The Foreign Intelligence Surveillance Act was passed in 1978, in the aftermath of the Church Committee revelations about widespread domestic surveillance by the CIA and FBI. Its core mechanism was a secret court — the FISA Court — that would approve intelligence collection targeting foreign powers and their agents on US soil. The intent was to add judicial oversight to what had previously been unchecked executive action.
Section 702 was added thirty years later, in the FISA Amendments Act of 2008, and it fundamentally changed the law's character. Where the original FISA focused on targeting foreigners inside the United States (where Fourth Amendment protections apply), Section 702 authorizes collection targeting foreigners outside the United States — with no individual warrant required. US persons are, in theory, protected. In practice, the protections are weaker than they appear.
How the Collection Actually Works
Under Section 702, the Director of National Intelligence and the Attorney General can certify categories of foreign intelligence targets — not specific individuals. The NSA then compels US-based electronic communication service providers to assist in collection. The Snowden disclosures in 2013 confirmed that this program, internally called PRISM, involved major providers including Google, Microsoft, Apple, Facebook, Yahoo, and others.
There are two primary collection methods:
- PRISM (downstream collection): The government compels providers to produce communications from specific targeted accounts. The provider receives legal process and complies.
- Upstream collection: The NSA collects directly from internet backbone infrastructure, intercepting communications as they transit US networks. This captures communications to or from a targeted selector (like an email address), not just communications stored by a provider.
The targeting rules require that the foreign target be outside the United States and that foreign intelligence be a "significant purpose" of the collection. But because communications are inherently two-sided, collecting a foreign target's communications means collecting whoever they communicate with — including US persons — as "incidental" collection.
If you email someone the NSA has targeted under Section 702, your email is collected. You were not targeted. You have no legal notice. "Incidental" collection is not accidental — it is a predictable and routine result of how the program operates.
Backdoor Searches: The Warrant-Free Window into American Data
The most contested aspect of Section 702 is what are called "backdoor searches" — or more formally, US person queries. The 702 collection database contains vast amounts of data, including communications involving Americans collected incidentally. The FBI is permitted to query this database using search terms that are "reasonably likely to return foreign intelligence information or evidence of a crime" for Americans.
Until 2023, the FBI could conduct these queries without any individual judicial approval. The FISA Court reauthorization in April 2024 introduced a new requirement: for criminal investigations (as opposed to national security investigations), FBI agents must obtain court approval before reviewing the content of 702-collected communications involving Americans. This is a partial reform, not a warrant requirement — and it does not apply to all query types.
The scale of querying has been significant. An Inspector General report released in 2023 documented repeated compliance incidents, including FBI agents running queries related to January 6 defendants, George Floyd protesters, and members of Congress — uses far outside any plausible "foreign intelligence" purpose.
What Services Are Subject to 702
Section 702 applies to "electronic communication service providers" — a category that includes email providers, messaging platforms, cloud storage services, and video conferencing. Any company with significant infrastructure in the United States falls within this framework.
| Service Type | 702 Exposure | Notes |
|---|---|---|
| Gmail, Outlook, iCloud Mail | High | US companies; known PRISM participants |
| WhatsApp, iMessage, Signal | Moderate | US companies; E2EE limits content exposure but metadata collected |
| ProtonMail | Low–moderate | Swiss entity; but has US infrastructure and routes email through global internet |
| Non-US E2EE services | Lower | Not directly subject to 702; may be subject to equivalent laws in their jurisdiction |
| Self-hosted infrastructure | Lowest | No compellable third party; highest operational burden |
End-to-end encryption significantly limits what 702 collection can access. If a service genuinely cannot read message contents, a 702 order can compel metadata (sender, recipient, timestamps, IP addresses) but not content. This is why understanding what end-to-end encryption actually protects matters so much in a legal context: content and metadata have very different legal treatment under 702.
The 2024 Reauthorization and What Changed
Section 702 requires periodic reauthorization by Congress. In April 2024, it was renewed for two years with some reforms and one significant expansion.
The expansion — added as a last-minute amendment — broadened the definition of "electronic communication service provider" to include entities that have "access to equipment" through which electronic communications are transmitted or stored. Civil liberties organizations including the EFF and ACLU argued this language could be read to compel almost any business with wifi, cloud services, or internet-connected equipment to assist in 702 collection. The exact scope of this expansion remains to be defined by implementation guidance and, likely, litigation.
The reforms included the partial warrant requirement for FBI criminal queries described above, and enhanced oversight requirements. These are meaningful but incremental — the fundamental structure of the program, including warrantless collection and the incidental-collection mechanism, remained intact.
What This Means for Users Outside the United States
If you are not a US citizen or resident, Section 702 provides you essentially no privacy protection at all. Foreign nationals outside the United States can be targeted directly under the program with no judicial individualization — you do not need to be suspected of wrongdoing, only be assessed as a source of "foreign intelligence information," an extraordinarily broad category.
US surveillance law effectively divides the world's population into "US persons" (limited protections) and "everyone else" (essentially no protections). The internet's architecture, which routes traffic through US infrastructure regardless of where sender and recipient are located, makes this global in scope.
European users in particular should be aware that data flowing through US-based services — even those with European data centers — may transit US networks and US-based infrastructure that falls under 702 jurisdiction. The EU-US Data Privacy Framework attempts to address this at a policy level, but its legal durability has been repeatedly challenged (Max Schrems has challenged two previous versions successfully at the CJEU).
Practical Implications for Threat Modeling
Section 702 is not a reason for average users to panic — the program is ostensibly targeted at foreign intelligence threats, not ordinary people. But it is highly relevant to specific populations:
- Journalists with foreign sources, where communication metadata could expose those sources
- Lawyers with international clients, where attorney-client communications may be incidentally collected
- Activists and dissidents who communicate with people in countries of intelligence interest
- Business executives whose competitive intelligence could be incidentally swept up
- Anyone outside the US who uses US-based services
For these users, the relevant question when evaluating a communication service is not just "is it encrypted?" but "where is the company incorporated, where does the infrastructure operate, and what legal framework governs it?" These are the questions that determine who can be compelled to produce what. See also our analysis of ECPA's surveillance gap for the domestic law equivalent.
End-to-end encrypted services limit the damage from 702 collection by ensuring that even if communications are intercepted, the content is unreadable to the collector. Metadata remains exposed, however — and metadata about who you communicate with, when, and how often can be highly revealing even without message content.
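As an added illustration (not code from the original article), the following Python models two points the article makes: the incidental-collection mechanism, where tasking one selector sweeps in everyone it communicates with, and the content-versus-metadata split under E2EE. A toy keystream cipher stands in for a real E2EE scheme, every address and message is constructed, and `incidental_parties` and `contact_graph` are hypothetical helper names.

```python
import hashlib
from collections import Counter

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 keystream XOR standing in for a real E2EE cipher (constructed
    for illustration only; not a secure cipher). XOR is its own inverse, so the
    same call decrypts. The point: only a key holder can read the body."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(p ^ s for p, s in zip(data, stream))

def envelope(sender: str, recipient: str, ts: str, body: str, key: bytes) -> dict:
    """What a provider or backbone tap sees: routing metadata in the clear,
    body as opaque ciphertext."""
    return {"from": sender, "to": recipient, "ts": ts,
            "body": toy_encrypt(key, body.encode()).hex()}

KEY = b"constructed-demo-key"
# Constructed traffic. target@example.net plays a non-US selector; the other
# two addresses play US persons who were never targeted themselves.
TRAFFIC = [
    envelope("target@example.net", "reporter@example.com", "2024-05-01T09:12Z", "call me", KEY),
    envelope("reporter@example.com", "target@example.net", "2024-05-01T09:40Z", "ok, noon", KEY),
    envelope("target@example.net", "counsel@example.org", "2024-05-02T18:05Z", "draft attached", KEY),
    envelope("reporter@example.com", "counsel@example.org", "2024-05-03T11:00Z", "lunch?", KEY),
]

def incidental_parties(traffic: list, selector: str) -> dict:
    """Model tasking one selector: every counterpart swept in alongside it and
    how often, derived from envelope metadata alone (no body is decrypted)."""
    counts = Counter()
    for env in traffic:
        if env["from"] == selector:
            counts[env["to"]] += 1
        elif env["to"] == selector:
            counts[env["from"]] += 1
    return dict(counts)

def contact_graph(traffic: list) -> dict:
    """Upstream-style view: who talks to whom across all transiting traffic,
    still without reading a single body."""
    return dict(Counter(frozenset((env["from"], env["to"])) for env in traffic))
```

Run against the constructed traffic, the untargeted reporter and counsel accounts both surface from the selector's metadata, while no body is readable without the key.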