Last Updated: April 20, 2026 | By Sarah Chen
On April 17, 2026, Congress passed a 10-day emergency extension of FISA Section 702 — the controversial surveillance law that allows U.S. intelligence agencies to collect communications of foreign targets without a warrant. The debate is far from over, and VPN users are caught in the crossfire.
What Is FISA Section 702?
The Foreign Intelligence Surveillance Act (FISA) Section 702 authorizes the NSA, FBI, and CIA to collect electronic communications of non-U.S. persons located outside the United States — without individual warrants. Originally passed in 2008, it was designed to target foreign intelligence threats.
The problem: Americans' communications get swept up too. When a U.S. person communicates with a foreign target, that data is collected and stored. The FBI can then search this database — including Americans' emails, messages, and browsing data — without a warrant.
The 2026 Timeline
| Date | Event |
|---|---|
| April 2024 | Section 702 reauthorized for 2 years with reforms |
| March 2026 | Reform provisions expire, debate reopens |
| April 15, 2026 | Proton publishes warning about VPN user surveillance |
| April 17, 2026 | Congress passes 10-day emergency extension |
| April 27, 2026 | Extension expires — full reauthorization vote expected |
What Changed in 2024
The 2024 reauthorization included a controversial expansion: any business that provides equipment or services related to internet infrastructure can be compelled to assist with surveillance. Critics argue this could include VPN providers, data centers, and cloud services operating in the U.S.
Why VPN Users Should Care
If you use a VPN, you might think your traffic is private. But FISA Section 702 creates several risks:
1. U.S.-Based VPN Providers Can Be Compelled to Cooperate
VPN companies incorporated in the United States are subject to U.S. law, including FISA orders. While most reputable VPNs maintain no-logs policies, a FISA order could compel them to:
- Install monitoring equipment on their servers
- Provide real-time access to specific users' traffic
- Hand over any stored metadata or connection logs
Important: FISA orders come with gag provisions. The VPN provider cannot tell you they've been ordered to monitor your traffic.
2. "Incidental Collection" of VPN Traffic
Even if you're a U.S. citizen, your VPN traffic can be "incidentally" collected if it passes through infrastructure being monitored for foreign intelligence purposes. This is especially likely if:
- You connect to VPN servers in countries of intelligence interest
- You communicate with people outside the U.S.
- Your traffic routes through monitored network infrastructure
3. The "Electronic Communication Service Provider" Definition
The 2024 expansion broadened who can be compelled to assist surveillance. Legal experts warn that VPN providers, hosting companies, and even Wi-Fi operators could fall under this definition.
Proton's Warning
On April 15, 2026, Proton (the Swiss company behind ProtonVPN and ProtonMail) published a detailed warning about FISA Section 702's implications for VPN users.
Key points from Proton's analysis:
- VPN users may be classified as "foreign persons" if they connect to servers outside the U.S., making their traffic eligible for warrantless collection
- U.S.-based VPN providers face legal pressure to comply with surveillance orders, even if they claim no-logs policies
- The "upstream" collection program can intercept VPN traffic as it passes through internet backbone infrastructure, regardless of the VPN provider's cooperation
- Swiss and EU-based providers are not subject to FISA, which is why Proton emphasizes its Swiss jurisdiction
What This Means in Practice
If you use a U.S.-based VPN (like Private Internet Access, IPVanish, or StrongVPN), your provider could theoretically be compelled to monitor your traffic under a FISA order — and they wouldn't be allowed to tell you.
If you use a non-U.S. VPN (like NordVPN in Panama, ExpressVPN in the British Virgin Islands, or ProtonVPN in Switzerland), the provider itself is not subject to FISA. However, your traffic could still be collected as it passes through U.S. internet infrastructure.
Which VPNs Are Safest Under FISA?
Jurisdiction matters more than ever. Here's how the top VPNs stack up:
| VPN | Jurisdiction | Subject to FISA? | No-Logs Audit | Our Rating |
|---|---|---|---|---|
| NordVPN | Panama | ❌ No | ✅ Deloitte | 9.2/10 |
| ExpressVPN | British Virgin Islands | ❌ No | ✅ PwC, Cure53 | 9.0/10 |
| ProtonVPN | Switzerland | ❌ No | ✅ Securitum | 8.8/10 |
| Surfshark | Netherlands | ❌ No (EU) | ✅ Deloitte | 8.7/10 |
| Mullvad | Sweden | ❌ No (EU) | ✅ Assured AB | 8.5/10 |
| Private Internet Access | United States | ⚠️ Yes | ✅ Deloitte | 7.5/10 |
| IPVanish | United States | ⚠️ Yes | ❌ None | 7.0/10 |
Our Recommendation
For maximum privacy protection in the current surveillance landscape:
- Choose a VPN outside the U.S. and Five Eyes — Panama (NordVPN), BVI (ExpressVPN), or Switzerland (ProtonVPN) are the strongest jurisdictions
- Verify the no-logs policy is independently audited — Claims mean nothing without third-party verification
- Use RAM-only servers — NordVPN and ExpressVPN run servers entirely in RAM, meaning no data survives a reboot
- Enable the kill switch — Prevents traffic leaks if the VPN connection drops
How to Protect Yourself
Step 1: Audit Your Current VPN
Check your VPN provider's:
- Jurisdiction: Is it in the U.S. or a Five Eyes country?
