Congress Can Ensure AI Doesn’t Turbocharge Mass Surveillance

On June 12, the law our government uses to spy on Americans expired. While intended to target foreign individuals, Section 702 of the Foreign Intelligence Surveillance Act (FISA) has a loophole that allows agencies to search through Americans’ private communications.

Now, as the Trump Administration pushes Congress to reauthorize Section 702 of FISA, members from Congress and a coalition of civil society organizations are pushing back. Without reform, they warn, AI will amplify mass surveillance and threaten democracy.

This moment provides a chance for both parties to unite in upholding constitutional values of due process and freedom of expression. On multiple votes this year, Republicans and Democrats have joined together to block FISA Section 702 extensions that didn’t include necessary reforms.

The bipartisan and bicameral Government Surveillance Reform Act (GSRA) of 2026 is an apt reauthorization bill because it would not only close the Section 702 loophole, but also other federal privacy loopholes that make it easier for the government to spy on Americans. Whether through the GSRA or another vehicle, Congress must work together to pair a reauthorization of the surveillance authority with warrant requirements.

The federal government takes advantage of two major loopholes in federal law to circumvent warrant requirements: the backdoor search loophole and the data broker loophole.

The backdoor search loophole—Section 702 of FISA—authorizes warrantless surveillance of foreign individuals abroad. As Americans routinely communicate with foreigners, this surveillance inevitably sweeps up Americans’ communication content into Section 702 databases. In 2021 alone, the FBI conducted 3.4 million queries on Americans via this warrantless search process.

Not only is this a violation of due process, but queries are also often used to surveil First Amendment-protected activities. In 2020, FBI personnel used FISA’s Section 702 to conduct “141 queries of identifiers associated with activists who were arrested in connection with protesting the murder of George Floyd in Washington, DC… despite the lack of any reason to believe there would be information on these individuals in Section 702 databases.” The FBI has also used Section 702 to conduct improper batch queries on congressional campaign donors, a local political party, political commentators, and journalists.

Gaps in the Electronic Communications Privacy Act (ECPA) compound this problem by creating a data broker loophole.

The ECPA prohibits disclosing data to the government without judicial processes—but not to private entities. This means that data brokers can buy data, analyze it, and then sell it to another entity, including the government.

The ECPA only applies a disclosure restriction to cell phone, email, and remote computing providers, not to many of the apps that collect personal data. These app developers share users’ sensitive data, including geolocation data, behavioral and usage data, purchase history, and health data, with the government and data brokers that facilitate its aggregation and resale.

For example, in 2020, the U.S. military paid for access to a tool that included users’ location data from Muslim prayer and dating apps. The location data was sold in bulk by the apps to Babel Street, a data broker and creator of Locate X, a tool that allows real-time and historical location tracking. The U.S. military’s Special Operations Command then bought access to Locate X for use in its counterrorism and counterinsurgency operations.

The Supreme Court has acknowledged the threats that government access to data poses to individuals’ rights. In 2018, the Supreme Court ruled on whether law enforcement agencies could obtain cell-site location information through a court order under the Stored Communications Act in the ECPA.

In Carpenter v. U.S., the federal government argued that customers voluntarily disclosed their sensitive information to cellular companies through their use of cellphones and thus their information was no longer protected under the Fourth Amendment. The Supreme Court, in its decision, emphasized that the use of online services and cellphones is “indispensable in modern society,” so disclosure to cellular companies cannot be accurately described as voluntary. The ruling stated that law enforcement needs probable cause and a warrant to compel companies to disclose cell site records.

Despite this ruling, the courts have yet to extend protections to other data types. Agencies continue to exploit the data broker loophole to collect Americans’ sensitive data. For example, the Defense Intelligence Agency does “not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially-available data for intelligence purposes.”

In 2024, following investigations of the FBI’s misuse of Section 702 databases, Congress passed the Reforming Intelligence and Securing America Act (RISAA). RISAA restricts the FBI’s access to Section 702 databases, permitting queries only when the targeted individual is connected to an open national security investigation. Its guardrails require the FBI to get attorney pre–approval for queries of U.S. persons, and require the DOJ National Security Division (NSD) to review those queries within 180 days.

However, RISAA merely codified internal agency procedures that had already proven to be insufficient in preventing systemic abuse. Months after RISAA passed, the National Security Division (NSD) of the DOJ discovered that the FBI was using an “advanced filter function” that effectively bypassed the protections enshrined in RISAA. Less than two years after this NSD finding and the discontinuation of the filter function, the New York Times reported that the FBI had developed a new tool that performed the same function and was actively using it to support its investigations.

Despite court rulings, internal reviews, and codified reform attempts, agencies find workarounds to continue accessing sensitive data with little to no oversight. The GSRA stops agencies from buying data they have not obtained through legal due process. Unlike the current system, the GSRA would require agencies to obtain an individualized warrant from a judge to search databases using Americans’ identifying information.

While mass surveillance is not new, its scope and scale will be unprecedented with AI.

Research has demonstrated that, in mere seconds, AI can rapidly conduct “matching what would take hours for a dedicated human investigator.” AI-enabled re-identification through inference, pattern matching, and data fusion can create detailed profiles of individuals’ lives. This makes data analysis cheaper, faster, and easier. AI-powered analytics can analyze people and their actions in bulk and without individualized suspicion, violating the civil liberties that the Fourth Amendment was designed to preserve. Data brokers can and do sell their AI-aggregated data and models to federal agencies, leading to an increase in unchecked surveillance.

For example, the Department of Homeland Security has spent millions of dollars procuring AI tools for its immigration enforcement operations. These AI tools, developed by Palantir and Babel Street, combine social media monitoring and visa status tracking to produce automated threat assessments of foreign individuals on visas.

This surveillance doesn’t just apply to foreign individuals. U.S. Immigration and Customs Enforcement (ICE) is acquiring contracted services that can use machine learning to scan social media for negative posts about ICE, then build profiles on the people who posted them, including:

“full legal name, date of birth, any aliases, Social Security Number (SSN), probable address(es), any relevant recent address(es), phone numbers, e-mail, work affiliations, vehicle registration information […] photograph, partial legal name, partial date of birth, possible city, possible work affiliations, possible school or university affiliation, and any identified possible family members or associates.”

The Pentagon’s recent falling out with Anthropic exposed the potential for the Department of Defense to conduct AI-enabled surveillance. The New York Times reported that people briefed on the negotiations said the DoD’s Chief Technology Officer “wanted the company to allow for the collection and analysis of unclassified, commercial bulk data on Americans, such as geolocation and web browsing data,” a use Anthropic was not willing to allow.

These practices underscore how federal privacy loopholes that enable expansive data collection, combined with advanced AI analytics, amplify mass surveillance and profiling.

As the government acquires new AI technologies, FISA Section 702 and other federal privacy loopholes threaten Americans’ civil liberties. AI enables the aggregation and analysis of seemingly harmless information, transforming it into detailed, comprehensive profiles of Americans’ lives.

But there is a way to close these loopholes. Congress should include warrant requirements to access Americans’ data in the reauthorization of FISA Section 702. As Congress faces pressure to reauthorize the FISA surveillance program, lawmakers have an opportunity to enact necessary surveillance reform.

The bipartisan Government Surveillance Reform Act of 2026 would be the most comprehensive FISA reauthorization bill for privacy reform, as it closes both the backdoor search and data broker loopholes while strengthening privacy protections for modern technologies and business records. Its passing would better ensure the long-term protection of Americans’ constitutional rights, especially in the age of AI.