Your ISP Can See Every Site You Visit. Your State Can Subpoena That.

Every website you visit. Every search you run. Every link you click. Your internet service provider sees all of it. Not the content of encrypted pages — but the domains. The timestamps. The frequency. The patterns.

They do not just see it. They are legally allowed to sell it. And your state can compel them to hand it over.

This is not a conspiracy theory. This is federal law.

What Your ISP Actually Sees

Even with HTTPS encrypting the content of your connections, your ISP still has visibility into a surprising amount of your activity:

HTTPS protects the content. It does not protect the fact that you visited. Your ISP knows you went to a health website, a legal resource, a dating platform, or a political organization. They know how often. They know for how long. They know the pattern.

That metadata is often more revealing than the content itself.

The Law That Made Selling Your Data Legal

In 2017, Congress voted to repeal the FCC's broadband privacy rules under Senate Joint Resolution 34. These rules, finalized in late 2016, would have required ISPs to get your explicit consent before collecting and selling your browsing data.

The repeal passed the Senate 50-48 and the House 215-205. It was signed into law in April 2017.

The practical effect: U.S. internet service providers — Comcast, AT&T, Verizon, Spectrum, and others — can collect your browsing data and sell it to advertisers, data brokers, and other third parties without asking your permission.

Your ISP is not just your internet provider. It is a data broker that happens to give you internet access.

Your State Can Subpoena Your Browsing History

The commercial sale of data is one problem. Government access is another.

Law enforcement can obtain your browsing records from your ISP through several mechanisms:

• Subpoenas — in many jurisdictions, a subpoena (not a warrant) is sufficient to obtain subscriber information and basic connection records from ISPs. No judge needs to approve it.
• Court orders— under 18 U.S.C. § 2703(d), the government can obtain more detailed records with a court order, which requires a lower standard of proof than a warrant.
• Search warrants— for the most detailed data, a warrant is required. But the Fourth Amendment's application to digital records remains contested and varies by circuit.
• National Security Letters — the FBI can issue NSLs without any court involvement, compelling ISPs to hand over subscriber data with a gag order preventing the ISP from disclosing the request.

The data your ISP collects about you is not just a marketing asset. It is a legal liability. Every domain you visit is a record that can be produced in court proceedings — divorce cases, custody battles, employment disputes, insurance investigations.

What ISPs Actually Do With Your Data

ISPs do not just passively collect data. They actively monetize it:

• AT&Toperated "Internet Preferences," a program that tracked customer browsing to serve targeted ads. Customers could opt out — for an extra $29/month.
• Comcast/Xfinity collects browsing data and shares it with advertising partners. Their privacy policy explicitly permits this.
• Verizonwas caught injecting "supercookies" — unique tracking identifiers — into customers' HTTP traffic without consent. The FCC fined them $1.35 million in 2016, but the practice revealed the extent of ISP tracking capabilities.

You pay your ISP for internet access. They then sell records of what you do with that access. You are both the customer and the product.

VPNs Shift the Problem. They Do Not Solve It.

VPNs are the conventional answer to ISP surveillance. Encrypt your traffic, route it through a VPN server, and your ISP can only see that you are connected to the VPN. They cannot see the individual sites you visit.

The problem: a VPN shifts your trust from the ISP to the VPN provider. You are still trusting a single company with your complete browsing history. And VPN providers have their own issues:

• "No-log" claims are often unverifiable.Multiple VPN providers that advertised "no-log" policies have been caught logging user data. IPVanish provided user logs to the FBI in 2016 despite a no-log policy. PureVPN did the same in 2017.
• VPN providers can be subpoenaed too. If your VPN provider keeps any records, those records are subject to the same legal processes as ISP data.
• VPN traffic is increasingly detectable. ISPs can identify VPN connections by their traffic patterns. This matters as VPN-blocking legislation advances.
• CISA has warned against personal VPN use.The U.S. government itself has cautioned that VPNs "simply shift residual risks from the ISP to the VPN provider."

A VPN does not eliminate surveillance. It redirects it. The fundamental problem — a single entity seeing all your browsing — remains.

Browse Like You Are Not There

Browser isolation through Legba solves the ISP surveillance problem at a structural level, not by redirecting your traffic through another provider.

Here is how it works:

When you use Legba, your browsing session executes in a remote, isolated environment. Your local browser connects to the Legba service and receives a pixel stream — the visual output of the remote browsing session. Your ISP sees a connection to the Legba service. That is all.

• No DNS queries leave your network. The isolated environment handles all DNS resolution. Your ISP cannot see which domains you are visiting because those queries never touch your local network.
• No SNI headers to inspect. The TLS connection between your browser and the websites you visit happens in the isolated environment, not on your local connection. Your ISP cannot inspect SNI headers that would reveal hostnames.
• Ephemeral sessions leave no trace. When you close the tab, the isolated environment is destroyed. There is no persistent browsing history, no cookies, no session data. The session existed and then it did not.
• Nothing to subpoena on your ISP. If your ISP has no record of which sites you visited — because those connections never traversed your local network — there is nothing for a subpoena to produce.

This is the structural difference between a VPN and browser isolation. A VPN encrypts the pipe. Browser isolation moves the browsing to a different location entirely. Your ISP cannot log what never happened on your connection.

Your Health Searches Are Not Private

This matters most for the searches you would never want linked to your name. Health information is the most common example.

Researching symptoms, conditions, medications, reproductive health, mental health resources, addiction treatment — all of these create ISP records. Those records can be accessed by:

• Insurance companies — in jurisdictions where data brokers sell ISP data to insurance underwriters.
• Employers — through legal discovery in employment disputes.
• Law enforcement — through the legal mechanisms described above.
• Anyone who buys data broker packages — since ISP data flows into the broader data broker ecosystem.

HIPAA protects health records held by medical providers. It does not protect the fact that you visited WebMD's page on depression, or a local addiction treatment center's website, or a reproductive health clinic's site. That metadata is ISP data, not medical data. It has no legal protection.

One Extension. Zero ISP Footprint.

Legba installs as a Chrome extension. Activate it, and your browsing session executes in a remote, isolated environment. Your ISP sees a single encrypted connection. No domains. No DNS queries. No browsing pattern.

When you close the tab, the session is destroyed. No logs. No history. No persistent data. The browsing happened somewhere else, and now it is gone.

Your ISP can sell what it can see. With browser isolation, it cannot see anything worth selling.

Browse Like You Are Not There

Your ISP watches everything you do online. They sell it to advertisers. Your state can subpoena it. Data brokers package it and resell it. And since 2017, none of this requires your consent.

VPNs shift the surveillance to a VPN provider. Browser isolation eliminates it. The browsing happens in an isolated environment. Your ISP never sees the domains. There are no logs to sell. There is nothing to subpoena. The session is ephemeral. When it is over, it is gone.

Browse like you are not there.