FISA Section 702 Is Expiring: What It Means for Your Business

On April 19, 2026, Section 702 of the Foreign Intelligence Surveillance Act is set to expire unless Congress passes a renewal. Capitol Hill is deadlocked between lawmakers pushing for a clean extension and those demanding reform before they vote yes. The outcome is uncertain as of this writing.

Most small business owners will read a headline about a surveillance law expiring and assume it has nothing to do with them. That assumption is worth examining.

What Section 702 Actually Does

Section 702 authorizes U.S. intelligence agencies to collect the communications of foreign nationals located outside the United States without a warrant. The stated purpose is counterterrorism and national security. The practical operation is broader.

Collection happens through two primary channels. The first is upstream collection: agencies tap directly into the fiber-optic infrastructure of the internet to intercept data as it moves across the network. The second is what's known as PRISM: the government serves legal directives to major technology companies — Microsoft, Google, Meta, and others — compelling them to hand over communications stored on their servers.

The problem for American users is what the law calls "incidental collection." If you send an email or file to someone abroad, or if your traffic routes through foreign servers, that communication can be swept into the collection. Once it's in the database, agencies including the FBI can search it using your name, phone number, or email address — without obtaining a warrant.

According to the Brennan Center for Justice, the FBI conducted 57,000 of these warrantless "backdoor searches" in 2023 alone. A March 2026 FISA Court opinion — though classified — was reported by the New York Times to show that the use of querying tools to access Americans' communications is an issue across the intelligence community, not just the FBI, and that the problem the DOJ claimed to have fixed in early 2025 is in fact ongoing.

This isn't a partisan issue. Lawmakers on both sides of the aisle have flagged the Fourth Amendment implications. It's also not hypothetical — the targets of past warrantless searches have included political donors, journalists, members of Congress, and civil rights protesters. Whether your business communications are at risk depends on what you're communicating, with whom, and through which platforms.

Where a VPN Helps

When surveillance is in the news, VPN advertising floods the internet with promises of total anonymity. The honest picture is more useful than the marketing version.

A VPN creates an encrypted tunnel between your device and a VPN server, and your traffic travels across the internet through that tunnel. For upstream collection specifically — the interception of data moving across the network backbone — a properly implemented VPN provides real protection. If someone intercepts your traffic at the network layer, they see encrypted data they cannot read.

A VPN also masks your IP address and origin. If a data broker, a malicious actor, or a surveillance system is trying to correlate specific network traffic back to your business's location or identity, the trail ends at the VPN's server rather than your router.

For small businesses handling client data, financial records, or legally privileged communications, that protection has genuine value. If you're not running a VPN on your business network, that's a conversation worth having with whoever handles your IT.

Where a VPN Falls Short

A VPN only protects data in transit. It does nothing to protect data stored on a third-party server.

The PRISM mechanism is the clearest example of why this matters. If you use a VPN to access your email through Gmail or Outlook, the VPN hides how that email travels across the internet, but it does not encrypt the content of the email sitting on Google's or Microsoft's server. When the government serves a Section 702 directive to those providers, they comply. The VPN isn't part of that equation.

The practical takeaway: a VPN addresses network-level interception. It does not address content-level access at the provider. Both are real threat surfaces, and they require different tools.

What a Layered Approach Looks Like

For businesses with genuine sensitivity concerns — legal practices, medical offices, financial services, any operation handling confidential client data — a VPN is one layer of a multi-part strategy, not the whole strategy.

End-to-end encryption is the piece that addresses what a VPN cannot. When data is encrypted end-to-end, it's encrypted on your device before it leaves, and only the intended recipient can decrypt it. The service provider in the middle holds encrypted data they cannot read and therefore cannot hand over in readable form, even under a legal directive. Signal for messaging is the most widely cited example. For file storage and collaboration, zero-knowledge cloud providers — those that encrypt your data before it reaches their servers — offer the same structural protection.

For businesses evaluating where their core data lives, the question worth asking is whether the providers you currently use can read your data. If they can, a government or legal process can compel them to hand it over. If they can't, because you're using end-to-end or zero-knowledge encryption, that vector is closed.

That evaluation is part of what a vCIO engagement covers in a structured way, starting with what data you have, where it lives, who can access it, and what exposure that creates. Our support services can also handle the implementation side — setting up VPN infrastructure, evaluating encrypted communication tools, and making sure the configuration actually provides the protection it's supposed to.

Whatever Congress decides about Section 702 in the next two weeks, the underlying threat model doesn't change. Communications that move across the internet unencrypted are vulnerable. Data stored with providers who hold the decryption keys is accessible. Those are structural facts about how the technology works, independent of any specific law.

Frequently Asked Questions (FAQ)

Q: Does FISA Section 702 target small businesses directly?

A: No. Section 702 is designed to target foreign nationals outside the United States, not domestic businesses. The risk to American users and businesses is incidental: if your communications are with foreign parties, or routed through foreign infrastructure, they can be swept into the collection. The concern isn't that the government is watching your business specifically. It's that the collection is broad enough that business communications can end up in a searchable database without anyone intending to target you.

Q: If I use a VPN, am I protected from Section 702 collection?

A: Partially. A VPN encrypts your traffic as it moves across the network, which provides real protection against upstream collection at the network layer. It does not protect content that's stored on a third-party provider's servers. If you use a VPN to send an email through Gmail, the VPN protected the email in transit, but the email still lives on Google's servers in readable form. A government directive to Google is not affected by your VPN.

Q: What should I look for in a business VPN?

A: Independent third-party audits are the most important factor. A VPN's no-logs claim is only meaningful if it's been verified by outside auditors, not just stated in a privacy policy. Avoid free VPNs, which frequently monetize user data. Look for a provider that can demonstrate audit results and has a clear, specific privacy policy about what they do and don't retain.

Q: Do attorneys and medical professionals need to be more concerned about this?

A: Yes. Legal privilege and HIPAA confidentiality obligations don't automatically protect data from government collection if it's sitting unencrypted on a third-party server. Law firms and medical practices handling sensitive client data have regulatory and ethical reasons to evaluate their encryption posture beyond what most small businesses need to consider. If you're in either of those categories and haven't reviewed where your data lives and who can read it, that review is overdue.

Q: What happens to my data if Section 702 expires without renewal?

A: Expiration of the statute doesn't immediately delete existing government databases or terminate active collection orders. Per the Congressional Research Service, FISA Court orders authorizing collection under Section 702 remain valid through their expiration dates even if the underlying statute lapses. The longer-term outcome depends on what Congress does next. The practical answer for your business is the same either way: the protections you put in place don't depend on how Congress votes.


SUMMARY

The Section 702 debate is a policy question, but the underlying privacy problem it exposes is a technology question. Unencrypted data is accessible data, whether the mechanism is government collection or something else.

If your business handles sensitive client communications and you don't have a clear picture of where that data lives and who can read it, our vCIO service is built to answer exactly that.

Get in touch at thetechgents.com/contact and we'll start with your current setup.

Digital Decorum — TechGents | thetechgents.com | Springfield, IL | Sangamon County
