Your VPN Is a Wiretap: How the NSA Legally Spies on Americans Using the Privacy Tools They Recommended
Congress just warned Americans that VPNs may cause them to forfeit their rights against warrantless surveillance. Here’s how the NSA’s foreignness presumption turns your privacy tool into a wiretap — and what Snowden’s documents already proved.
Millions of Americans use VPNs believing they protect their privacy online. But a bombshell letter from six members of Congress reveals that your VPN may be doing the opposite — routing your data through foreign servers where the NSA can legally intercept it without a warrant. The very tool you trust to keep you private could be handing your communications to the surveillance state on a silver platter.
The Letter That Blew It Open
On March 26, 2026, six Democratic lawmakers — Senators Ron Wyden, Alex Padilla, Ed Markey, and Elizabeth Warren, along with Representatives Sara Jacobs and Pramila Jayapal — sent an urgent letter to Director of National Intelligence Tulsi Gabbard demanding she warn the American public that using commercial VPNs "may cause them to forfeit their rights against warrantless surveillance."[1]
Read that again: forfeit their rights against warrantless surveillance. Not "might slightly reduce privacy." Forfeit. Their. Rights.
The lawmakers demanded Gabbard clarify whether VPN users are inadvertently waiving their Fourth Amendment protections, and what Americans can do to maintain their constitutional safeguards while using VPNs. The letter was deliberately timed ahead of the April 2026 Section 702 FISA reauthorization debate — the same surveillance authority the NSA uses to hoover up foreign communications.[2]
How Your VPN Makes You "Foreign"
Here’s the trick — and it’s breathtakingly simple.
Under U.S. surveillance law, there’s a critical distinction between domestic and foreign communications. If you’re a U.S. person on U.S. soil, the government needs a warrant to intercept your communications. That’s the Fourth Amendment at work. But if your communications appear to originate from outside the United States, they’re classified as foreign — and the NSA can collect them without a warrant under Section 702 of FISA or Executive Order 12333.[3]
When you connect to a VPN, your internet traffic is encrypted and routed through a server in another country. That’s literally the product — it’s what you’re paying for. But to the NSA’s surveillance systems, your traffic now appears to originate from Amsterdam, Singapore, London, or wherever your VPN exit node is located.
Here’s the critical legal detail: NSA targeting procedures contain a "foreignness presumption." If the location of a person is unknown, that individual is presumed to be a non-U.S. person — a foreigner — unless specific information proves otherwise. Your VPN strips away every geographic indicator that would identify you as American. To the NSA, you’re just another foreign target.[4]
Non-U.S. persons abroad have no Fourth Amendment rights under U.S. law. By making yourself look foreign through a VPN, you may be volunteering to give up yours.
Two Laws, Zero Warrants
The surveillance apparatus that can target VPN users operates under two overlapping legal authorities, both of which bypass the warrant requirement:
Section 702 of FISA
Enacted in 2008, Section 702 authorizes the NSA to target non-U.S. persons reasonably believed to be located outside the United States — without a warrant. U.S. persons may not be deliberately targeted, but their communications are routinely "incidentally" collected when they communicate with foreign targets. The FBI can then search this incidentally collected material without a warrant — so-called "backdoor searches."[5]
In 2024, a House amendment to require warrants for backdoor searches of Americans’ data failed in a 212-212 tied vote — one vote short of passing.[6]
When your VPN makes you appear foreign, you could shift from incidental collection to direct targeting. That’s not a hypothetical — it’s how the system is designed to work.
Executive Order 12333
Signed by President Reagan in 1981, EO 12333 is the foundation of the NSA’s overseas signals intelligence operations. It permits bulk collection of foreigners’ communications with far fewer constraints than Section 702 — no FISA Court oversight, no congressional approval required, only attorney general sign-off.[7]
The Brennan Center for Justice has documented that EO 12333 programs "constitute the largest and potentially most intrusive of the nation’s surveillance activities" and that Americans’ data is routinely routed through or stored on overseas infrastructure, making it vulnerable to collection.[8]
Your VPN doesn’t just risk exposing you to targeted 702 collection. It could dump your data straight into the NSA’s broadest, least-supervised bulk surveillance programs.

