Closing the Door on Executive Branch Surveillance of Congress's Calls

Sen. Wyden Highlights Cell Phone Use Risks, Urges Fixes

May 21, 2025

A shadowy figure looks at a web of phone calls and texts

Members of Congress must do more to protect themselves against surveillance by foreign governments and the Executive branch, Sen. Wyden warned in a May 21, 2025 letter. He highlights at risk information that includes mobile phone data revealing the locations and contacts for Members of Congress and their staff.

What's at Stake

The whereabouts and contacts of senators and their staff are highly valued information. It is exactly the kind of information obtained by the Chinese government as part of the Salt Typhoon hack. This intrusion compromised both 2024 presidential campaigns and high-level Senate offices.

It is also the kind of data the Executive branch has sought to obtain for illegitimate purposes. For example, a 2024 Justice Department Inspector General Report revealed the agency used a compulsory process to obtain non-content communications records of two Members of Congress, forty-three congressional staffers, and eight reporters from CNN, the New York Times, and the Washington Post. The DOJ obtained congressional information as part of an effort to identify journalistic sources.

As the law currently stands, any federal, state, or local law enforcement agency can request telephone companies provide information about the location and participants of phone calls and texts made by members of Congress. The records of phone calls and texts – who communicated, and when – can be obtained by subpoena without a judge's blessing, although location data requires a court order. Judges routinely grant gag orders preventing the communication provider from informing the people they target. Typically speaking, technology companies will attempt to inform the people affected, but phone companies will not.

We can only expect further misuse of this surveillance authority as the Executive Branch ramps up pressure to undermine Congressional authority.

What is at stake is the ability of members of Congress to communicate with each other, with legislative branch experts, civil society, whistleblowers, journalists, foreign governments, and the general public. Many people will be less likely to communicate with Congress about Executive branch activities if they believe those communications are monitored. Rightly, they fear retaliation or exposure. Similarly, it will be difficult for Congress to connect with witnesses and sources out of fear they will expose them to retaliation.

Law and Practice

A 2020 law attempted to protect Senate communications from surveillance. (It is codified at 2 USC 6628.) It declared that Senate data held by third parties is Senate data and thus cannot be sold or shared by those third parties without Senate permission.

A Senate office shall be deemed to retain possession of any Senate data of the Senate office, without regard to the use by the Senate office of any individual or entity described in paragraph (2) for the purposes of any function or service described in paragraph (2).

In addition, third parties – such as phone companies and internet providers – cannot be gagged from telling the Senate about government demands for the data.

(c) Notification Notwithstanding any other provision of law or rule of civil or criminal procedure, the Office of the SAA, any officer, employee, or agent of the Office of the SAA, and any provider for a Senate office that is providing services to or used by a Senate office shall not be barred, through operation of any court order or any statutory provision, from notifying the Senate office of any legal process seeking disclosure of Senate data of the Senate office that is transmitted, processed, or stored (whether temporarily or otherwise) through the use of an electronic system established, maintained, or operated, or the use of electronic services provided, in whole or in part by the Office of the SAA, the officer, employee, or agent of the Office of the SAA, or the provider for a Senate office.

Finally, it allowed for any senator to go to court to quash any subpoena or court order for Senate data.

(d) Motions to quash or modify Upon a motion made promptly by a Senate office or provider for a Senate office, a court of competent jurisdiction shall quash or modify any legal process directed to the provider for a Senate office if compliance with the legal process would require the disclosure of Senate data of the Senate office.

The law was flawed, however. It did not require companies to tell the Senate about legal demands for the information they held.

To address that issue, the Senate Sergeant at Arms updated telecom contracts with AT&T, Verizon, and T-Mobile to require notification when information is requested. Yet, the major carriers still failed to notify the Senate of law enforcement requests for records concerning Senate communications.

Sen. Wyden has reminded the carriers of the law and their contractual requirements to provide the Senate notice of surveillance efforts. They have agreed to implement those provisions. However, the legal and contractual protections only extend to devices provided by the Senate. This is a problem because most senators use cell phones paid for privately or by their campaigns for official business, and those devices are not covered by the letter of the law.

Senate Ethics Rules allow senators to use privately paid-for devices because they are not allowed to use official devices for campaign purposes. Otherwise, they would have to carry two or three cell phones to be in compliance with the law.

T-Mobile indicated it will provide notice of surveillance of personal and campaign phones to congressional customers so long as the Senate Sergeant at Arms provides a list of applicable phone numbers. AT&T and Verizon will not. Three other carriers, Google Fi Wireless, U.S. Mobile, and Cape, automatically notify all customers about government demands.

Unfortunately, should the Executive branch seek to conceal notice of surveillance and gag the companies, the 2020 law requiring telecom providers to provide notice to Congress would not apply for non-official devices.

