
Weaponized by Commerce: FISA and the American Worker: “The Exploitation Stack,” Part One of Three

## THE TECHNOLOGY BLIND SPOT

Sandra Chen has been managing procurement for a mid-sized electronics manufacturer outside Cincinnati since 2018. Every Tuesday morning at 9 AM, she calls her primary components supplier in Taipei to review delivery timelines, negotiate pricing on the next quarter’s order, and flag quality issues from the previous shipment. The calls run about forty minutes. She takes notes in a shared spreadsheet. Nothing in those conversations is classified. Nothing involves national security. She is buying parts.

[Sandra Chen is a composite character representing patterns common to procurement professionals at U.S. manufacturers with international supply relationships. No specific individual is depicted. But the social approach to hacking is real and can be used by good and bad actors, especially an overzealous individual who needs a win to keep a job.]

Those Tuesday calls are in an NSA database. Every one of them. She does not know that. Her company’s general counsel does not know that. And if you represent her company, there is a material probability that your privileged communications with that general counsel are in the same database, collected without a warrant, stored indefinitely, and searchable by the FBI with supervisory approval.

Section 702 of the Foreign Intelligence Surveillance Act was sold to Congress in 2008 as a precision instrument aimed at foreign terrorists and hostile intelligence services. The structure of the American economy has turned it into something else entirely. When 28% of S&P 500 revenue flows across borders and the information technology sector depends on foreign supply chains for 56 cents of every dollar earned, a foreign intelligence tool becomes a mechanism that reaches into the ordinary work lives of tens of millions of Americans. You do not need to be suspicious. You need to have a supplier.

## How the Database Gets Built

Section 702 authorizes the NSA to collect communications of non-U.S.
persons located outside the United States without individualized court orders. The statute specifically prohibits targeting Americans. It does not prohibit collecting their communications. The distinction is architectural, not protective.

When Sandra calls her Taipei supplier, the NSA collects from the supplier’s end. Sandra’s voice, her emails, her Teams messages, everything she transmitted in that communication arrives on her end as what the government calls incidental collection. No warrant. No probable cause. No notice. The statute permits it because the law aims at the foreign end of the call. The American end is collateral.

Once inside the database, Sandra’s communications do not expire. They sit alongside communications from everyone else who ever interacted with her supplier, accumulating indefinitely. The FBI, NSA, CIA, and National Counterterrorism Center can all query that database using search terms associated with U.S. persons. Sandra does not have to be suspected of anything. She just has to be in the database.

The Second Circuit confirmed in 2019 that incidental collection itself does not violate the Fourth Amendment. The court relied on the incidental overhear doctrine, the same principle that permits evidence of other crimes caught on a targeted wiretap. Sandra’s constitutional rights were not violated when her communications were collected. They became relevant when the FBI decided to search for her.

## The Scale the Statute Did Not Anticipate

Congress debated Section 702 against a backdrop of counterterrorism. The foreign nationals the statute targeted in 2008 were, in legislative imagination, operatives of hostile governments and terrorist networks. The architects of the statute did not model for the Taiwan Semiconductor supply chain.

Goldman Sachs analysis shows that foreign sales accounted for 28% of S&P 500 revenues in 2024.
For information technology companies, the sector that employs the largest share of white-collar American workers, international exposure reached 56%. Fortune 500 companies employed 30.84 million people globally in 2025. The parts manufacturer in Ohio, the software firm in Austin, the logistics company in Atlanta: all of them maintain standing relationships with foreign counterparties that generate regular digital communications.

Those communications are the raw material of incidental collection. Any foreign national on the other end of those interactions who is, or who later becomes, a Section 702 target pulls the American’s communications into the database, including communications that predate the targeting designation. The database does not distinguish between a call made before and after a foreign national became a target. It stores what it has.

The supplier call is not exotic. It is the default operating condition of the American economy.

## 7,413 Searches. 72% Empty.

In March 2026, acting FBI Assistant Director Ted Groves sent a letter to Senators Grassley and Durbin disclosing that the FBI had queried Americans’ stored communications under Section 702 seven thousand, four hundred and thirteen times in the twelve-month period ending November 2025. That figure represents a 35% increase over the prior period’s 5,518 queries.