What Snowden Already Showed Us
This isn’t speculation. The Snowden disclosures revealed the NSA’s specific capabilities against VPN users:
- XKEYSCORE, the NSA’s mass internet surveillance system, can identify VPN users, process decrypted VPN traffic, and target individuals based on their use of privacy technologies. NSA training slides describe using XKEYSCORE to fingerprint and crack OpenVPN connections via X.509 certificates.[9]
- Leaked documents indicated the NSA aimed to "decrypt and reinject data of 100,000 VPN users per hour" as of 2011.[10]
- The NSA catalogued over 200 commercial VPN providers, studying their server infrastructure for exploitation opportunities.[10]
- XKeyscore rules specifically flag users who search for or visit Tor and Tails websites, classifying them as persons of interest for indefinite "full take" content surveillance. Using privacy tools doesn’t just fail to protect you — it paints a target on your back.[11]
Security technologist Bruce Schneier noted that the absence of VPN-specific rules in some leaked documents doesn’t mean immunity: "The NSA possesses a lot of capabilities against VPNs."[11]
The Five Eyes Problem
It gets worse. The Five Eyes alliance — the United States, United Kingdom, Canada, Australia, and New Zealand — shares raw signals intelligence between member agencies. If your VPN provider is headquartered in a Five Eyes country, it may be subject to government data demands, and that data can be shared across all five nations.[12]
Historically, Five Eyes members have spied on each other’s citizens and shared the results — effectively outsourcing surveillance that would be illegal domestically. Your VPN provider in the UK can be compelled to hand over data that the NSA couldn’t legally collect directly from you as an American citizen.[13]
NordVPN operates servers in 167+ countries. ExpressVPN spans 105 countries. Mullvad covers 50 countries. Every one of these foreign exit nodes is a potential collection point for signals intelligence agencies.[14]
The Government’s Absurd Double Standard
Perhaps the most infuriating aspect: the FBI, NSA, and FTC have all recommended that consumers use VPNs for privacy protection. The same agencies that operate the surveillance frameworks treating VPN users as foreign intelligence targets are telling Americans to use the very tools that could strip them of constitutional protections.[15]
Senator Wyden’s letter specifically called out this contradiction. The government cannot simultaneously recommend VPNs for security and exploit them for surveillance. Yet that is precisely what appears to be happening.
What’s at Stake: April 2026
Section 702 was reauthorized in April 2024 via the Reforming Intelligence and Securing America Act (RISAA) — but only for two years, the shortest extension in the program’s history. That means it sunsets again in April 2026, just weeks from now.[6]
The SAFE Act, introduced for the 2026 debate, would require warrants for FBI searches of Americans’ incidentally collected communications, close the data broker loophole, narrow the expanded definition of "communications service providers," and enhance FISA Court oversight.[16]
The VPN surveillance question is now inseparable from the 702 reauthorization fight. If Congress renews Section 702 without addressing the foreignness presumption, every American using a VPN remains a potential warrantless surveillance target.

What Can You Actually Do?
The Electronic Frontier Foundation recommends evaluating VPNs based on third-party audits, verified no-log policies, business model transparency, and use of modern protocols like WireGuard or OpenVPN. For stronger anonymity, the EFF notes that Tor provides better protection than VPNs — though Snowden’s documents showed the NSA targets Tor users too.[17]
The uncomfortable truth: there may be no perfect solution within the current legal framework. The problem isn’t the technology — it’s the law. As one Privacy Guides community member put it, correcting the Wired headline: "Using a VPN will subject you to NSA spying, not ‘may.’"[18]
The real fix requires Congress to close the foreignness presumption loophole, mandate warrants for all surveillance of Americans’ communications regardless of routing, and bring EO 12333 under meaningful judicial oversight. Until then, the tool millions of Americans trust to protect their privacy may be the very thing that exposes them.
Sources
1. Sen. Wyden Press Release — Lawmakers’ Letter to DNI Gabbard on VPN Surveillance
2. Wired — Using a VPN May Subject You to NSA Spying (March 26, 2026)
3. ProPublica — NSA Data Collection FAQ
4. ACLU — Does Using Privacy Tools Expose You to Warrantless NSA Surveillance?
5. ACLU — Warrantless Surveillance Under Section 702 of FISA
6. Lawfare — FISA Section 702 Reauthorized for Two Years
7. NSA — Executive Order 12333 Signals Intelligence
8. Brennan Center — Overseas Surveillance in an Interconnected World
9. Wikipedia — XKeyscore
10. Hacker 10 — Snowden Documents: NSA Spying on VPN Users
11. Bruce Schneier — NSA Targets Privacy-Conscious Users
12. Wikipedia — Five Eyes Intelligence Alliance
13. ProtonVPN — Five Eyes Global Surveillance Explained
14. Android Authority — VPN and Government Surveillance
15. GadgetReview — Your VPN Might Be a Government Surveillance Magnet
16. State of Surveillance — SAFE Act and FISA 702 Reform 2026
17. EFF — Surveillance Self-Defense: Choosing a VPN
18. Privacy Guides — Community Discussion on VPN and NSA Spying