The US Government May Be Treating VPN Users as Foreigners to Spy on Them

Key Takeaways

• Six US senators and representatives sent a letter to Director of National Intelligence Tulsi Gabbard in March 2026, demanding to know whether Americans using VPNs are subject to warrantless government surveillance.
• The NSA's own declassified targeting procedures presume that anyone whose location "is not known" is a non-US person, exposing VPN users to the full force of foreign intelligence collection.
• Under FISA Section 702 and Executive Order 12333, intelligence agencies can conduct mass warrantless surveillance on those classified as foreign, with no requirement to obtain a court order.
• Even encrypted VPN traffic is not safe: intelligence agencies collect traffic in bulk for potential "harvest now, decrypt later" decryption via quantum computing, which Google researchers warn could be viable as early as 2029.

Six Senators and the Question No One Wants to Answer

On March 26, 2026, six legislators sent a letter to Director Gabbard asking a question that the intelligence community has very good reasons to avoid answering. Senators Ron Wyden, Alex Padilla, Elizabeth Warren, and Edward Markey, alongside Representatives Sara Jacobs and Pramila Jayapal, wanted to know whether using a VPN exposes Americans to warrantless government surveillance.

Commercial VPN servers commingle traffic from hundreds or thousands of users simultaneously, all routing through a single shared IP address. From the outside, there is no way to tell whether that traffic belongs to someone in Ohio or someone in Osaka. And the NSA's own declassified targeting procedures handle that ambiguity with a rule that should alarm anyone who has ever connected to a VPN: anyone whose location "is not known will be presumed to be a non-United States person."

The same presumption runs through Department of Defense signals intelligence guidelines under Executive Order 12333. Unknown location equals foreign national equals no warrant required. It’s a written policy, not just some loophole someone found in the fine print, and that’s exactly what makes this matter so serious.

Watching the Watchers Watch You Back

Section 702 of FISA authorizes warrantless targeting of foreigners overseas. Executive Order 12333 goes further, permitting bulk surveillance of foreign communications with minimal restrictions. If the government classifies VPN traffic as foreign by default, both authorities apply, naturally, to every VPN session whose origin cannot be pinned down.

Intelligence agencies can monitor traffic flowing to and from a VPN server's IP address, then send legal demands to web services like Google, asking for identifying information about accounts that connected from that IP during a given window. That covers potentially thousands of users at once, most of whom are ordinary Americans who thought a VPN was keeping their activity private.

The Freedom of the Press Foundation, which trains journalists in digital security, flags this as an active concern for reporters who rely on VPNs daily to protect sources, mask locations, and conduct sensitive research without alerting the subjects of their investigations. If the government's position holds, every one of those sessions may have been treated as foreign intelligence material.

Encryption does not solve this, either. Intelligence agencies have a well-documented history of collecting encrypted traffic in bulk and holding it for future decryption, a practice known as "harvest now, decrypt later." Google's security researchers have warned that quantum computing could make decryption of currently protected traffic viable as early as 2029. The data being gathered today may not stay unreadable.

The Fix Congress Keeps Postponing

Section 702 of FISA is currently up for renewal in Congress. On April 13, 2026, the Freedom of the Press Foundation and a bipartisan group of legislators behind the Government Surveillance Reform Act called for a warrant requirement before any US person's data collected under Section 702 can be searched, along with closing the data broker loophole that lets agencies purchase sensitive American data commercially rather than go through a court.

None of that has passed yet. And in the meantime, the same administration that has been building AI tools for the Pentagon is being asked by six legislators to simply clarify whether a tool recommended by the FBI, NSA, DoD, and FTC is also a trigger for warrantless surveillance of the people using it. The irony is almost too clean. Agencies that tell Americans to use VPNs for security may be using those same VPN connections to classify Americans as foreign surveillance targets.

The NSA's published targeting rules already contain the exact mechanism that makes this possible. The question the senators are asking is whether it is happening right now and at what scale.

The same administration that built an online freedom portal to preach about internet access abroad is the one being asked to explain whether it surveils the tools Americans use to achieve that same freedom at home. If Gabbard responds, the answer is already in the paperwork. And if she doesn't, that silence tells Americans everything they need to know about whose privacy the intelligence community actually considers worth protecting.