Using a VPNA virtual private network encrypts traffic between your device and a provider-run server, hiding activity from local networks while shifting trust to the VPN operator.Glossary → Could Change How Section 702 Treats You
A VPN hides your IP address, cuts off your ISP, and helps on bad networks. It does not settle how intelligence agencies classify your traffic. That is the problem raised in March 2026, when Senator Ron Wyden and five other lawmakers publicly asked DNI Tulsi Gabbard for answers on whether Americans using commercial VPNs can be treated as foreign, or simply location-unknown, under Section 702 and Executive Order 12333 rules.
VPNs still work against the threats they were built for. If a surveillance system assumes that location-unknown traffic is foreign, then a privacy tool can collide with a law that relies on foreignness and location. Proton laid out the public warning, and the underlying primary source is the Wyden letter itself.
The rule that matters is not the VPN. It is the presumption attached to unknown location.
Section 702 authorizes surveillance of non-U.S. persons reasonably believed to be outside the United States. Americans cannot be targeted under that authority, but Americans can still be collected incidentally and later queried. The Brennan Center's 2026 resource page describes incidental collection and later querying. EFF's March 2026 warning lists prior abuse examples involving protesters, journalists, lawmakers, and campaign donors.
The March 26 letter adds a newer angle. It says the government has taken the position that if a user's location remains unknown, that person may be treated as foreign for surveillance purposes. The letter states that a person whose location is not known will be presumed to be a non-U.S. person unless identified otherwise. That matters because commercial VPNs are built to obscure location. They make traffic harder to place. They do not prove where the user actually is.
A tool meant to reduce everyday tracking may increase ambiguity inside a legal framework that ties privacy protections to nationality and location. The public record does not prove that every VPN user is currently treated as foreign. It shows lawmakers asking whether that is happening and demanding a public answer.
Why VPN traffic creates ambiguity
Commercial VPNs route your traffic through servers run by the provider. A website sees the VPN server's IP, not yours. In many cases it may also recognize that IP as part of a commercial VPN range. That is enough to know you are using a VPN. It is not enough to know where you are sitting. The letter makes the narrower point directly: VPNs are better at hiding true location than convincingly placing a user in a specific country.
In normal privacy use, uncertainty helps you. It breaks simple location inference. In foreign-intelligence surveillance, uncertainty can cut the other way if the system treats unresolvable location as foreign by default. Nextgov's reporting tied the letter to the broader Section 702 renewal fight and the April 20 deadline.
The public record here is about classification rules, not proof that every VPN user is under active Section 702 collection. Modern routing does not line up neatly with a legal regime built around foreignness. Traffic is relayed, cached, proxied, load-balanced, and mixed across borders constantly. A privacy tool that hides your location from advertisers can also hide it from systems that decide which surveillance rules apply.
| Layer | VPN helps? | What changes |
|---|---|---|
| ISP logging | Yes | Your ISP sees an encrypted tunnel to the VPN, not the sites inside it. |
| Hostile public Wi-Fi | Yes | The hotspot operator loses easy visibility into your traffic contents and destinations. |
| Website geolocation | Yes | Sites see the VPN server IP, which can mask your rough location. |
| Section 702 classification | Unclear | The unresolved issue is whether location-obscured traffic can be treated as foreign or location-unknown for surveillance purposes. |
Section 702 had a query debate before VPN classification became part of it
The VPN question lands in a program that has drawn repeated civil-liberties criticism. Brennan Center describes Section 702 as a law that acquires foreigners' communications abroad while still sweeping in Americans' communications incidentally. EFF argues that Congress is drifting toward another clean extension even though the law has been used to query information tied to protesters, journalists, lawmakers, and campaign donors.
Congress reauthorized Section 702 in April 2024 through RISAA, but only for two years. That shortened runway set up the 2026 renewal fight. By March, EFF was warning against a clean extension without a warrant requirement for U.S.-person queries. If Congress extends the law again without that change, the VPN issue remains unresolved.
Another issue in the 2026 fight is scope. EFF and Brennan Center both oppose a clean extension and call for stronger reform.
PCLOB says the safeguards improved. Critics say the core issue remains unresolved.
The PCLOB's April 2, 2026 report says Section 702 remains highly valuable, that RISAA improved privacy safeguards, and that FBI compliance on querying has moved in the right direction.
PCLOB is focused on whether the program can operate with stronger oversight and still remain useful. The Wyden letter is focused on a narrower issue: whether ordinary privacy behavior changes how users are classified inside surveillance systems. Those are different parts of the same debate.
