On June 12, 2026, Section 702 of the Foreign Intelligence Surveillance Act hit its statutory sunset for the first time since the authority was enacted in 2008, after the House left for recess without passing even a three-week extension. The proximate cause was a political standoff: House Democrats refused to reauthorize while objecting to President Trump's appointment of Bill Pulte — a housing-finance official with no intelligence background — as acting Director of National Intelligence. The EFF, which has spent years pushing for a warrant requirement, called the lapse a victory.
The surveillance itself did not stop. As the Cato Institute's Patrick Eddington explains, the Foreign Intelligence Surveillance Court approved the current certifications in March 2026, and those run until roughly March 17, 2027. Existing collection continues; existing databases stay searchable. What lapsed is narrower and, for our purposes, more interesting: the statutory machinery that lets the government serve new directives on US companies — and the liability shield that protected those companies when they complied.
The seam that actually opened
That shield lives in 50 U.S.C. § 1881a(i)(3): "No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with a directive issued" under the statute (statutory text). Strip that sentence away and a provider asked to wire up a new tap is no longer indemnified by Congress. It is exposed to the ordinary universe of privacy suits, breach-of-contract claims from users, and shareholder second-guessing — with only the thin comfort of a court certification it cannot fully see.
The law firm Wiley, which advises carriers, warned before the deadline that the absence of clear immunity "underscores the need for robust oversight and compliance mechanisms." Translated: a provider's lawyers now have to guess whether a directive is enforceable, whether compliance is voluntary, and whether a judge will later treat cooperation as lawful or as a tort. Eddington puts the operational reality plainly — the compelled-assistance mechanism, "backed by statutory liability immunity for their cooperation," lapses with Title VII. New cooperation pauses not because surveillance is impossible but because nobody wants to be the test case.
Why a surveillance story is a Section 230 story
This is the same structural question Congress keeps reopening one statute over. Section 230(c)(1) of the Communications Decency Act says: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider" (47 U.S.C. § 230). Different domain, identical engineering. Both provisions are load-bearing immunity clauses that let an intermediary act — host speech, or carry a tap — without litigating its lawfulness every single time. Take the clause out and you do not get more accountability by default; you get paralysis, over-caution, and a flood of suits that resolve slowly and inconsistently.
The reformers deserve a fair hearing here. The strongest case for sunsetting Section 230 — made in the bipartisan McMorris Rodgers–Pallone discussion draft that proposed ending the law on December 1, 2025 — is that blanket immunity lets dominant platforms externalize real harms, from non-consensual imagery to fraud, while courts dismiss victims at the pleading stage. That is a genuine grievance. An immunity that never has to answer for anything can ossify into a subsidy for negligence. The 702 critics make a parallel and equally legitimate point: a provider shield with no warrant requirement attached can launder mass surveillance through private infrastructure with nobody on the hook.
But the 702 lapse shows the cost of treating an immunity clause as a switch to be flipped rather than a structure to be tuned. The McMorris Rodgers–Pallone drafters openly admitted their goal was not to let Section 230 expire but to use the cliff edge as leverage to force a deal. The 702 fight just ran that experiment for real — and the result was not a thoughtful new accountability regime. It was uncertainty: collection grinding forward under inherited certifications while the legal basis for fresh cooperation hangs in limbo and providers' counsel tell them to stall.
The proportionate lesson
The pro-innovation position is not that immunity is sacred. It is that immunity shields are precision instruments, and the way you fix an over-broad one is by narrowing the conduct it covers — not by detonating the clause and hoping Congress reassembles something better under deadline pressure. For Section 702, the proportionate fix has always been a warrant requirement for US-person queries, which conditions the shield on a defined legal standard rather than removing it. For Section 230, it is targeted carve-outs tied to specific, provable misconduct — the approach the 2018 FOSTA-SESTA carve-out attempted, for all its flaws — rather than a sunset that would make every platform a defendant for every user's post.
Providers are watching both debates with the same anxiety, because both turn on one question: can a company that follows the rules know, in advance, that it will not be sued for following them? When the answer is no — as it is right now for any carrier handed a fresh 702 directive — the rational move is to do less, slower, and only under court order. That is the chilling effect, and it lands on lawful conduct first. Congress should reauthorize a reformed Section 702 with a warrant requirement and a restored, conditioned immunity, and it should treat the lapse as a free preview of what a Section 230 sunset would feel like at internet scale. The 26 words that built the open internet are not a loophole. They are the same kind of clause whose absence just froze the surveillance state for a week.