In April 2024, the Reforming Intelligence and Securing America Act expanded the legal definition of who can be forced to help the U.S. government intercept communications. The change came after the NSA lost a 2022 court case against a data center that refused a surveillance directive. The episode reveals something structural: the architecture of cloud computing has outpaced the legal categories designed for telephone switches, and Congress responded not by narrowing surveillance authorities but by stretching them to fit.
The Case That Prompted the Fix
In mid-April 2024, the New York Times reported the government sought an updated definition after losing a legal dispute over whether it could secure the cooperation of a cloud computing data center under Section 702. The Foreign Intelligence Surveillance Court (FISC), discussing the case in a partially redacted opinion from 2022, invited Congress to consider updating the definition.
A 2022 FISC decision, affirmed on appeal and released in redacted form, held that an unidentified entity – speculated to be a cloud service provider – did not fall under the definition of an electronic communication service provider and therefore was not obligated to assist the government with Section 702 surveillance. The publicly released versions of the opinions were subjected to extensive use of the government’s black highlighters and do not disclose the type of service the provider offered.
The specifics remain classified, but the outcome was unambiguous: a piece of critical internet infrastructure successfully argued it was not legally compelled to participate in foreign intelligence collection. The NSA had issued a directive. The target said no. The court agreed.
In the wee hours of April 20, 2024, just after the authority had technically lapsed, the Senate voted 60-34 to approve the Reforming Intelligence and Securing America Act, which the president then swiftly signed into law. Section 702 was set to sunset on April 20, 2026. Congress extended the deadline twice in April 2026, with a final 45-day extension passed on April 30, keeping the authority alive through mid-June 2026 while debate over permanent reauthorization continues.
What Changed, and What It Means
Prior to April 2024, Section 702 allowed the government to compel assistance from entities explicitly defined as electronic communication service providers – primarily ISPs, email providers, and telecommunications carriers. The reauthorization added another type of provider: a service provider that has access to equipment that is being or may be used to transmit or store wire or electronic communications, but would not qualify under any of the existing definitions. It also added custodians to the list of individuals who could qualify.
The Times described data centers as centralized warehouses of computer servers that can be accessed over the internet from anywhere in the world, and that are increasingly operated by third parties that rent out the storage space and computing power that make other companies’ online services work.
Because Section 702 compels electronic communication service providers to provide assistance in carrying out authorized surveillance, these broadened definitions could subject many more companies to Section 702 obligations, including companies that may be unaware that they fall within its scope. Non-communication service providers who merely have access to the equipment that facilitates communications could be obligated to assist in the collection of communications.
There has been public speculation about whether the expanded definition could bring businesses such as hotels and coffee shops that provide internet connectivity within the scope of Section 702, or companies ranging from data centers to local businesses that offer free internet to their customers.
The Justice Department characterized the change as a technical modification. Sen. Ron Wyden called the new provisions one of the most dramatic and terrifying expansions of government surveillance authority in history. Both statements can be true. The legal mechanics are narrow – a definitional update to match infrastructure evolution. The structural implication is broad: the U.S. government now has statutory authority to compel cooperation from a far wider universe of entities that sit between users and their data.
The Utah Data Center and the Storage Question
The NSA’s own infrastructure offers context for why the government sought this expanded authority. The Utah Data Center, also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center, is a data storage facility for the United States Intelligence Community designed to store data estimated to be on the order of exabytes or larger. It was completed in May 2014 at a cost of 1.5 billion dollars.
Whistleblower William Binney alleged that the Bluffdale facility was designed to store a broad range of domestic communications for data mining without warrants. The facility was expected to store Internet data as well as telephone records from the controversial NSA telephone call database when it opened.
The government operates its own data centers for intelligence collection. But modern cloud architecture means user data often flows through – or rests in – third-party facilities the NSA does not directly control. Government agencies including the IRS, FBI, and Defense Department have taken steps toward outsourcing data center management and transferring assets to the cloud. This places the onus on hyperscalers to physically isolate sensitive data and strengthen security infrastructure accordingly.
When the government itself is a cloud customer, the lines between customer, provider, and surveillance actor blur. When the government also has statutory authority to compel cooperation from infrastructure providers, those lines effectively disappear for anyone whose traffic transits U.S.-controlled equipment.
Transparency Reports and the Limits of Disclosure
On March 18, 2026, FBI Director Kash Patel confirmed to Congress that the FBI is buying Americans’ data from data brokers, including location histories, to track American citizens. The 2025 reconciliation law allocated an unprecedented 178 billion dollars to the Department of Homeland Security. Immigration and Customs Enforcement received 75 billion dollars to be spent over four years – roughly eight times its previous annual budget.
Major cloud providers publish transparency reports detailing government data requests. These reports indicate that U.S. authorities are rarely given access to enterprise content stored in Europe or the UK under the U.S. CLOUD Act. In the second half of 2024, Microsoft received 173 global law enforcement requests for enterprise cloud customer data.
While Microsoft receives tens of thousands of law enforcement demands each year, well under 1 percent of those legal demands seek enterprise customer data. When Microsoft receives a demand for enterprise data, the company always seeks to redirect the requesting authority to seek the data from the enterprise itself.
But transparency reports have a structural limitation: they cannot disclose what they are legally prohibited from disclosing. All government requests for data, including any that were accompanied by non-disclosure orders, are included in transparency reports. The number is disclosed. The specifics often are not. FISA Section 702 directives fall under national security authorities that restrict how much companies can reveal.
The result is a disclosure paradox. Companies can tell you how many orders they received in aggregate bands – zero to 499, for instance – but not which specific types of infrastructure are being tasked, under what factual predicates, or how often the expanded definition is invoked. The FBI has conducted warrantless searches of Section 702-acquired information to access communications of Black Lives Matter protestors, U.S. government officials, journalists, political commentators, and 19,000 donors to a single congressional campaign.
Email Architecture and Jurisdictional Exposure
Email does not live in one place. A message sent from Berlin to Paris may transit servers in Virginia, rest briefly in an Amsterdam data center operated by a subsidiary of a U.S. parent company, and be replicated for backup in Singapore. Data location is no longer the whole story. Even where data is stored abroad, U.S. legal authorities tied to provider jurisdiction, access, and control can still create meaningful compelled-access and surveillance risk.
For years, privacy-focused services have emphasized jurisdiction and server location. Switzerland. Iceland. Germany. The implicit promise: data beyond the reach of U.S. intelligence agencies. The April 2024 expansion complicates that promise. If an email provider – wherever incorporated – routes traffic through infrastructure that falls under the expanded FISA definition and that infrastructure is within U.S. jurisdiction or operated by a U.S.-controlled entity, the exposure exists regardless of where the server is nominally located.
Privacy, espionage, and economic controls are increasing tensions, pushing data centers to the front lines of geopolitical competition. Department of Defense bids now emphasize that data centers have an installed and active perimeter monitoring system, making robust perimeter protection a critical factor for compliance and business growth.
The architecture that makes modern email reliable – redundancy, geographic distribution, third-party infrastructure – also makes it illegible under traditional notions of jurisdiction. The legal regime has adapted not by creating new limits but by asserting broader authority over the infrastructure layer itself.
Threat Models and Design Choices
Threat modeling for email in 2026 must account for the possibility that infrastructure providers are compelled participants, not merely passive conduits. This has design implications. End-to-end encryption ensures that even if infrastructure is compromised or compelled, message content remains opaque. But metadata – who sends to whom, when, from which IP address – transits in cleartext by necessity of email’s design.
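The split between opaque content and readable metadata can be checked on a message as it would sit on a relay. The following is an added example, not part of the original article: the sample message, its addresses, its IP addresses and the function name exposed_metadata are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: PGP/MIME (RFC 3156) message using reserved example
# domains and documentation IP ranges; the ciphertext is a placeholder.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTPS; Tue, 03 Mar 2026 09:15:02 +0000
Received: from laptop.local (unknown [203.0.113.45])
\tby mx.example.net with ESMTPSA; Tue, 03 Mar 2026 09:15:01 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: constructed sample
Date: Tue, 03 Mar 2026 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def exposed_metadata(raw):
    """Return what an on-path relay can read without any decryption key."""
    msg = message_from_string(raw, policy=policy.default)
    hops = [str(h) for h in msg.get_all("Received", [])]
    ips = [ip for h in hops for ip in IP_IN_BRACKETS.findall(h)]
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "from": [a for _, a in getaddresses(msg.get_all("From", []))],
        "to": [a for _, a in getaddresses(rcpts)],
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "relay_ips": ips,
        # Each relay prepends its Received line, so the last one is the first hop.
        "origin_ip": ips[-1] if ips else None,
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }
```

Running exposed_metadata(SAMPLE) recovers sender, recipient, timestamp and the submitting client's address even though the body is encrypted, which is the residual exposure a threat model for compelled infrastructure has to account for.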
Tor hidden services eliminate the IP address exposure for sender and receiver. Contemporary mass surveillance relies upon annual presidential executive orders declaring a continued State of National Emergency, first signed by George W. Bush on September 14, 2001 and then continued on an annual basis during the presidencies of Barack Obama, Joe Biden, and Donald Trump, with it still being active as of January 2026.
Post-quantum cryptography implementations address a different vector: the risk that encrypted data stored now will be retroactively decrypted when quantum computing matures. Open-source implementations under AGPL-3.0 – such as PQCServer – allow verification of cryptographic claims without relying on proprietary assurances. Both design choices – Tor routing and post-quantum encryption – rest on the assumption that adversaries have or will have access to infrastructure, either through legal compulsion or technical capability. The April 2024 FISA expansion confirms that assumption is not paranoia. It is an accurate description of statutory authority.
In April 2024, Congress passed the Reforming Intelligence and Securing America Act, which reauthorized Section 702 for two years. The authority, as reauthorized in 2024, runs through April 2026, and House leadership is now pressing for another extension.
The debate will return. The infrastructure will remain complicit unless the statute is rewritten or allowed to lapse. For email users whose threat model includes state-level surveillance, the relevant question is no longer whether a provider is trustworthy. It is whether the infrastructure that provider depends on can be compelled, and whether the architecture assumes that it already has been.