Lawmakers Demand Transparency from DNI Regarding Surveillance Risks for American VPN Users

A coalition of six high-profile Democratic lawmakers has formally requested that the Office of the Director of National Intelligence (ODNI) clarify whether American citizens utilizing Virtual Private Networks (VPNs) are being inadvertently subjected to warrantless government surveillance. In a detailed letter addressed to Director of National Intelligence Tulsi Gabbard, the lawmakers expressed grave concerns that the very tools recommended by federal agencies to protect digital privacy may, in practice, strip Americans of their constitutional protections. The inquiry highlights a critical tension between modern cybersecurity practices and the broad authorities granted to intelligence agencies under United States surveillance law, specifically regarding how the government classifies the nationality and location of internet users.

The correspondence, dispatched on Thursday, was signed by a group representing the progressive wing of the Democratic Party, including Senators Ron Wyden of Oregon, Elizabeth Warren of Massachusetts, Edward Markey of Massachusetts, and Alex Padilla of California. Joining them were Representatives Pramila Jayapal of Washington and Sara Jacobs of California. The lawmakers argue that because VPNs mask a user’s true geographic location and IP address, intelligence agencies may be applying a "presumption of foreignness" to domestic traffic, thereby allowing the collection and analysis of American communications without the warrants typically required by the Fourth Amendment.

The Technical Conflict: Privacy Tools vs. Surveillance Presumptions

At the heart of the lawmakers’ concern is the technical mechanism by which commercial VPNs operate and how that mechanism interacts with the National Security Agency’s (NSA) targeting procedures. A VPN functions by creating an encrypted "tunnel" between a user’s device and a remote server operated by the VPN provider. This server can be located anywhere in the world. When an American user connects to a server in a foreign jurisdiction—such as Germany, Japan, or the Netherlands—their internet traffic appears to originate from that foreign IP address rather than their actual home or office in the United States.

According to declassified intelligence community guidelines, the NSA and other agencies operate under a default presumption: if a person’s location is unknown or cannot be positively identified as being within the United States, they are presumed to be a non-U.S. person located abroad. This classification is pivotal because U.S. surveillance law distinguishes sharply between "U.S. persons" (citizens and legal residents) and foreigners. While the former are protected by constitutional safeguards against unreasonable searches and seizures, the latter are subject to broad electronic intercept programs designed to gather foreign intelligence.

The lawmakers point out that commercial VPN servers often commingle the traffic of thousands of users simultaneously. A single server in a domestic or foreign data center may route the data of an American student, a French businessman, and a Brazilian journalist through the same gateway. To an intelligence agency monitoring bulk data flows, these users are indistinguishable. Consequently, an American following best practices for cybersecurity may be "misidentified" as a foreign target, potentially leading to the wholesale interception of their private communications.

The Paradox of Federal Privacy Recommendations

The letter highlights a striking contradiction in federal policy. For years, various arms of the U.S. government have actively encouraged the public to adopt VPNs to safeguard their personal data. The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Federal Trade Commission (FTC) have all issued guidance recommending VPN use, particularly when accessing public Wi-Fi networks or protecting against cybercriminals and foreign state actors.

For instance, the FTC has long warned consumers that unencrypted public Wi-Fi is a goldmine for hackers and has suggested VPNs as a primary line of defense. Similarly, the NSA and the Cybersecurity and Infrastructure Security Agency (CISA) have released technical sheets on "selecting and hardening" VPNs for remote work. The lawmakers argue that the government is essentially setting a trap for its own citizens: advising them to use tools that protect them from criminals while simultaneously using those same tools as a justification to bypass their legal rights. "Americans should not be forced to choose between securing their data from hackers and maintaining their constitutional rights against government overreach," the letter suggests.

Section 702 and the Looming Congressional Battle

The timing of the lawmakers’ demand is significant, as it coincides with a heated legislative debate over the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Section 702 is a controversial authority that allows the U.S. government to compel American electronic communication service providers—such as Google, Microsoft, and AT&T—to hand over the communications of non-U.S. persons located abroad for intelligence purposes.

