Deeplinks

Tech Nonprofits to Feds: Don’t Weaponize Procurement to Undermine AI Trust and Safety

Corynne McSherry — Fri, 03 Apr 2026 17:37:01 +0000

While the very public fight continues between the Department of Defense and Anthropic over whether the government can punish a company for refusing to allow its technology to be used for mass surveillance, another branch of the U.S. government is quietly working to ensure that this dispute will never happen again. How? By rewriting government procurement rules.

Using procurement -- meaning, the processes by which governments acquire goods and services-- to accomplish policy goals is a time-honored and often appropriate strategy. The government literally expresses its politics and priorities by deciding where and how it spends its money. To that end, governments can and should give our tax dollars to companies and projects that serve the public interest, such as open-source software development, interoperability, or right to repair. And they should withhold those dollars from those that don’t, like shady contractors with inadequate security systems .

New proposed rules from the principal agency in charge of acquiring goods, property and services for the federal government, the General Services Administration, are supposed to be primarily an effort to implement one policy priority: promoting steering government funds toward “ideologically neutral” American AI innovation But the new guidelines do far more than that.

As explained in comments filed today with our partners at the Center for Democracy and Technology, the Protect Democracy Project, and the Electronic Privacy Information Center, the GSA’s guidelines include broad provisions that would make AI tools less safe and less useful. If finally adopted, these provisions would become standard components of every federal contract. You can read the full comments here.

The most egregious example is a requirement that contractors and government service providers must license their AI systems to the government for “all lawful purposes.” Given the government’s loose interpretations of the law, ability to find loopholes to surveil you, and willingness to do illegal spying, we need serious and proactive legal restrictions to prevent it from gobbling up all the personally data it can acquire and using even routine bureaucratic data for punitive ends.

Relatedly, the draft rules require that “AI System(s) must not refuse to produce data outputs or conduct analyses based on the Contractor’s or Service Provider’s discretionary policies.” In other words, if a company’s safety guardrails might prevent responding to a government request, the company must disable those guardrails. Given widespread public concerns about AI safety, it seems misguided, at best, to limit safeguards a company deems necessary.

There are myriad other problems with the draft rules, such as technologically incoherent “anti-Woke” requirements. But the overarching problem is clear: much of this proposal would not serve the overall public interest in using American tax dollars to promote privacy, safety, and responsible technological innovation. The GSA should start over.

Note they are also about implementing "anti-woke" tech which is even more stupid. I rewrote to allude to it but really that's a whole other blog post

Double Shot of Privacy's Defender in D.C.

Aaron Jue — Fri, 03 Apr 2026 15:58:34 +0000

You’re invited on a journey inside the privacy battles that shaped the internet. EFF’s Executive Director Cindy Cohn has tangled with the feds, fought for your data security, and argued before judges to protect our access to science and knowledge on the internet.

Join Cindy at two events in Washingtion, D.C. on April 13 and 14 discussing her new book: Privacy's Defender: My Thirty-Year Fight Against Digital Surveillance, on sale now. All proceeds from the book benefit EFF. Find the full event details below, and RSVP to let us know if you can make it.

April 13 - With Gigi Sohn at Busboys & Poets

Join American Association of Public Broadband (AAPB) Executive Director Gigi Sohn, in conversation with EFF Executive Director Cindy Cohn for a discussion about Cindy's work, her new book, and what we're all wondering: Can have private conversations if we live our lives online?

Privacy's Defender at Busboys & Poets
Busboys & Poets - 14th & V
2021 14th St NW, Washington, DC 20009
Monday, April 13, 2026
6:30 pm to 8:30 pm

April 14 - With Women in Security and Privacy (WISP)

Join Women in Security and Privacy (WISP) and EFF for a conversation featuring American University Senior Professorial Lecturer Chelsea Horne and EFF Executive Director Cindy Cohn as they dive into data security, Federal access to data, and your digital rights.

