Can my ISP see the size of a file I download through TOR?
Executive summary
An Internet Service Provider cannot see the contents or exact destination of files downloaded over Tor, but it can observe encrypted traffic patterns, including total bytes transferred and packet sizes/timing that reveal how much data was sent or received — so yes, an ISP can infer the size of a download even if it cannot see the file itself [1] [2] [3].
1. What the question really asks: content vs. metadata
The user is implicitly distinguishing two things: the file’s contents (what the file is, its name and bytes) and the metadata of the transfer (how many bytes moved, when, and in what pattern); Tor is designed to hide content and destination from the ISP but not to make the traffic invisible — ISPs still observe encrypted packets and their sizes and timing, which is the core of what the question targets [1] [3].
2. How Tor hides data and what it leaves visible
Tor routes traffic through multiple relays so that the ISP cannot see HTTP/HTTPS requests or DNS queries and therefore cannot directly read or identify the file being downloaded or the destination server, but the ISP still sees that encrypted Tor traffic is flowing and can measure overall bandwidth and activity levels on the line [1] [4].
3. Packet sizes, totals and inference: the ISP’s telemetry
Because the ISP carries the encrypted tunnel between the user and the first Tor node (or whatever encapsulation is used), it can count packets, observe packet sizes and timing, and sum bytes transferred — these measurements let an ISP determine that a large transfer took place and estimate its size even without seeing file contents [2] [5] [3].
4. Practical limits and sophistication of inference
Simple volume counting gives a reliable estimate of total bytes transferred, but finer-grained forensic claims (for example reconstructing exact file size down to the byte or deducing file type from packet patterns) depend on the attacker’s sophistication and whether additional measures like padding, pluggable transports, or SSH encapsulation are used; some setups (e.g., Tor over SSH) change packet characteristics seen by the ISP but still leak size/time metadata as the outer encapsulation reveals packet length and timing [5] [2].
5. Operational consequences: blocking, throttling and suspicion
Because ISPs can identify Tor usage and measure heavy encrypted transfers, they can choose to block Tor exit nodes, throttle apparent high-bandwidth flows, or single out users for further inspection even if they cannot read the files themselves; some community advice even recommends alternatives like a VPN to avoid obvious Tor fingerprints, though that trade-off has its own privacy and trust implications [2] [6].
6. What the sources agree and where uncertainty remains
Community Q&A and Tor project discussion consistently state that ISPs cannot see HTTP/HTTPS contents or DNS queries through Tor while they can see bandwidth and usage patterns [1] [4]; sources also note that more advanced network-level techniques (DPI, traffic correlation) can detect Tor or make stronger inferences about behavior, but the provided reporting does not supply exhaustive empirical studies about exact byte-level accuracy or specific DPI signatures [3] [5].
Conclusion
In succinct terms: Tor prevents an ISP from seeing what file was downloaded or which site provided it, but not from observing that a download occurred nor from measuring roughly how much data moved — ISPs see encrypted packets, their sizes and timing, and can therefore estimate download size and detect heavy Tor usage, even though they cannot read the file contents [1] [2] [3].