Proton

Section 702 of the Foreign Intelligence Surveillance Act has become notorious as the legal justification allowing federal agencies like the NSA, CIA, and FBI to perform warrantless wiretaps, which sweep up the data of hundreds of thousands of US citizens each year.

In April 2024, US Congress passed the (new window)Reforming Intelligence and Securing America Act(new window), extending Section 702(new window) until 2026 and dramatically expanding(new window) the definition of communications service providers that can be compelled to facilitate surveillance. An amendment that would have required a warrant before conducting surveillance on Americans failed on a 212-212 tie vote(new window) in the House of Representatives and a 58-34 vote(new window) in the Senate.

Section 702 is just one way the US government can spy on people without a warrant. It’s important to understand how US surveillance laws work since so many tech giants (and the data they collect) are subject to US law. Its requirements shape the policies of Big Tech companies like Google, Apple, Meta, and Microsoft, and thus have an outsized impact on the internet.

This article examines some of the most important privacy legislation and law enforcement policies in the US and how they impact privacy online.

The FISA court
The Section 702 loophole
National security letters
US government spying via Big Tech
Buying personal information
Does this impact Proton?

The FISA court

Before we can talk about Section 702, we must explain FISA and the FISA court.

In 1978, Congress passed the Foreign Intelligence Surveillance Act(new window) (FISA), forbidding the CIA and NSA from operating within the US. It also created a special, secret court, known as the FISA court(new window) (or the Foreign Intelligence Surveillance Court or FISC), which reviews requests from the federal government to conduct electronic surveillance on suspected terrorists and spies within the US.

There are several issues with the FISA court. First, it operates in almost complete secrecy(new window), issuing sealed court orders to companies that pressure them to secretly disclose their users’ information, such as the content and metadata of their messages and emails, or face legal consequences. Companies that receive such an order cannot publicly acknowledge receiving it until six months have passed. And companies cannot share even redacted versions of the orders(new window) they receive. All this secrecy makes effective oversight difficult, if not impossible.

This secrecy also exacerbates the second issue, which is that critics claim the FISA court is little more than a rubber stamp(new window) for the government’s surveillance program. Given that its role is to prevent government overreach, you would expect the court to approach each request with skepticism. And yet, in 2022, it only rejected seven out of 354 requests. In 2021, it rejected four of 456 requests. You can see the full statistics in the table below.

YearApplicationsOrders grantedOrders modifiedOrders denied in partApplications denied
202235424987167
2021456318113204

The good news, relatively speaking, is that even though this appears to be mostly a rubber-stamping exercise, FISA requests have trended down over the past several years. Unfortunately, this might be because US government agencies like the FBI can much more easily weaponize Section 702 to spy on Americans.

The Section 702 warrantless wiretap loophole

In 2008, Congress passed the FISA Amendments Act(new window), which includes Section 702. While the FISA court has its issues, most FISA requests are at least considered individually by a judge. However, Section 702 requests, which are a type of FISA request, are simply approved in batches, meaning the federal agencies don’t need to present the case for specific requests(new window).

Section 702 gives the US government the ability to monitor foreign nationals located outside the United States without a warrant; however, a “backdoor” permits warrantless surveillance to be extended to people in the US as well. The NSA (or some other three-letter agency) can simply name a foreign national outside the US as the nominal target. If that person speaks with a US citizen or someone in the US, those communications are swept up as well, even though such collection would normally require specific approval from the FISA court.

Section 702 enables agencies like the NSA to perform warrantless wiretaps on hundreds of thousands of individuals each year. This data is then compiled into one massive, searchable database. Unlike FISA court requests, the number of Section 702 requests are massive, as seen below. (All tables below are based on the Director of National Intelligence’s 2023 Annual Statistical Transparency Report(new window).)

Section 702 targets

20152016201720182019202020212022
94,368106,469129,080164,770204,968202,723232,432246,073

Given the prevalence of Section 702 surveillance, this ends up illegally capturing the communications of thousands of US citizens each year. The FBI’s use of this database shows an agency using this database to conduct mass surveillance without a warrant. The FBI accessed millions of communication records of US citizens and people living in the US, including protesters(new window), political donors(new window), and even a member of US Congress(new window).

Number of US person query terms (phone numbers, email addresses, etc.) the FBI used on Section 702 data, including content data and metadata

Dec. 2019 – Nov. 2020Dec. 2020 – Nov. 2021Dec. 2021 – Nov. 2022
852,8942,964,643119,383

As this shows, Section 702 has essentially given the US government the legal ability to access any communications it wants. The government used Section 702 to establish PRISM(new window), one of the mass surveillance programs exposed by Snowden, and force companies like Yahoo! to participate(new window). It continues to use Section 702 to send legal requests to US-based tech companies (Google, Meta, Apple, etc.) to harvest their users’ data.