Privacy's Defender with WISP
True Reformer Building - Lankford Auditorium
1200 U St NW, Washington, DC 20009
Tuesday, April 14, 2026
6:00 pm to 8:30 pm

"Privacy’s Defender is a compelling account of a life well lived and an inspiring call to action for the next generation of civil liberties champions."

~Edward Snowden, whistleblower; author of Permanent Record

Can't make it? Look for Cindy at a city (or web connection) near you! Find the latest tour dates on the Privacy’s Defender hub or follow EFF for more.

Part memoir and part legal history for the general reader, Privacy’s Defender is a compelling testament to just how much privacy and free expression matter in our efforts to combat authoritarianism, grow democracy, and strengthen human rights. Thank you for being a part of that fight.

Want to support the cause and get a copy of the new book? New or renewing EFF members can preorder one as their annual gift!

Weakening Speech Protections Will Punish All of Us—Not Just Meta

David Greene — Thu, 02 Apr 2026 22:43:12 +0000

Recently, a California Superior Court jury found that Meta and YouTube harmed a user through some of the features they offered. And a New Mexico jury concluded that Meta deceived young users into thinking its platforms were safe from predation.

It’s clear that many people are frustrated by big tech companies and perhaps Meta in particular. We too have been highly critical of them and have pushed for years to end their harmful corporate surveillance. So it’s not surprising that a jury felt like Mark Zuckerberg and his company, along with YouTube, needed to be held accountable.

While it would be easy to claim that these cases set a legal precedent that should make social media companies fearful, that’s not exactly true. And that’s actually a good thing for the internet and its users.

These jury trials were just an early step in a long road through the court system. These cases will now go up on appeal, where the courts’ rulings about the First Amendment and immunity under Section 230 will likely get reconsidered.

As we have argued many times before, the First Amendment protects both user speech and the choices platforms make on how to deliver that speech (in the same way it protects newspapers' right to curate their editorial pages as they see fit). Features on social media sites that are designed to connect users cannot be separated from the users’ speech, which is why courts have repeatedly held that these features are indeed protected.

So while it may be tempting to celebrate these juries’ decisions as a "win" against big tech, in fact the ramifications of lowering First Amendment and immunity standards on other speakers—ones that members of the public actually like, and do not want to punish—are bad. We can’t create less protective speech rules for Meta and Google alone just because we want them held accountable for something else.

As we have often said, much of the anger against these companies arises from people rightfully feeling that these companies harvest and exploit their data, and monetize their lives for crass economic reasons. We therefore continue to urge Congress to pass a comprehensive national privacy law with a private right of action to address these core concerns.

A Baseless Copyright Claim Against a Web Host—and Why It Failed

Betty Gedlu — Thu, 02 Apr 2026 21:34:53 +0000

Higbee & Associates, a law firm known for sending copyright demand letters to website owners, targeted May First Movement Technology, accusing it of infringing a photograph owned by Agence France-Presse (AFP). The claim was baseless. May First didn’t post the photo. It didn’t even own the website where the photo appeared.

May First is a nonprofit membership organization that provides web hosting and technical infrastructure to social justice groups around the world. The allegedly infringing image was posted years ago by one of May First’s members, a human rights group based in Mexico. When May First learned about the copyright complaint, it ensured that the group removed the image.

That should have been the end of it. Instead, the firm demanded payment.

So EFF stepped in as May First’s counsel and explained why AFP and Higbee had no valid claim. After receiving our response, Higbee backed down.

This outcome is a reminder that targets of copyright demands often have strong defenses—especially when someone else posted the material.

Hosting Content Isn’t the Same as Publishing It

Copyright law treats those who create or control content differently from those who simply provide the tools or infrastructure for others to communicate.

In this case, May First provided hosting services but didn’t post the photo. Courts have long recognized that service providers aren’t direct infringers when they merely store material at the direction of users. In those cases, service providers lack “volitional conduct”—the intentional act of copying or distributing the work.

