Six Democratic lawmakers are pressing the nation's top intelligence official to publicly disclose whether Americans who use commercial VPN services risk being treated as foreigners under United States surveillance law—a classification that would strip them of constitutional protections against warrantless government spying.
In a letter sent Thursday to Director of National Intelligence Tulsi Gabbard, the lawmakers say that because VPNs obscure a user's true location, and because intelligence agencies presume that communications of unknown origin are foreign, Americans may be inadvertently waiving the privacy protections they're entitled to under the law.
Several federal agencies, including the FBI, NSA, and FTC, have recommended that consumers use VPNs to protect their privacy. But following that advice may inadvertently cost Americans the very protections they're seeking.
The letter was signed by members of the Democratic Party’s progressive flank: Senators Ron Wyden, Elizabeth Warren, Edward Markey, and Alex Padilla, along with Representatives Pramila Jayapal and Sara Jacobs.
The concern applies specifically to Americans who connect to VPN servers located in other countries—something millions of users do routinely, whether to access region-restricted content like overseas sports broadcasts, or simply because their VPN app selected a foreign server by default. When they do, their internet traffic can become indistinguishable from that of a foreigner.
Under a controversial warrantless surveillance program, the US government intercepts vast quantities of electronic communications belonging to people overseas. The program also sweeps in enormous volumes of private messages belonging to Americans, which the FBI may search without a warrant, even though it is authorized to target only foreigners abroad.
The program, authorized under Section 702 of the Foreign Intelligence Surveillance Act, is set to expire next month and has become the subject of a fierce battle in Congress over whether it should be renewed without significant reforms to protect Americans' privacy.
Thursday’s letter points to declassified intelligence community guidelines that establish a default presumption at the heart of the lawmakers' concern: Under the NSA's targeting procedures, a person whose location is unknown is presumed to be a non-US person unless there is specific information to the contrary. Department of Defense procedures governing signals intelligence activities contain the same presumption.
Commercial VPN services work by routing a user's internet traffic through servers operated by the VPN company, which may be located anywhere in the world. A single server may carry traffic from thousands of users simultaneously, all of it appearing to originate from the same IP address. To an intelligence agency collecting communications in bulk, an American connected to a VPN server in, say, Amsterdam looks no different from a Dutch citizen.
The letter does not assert that Americans' VPN traffic has been collected under these authorities—that information would be classified—but asks Gabbard to publicly clarify what impact, if any, VPN use has on Americans' privacy rights.
Among those pressing the question is Wyden, who as a member of the Senate Intelligence Committee has access to classified details about how these surveillance programs operate and has a well-documented history of using carefully worded public statements to draw attention to surveillance practices he is unable to discuss openly.
The letter also raises concerns about a second, broader surveillance authority: Executive Order 12333, a Reagan-era directive that governs much of the intelligence community's foreign surveillance operations, and permits the bulk collection of foreigners' communications with even fewer constraints than Section 702.
While 702 is a statute with congressional oversight that requires approval from the Foreign Intelligence Surveillance Court, EO 12333 surveillance operates under guidelines approved by the US attorney general alone.
The letter warns that the same foreignness presumption applies under both authorities, meaning Americans on foreign VPN servers could be exposed not just to targeted collection under 702 but to what the lawmakers describe as "bulk, indiscriminate surveillance of foreigners' communications."
Americans spend billions of dollars each year on commercial VPN services, many offered by foreign-headquartered companies that route traffic through servers located overseas. The letter notes that these services are widely advertised as privacy tools, including by elements of the federal government itself.
Despite the scale of the market, the letter suggests consumers have been given no meaningful guidance on how to protect themselves.
The lawmakers urge Gabbard to "clarify what, if anything, American consumers can do to ensure they receive the privacy protections they are entitled to under the law and the US Constitution."