Unfortunately, despite the abuses, the US Congress has not only repeatedly reauthorized Section 702, but it has now given spy agencies even more power. Under the latest reauthorization, traditional communications providers like ISPs and email companies could still be forced to participate — in addition to anyone with physical access to a target’s communications infrastructure. That list could include landlords, restaurants that offer WiFi, hotels, and more. Every public router you’ve ever used could be turned into an NSA listening post.

National security letters are another warrantless wiretap tool

National security letters (NSLs) allow the FBI to request data without ever getting a warrant or submitting that request to judicial review. To pass the FBI’s internal standard to issue an NSL, an FBI agent just has to attest that the information it seeks is relevant to national security.

NSLs also include gag orders, preventing the companies that receive them from disclosing the request. Again, the secrecy surrounding NSLs makes oversight difficult and almost ensures overreach. The FBI only allows 7% of reviewed NSLs to be made public, continuing an unnecessary veil of secrecy that all but ensures their misuse. An FBI internal audit(new window) found over 1,000 violations where FBI agents received more information than they were legally allowed to. The FBI uses ambiguous language(new window) in their requests in an attempt to get companies to overshare rather than risk a protracted fight with the Bureau.

While less common than Section 702 requests, thousands of NSLs are sent to Big Tech companies each year.

US government conducts spying via Big Tech

In many ways, the US government has effectively outsourced its surveillance to Big Tech companies and data brokers. Because of the fact that Big Tech companies are all American companies, they are subject to all the US laws mentioned above. Combined with the fact that all Big Tech companies have large-scale data harvesting as a critical part of their business models, the US government has ready access to the largest mass surveillance system ever devised. You can see how much data the US government requests from Big Tech companies and the tools it uses to do so by looking at Big Tech transparency reports.

Google(new window), Meta(new window), and Apple(new window) have all broken out FISA requests and NSLs in their transparency reports. Because of the secrecy surrounding these tools, they can only give broad ranges of how many of each request the company received (they can only provide a range of how many accounts were affected and cannot disclose this information until at least six months after the request was received). For simplicity’s sake, the table below shows the absolute minimum number of accounts that have been affected by surveillance. While this is likely an undercount, it still represents a massive invasion of privacy.

Corporate-assisted surveillance in 2022

 FISA (non-content) requests FISA content requestsNSLs
Google50,000200,0003,000
MetaNA290,000500
Apple74,00068,0001,004
Non-content requests refer to metadata. Content requests refer to access to actual messages, emails, and other communications.

In some cases, these companies push back on government overreach, but unfortunately the US legal system doesn’t give these companies much of an option.

US agencies buy data to avoid seeking warrants

The proliferation of surveillance capitalism pioneered by Google and Facebook has also led to the rise of data brokers, which store and sell all kinds of sensitive personal information, including location data. This massive amount of data available for sale means US government agencies no longer need to obtain warrants for data, when they can simply just buy it. Departments that have been caught buying this information include the US Treasury(new window), NSA(new window), FBI(new window), Department of Homeland Security(new window), Immigration and Customs Enforcement(new window), and many others.

Much of this data would normally require a warrant to access under the Fourth Amendment, but data purchasing has become a billion dollar business that the federal government actively participates in. And because these data brokers compile their information from dozens of sources, they can be impossible to avoid.

Does this impact Proton?

Proton is based in Switzerland(new window), which has a long history of neutrality; is located outside of US, EU, and NATO jurisdictions; and is not a member of any binding intelligence-sharing agreements, such as the Five Eyes, Nine Eyes, or Fourteen Eyes agreements(new window) or NATO intelligence programs(new window). Proton’s Swiss domicile means we are not subject to any of the US laws mentioned above in this article.

We believe this neutrality is important in ensuring that all users on Proton are protected, irrespective of any geopolitical considerations. Proton’s use of end-to-end encryption(new window) also further ensures that Proton cannot be used to spy on behalf of governments, as we ourselves don’t have access to your data.

We have also been actively strengthening privacy protections of the Swiss laws that we are subject to. For example, in 2021, we won an important court case(new window) that ruled that email services aren’t telecom providers and thus aren’t subject to their data retention requirements. Proton VPN(new window) is similarly shielded from logging obligations and cannot be forced to log.

In the current legal environment, it’s impossible for a US service provider to offer meaningful privacy guarantees. Companies in neutral jurisdictions such as Switzerland will always be able to offer greater privacy than an American tech firm. 

But that doesn’t mean it’s not worth fighting for the right to privacy. If you live in the US, you should challenge your representatives and senators to block renewal of Section 702. As the latest reapproval battle has shown, people are now demanding an end to mass surveillance. Proton will continue to join their voices.

Related articles

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.