Six U.S. senators, including Ron Wyden and Elizabeth Warren, have sent an urgent letter to the Director of National Intelligence warning that Americans who use commercial VPN services may be unknowingly stripped of their constitutional privacy protections under federal surveillance law.
What the Senators Are Asking
The bipartisan group of lawmakers is demanding answers about how U.S. intelligence agencies treat internet traffic that originates from VPN exit nodes located outside the United States. Their core concern: because a VPN routes a user's traffic through servers in other countries, surveillance systems may automatically classify that traffic as "foreign," triggering collection authorities that were never intended to apply to American citizens.
The letter specifically references Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, two of the most expansive legal frameworks used by U.S. intelligence agencies to collect communications data. Under these authorities, intelligence agencies can collect communications without a warrant — but only when targeting foreign nationals abroad. The senators argue that VPN users are being caught in this dragnet without their knowledge.
How FISA Section 702 Works
Section 702, reauthorized by Congress in 2024, allows the NSA and other agencies to collect communications of foreign targets without individual warrants. However, it includes protections for U.S. persons — American citizens and permanent residents are not supposed to be deliberately targeted. The problem is that automated systems often cannot distinguish a U.S. citizen using a VPN server in Frankfurt from an actual German national sending communications from the same city.
Executive Order 12333 goes even further — it governs collection of data outside the United States with even fewer legal constraints than Section 702. When an American's VPN traffic exits through a server in a foreign country, that traffic may fall under E.O. 12333 collection, where U.S. person protections are more limited.
The VPN Misclassification Problem
The technical issue is straightforward: intelligence collection systems look at the geographic origin of internet traffic. A VPN masks the user's real IP address and replaces it with the IP address of the VPN server — which is typically located in another country. Automated systems may then classify this traffic as originating abroad, potentially removing the constitutional protections that would otherwise apply.
According to the senators' letter, this creates a perverse situation: a U.S. citizen exercising their legal right to use privacy tools may inadvertently waive the legal protections designed to protect them from government surveillance. This concern is not theoretical — security researchers and civil liberties organizations have raised similar alarms for years.
Scope of the Problem
VPN usage in the United States has grown significantly in recent years. Tens of millions of Americans use VPN services for a range of legitimate purposes: protecting their data on public Wi-Fi, accessing streaming content, maintaining privacy from advertisers, and increasingly, as awareness of surveillance practices grows. If the senators' concerns are accurate, this means a very large number of Americans may currently be receiving fewer legal protections than they realize.
Implications for Privacy and Internet Freedom
The letter arrives at a moment when the relationship between privacy tools and government surveillance is under intense scrutiny worldwide. In this environment, the concern that using a VPN — a tool marketed specifically for privacy — could paradoxically expose users to greater government surveillance is particularly striking.
Civil liberties advocates note that this is exactly the kind of unintended consequence that arises when surveillance authorities designed for foreign intelligence collection are applied without adequate transparency or oversight. Users in the United States and abroad who rely on VPNs to protect their communications are watching this case closely.