The increase matters less than what the queries found. The FBI’s own letter disclosed that only 28% of those queries returned either content or non-content information. Seventy-two percent came up empty. Agents searched the communications of Americans, none of whom had been charged with any crime, none of whom had been the subject of any warrant, none of whom had notice their data was being searched, and found nothing relevant 5,337 times out of 7,413 attempts.

The mechanism is not a scalpel. It is a fishing net. And the fish it misses most of the time are Americans whose only connection to the database was a supplier call.
## The Court That Said Stop. The Government That Kept Going.

In December 2024, U.S. District Judge LaShann DeArcy Hall issued a ruling in United States v. Hasbajrami, declassified and released January 21, 2025. It was the first time any court had directly ruled that FBI searches of Section 702 data using U.S.-person search terms require a warrant under the Fourth Amendment, unless a specific established exception applies.

Judge Hall applied the logic of Riley v. California, which held that searching a lawfully seized phone requires a separate warrant, to the Section 702 database. Collecting Sandra’s communications lawfully does not automatically permit searching those communications at will. The search is a separate Fourth Amendment event. It requires separate Fourth Amendment justification.

The government’s response was to appeal. The Second Circuit has not yet ruled. The Supreme Court has never addressed whether a foreign intelligence exception to the warrant requirement exists, or how broadly it extends. While the appeal proceeds, the searches continue under existing authorizations. The 7,413 queries in the period ending November 2025 occurred while this constitutional question remained unresolved.

The House of Representatives had the opportunity to resolve it legislatively. An amendment requiring a warrant for U.S.-person queries failed by a tied 212-212 vote. The Senate rejected a modified version by a wider margin. Congress handed the constitutional question back to courts still working through it.

## The Watchdog With No Quorum

Every prior Section 702 reauthorization cycle produced an independent analysis from the Privacy and Civil Liberties Oversight Board, a bipartisan watchdog established after September 11 specifically to scrutinize programs like this one. The PCLOB’s Section 702 reports provided the most thorough public accounting of how the program operates and where its safeguards have failed.
In January 2025, the administration dismissed three Democratic PCLOB members, leaving the board with a single Republican appointee and no quorum. The board cannot start new investigations. It cannot issue formal reports. Its planned Section 702 oversight report for the 2026 reauthorization cycle, the analysis that would have evaluated whether the RISAA reforms actually improved compliance, will not be produced.

The April 20, 2026 reauthorization deadline will pass without the independent analysis that every prior reauthorization received. The administration has requested a clean extension. The FBI’s query volume rose 35% last year. The independent scrutiny has collapsed.

## The National Security Argument Has Substance

Section 702 is not theater. Former intelligence officials have testified that it represents the single most valuable foreign intelligence collection authority in the U.S. arsenal. Counterterrorism operations, weapons proliferation investigations, and foreign government intelligence all depend on it in ways that other collection methods cannot replicate. Former officials have warned that allowing the authority to lapse would place the United States at the edge of a self-inflicted national security failure.

Incidental collection of American communications is a structural byproduct of targeting foreign actors on shared infrastructure, not evidence of a program designed to surveil Americans. When Sandra’s supplier in Taipei communicates with a foreign intelligence target, Sandra’s communications become relevant to a legitimate national security investigation. The government’s interest in following that thread is real.

The Reforming Intelligence and Securing America Act introduced procedural reforms that appear to have measurable effect. The FISC noted in March 2025 that FBI query compliance was improving under the new procedures.
The FBI’s total query volume under the reformed counting methodology is lower than historical figures reported under the prior methodology.

This piece does not argue that Section 702 should lapse. It argues that the mechanism’s reach has extended far beyond the context that justified it, that procedural safeguards carry a documented history of failure, and that the constitutional question at the center of this program remains unresolved while queries continue.

## What This Analysis Cannot Claim

The argument has limits worth stating plainly. Section 702 collection is scoped to communications with targeted foreign persons, not every communication an American has ever sent. Sandra’s emails to her domestic vendors, her calls with the Cincinnati bank, her personal correspondence: none of that is in the Section 702 database unless it touched a foreign target.

