By Michael Benavides
•
July 19, 2026
The Router Is Not the Problem. The Company Upstream Is. There is a popular version of this story where police park outside your house and read your Wi-Fi. That is mostly not what happens, and consumer routers mostly cannot do it anyway. The real collection happens somewhere less cinematic and far more consequential — at your internet provider, and at the companies that make the devices in your home. Ava asked attorney Michael Benavides what is actually being kept. Ava Asks, Michael Answers — ISP Records, Plain English Ava: What does an internet provider actually have? Michael, Esq.: More than most people assume. Subscriber identity and billing details. IP assignment logs — which account held which IP address at which moment. Connection logs with timestamps and visited domains, sometimes full URLs. The DNS queries your devices make, which is effectively a list of every service your household reached out to. And any traffic that is not encrypted travels through them in the clear. Ava: Does encryption fix it? Michael, Esq.: Partly, and the distinction matters. Modern web traffic is largely encrypted, so a provider generally cannot read the contents of what you did on a site. But they can still see that you connected, when, and for how long. Encryption protects the letter. It does not hide that you went to the post office, or how often. Ava: How long is it kept? Michael, Esq.: It varies by carrier and by record type. Reported ranges for IP assignment logs run roughly six months to two years — Comcast is commonly described around 180 days, Verizon around eighteen months. Do not treat those numbers as legal certainties; retention policies change and are not uniform. The practical point is that the window is long enough that something from last year is often still there. Ava: What legal process do investigators use? Michael, Esq.: Federally, it is tiered under the Stored Communications Act. Content of communications generally requires a warrant under 18 U.S.C. section 2703(a). Non-content records — subscriber information, session logs, IP-to-account mapping — can commonly be obtained with a subpoena or a court order under section 2703(d). That is a materially lower bar than probable cause, and it is how a great deal of routine internet investigation actually proceeds. Ava: And in California? Michael, Esq.: As we covered in the previous article, CalECPA changes that calculus for California state and local agencies, because Penal Code section 1546 defines electronic communication information to include an IP address and section 1546.1 requires a warrant, consent, or an emergency. The federal tiering and the California rule can produce different answers on the same record. Ava: What about the smart devices in the house? Michael, Esq.: Same structure, different companies. Device makers generally require a warrant or user consent for content — recordings, video. Non-content data such as subscriber information, purchase history and service usage can often be obtained on a subpoena or court order. And several vendors maintain emergency request channels that let law enforcement ask for data without a warrant and without the user's consent, on the company's assessment that an emergency exists. That is a real and under-discussed pathway. Ava: Now the part you said matters most. What is the attribution gap? Michael, Esq.: An IP address identifies an account. It does not identify a person. Those are different things and the distance between them is where a lot of cases live and die. Ava: Walk me through that. Michael, Esq.: The provider produces records showing that a particular account held a particular IP at a particular time. That gets investigators to a house. It does not get them to a hand on a keyboard. A household has roommates, spouses, children, guests, contractors. Networks get shared. Passwords get reused and given out. Some networks are open or poorly secured. Devices get borrowed and stolen. Ava: So what closes the gap? Michael, Esq.: Something other than the IP record. Physical surveillance, device forensics establishing that a specific machine did a specific thing, witness statements, or an admission. That additional proof is the case. Where it is thin, the IP record is doing work it cannot legitimately do, and that is a defense. Ava: Does a VPN change the analysis? Michael, Esq.: It changes what your provider can see, because your traffic is tunneled. It does not make you invisible, it shifts the question to what the VPN provider logs and whether that provider can be reached with legal process. I would not want anyone reading this to treat a VPN as legal protection. It is a technical measure with technical limits. Ava: What should someone do if they learn their records were obtained? Michael, Esq.: Find out three things: which agency, under what legal process, and covering what time period. Those three answers determine almost everything — whether CalECPA applied, whether the process matched the record type, and whether the scope was particular enough. Keep any notice you received. And do not try to reconstruct your own network history from memory; get the records. What to Do Internet providers retain substantial data: subscriber and billing information, IP assignment logs, connection logs with timestamps and visited domains, DNS queries, and any unencrypted traffic. Reported retention ranges run roughly six months to two years, with Comcast commonly described near 180 days and Verizon near eighteen months, though policies vary and change. Encryption protects content but not the fact and timing of connections. Federally, the Stored Communications Act requires a warrant for content under 18 U.S.C. section 2703(a) but permits subpoenas or court orders for non-content records under section 2703(d); in California, CalECPA (Penal Code sections 1546 et seq.) requires a warrant, consent, or an emergency for California government entities, and expressly includes IP addresses. Device manufacturers follow a similar content/non-content split and several maintain emergency channels that bypass both warrant and user consent. The critical limit is attribution: an IP address identifies an account, not a person, and investigators must independently establish who was actually using the connection through forensics, surveillance, witnesses, or admission. Shared households, guests, and open networks all live in that gap. If your internet records were obtained, determine which agency acted, under what process, and for what period — a Blue Data consultation in Sacramento, Stockton, or Modesto can work through it. Next in this series: your router can detect motion, falls, and breathing through walls — and the Supreme Court case that governs it was written about a thermal imager in 2001. Blue Data Law | V2K & RF Defense | Michael Benavides, Esq., CA Bar No. 270714 | Sacramento, Stockton & Modesto | 707-362-4166 | attorneymichaelbenavides.com ATTORNEY ADVERTISING. Blue Data and V2K & RF Defense are content brands of the law practice of Michael Benavides, Esq., California State Bar No. 270714. Ava is an editorial brand voice, not an attorney; only Michael Benavides, Esq. provides legal analysis. General information only — not legal advice; no attorney-client relationship is formed by reading this. Authority referenced (18 U.S.C. §§ 2701–2712, particularly § 2703; Cal. Penal Code §§ 1546 et seq.) is as of July 2026 — confirm current law before acting. Retention periods described are drawn from public reporting, vary by carrier and record type, and are subject to change; they are not legal representations about any provider. This article describes general principles only and does not reference any actual client or pending matter. Prior results do not guarantee a similar outcome.