A Major U.S. Spy Law Just Lapsed, But Your VPN Traffic Still Isn't Safe From It

The law that lets U.S. agencies search Americans' communications without a warrant lapsed on June 12, 2026. A court order keeps it running through March 2027.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

On June 12, 2026, a surveillance law that lets U.S. intelligence agencies search Americans' private communications without a warrant expired for the first time. But the spying hasn't stopped: a separate court order keeps the program running at least through March 2027, and traffic from your VPN can still be treated as a foreign signal subject to warrantless collection.[1]

The law is called FISA Section 702, and most Americans have never heard of it. But according to our latest survey, 60% of Americans actively use VPNs to change their perceived online location, and the same feature that makes a VPN work for privacy may be working against them under this law.

In this article
How Section 702 became a domestic surveillance tool
Why a VPN might flag your traffic as foreign under Section 702
How to reduce your exposure under Section 702
Bottom line

How Section 702 became a domestic surveillance tool

Section 702 expired on June 12, 2026, after the House failed to reauthorize it. But a March 2026 order from the FISA Court keeps warrantless collection running through March 2027, so your exposure hasn't changed.

Section 702 of the Foreign Intelligence Surveillance Act authorizes U.S. intelligence agencies to collect communications from foreign targets overseas by compelling American companies, including Google, AT&T, and Verizon, to hand over calls, texts, and emails. No warrant is required.

The catch is that those foreign targets also communicate with Americans. When they do, Americans' messages get swept in too. The FBI, CIA, and NSA then run what the government calls "backdoor searches" through that collected data to find Americans' communications, also without a warrant. It's a form of government mass surveillance that has drawn bipartisan criticism for years.

The documented history of how that data gets used makes privacy concerns more than theoretical. The Foreign Intelligence Surveillance Court, which oversees the program, has largely approved this practice. But even the FISA Court's own 2022 opinion found the FBI's track record troubling, calling compliance violations "persistent and widespread."

And the abuses are well-documented. Government agencies have been using backdoor searches to look through the communications of political protesters, members of Congress, and approximately 19,000 donors to a U.S. political campaign.

A bipartisan amendment that would have required a warrant before agencies search Americans' data nearly passed in 2024, failing on a tied vote.

The House passed a three-year renewal of Section 702 on April 29 by a vote of 235-191. The Senate rejected that version, and Congress instead passed a 45-day extension on April 30, buying time until mid-June to determine what a longer-term reauthorization would look like.

That deadline arrived without a deal. The Senate failed to advance a reauthorization, and on June 11, the House rejected a short-term extension by a vote of 218-198. Section 702's statutory authorization lapsed at midnight on June 12, marking the first time the program has gone dark since its creation.

The expiration is largely symbolic, at least for now. The Foreign Intelligence Surveillance Court certified the program for another year on March 17, 2026, and those certifications remain in effect through March 2027. That means U.S. companies are still legally required to hand over data, and backdoor searches can continue even after the underlying law has expired.

Into that uncertainty, Sen. Ron Wyden (D-OR) and a group of colleagues sent a formal letter to Director of National Intelligence Tulsi Gabbard asking whether VPN users could be losing their privacy rights under this very law. The letter asks "if these VPN services, which are advertised as a privacy protection … could, in fact, negatively impact their rights against U.S. government surveillance."

No public response has come.

Why a VPN might flag your traffic as foreign under Section 702

More than half of VPN users (52%) say they are mostly or completely confident in their online anonymity when using a VPN, according to a 2026 All About Cookies VPN survey of 1,000 U.S. adults. That confidence doesn't account for Section 702.

The specific risk comes down to how traffic is classified: a VPN works by routing your connection through an encrypted tunnel to a server that could be in the U.S. or abroad. That server location is what masks your real IP address and provides privacy protection.

The government's default position is that data of unknown origin is treated as foreign, subject to few privacy protections. A VPN, by design, obscures the origin of your traffic. But under the logic of a law designed to target foreign communications, that same behavior can make your activity look foreign to an intelligence agency.

