DoH is an actual improvement, that’s true. But at the same time it’s a meaningless one, since the ISP can just do a reverse DNS lookup of the IPs you are contacting, and there isn’t really an option to hide the IP, unless you are using TOR or a VPN, but TOR sucks in real-world usage (and can also not really be trusted) and VPNs have been discussed before.

I worked on the “evil” side for ~7 years, in a company that made internet monitoring devices. Originally I was told it’s only for debugging ISP network problems, but after a few years, when I was trusted enough in the company, they told me that a significant portion of our customers are actually secret services all around the world.

The foreign ones usually wouldn’t just say that they are secret service, but they’d buy through other companies, which lead to some weird requests. For example, one time a small little British bakery asked for network monitoring equipment for their business. But they wanted the solution to be able to handle ~100 TBit/s, which was at that time roughly the total bandwidth of the whole UK plus some margin.

Some secret services, though, talked to us completely openly.

I’ve been at one ISP quite a few times at the department that handled secret service requests. I asked that guy what they do with our products, and he showed me the full suite that they are using. He entered a random phone number into the system, and an overview over the last year’s activities of that guy showed up. It had a list with timestamps of every site he accessed. It had all emails (of his ISP account and also emails that were sent unencryped) and SMS that that guy sent and received. It had a full movement profile of that guy for the whole last year, including his visits to other countries. The system allowed the operator to easily find contacts of that guy, even through the movement profile. So you could e.g. list all users that were close to that user at a given time, or all users that are frequently close to that guy.

Tbh, it was a little shocking and eyeopening.