Congress is about to renew warrantless surveillance. And VPN users are caught in the middle

As Congress moves toward renewing Section 702 of the Foreign Intelligence Surveillance Act (FISA), the debate is starting to encroach upon something far more familiar: the tools people use to protect themselves online.

VPNs(ventana nueva), used by millions to keep their internet activity private, route traffic through servers around the world. But that basic function raises a question lawmakers are only beginning to confront: What happens when protecting your privacy makes your activity look foreign?

A surveillance law that was never meant for you

Section 702 allows US intelligence agencies to collect communications from foreigners abroad without a warrant. In practice, that boundary has never held.

The system routinely pulls in Americans’ emails, messages, and calls when they interact with foreign targets or pass through global infrastructure.

Civil liberties groups, lawmakers, and even courts have raised concerns for years about how often that data is searched without a warrant. Now the law is up for renewal again, with an April deadline fast approaching. And despite repeated evidence of overreach, there is a push in Washington to extend these powers with minimal changes.

Support for surveillance is bipartisan, but so is the backlash. Jim Himes, the top Democrat on the House Intelligence Committee, recently faced protesters at a town hall(ventana nueva) raising concerns about Section 702.

The VPN problem no one accounted for

A new letter(ventana nueva) from senators including Ron Wyden raises a different risk — one that didn’t exist when Section 702 was written. 

VPNs obscure a user’s location(ventana nueva) by routing traffic through servers around the world(ventana nueva). But under current surveillance rules, that same behavior can make an American look like a foreigner.

Lawmakers are asking whether intelligence agencies treat VPN traffic as “foreign” by default — a classification that could strip users of constitutional protections and place them inside the Section 702 surveillance pipeline. 

A renewal without reform expands the risk

There are proposals on the table to fix this. Mark Warner, who chairs the Senate Intelligence Committee, has said lawmakers will address concerns around the expanded definition of “electronic communication service providers” (ECSPs).

That expansion widened who can be forced to assist in surveillance. It no longer stops at telecoms or email providers. It can include anyone with access to the systems your data passes through, from cloud services to public WiFi networks. Surveillance moves closer to the infrastructure of the internet, increasing the number of places where data can be collected under Section 702.

The bipartisan Government Surveillance Reform Act(ventana nueva) would go further. Backed by lawmakers including Ron Wyden and Mike Lee, the bill would require a warrant before agencies can search Americans’ data collected under Section 702 and close a loophole that allows the government to buy personal data from brokers instead of going to court.

That loophole matters because information that would normally require a warrant, like location data or browsing history, can be purchased on the open market with no judicial oversight.

The bill would also roll back some of the most controversial recent changes, including how broadly the government can force companies or infrastructure providers to assist with surveillance.

These changes target a known issue: surveillance systems built for foreign intelligence have been turned inward through technical loopholes and broad interpretations. As Ron Wyden has warned, Americans would be “stunned(ventana nueva)” to learn how these authorities are actually being used.

Without reform, those gaps stay open. And as VPN use becomes more common, more ordinary behavior risks being swept into foreign intelligence collection.

Where Proton stands

At Proton, we build tools that give people control over their data without exposing them to hidden tradeoffs. Privacy should not depend on how your traffic is classified by a surveillance system. It should be the default.

Using a VPN still protects you. It encrypts your internet traffic and prevents your provider, network operator, or anyone on the same connection from seeing what you do online. That protection matters, and it works. But encryption alone does not fix how surveillance laws are written. If your activity falls outside that protection, or is collected elsewhere, it can still be swept into systems like Section 702.

This also raises a broader issue. Privacy should not stop at national borders. People should not be subject to surveillance simply because they are not American. Legal protections may vary. The principle does not.

As lawmakers debate the future of Section 702, the stakes extend beyond intelligence policy. They shape what protection actually means in practice, and who receives it.