Your VPN Could Be a Surveillance Backdoor

The Warning

On Thursday, March 26, six Democratic lawmakers — Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), Edward Markey (D-MA), and Alex Padilla (D-CA), along with Representatives Pramila Jayapal (D-WA) and Sara Jacobs (D-CA) — sent a letter to Director of National Intelligence Tulsi Gabbard demanding the government publicly disclose whether Americans who use commercial VPN services risk being reclassified as foreign nationals under U.S. surveillance law, according to a report by Wired.

The concern, as laid out in the three-page letter, is fundamental: VPNs are supposed to protect your privacy. But they may inadvertently trigger the very surveillance they're meant to guard against.

How a Privacy Tool Becomes a Privacy Risk

Here's the mechanism. When you connect to a commercial VPN, your internet traffic is routed through a server operated by the VPN company — often located in another country. That server may simultaneously carry traffic from thousands of users spread across dozens of nations, all of it appearing to originate from the same IP address.

To an intelligence agency intercepting communications in bulk, an American using a VPN server in Amsterdam looks no different from a Dutch citizen using the same server.

That distinction matters enormously under U.S. law. The NSA's declassified targeting procedures under Section 702 of the Foreign Intelligence Surveillance Act state explicitly: "A person known to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person is identified as a United States person, or the circumstances otherwise give rise to a reasonable belief that such person is a United States person." (NSA Targeting Procedures, 2023, via Office of the Director of National Intelligence.)

In plain English: if your location is unknown, the NSA presumes you're foreign. And if you're foreign, you have no Fourth Amendment protection against warrantless surveillance.

What Section 702 Actually Does

Section 702 of the Foreign Intelligence Surveillance Act is the legal authority that allows the NSA, FBI, and other intelligence agencies to conduct warrantless surveillance of non-U.S. persons located outside the United States. It was originally authorized to target foreign intelligence threats, but critics have long noted it operates as a dragnet.

Because a single VPN server commingles traffic from users across many countries, a surveillance operation targeting that server doesn't need to filter out American traffic. Under the NSA's own targeting procedures, the presence of American communications on a foreign-flagged server doesn't automatically confer protection.

The FBI is also authorized to search communications collected under Section 702 — without a warrant — even though the program is legally structured to target foreigners abroad. Privacy advocates, including the American Civil Liberties Union, have documented that this effectively exposes Americans whose communications were swept up in bulk collection.

An additional, broader concern raised in the lawmakers' letter is Executive Order 12333, a Reagan-era directive governing foreign intelligence operations that applies even fewer constraints than Section 702. Unlike Section 702, which requires approval from the Foreign Intelligence Surveillance Court, EO 12333 surveillance operates under guidelines approved solely by the U.S. attorney general. The lawmakers warned that the same "foreignness presumption" applies under EO 12333, potentially exposing Americans on foreign VPN servers to what they described as "bulk, indiscriminate surveillance of foreigners' communications."

The Irony: The Government Told You to Use a VPN

The bitter irony is that several of the same agencies that may be conducting this surveillance have actively encouraged Americans to use VPNs. The Federal Trade Commission, the FBI, and the NSA itself have all recommended commercial VPN services as tools to protect privacy — particularly on public Wi-Fi networks. The NSA and the Cybersecurity and Infrastructure Security Agency (CISA) jointly published guidance in 2021 on selecting and hardening remote access VPNs.

The lawmakers' letter explicitly notes this contradiction, asking Gabbard to clarify "what, if anything, American consumers can do to ensure they receive the privacy protections they are entitled to under the law and Constitution" given that following federal advice on VPN use may render that advice counterproductive.

Section 702 Expires April 20 — and Nobody Agrees on What Comes Next

The timing of this letter is not incidental. Section 702 was last reauthorized in April 2024 by the Reforming Intelligence and Securing America Act (RISAA), which extended the authority for two years — setting a new sunset date of April 20, 2026, according to Congress.gov. The House is expected to vote on reauthorization in the coming weeks.

The path forward is deeply contested. A bipartisan coalition — including Senators Wyden, Warren, Markey, Sanders, Baldwin, Heinrich, and Republicans Daines and Lummis — has backed the SAFE Act, which would require warrants for U.S. person queries. The Brookings Institution, in a February 2026 analysis, described the reauthorization outlook as "unclear," noting that historically, reform efforts have repeatedly failed.

Senator Wyden, who sits on the Senate Intelligence Committee and has access to classified details about these programs, has a documented history of using carefully worded public statements to signal classified concerns he cannot discuss openly. His inclusion as the lead signatory on this letter — alongside the specific, technically precise framing — suggests the lawmakers may have seen classified evidence that VPN-based collection is already occurring, though the letter itself makes no such assertion directly.

The American Prospect reported on March 23, 2026 that the House is expected to take up Section 702 reauthorization "in the coming weeks," with reform advocates pushing for the warrant requirement provision that intelligence officials and the executive branch have opposed.

What Hasn't Been Confirmed

The lawmakers' letter explicitly does not assert that American VPN traffic has in fact been collected under Section 702 or EO 12333 — that information would be classified. The letter asks DNI Gabbard to publicly clarify what impact, if any, VPN use has on Americans' privacy rights. As of publication, Gabbard's office had not responded to requests for comment, according to PCMag.

What is confirmed via declassified government documents: the NSA's targeting procedures contain the presumption-of-foreigner rule. What remains unknown: whether, and to what extent, intelligence agencies have used or are using VPN server traffic as a collection vehicle under these authorities.

What This Means for Ordinary Users

Tens of millions of Americans use commercial VPN services for a range of purposes: accessing region-restricted content, protecting data on public networks, or simply maintaining digital privacy. If the NSA is treating VPN servers — particularly those located outside the U.S. — as legitimate bulk collection targets, users connecting through those servers may have no more Fourth Amendment protection than a foreign citizen would.

The practical implication is that the very act of trying to protect your privacy online could, under the current legal framework, strip you of the constitutional protection you were trying to preserve. That's not spin or speculation — it's a direct reading of the NSA's own publicly available targeting procedures, which the lawmakers themselves cite in their letter.

The April 20 deadline for Section 702 reauthorization will determine whether Congress forces a change to that framework — or lets the current rules, ambiguities and all, run another term.