The Hasbajrami ruling, while significant, has not been upheld by the Second Circuit and carries no binding effect beyond that district. Courts in other circuits have not reached the same result. A Supreme Court ruling, if it comes, could go either direction.

What is not contestable: the mechanism exists, the scale is real, the queries are happening, and the independent scrutiny is gone. Those are documented facts from government sources.

## The General Counsel’s Organizational Problem

Sandra Chen is one procurement manager at one manufacturer outside Cincinnati. Her employer, a mid-sized company, probably has a few dozen employees with regular international contact. The training problem is manageable.

Now run the same analysis at a Fortune 1000 company. IBM operates in 170 countries with roughly 280,000 employees. Cisco has approximately 80,000. Dell employs around 120,000 globally. At companies of that scale, the board gets an annual cyber briefing. The C-suite gets a policy memo and a tabletop exercise. The general counsel and outside counsel get a Section 702 risk analysis.
Key executives with foreign counterparties get individual guidance. That coverage reaches perhaps two hundred people.

The incidental collection risk lives with tens of thousands more. The procurement analyst calling Taipei. The sales engineer on a daily standup with the Bangalore development team. The accounts payable clerk emailing a Frankfurt vendor about an invoice. The HR manager coordinating with the Mexico City office about a benefits question. The logistics coordinator tracking a Shanghai shipment. None of those employees are executives. None of them appear in the board briefing. None of them have been told that their routine work communications may be in an NSA database.

Section 702 exposure follows communication patterns, not org chart seniority. The statute does not distinguish between the CFO on an earnings call with a London analyst and the accounts payable clerk emailing a Stuttgart supplier. Both communications are equally subject to incidental collection if the foreign counterparty is a Section 702 target. The database treats them identically.

This creates a training and protection obligation that no Fortune 1000 general counsel has fully solved. Encrypting board communications is a bounded problem with known solutions. Encrypting, training, and protecting every employee with an international communication pattern, at a company where that population may number in the thousands, is a different category of problem entirely. Standard enterprise security programs are built around protecting the network perimeter, the devices, and the privileged users. They are not built around the incidental collection mechanism of a foreign intelligence statute.

The compliance gap is structural. Most Fortune 1000 companies have cybersecurity policies. Most have data classification frameworks. Most have export control compliance programs that address what employees can send to foreign nationals.
Almost none have a Section 702 awareness program that tells the procurement analyst in Cincinnati that her Tuesday supplier call may be in a government database, that the FBI queried databases like hers 7,413 times last year, and that a court just ruled those queries require a warrant the government is now appealing.

For the general counsel of that Fortune 1000 company, the question is no longer whether the board understands the exposure. The question is whether the company can build a proportionate response that reaches the employees who actually generate the exposure, without creating compliance theater that adds cost and friction without addressing the structural mechanism.

Catherine’s Fortune 1000 clients are sitting across from general counsels who have not yet framed this as an organizational problem. They have framed it as a board-level risk. The gap between those two framings is where the next wave of exposure lives.

## What Catherine Does Thursday

This is not a theoretical risk for attorneys with international practices. It is a client counseling obligation with a deadline.

Pull your client roster. Flag every client whose business includes suppliers, vendors, contractors, or counterparties outside the United States. For each flagged client, identify whether you have discussed anything sensitive (deal strategy, settlement posture, case theory, privileged analysis) over standard email or unencrypted calls. That list is your Section 702 exposure map.

For every client on that list, identify the employees who regularly communicate with those foreign counterparties. These are the employees who generate the incidental collection risk. These are the employees who need to understand the implications of Section 702.

This is not a compliance problem. It is a client counseling problem. It is a problem of advising clients on how to manage a known legal risk.
It is a problem of helping clients understand the implications of a statute that has expanded far beyond its original intent.

This is not a problem that can be solved with a memo. It is a problem that requires a conversation. It is a problem that requires a plan. It is a problem that requires action.

This is what Catherine does Thursday.

Originally published on LinkedIn Newsletter: The Technology Blind Spot
