faqs.org - Internet FAQ Archives

comp.security.unix and comp.security.misc frequently asked questions
Section - Can my ISP/employer monitor [various things I'm doing]?



Do they have the technical ability?  Yes.  Your packets go through their
equipment.  Your packets are identified with your IP address, and they
contain the IP address of the destination; your ISP's routers need to know
the destination IP addresses to be able to route your packets.

The data you send (e.g. passwords, mail message contents, URLs) is also
readily available, in the body of the packets.  If you use www.anonymizer.com
(in its non-cryptographic mode), the URL you request is still just as
available in the outgoing packets.

If you use some form of encryption, e.g. ssh, they could still at least tell
the destination, even if the contents are unreadable.  In general, encryption
is the only way to render at least the contents unsnoopable, and only then if
the encryption and decryption are both done on machines which the overseers
DON'T control, and the plaintext is not transmitted on any network on which
the overseers have machines or are able to attach machines.  If you use their
computers (including running the encryption program on a unix machine
operated by them), then everything you do is, in theory, available to them.
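
The paragraphs above, as an added example (not part of the original FAQ): a
parser that reports what any device on the path can read from one IPv4/TCP
packet.  The addresses, ports and payloads are constructed sample data; the
function names are this example's own.

```python
import socket
import struct

def build_packet(src, dst, dport, payload):
    """Construct a minimal IPv4+TCP packet (checksums left zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def observe(packet):
    """Return what an on-path router or sniffer can read from one packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    seen = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "dport": None, "payload": None, "readable": False}
    if packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return seen                           # addresses are visible regardless
    seen["dport"] = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    data_off = (packet[ihl + 12] >> 4) * 4    # TCP header length in bytes
    body = packet[ihl + data_off:]
    seen["payload"] = body
    # Heuristic: all-printable bytes means the contents can be read as-is.
    seen["readable"] = bool(body) and all(
        32 <= b < 127 or b in (9, 10, 13) for b in body)
    return seen

# Constructed samples: a cleartext HTTP request, and opaque bytes standing in
# for the ciphertext of an ssh session to the same host.
CLEAR = build_packet("192.0.2.10", "198.51.100.7", 80,
                     b"GET /login?user=alice&password=hunter2 HTTP/1.0\r\n\r\n")
OPAQUE = build_packet("192.0.2.10", "198.51.100.7", 22,
                      bytes([0x9C, 0x01, 0xE7, 0x5A, 0xFF, 0x13, 0x80, 0xD2]))

if __name__ == "__main__":
    for name, pkt in (("cleartext", CLEAR), ("encrypted", OPAQUE)):
        print(name, observe(pkt))
```

In both cases the source, destination and port come straight out of the
headers; only the payload differs in whether it can be read.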

But perhaps you were asking "*May* my ISP monitor X": is it allowed, is it
ethical.

I think most sysadmins would feel that once there is reasonable suspicion that
you are acting improperly (breaking into computers, violating the acceptable
use policy, etc.), it is ethical for the admins to take a closer look.

It's unlikely that it's *illegal* for them to look at your stuff or what
you're doing, although there are some exceptions.  Under certain court orders
or subpoenas, it may be illegal for them *not* to look at your files or what
you're doing.

Many believe that inquiry without suspicion and without a court order is
unethical.  This is a potential topic for discussion in comp.security.misc and
comp.security.unix, but posters should refrain from the argument that "they
paid for it, they can do what they like with it" (which is sometimes advanced
in the case of employers or educational institutions).  This is surely false
in general and thus not the basis for a convincing argument.  For example,
if they do something criminal with their equipment, it's a criminal act and
they can be charged criminally; it doesn't matter that they paid for it.
Similarly, if they do something unethical, it's unethical even though they
paid for it.  The whole concept of professional ethics is based on the
idea that ethics transcends legality: the idea that an action can be legal
but unethical.  If "they paid for it" means that all legal acts are ethical,
then you've pretty much defined away the whole idea of professional ethics.
*That* is probably best not attempted on comp.security.misc/unix.
