Journalists use virtual private networks every day to bypass censorship, to protect their location information, and to defend their traffic against network eavesdropping. And not just journalists — VPNs are privacy tools used by millions of Americans.

This is why we need more government transparency over how U.S. intelligence agencies monitor users of these tools. Are they effectively making an end run around Americans’ right to be free from warrantless surveillance?

It’s also why we need stronger protections for Americans whose communications can be swept up in our government’s foreign spying.

What is a VPN?

For those unfamiliar, a VPN is a service that allows you to encrypt and tunnel your traffic to a remote location before connecting to the web.

Ordinarily, when you visit a website, that website can see your IP address, which is loosely associated with your location. With a VPN, from the perspective of a website, your IP address will appear to come from somewhere else.

This also has the added benefit of securing your web traffic, making it illegible to your local network operators, such as your internet service provider or whoever operates your Wi-Fi.

VPNs are a useful tool for everyone who uses the web, but they are an especially important tool for journalists and newsrooms. Journalists, for instance, may need to obscure their visits to websites to avoid tipping off the subject of a news report or the government about the topics they’re investigating.

Likewise, a VPN can mask sensitive web connections to the ISP, such as visits to websites affiliated with a source or the subject of an investigation. VPNs may also protect sources from having their location information revealed to their local network provider.

Our digital security training team recommends using a VPN when conducting sensitive research to obfuscate your location.

New controversy over VPNs, foreign surveillance powers

Under two legal authorities — Section 702 of the Foreign Intelligence Surveillance Act, as well as Executive Order 12333 — U.S. intelligence agencies claim vast authority to target those overseas for surveillance. The executive order is especially broad, allowing bulk surveillance of foreign communications.

In theory, these surveillance powers are not supposed to be used to spy on Americans. But in practice, we know that under these authorities, the U.S. collects Americans’ data, such as their communications with foreigners. Under current law, it can then search that data without a warrant.

Recently, six legislators have also alerted the public to another way the government may be using its foreign surveillance powers to spy on Americans. In March, the lawmakers wrote a letter to Director of National Intelligence Tulsi Gabbard, asking her to clarify whether using a VPN could subject Americans to warrantless government surveillance.

The problem, as the letter points out, is that it’s not always readily apparent whether VPN traffic is coming from an American or someone abroad. This raises the question: How does the intelligence community currently handle the data of Americans using VPNs?

The lawmakers’ letter notes that the government has taken the position that data of unknown origin should be treated as foreign and, as a result, “subject to few privacy protections.” In other words, the government may be treating all VPN users as “foreign,” exposing Americans using VPNs to government surveillance.

This has a number of important implications.

As the letter notes, VPN users’ data is typically commingled with hundreds or even thousands of other users on one server, so the government could monitor web traffic to see what connections are being made from a VPN. From there, it’s possible to send legal requests to web service providers (e.g., Google) to learn more about users connecting from a given VPN’s IP address.

So we need more transparency to better understand what procedures are in place when or if intelligence officials learn that VPN traffic is tied to an American.

Further compounding the issue, we know that intelligence agencies are collecting large swaths of web traffic and attempting to bypass encryption that protects our online activities from eavesdropping.

Even though modern web browsing traffic is usually encrypted and VPN users enjoy an added layer of encryption, it may nonetheless be collected for later analysis in “harvest now, decrypt later” attacks. This just means attackers may copy encrypted web traffic so that one day they may be able to read it with increasingly powerful computers, namely through quantum computing.

Security researchers at Google have warned industry actors that they should prepare for this potential risk as soon as 2029.

More transparency, stronger protections

Our lawmakers have some insight, but ultimately, even they don’t have the full picture of what data is collected about Americans using VPNs.

Journalists depend on these tools and similar technologies — including in service of stories investigating the government itself. But we all deserve to know more about the policies governing the surveillance our government conducts on U.S. citizens in the name of national security, so that we can make an informed decision about whether that surveillance is proportionate to the inherent risks to our privacy and security.

It’s therefore crucial that the American public has answers about how our intelligence community monitors our VPN traffic.

We also need stronger protections against foreign surveillance powers being used to spy on Americans.

Congress is currently debating whether to reauthorize Section 702 of FISA. Any bill to renew the law must close the backdoor search loophole by requiring the government to get a warrant before it can search the communications of Americans that are collected under Section 702.

It must also close the data broker loophole that currently allows the government to buy sensitive data about Americans that it otherwise would be required to obtain a warrant to access.

The Government Surveillance Reform Act would make these changes, as well as other important reforms to Section 702. Congress must not continue to allow intelligence agencies to play fast and loose with the law, exploiting their foreign intelligence-gathering powers to spy on Americans.