What reform would actually change this
The fix discussed in the current debate is procedural and legal rather than technical. EFF, Brennan Center, and the lawmakers behind the March 26 letter are all pressing different parts of the same problem. One part is the warrant question. If agencies search Americans' communications in a Section 702 database, critics want a warrant requirement. The second part is classification. If agencies rely on unknown location as a reason to treat a user as foreign, the public needs a clear published rule on how that decision is made.
That second part matters because the VPN issue is otherwise impossible to evaluate from the outside. A consumer can choose a server, change a provider, or stop using a VPN entirely, and still not know what rule the intelligence system applies when location is obscured. The Wyden letter asks for basic transparency on that point.
The broader reform agenda around Section 702 is about how much collection and querying power the government should keep without new limits. The VPN question sits inside that same fight. Privacy rights can change depending on how the system classifies the traffic in front of it, not on what the user intended when they opened the laptop.
- Warrant requirement: critics want agencies to get a warrant before searching Americans' communications in Section 702 databases.
- Published classification rules: lawmakers want the DNI to explain how location-unknown VPN users are handled.
- Narrower surveillance scope: reform groups want Congress to avoid another clean extension and add real constraints.
What to do if you still want VPN protection
Keep using a VPN if it fits your threat model. A VPN solves one class of problem: local and network-level visibility. It does not answer how government systems classify a user whose location has been deliberately obscured.
If you want the VPN part done properly, start with Anonymous VPN Setup: Mullvad Guide. Then read The Five Eyes Problem so you understand why provider jurisdiction still matters even when the product is technically sound. If your threat model is broader than coffee-shop Wi-Fi or ISP logs, read Government Surveillance Resistant Infrastructure next.
A few practical rules follow from the current record:
- Use a VPN for the threats it actually addresses. ISP logging, hostile networks, and crude geolocation remain valid reasons.
- Do not assume your traffic is legally domestic because you are physically domestic. That is the exact point lawmakers want clarified.
- Separate privacy tools by job. A VPN, a hardened browser, and identity compartmentalization solve different leaks.
- Track the reform fight alongside product updates. A software update will not fix a statute or a targeting procedure.
A VPN still helps with local and network-level privacy. Section 702 still leaves an unresolved classification problem. The public debate now turns on how systems treat users whose location is deliberately obscured.
Sources
- Wyden Letter to Gabbard on Commercial VPN, March 26 2026
- Wyden press release, March 26 2026
- Proton: FISA renewal debate raises new questions about VPN users and warrantless surveillance
- EFF: Congress Is Dropping the Ball with a Clean Extension of FISA
- Brennan Center: Section 702 of FISA, 2026 Resource Page
- PCLOB: Report on the Surveillance Program Operated Pursuant to Section 702, April 2 2026
- Nextgov: Lawmakers question VPN impact on Americans' FISA surveillance protections
Frequently Asked Questions
Does this mean I should stop using a VPN?
No. A VPN still protects against ISP logging, hostile Wi-Fi, and basic location inference by websites and apps. The new concern is legal classification. Lawmakers asked whether intelligence agencies may treat location-unknown VPN traffic as foreign under Section 702 and Executive Order 12333. That is a surveillance-law problem, not a failure of VPN encryption.
What exactly did lawmakers warn about in March 2026?
A group led by Senator Ron Wyden asked DNI Tulsi Gabbard to warn Americans that commercial VPN use may affect their rights against warrantless surveillance. Their letter said the government may presume a user is a non-U.S. person when the user's location is unknown. Because VPNs hide location, lawmakers asked whether Americans could lose protections that depend on being recognized as U.S. persons in the United States.
Does Section 702 allow the government to target Americans directly?
No. Section 702 is supposed to target non-U.S. persons reasonably believed to be outside the United States. The problem is incidental collection and later database searches. Americans' communications can still be swept in even though Americans are not supposed to be the direct targets.
Would choosing a U.S. VPN server fix the problem?
Public sources do not answer that clearly. The concern raised by lawmakers is not just which exit node you choose. It is whether agencies can reliably determine your location and status at all. Until the government explains how it handles location-unknown users, there is no public basis to claim that a U.S. exit node restores full protections.
What reform matters most here?
Two things. First, a warrant requirement before agencies search Americans' communications in Section 702 databases. Second, public rules on how the government treats VPN users and other location-obscured traffic. Those two issues sit at the center of the current reform debate.