be a result of the proxy configuration, as the systems can be set up to bypass the proxy for certain sites, or to only use the proxy for certain sites, etc.).
Step 1: what's your address?
Check the current address of whatever network adapter you use (ethernet card, PPP/dialup device, etc.). On the Mac, start by checking the TCP/IP control panel. In Unix or Linux, something like '/sbin/ifconfig eth0' will do; in Micro$oft Windows 9x, run 'winipcfg'; in Windows NT, 'ipconfig'.
Step 2: what address do web sites see?
Go to a URL that will show you the environment variables passed to an env.cgi script, like http://perlprogrammers.com/env.html or http://www.ualberta.ca/htbin/dumpenv.pl. Look at REMOTE_ADDR. Reload several times. Does it change? You might see some other proxy-specific variables like HTTP_CLIENT_IP and HTTP_VIA, depending on the proxy server's configuration.
Step 3: interpreting the results
If you ever see a REMOTE_ADDR value in Step 2 that doesn't match the local address from Step 1, yet you don't have a Manual or Automatic proxy configured in your browser, then congratulations, you're behind a transparent proxy, and should assume that all your web traffic is being logged.
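Steps 1 to 3 as a script, added here as an example (not part of the original article): it parses saved env-dump output from several reloads and compares REMOTE_ADDR with the local address. The function names, the sample dumps and the HTTP_X_FORWARDED_FOR variable are assumptions; it also goes beyond the text by treating an RFC 1918 local address as inconclusive, since NAT alone rewrites such an address.

```python
import ipaddress
import re

# Variables the page names, plus HTTP_X_FORWARDED_FOR (an addition, not on the page).
PROXY_VARS = ("HTTP_VIA", "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR")
# RFC 1918 ranges: a local address in these is rewritten by NAT on the way out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*[=:]\s*(\S.*?)\s*$")


def parse_env_dump(text):
    """Collect NAME=value / NAME: value pairs from one saved env-dump page."""
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def check_proxy(local_addr, dumps):
    """Steps 1-3: compare the local address with what the server saw on each reload."""
    local = ipaddress.ip_address(local_addr)
    envs = [parse_env_dump(d) for d in dumps]
    seen = sorted({e["REMOTE_ADDR"] for e in envs if "REMOTE_ADDR" in e})
    proxy_vars = sorted({v for e in envs for v in PROXY_VARS if v in e})
    mismatch = [a for a in seen if ipaddress.ip_address(a) != local]
    behind_nat = any(local in net for net in RFC1918)

    if proxy_vars:
        return "proxy", "proxy variables present: " + ", ".join(proxy_vars)
    if mismatch and not behind_nat:
        return "proxy", "server saw " + ", ".join(mismatch) + ", not " + local_addr
    if mismatch:
        return "inconclusive", "private local address: the mismatch may only be NAT"
    if not seen:
        return "inconclusive", "no REMOTE_ADDR found in the dumps"
    return "no-proxy-seen", "REMOTE_ADDR matched on every reload (proxy may bypass this site)"


# Constructed sample dumps (documentation address ranges), two reloads.
RELOADS = [
    "REMOTE_ADDR=198.51.100.20\nHTTP_VIA=1.0 cache1.example\nHTTP_USER_AGENT=Mozilla/4.0",
    "REMOTE_ADDR=198.51.100.21\nHTTP_USER_AGENT=Mozilla/4.0",
]

if __name__ == "__main__":
    print(check_proxy("203.0.113.7", RELOADS))
    print(check_proxy("192.168.1.10", RELOADS[1:]))
```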
http:// vs https://
For regular HTTP, there's a lot they can conceivably record. The URL. Your cookies. Where you came from. Etc. For https:// it's a bit better. All they can do is record where you connected to, and when. Even this information might be deemed valuable, e.g., someone frequently connecting to many banking sites probably isn't eligible for low income tax credits. https:// is somewhat like encrypting your email: they can't tell what you're doing, but they can tell who you're contacting.
Server Side Includes
If a server is SSI (Server Side Includes) enabled, all that needs to be done to call SSI to life from any web page is to give the web page a file name extension of .shtml instead of the usual .html. This will cause the SSI-enabled server to display all sorts of user info.