- No-logs policy: Has it been independently audited?
- Transparency reports: Does the provider publish a warrant canary or transparency reports?
- Server infrastructure: RAM-only or disk-based?
Step 2: Switch If Necessary
If you're using a U.S.-based VPN and privacy is a priority, consider switching to:
- NordVPN — Panama jurisdiction, audited no-logs, 6,000+ servers
- ExpressVPN — BVI jurisdiction, TrustedServer (RAM-only)
- ProtonVPN — Swiss jurisdiction, open-source apps
Step 3: Layer Your Privacy
A VPN alone isn't enough. Add these layers:
- Use end-to-end encrypted messaging (Signal, not SMS)
- Enable DNS-over-HTTPS in your browser
- Use a privacy-focused email provider (ProtonMail, Tutanota)
- Minimize metadata: Use Tor for sensitive browsing, VPN for everyday use
Step 4: Stay Informed
The FISA debate is ongoing. The 10-day extension expires April 27, 2026. Follow:
- EFF (Electronic Frontier Foundation) for legal analysis
- Proton's blog for VPN-specific implications
- Our VPN news page for updates
The Bigger Picture: Surveillance Trends in 2026
FISA Section 702 is just one piece of a larger surveillance puzzle:
- EU Chat Control: The EU is pushing for client-side scanning of encrypted messages
- UK Online Safety Act: Requires platforms to scan for illegal content, potentially breaking encryption
- Australia's Assistance and Access Act: Already allows compelling tech companies to break encryption
- Mandiant M-Trends 2026: Reports that nation-state actors are exploiting vulnerabilities an average of 7 days before patches are released
The trend is clear: governments worldwide are expanding surveillance capabilities. VPNs remain one of the most accessible tools for protecting your privacy, but choosing the right provider — in the right jurisdiction — has never been more important.
FAQs
Can the government see my VPN traffic?
Under FISA Section 702, U.S. intelligence agencies can collect communications that pass through U.S. internet infrastructure, including VPN traffic. However, if your VPN uses strong encryption (AES-256) and doesn't log your activity, the content of your traffic remains encrypted and unreadable.
Is it illegal to use a VPN in the U.S.?
No. Using a VPN is completely legal in the United States. FISA Section 702 doesn't target VPN users specifically — it targets foreign intelligence threats. However, your VPN traffic may be incidentally collected as part of broader surveillance programs.
Should I switch from a U.S.-based VPN?
If privacy is your primary concern, yes. U.S.-based VPN providers are subject to FISA orders and cannot disclose when they've been compelled to cooperate. Non-U.S. providers in privacy-friendly jurisdictions (Panama, Switzerland, BVI) offer stronger legal protections.
Does a no-logs policy protect me from FISA?
A genuine no-logs policy means there's nothing to hand over. However, FISA orders can compel providers to start logging or install monitoring equipment going forward. This is why jurisdiction matters — a Swiss provider can't be compelled by a U.S. FISA order.
What about the Five Eyes alliance?
The Five Eyes (US, UK, Canada, Australia, New Zealand) share intelligence. VPN providers in these countries may be subject to similar surveillance laws. For maximum privacy, choose a provider outside the Five Eyes — and ideally outside the extended Fourteen Eyes alliance.
Will FISA Section 702 be renewed?
The 10-day extension expires April 27, 2026. Congress is expected to vote on full reauthorization, likely with some reforms. The outcome is uncertain — privacy advocates are pushing for warrant requirements for U.S. person queries, while intelligence agencies argue the program is essential for national security.
Bottom Line
FISA Section 702 is a real threat to VPN users' privacy, especially if you use a U.S.-based provider. The good news: you have options. Choose a VPN in a privacy-friendly jurisdiction, verify that its no-logs claims are audited, and layer your privacy tools.
The surveillance debate will continue. Your privacy shouldn't wait for Congress to get it right.