
Is it naive of me to ask why it is being just casually accepted that a major ISP is mitm'ing TLS traffic?


They are also probably collecting DNS records from millions of customers too or inspecting SNI on TLS handshakes to know what sites each customer is visiting.

ECH and DoH, people!


None of that requires messing with the connection though. You can just passively observe and get the same info.


They most certainly are. Large ISPs use Nokia Deepfield or Kentik for network monitoring, observability and user metrics. Both work due to volumes of metadata from net flows and DNS.

My gut tells me the broken intercept is a Nokia product.


This is correct, it's even open source: https://github.com/deepfield/dnsflow.


> "Encrypted Client Hello (ECH) - Enabled, limited effect"

Not sure what TFA means by this; it reads like ECH doesn't help.

Coincidentally, this article's webpage breaks copy & paste in its tables for presumed reasons of being "cutesy" with table click behavior. Can people please stop doing idiotic shit like this?