There is no VPN setting that shields you from Section 702 collection since the law doesn't target individuals directly. Instead, the law targets the companies that carry your data. If your traffic looks foreign and passes through infrastructure controlled by a U.S. company, it can be collected.

A reform is on the table. The bipartisan Government Surveillance Reform Act, backed by Sen. Wyden (D-OR) and Sen. Mike Lee (R-UT), would require a warrant before agencies run backdoor searches on Americans' data collected under 702. It would also close a separate loophole that currently lets agencies buy Americans' location data and browsing history directly from data brokers, bypassing courts entirely.

That bill didn't pass before Section 702 lapsed on June 12, so no warrant requirement is attached to the program as it continues.

How to reduce your exposure under Section 702

There is no app or browser setting that blocks Section 702 collection. The law operates at the level of U.S. companies and the infrastructure they control, not at your device.

What you can do is reduce how much of your data is stored with American providers that can be legally compelled to hand it over.

For sensitive communications, the mechanism that matters most is end-to-end encryption (E2EE). Unlike standard encryption, E2EE scrambles your messages before they leave your device, and only the intended recipient's device can decrypt them.

That means the company delivering your message can’t read it, which means there is nothing useful to hand over, even under a legal compulsion order.

Here are some examples of products with E2EE:

  • Signal uses E2EE for messaging and calls.
  • Proton Mail uses E2EE for email. Unlike Gmail or iCloud Mail, Proton can’t read your message contents. The Proton ecosystem extends that same principle to calendar, cloud storage, and VPN, all designed so that your data stays inaccessible to third parties, including Proton itself.
  • Tor is worth knowing about as a separate layer. It obscures your IP address and network-level communication patterns, making it significantly harder to attribute traffic to you.

Moving sensitive communications and files from U.S. providers like Google and Apple to the Proton suite is one of the more practical steps available right now.

Learn More
On Proton Unlimited's website
All-In-One
Proton Unlimited
PROMOTION: Get 30% Off
  • Comprehensive security bundle with VPN, email, cloud storage, and password manager
  • Includes Proton VPN, our top privacy VPN, which offers 20,000+ servers high-speed servers
  • Backed by Proton's Swiss privacy protection and end-to end encryption

For VPN users specifically, choosing a provider with a verified no-log policy means there is no stored record of your activity to hand over, even if the company receives a legal demand. Look for providers audited by independent third parties, not just ones that make the promise in their terms of service. Our guide to the best no-log VPNs has a full breakdown of audited options.

A data removal service can also reduce your footprint by scrubbing your personal information from the data broker databases that intelligence agencies can currently purchase without a warrant.

Bottom line

FISA Section 702 expired on June 12, 2026, but the surveillance it authorized continues under a court order that runs through March 2027. Senators have asked publicly whether the VPNs Americans use for privacy are being turned against them by a surveillance law written before that technology existed, and the government still hasn’t answered.

Whatever Congress decides next, the underlying exposure doesn't disappear. The more your data sits with U.S. providers, the more exposure you carry under Section 702. A VPN alone won't close that gap.

Learn More
On Proton Unlimited's website
All-In-One
Proton Unlimited
PROMOTION: Get 30% Off
  • Comprehensive security bundle with VPN, email, cloud storage, and password manager
  • Includes Proton VPN, our top privacy VPN, which offers 20,000+ servers high-speed servers
  • Backed by Proton's Swiss privacy protection and end-to end encryption
Author Details
Kate Quinlan is a Senior Editor at All About Cookies, where she has tested dozens of digital security tools and contributed to more than 370 articles spanning web hosting, VPNs, ad blockers, parental controls, and data security. Before joining AAC, she managed a team of more than 150 writers at SuperSummary, where she developed editorial standards at scale. She holds a B.A. in Professional Writing from Kutztown University.

Citations

[1] Lawmakers question VPN impact on Americans' FISA surveillance protections