Mar 26, 2026 9:32 AM
Using a VPN May Subject You to NSA Spying
US lawmakers are pressing Tulsi Gabbard to reveal whether using a VPN can strip Americans of their constitutional protections against warrantless surveillance
Six Democratic lawmakers are pressing the nation's top intelligence official to publicly disclose whether Americans who use commercial VPN services risk being treated as foreigners under United States surveillance law—a classification that would strip them of constitutional protections against warrantless government spying.
In a letter sent Thursday to Director of National Intelligence Tulsi Gabbard, the lawmakers say that because VPNs obscure a user's true location, and because intelligence agencies presume that communications of unknown origin are foreign, Americans may be inadvertently waiving the privacy protections they're entitled to under the law.
Several federal agencies, including the FBI, the National Security Agency, and the Federal Trade Commission, have recommended that consumers use VPNs to protect their privacy. But following that advice may inadvertently cost Americans the very protections they're seeking.
The letter was signed by members of the Democratic Party’s progressive flank: Senators Ron Wyden, Elizabeth Warren, Edward Markey, and Alex Padilla, along with Representatives Pramila Jayapal and Sara Jacobs.
The concern centers on how intelligence agencies treat internet traffic routed through commercial VPN servers, which may be located anywhere in the world. Millions of Americans use these services routinely, whether to access region-restricted content like overseas sports broadcasts or to protect their privacy on public Wi-Fi networks. Because VPN servers commingle traffic from users in many countries, a single server—even one located in the United States—may carry communications from foreigners, potentially making it a target for surveillance under authorities that allow the government to secretly compel service from US service providers.
Under a controversial warrantless surveillance program, the US government intercepts vast quantities of electronic communications belonging to people overseas. The program also sweeps in enormous volumes of private messages belonging to Americans, which the FBI may search without a warrant, even though it is authorized to target only foreigners abroad.
The program, authorized under Section 702 of the Foreign Intelligence Surveillance Act, is set to expire next month and has become the subject of a fierce battle in Congress over whether it should be renewed without significant reforms to protect Americans' privacy.
Thursday’s letter points to declassified intelligence community guidelines that establish a default presumption at the heart of the lawmakers' concern: Under the NSA's targeting procedures, a person whose location is unknown is presumed to be a non-US person unless there is specific information to the contrary. Department of Defense procedures governing signals intelligence activities contain the same presumption.
Commercial VPN services work by routing a user's internet traffic through servers operated by the VPN company, which may be located anywhere in the world. A single server may carry traffic from thousands of users simultaneously, all of it appearing to originate from the same IP address. To an intelligence agency collecting communications in bulk, an American connected to a VPN server in, say, Amsterdam looks no different from a Dutch citizen.
The letter does not assert that Americans' VPN traffic has been collected under these authorities—that information would be classified—but asks Gabbard to publicly clarify what impact, if any, VPN use has on Americans' privacy rights.
Among those pressing the question is Wyden, who as a member of the Senate Intelligence Committee, has access to classified details about how these surveillance programs operate and has a well-documented history of using carefully worded public statements to draw attention to surveillance practices he is unable to discuss openly.
The letter also raises concerns about a second, broader surveillance authority: Executive Order 12333, a Reagan-era directive that governs much of the intelligence community's foreign surveillance operations and permits the bulk collection of foreigners' communications with even fewer constraints than Section 702.
While 702 is a statute with congressional oversight that requires approval from the Foreign Intelligence Surveillance Court, EO 12333 surveillance operates under guidelines approved by the US attorney general alone.
The letter warns that the same foreignness presumption applies under both authorities, meaning Americans on foreign VPN servers could be exposed not just to targeted collection under 702 but to what the lawmakers describe as “bulk, indiscriminate surveillance of foreigners' communications.”
Americans spend billions of dollars each year on commercial VPN services, many offered by foreign-headquartered companies that route traffic through servers located overseas. The letter notes that these services are widely advertised as privacy tools, including by elements of the US government itself.
Despite the scale of the market, the letter suggests consumers have been given no meaningful guidance on how to protect themselves.
The lawmakers urge Gabbard to “clarify what, if anything, American consumers can do to ensure they receive the privacy protections they are entitled to under the law and the US Constitution.”
Updated at 12:38 pm ET, March 26, 2026: This story has been updated with additional details to clarify the scope of the potential surveillance addressed in the letter.
