The short answer is tailor-made for the tin-foil hat wearers: potentially, everything.
The more reassuring and realistic answer is: not much, and not for very long. But there are ALWAYS media reports, as well as legislation being drafted at the highest levels of the US government that may prove that the tin-foil hat people are more right than we may care to admit.
In general, there are practical reasons not to be overly concerned: server space and IP allocation is still at a premium for ISPs, so they tend to immediately get rid of any logs that don’t have a direct impact on service or billing. This is even truer for wireless and mobile providers, who generally want to keep their limited spectra as free as possible. In other words, the less data that is transmitted and recorded, the more room there is for more paying customers.
However, under the Electronic Communication Transactional Records Act of 1996, ISPs are required to preserve 90 days of more detailed data when requested to do so by police, or other “governmental entities,” and only as part of a specific investigation. And the Protect Our Children Act of 2008 encourages ISPs (by way of potential six-figure fines) not to throw away anything that could be used against suspected child pornographers.
Seemingly along the same lines, there is currently (at the time of this writing) a controversial bill called, somewhat misleadingly, the “Protecting Children From internet Pornographers Act of 2011.” If passed into law, ISPs would be required to retain everyone’s name, address, phone number, credit card and bank account numbers, and all of the IP addresses in your browsing history for a total of one year (wireless providers originally won an exemption, but the Justice Department insisted that they be included as well).
Also, HR3261, the “Stop Online Piracy Act” (or SOPA), was one of the latest in a long series of attempts by lobbying organizations of intellectual property holders to, among other things, compel ISPs to take stronger action against copyright infringement. In practice, such bills generally encourage or even require ISPs to monitor and retain considerably more personal usage data and to make it available to private companies and organizations without even the dubious safeguard of requiring any official law enforcement or other governmental involvement.
The past year has seen plenty of controversy over mobile providers’ collection and retention of user data, from calling records to GPS location tracking to actual text message contents (Verizon, for instance, hangs on to your texts for 3-5 days). Both Apple and Android were called to testify in front of Congress over location-tracking practices. And most recently, a hacker uncovered a hidden app in smartphones that records every button that’s pressed.
While this doesn’t necessarily mean that ISPs are recording and retaining every website that you visit, the potential is there, the political will is there, and the evidence of past practices is there. So the best possible advice to keep in mind might be: don’t get paranoid, get informed, and make sure your ISP (and your elected representative) knows exactly how much value you place on your internet privacy.