While Section 702 is technically aimed at foreigners, it is well-documented that the program "incidentally" collects vast quantities of communications belonging to Americans. Once this data is in government databases, the FBI and other agencies can perform "backdoor searches" to find information on U.S. citizens without a warrant, provided the search is reasonably likely to return foreign intelligence information or evidence of a crime.

The program is set to expire next month, and its renewal has become a flashpoint in Congress. A bipartisan coalition of privacy advocates has demanded significant reforms, including a requirement for warrants before searching the data for information on Americans. The intelligence community, however, maintains that Section 702 is a vital tool for preventing terrorism and cyberattacks. The revelation that VPN use might further expand the scope of "foreign" traffic—and thus the volume of data eligible for collection—adds a new layer of complexity to the reauthorization debate.

Executive Order 12333 and Bulk Collection

Beyond Section 702, the lawmakers’ letter raises alarms about Executive Order 12333 (EO 12333). Established during the Reagan administration, EO 12333 serves as the primary authority for the intelligence community’s foreign surveillance operations conducted outside the United States. Unlike Section 702, which involves oversight from the Foreign Intelligence Surveillance Court (FISC) and statutory reporting to Congress, EO 12333 operates largely under the executive branch’s internal guidelines, approved by the Attorney General.

Under EO 12333, the government engages in the bulk, indiscriminate collection of communications that transit international cables. The lawmakers warn that because the "foreignness presumption" applies even more broadly under this executive order, Americans using foreign-hosted VPNs are at an even higher risk of having their data swept into massive, unregulated government repositories. They argue that this lack of judicial and legislative oversight makes EO 12333 a "black box" for privacy rights, where the distinction between a foreign target and a domestic user is dangerously thin.

A History of Calculated Transparency

Senator Ron Wyden, one of the lead signatories, has a long history of challenging the intelligence community’s interpretations of the law. As a senior member of the Senate Intelligence Committee, Wyden has access to classified information regarding how these programs function in practice. He has frequently used public letters and hearings to signal to the public when the government’s private legal interpretations differ significantly from the public’s understanding.

This pattern of "calculated transparency" was famously seen in 2013, when Wyden asked then-Director of National Intelligence James Clapper whether the NSA collected data on millions of Americans. Clapper’s denial was later proven false by the Edward Snowden leaks. By pressing Director Gabbard to clarify the status of VPN users, Wyden and his colleagues are likely attempting to force a public admission about a practice they may already know to be occurring within classified channels.

The Economic and Social Scale of VPN Usage

The implications of this policy are far-reaching, given the scale of the VPN industry. The global VPN market is currently valued at tens of billions of dollars and is projected to continue growing as digital privacy concerns mount. Millions of Americans utilize these services daily, not only for security but also for legitimate professional and personal reasons. This includes journalists protecting their sources, business travelers accessing corporate intranets, and consumers attempting to bypass regional content restrictions on streaming platforms.

Furthermore, many of the most popular VPN providers are headquartered outside the United States to avoid domestic data retention laws. These providers often route traffic through extensive networks of servers in Europe and Asia. If the U.S. government treats all traffic exiting these foreign servers as "foreign," then a significant portion of the American public’s daily internet activity is being funneled into a legal "gray zone" where constitutional protections are effectively suspended.

Conclusion and the Path Forward

The lawmakers have requested that Director Gabbard provide a public response detailing whether the intelligence community considers VPN use as a factor in determining if a person is a "non-U.S. person." They have also asked for specific guidance that American consumers can use to ensure they do not lose their legal rights when attempting to secure their digital lives.

As the deadline for FISA reauthorization approaches, the response from the DNI will likely play a pivotal role in the legislative process. If the intelligence community confirms that VPN users are being treated as foreigners, it could provide the necessary momentum for reformers to pass strict new warrant requirements. Conversely, a refusal to clarify the matter may only deepen the distrust between the public and the agencies tasked with their protection.

In an era where digital tools are essential for modern life, the debate over VPNs and surveillance represents a fundamental question about the future of the Fourth Amendment: whether constitutional rights are tied to a person’s physical identity or merely to the digital footprint they leave behind. For now, the six lawmakers are insisting that the government provide an honest accounting of how it treats the millions of Americans who have taken their privacy into their own hands.