Limited Scope

No similar surveillance protection is afforded to Members and staff in the House of Representatives or in Legislative branch agencies. This leaves the door wide open for federal, state, and local law enforcement surveillance of Legislative branch communications.

An effort to provide equivalent protection to the House of Representatives in the FY 2025 appropriations bill was thwarted because of a Trump world hissy-fit concerning members of the now-defunct January 6th committee. The threat is particularly acute considering the dangers from Executive branch overreach.

No legal or contractual provision that I am aware of would provide notice of surveillance that targets staff working at Congress's support agencies. That means that communications to GAO, CRS, the Office of Congressional Workplace Rights, and many others could be surveilled. For example, confidential communications to the OCWR about member misconduct could be tracked to identify the complainant.

Protection against the selling of their communications data, surveillance by the Executive branch, and other activities should be extended to all of their official devices and, in many instances, to their personal and campaign devices as well.

What to do: Statutory Fixes

The entirety of the Legislative branch should be notified when the Executive branch requests information about their contacts and location. Furthermore, Congress should be afforded the opportunity for counsel to quash the request for information. In addition, all congressional information held by the telecommunications companies should be deemed the property of Congress and not able to be sold to data brokers and thus purchasable by the Executive branch.

As it is, the existing statutory language is not strong enough. It should also:

Prohibit the use of subpoenas (which bypass judicial review) for congressional phone records, raising the standard to the same court order required for email metadata.
Require the government to disclose to judges when they are seeking congressional records, and provide Congress with prior notice and an opportunity to object.
Extend protections to all Legislative branch staff, not just senators and their staff.
Add a cross-reference elsewhere in the U.S. Code to the gag order statute at 2 USC § 6628, ensuring the agencies are aware of the limitation.

Senator Wyden requested the Senate support three appropriations requests addressing cybersecurity and surveillance.

A pilot to expand cybersecurity assistance for senators and senate employees
Expanded data broker protection options for senate staff
An evaluation of an end-to-end encrypted communications tools

The House should consider adopting the Senate language, amending the text to fix the problems identified above, and expanding it to apply to the entirety of the Legislative branch.

The American Governance Institute is a strong supporter of improving Legislative branch cybersecurity. We submitted testimony to Senate appropriators, alongside the R Street Institute and Demand Progress Action, calling for additional support for Senate cybersecurity.

What to do: Non-statutory Fixes

Even without legislation, Congress can still act to protect itself:

First, all new contracts with information providers within the House, Senate, support offices and support agencies should include language that requires notice to Congress of government data demands and affirm Congress's ownership of the data.

Second, Congress should favor telecom providers that automatically notify users about surveillance. Priority should be given to transferring contracts to Google Fi Wireless, U.S. Mobile, and Cape, which do this by default. T-Mobile is willing to provide notice to a list of covered numbers, but that may be administratively burdensome for Congress to operationalize. Congress should consider winding down all contracts with AT&T and Verizon unless their policies change. This will partially protect Members and staff who conduct official communications over private or campaign-funded devices.

Third, Legislative branch staff should be encouraged to use telecom providers that notify them of surveillance.

Finally, Members of both chambers should request the latest Government Accountability Office public report on cyber and surveillance threats. GAO told Wyden the report is available to any senator upon request. Staff may contact GAO's Congressional Relations Office at (202) 512-4400 or congrel@gao.gov.

Senator Wyden has rendered Congress a great service through his investigation. Thanks to him, we know that at least one carrier provided Senate data to law enforcement without notice.

We also owe a debt of gratitude to Senate and House appropriators, who consistently have included bill text and report language in their appropriations bills to provide increasing levels of protection to the Legislative branch. In large part, it is because of their efforts that cybersecurity is addressed and funded across the Legislative branch and that they have promoted Legislative branch-wide collaboration.

Further improvements are needed, however. Any law enforcement agency — federal, state, or local — can currently obtain communications data about Members of Congress and their staff. This can no longer be allowed. Congress must act to protect the Legislative branch.

learnin4life

May 21

I certainly agree with your basic premise that the legislative branch is perhaps today facing its greatest risk of unbridled surveillance since the invention of the cell phone. Some protections seem in order to restrain temptations to use the information gathered to manipulate legislation or individual members. Introducing requirements for carriers to at a minimum notify sitting members of governmental requests for information about their communications seem appropriate.

I would assume that if protected communications became the subject of a criminal case involving a member a federal judge of requisite authority could hold an in camera session with attorneys to evaluate the relevance of the communication to the government's case. After review the judge could either allow or disallow use of the communication in connection with the criminal investigation. Presumably, in non-criminal cases a similarly situated judge could also render decisions on any motions by defense counsel to quash release or use of communications released by carriers.

Expand full comment

First Branch Forecast

Discussion about this post