Members of Congress are pressing federal agencies to explain whether Americans who route their internet traffic through overseas VPN servers risk falling under a weaker surveillance regime, one that gives the National Security Agency far more latitude to collect data without a warrant. The concern centers on a gap between two legal frameworks: the Foreign Intelligence Surveillance Act, which imposes court oversight on domestic collection, and Executive Order 12333, which governs intelligence gathering abroad with fewer restrictions. If a VPN makes an American’s data appear to originate outside the United States, lawmakers want to know whether that data could be swept up under the looser overseas rules.
Two Legal Regimes, One Privacy Gap
The distinction between domestic and foreign surveillance law sits at the heart of this debate. FISA Section 702 allows intelligence agencies to target foreigners reasonably believed to be abroad, using methods that include both upstream collection from internet backbone infrastructure and the PRISM program that pulls data from tech companies. When Americans’ communications get caught up in that process, known as incidental collection, a set of minimization procedures and oversight mechanisms is supposed to limit how that data is queried and used.
Executive Order 12333 operates on different terms. Signed during the Reagan administration and later discussed in a presidential speech on intelligence activities, the order serves as the primary legal authority for intelligence activities conducted largely outside the statutory FISA framework. The National Archives has codified the text of the order, which the NSA describes as a foundational basis for overseas signals intelligence collection. Because EO 12333 collection happens abroad, it is not subject to the same judicial approval process that FISA requires. That difference matters when a VPN endpoint in another country causes American internet traffic to travel through foreign infrastructure, potentially placing it within reach of collection programs that answer to the executive order rather than to the FISA Court.
Bipartisan Alarm Over Foreign VPN Apps
Congressional attention to VPN-related risks has been building across party lines. Sen. Ron Wyden, D-Ore., and Sen. Marco Rubio, R-Fla., jointly asked the Department of Homeland Security to open an inquiry into foreign VPN software. Their request reflects a specific worry: that VPN services operated by companies in adversarial nations could expose user data to foreign intelligence services or, by routing traffic overseas, shift the legal framework under which American agencies themselves collect that data.
The bipartisan nature of the request is telling. Wyden, a longtime critic of surveillance overreach, and Rubio, who has generally supported broad intelligence authorities, rarely align on privacy questions. Their joint action signals that the VPN issue cuts across the usual partisan divide on surveillance, touching both civil-liberties concerns and traditional national-security anxieties about foreign exploitation of American data.
NSA Data Purchases Raise Parallel Concerns
The VPN question does not exist in isolation. Wyden separately released documents confirming that the NSA has been buying browsing information about Americans from commercial data brokers, bypassing the warrant process entirely. The senator argued that the intelligence community should stop purchasing data obtained unlawfully from brokers and instead adhere to the same constitutional standards that apply to direct collection.
That disclosure illustrates a broader pattern: agencies obtaining sensitive information about Americans through channels that sidestep traditional legal safeguards. Whether the mechanism is a commercial data purchase or the geographic reclassification of traffic through a VPN endpoint, the effect is similar. Data that would require a warrant to collect domestically becomes accessible through alternative pathways. For the tens of millions of Americans who use VPNs precisely because they want more privacy, the implication is counterintuitive. A tool designed to shield browsing activity from prying eyes could, depending on where it routes traffic, place that activity under a legal regime with fewer protections against government surveillance.
Section 702 Reforms and Oversight Gaps
Congress has been wrestling with the boundaries of surveillance authority through the 702 reauthorization process. A Congressional Research Service report on 2024 changes details how legislators debated key issues including U.S.-person queries, incidental collection, and oversight mechanisms. Those debates produced changes meant to tighten controls on how agencies search databases of 702-collected information for American identifiers, adding new documentation and approval requirements for some queries.
Yet compliance remains uneven. A Justice Department Inspector General audit of FBI querying practices under Section 702 flagged significant compliance issues, including failures to meet internal standards for documenting searches involving U.S. persons. The findings raised questions about whether existing safeguards work as intended even within the more regulated FISA framework. If protections break down inside the system designed to have the strongest oversight, the weaker guardrails of EO 12333 collection offer even less assurance.
Courts have grappled with these tensions as well. In a Tenth Circuit ruling in United States v. Muhtorov, judges addressed constitutional and statutory challenges to Section 702 surveillance, examining how protections apply to U.S. persons whose communications are caught in cross-border collection. The case illustrates the legal uncertainty that surrounds surveillance of data that moves between domestic and foreign networks, exactly the kind of movement a VPN creates by design.
Why Current Oversight May Not Keep Pace
Most existing surveillance oversight was built for a world in which geography and jurisdiction closely tracked one another. Domestic communications were assumed to travel largely within U.S. borders, while foreign intelligence collection focused on traffic that clearly moved overseas. VPNs, content delivery networks, and cloud infrastructure have scrambled that picture. Today, a user in Ohio can appear to be in Frankfurt or Singapore with a few clicks, and data may transit multiple countries even when the sender and recipient are both in the United States.
Oversight rules, however, still depend heavily on where a person is “reasonably believed” to be located and where the collection technically occurs. If an American chooses a foreign VPN endpoint to access streaming content or evade local throttling, agencies might plausibly treat that traffic as foreign for targeting or collection purposes, even though the underlying user is a U.S. person on U.S. soil. The law does not clearly explain how such scenarios should be handled, leaving room for internal interpretations that Congress and the public rarely see.
Executive Order 12333 adds another layer of ambiguity. Because it governs collection conducted outside the United States, it has often been described as more permissive than FISA, especially for bulk acquisition of communications transiting foreign cables and switches. Minimization procedures and internal guidelines exist, but they are largely classified and are not subject to the same kind of adversarial testing that occurs in a court. When VPNs push American traffic into that overseas environment, the question becomes whether those internal safeguards are robust enough to substitute for judicial oversight.
What Lawmakers Want to Know
Members of Congress are now asking agencies to clarify how they treat VPN-routed traffic at each stage of the surveillance pipeline. Among the questions lurking beneath their letters and public statements: Do targeting rules treat an American using a foreign VPN server as if they are abroad? Are there internal policies that prohibit relying on EO 12333 to reach data that would require a warrant if collected domestically? And when agencies query large repositories of data, do they distinguish between Americans whose traffic reached those databases because of VPN routing and those whose communications were collected under more traditional circumstances?
Lawmakers are also probing the interaction between commercial data purchases and VPN use. If data brokers aggregate information about VPN users’ browsing patterns and sell it to government customers, that could create a backdoor around both FISA and EO 12333 limits. Wyden’s disclosures about the NSA’s reliance on brokered data underscore the possibility that even if VPN traffic is not directly intercepted under overseas authorities, related metadata and behavioral profiles might still end up in government hands through the marketplace.
Implications for Users and Policy
For ordinary users, the immediate takeaway is not that VPNs are inherently unsafe, but that they are entangled in legal structures most people never see. Choosing a provider based in a jurisdiction with strong privacy laws, understanding where its servers are located, and avoiding services linked to foreign intelligence services are all practical steps. Yet individual choices cannot resolve the underlying policy problem: the mismatch between technical routing and legal definitions of “foreign” and “domestic.”
That gap is what Congress is beginning to confront. Clarifying how VPN-routed traffic is treated under FISA and EO 12333, tightening limits on data purchases from brokers, and demanding more transparency about internal rules could all narrow the space in which agencies rely on geography as a workaround. Until those questions are answered, Americans who send their data on virtual trips overseas may find that the price of a foreign IP address is a weaker set of protections against government surveillance.
*This article was researched with the help of AI, with human editors creating the final content.