Copyright law also recognizes that intermediaries can’t realistically police everything users upload. That’s why legal protections like the Digital Millennium Copyright Act safe harbors exist. Even outside those safe harbors, courts still shield service providers from liability when they promptly respond to notices.

May First did exactly what the law expects: it notified its member, and the image came down.

A Claim That Should Have Been Withdrawn Much Sooner

The troubling part of this story isn’t just that a demand was sent. It’s that Higbee and AFP continued to demand money and threaten litigation after May First explained that it was merely a hosting provider and had the image removed.

In other words, the claim was built on shaky legal ground from the start. Once May First explained its role, Higbee should have withdrawn its demand. Individuals and small nonprofits shouldn’t need lawyers just to stop aggressive copyright shakedowns.

Statutory Damages Fuel Copyright Abuse

This isn’t an isolated case—it’s a predictable result of copyright law’s statutory damages regime.

Statutory damages can reach $150,000 per work, regardless of actual harm. That enormous leverage incentivizes firms like Higbee to send mass demand letters seeking quick settlements. Even meritless claims can generate revenue when recipients are too afraid, confused, or resource-constrained to fight back.

This hits community organizations, independent publishers, and small service providers that don’t have in-house legal teams especially hard. Faced with the threat of ruinous statutory damages, many just pay what is demanded.

That’s not how copyright law should work.

Know Your Rights

If you receive a copyright demand based on material someone else posted, don’t assume you’re liable.

You may have defenses based on:

Your role as a hosting or service provider
Lack of volitional conduct
Prompt removal of the material after notice
The statute of limitations
The copyright owner’s failure to timely register the work
The absence of actual damages

Every situation is different, but the key point is this: a demand letter is not the same as a valid legal claim.

Standing Up to Copyright Trolls

May First stood its ground, and Higbee abandoned its demand after we explained the law.

But the bigger problem remains. Copyright’s statutory damages framework enables aggressive enforcement tactics that targets the wrong parties, and chills lawful online activity.

Until lawmakers fix these structural incentives, organizations and individuals will keep facing pressure to pay up—even when they’ve done nothing wrong.

If you get one of these demand letters, remember: you may have more rights than it suggests.

EFF Letter to Higbee and Associates, March 4, 2026

Print Blocking Won't Work - Permission to Print Part 2

Cliff Braun — Thu, 02 Apr 2026 17:57:16 +0000

This is the second post in a series on 3D print blocking, for the first entry check out: Print Blocking is Anti-Consumer - Permission to Print Part 1

Legislators across the U.S. are proposing laws to force “print blockers” on 3D printers sold in their states. This mandated censorware is doomed to fail for its intended purpose, but will still manage to hurt the professional and hobbyist communities relying on these tools.

3D printers are commonly used to repair belongings, decorate homes, print figurines, and so much more. It’s not just hobbyists; 3D printers are also used professionally for parts prototyping and fixturing, small-batch manufacturing, and workspace organization. In rare cases, they’ve also been used to print parts needed for firearm assembly.

Many states have already banned manufacturing firearms using computer controlled machine tools, which are called “Computer Numerical Control or CNC machines,” and 3D printers without a license. Recently proposed laws seek to impose technical limitations onto 3D printers (and in some cases, CNC machines) in the hope of enforcing this prohibition.

This is a terrible idea; these mandates will be onerous to implement and will lock printer users into vendor software, impose one-time and ongoing costs on both printer vendors and users, and lay the foundation for a 3D-print censorship platform to be used in other jurisdictions. We dive more into these issues in the first part of this series.

On a pragmatic level, however, these state mandates are just wishful thinking. Below, we dive into how 3D printing works, why these laws won’t deter the printing of firearms, and how regular lawful use will be caught in the proposed dragnet.

How 3D Printers Work

To understand the impact of this proposed legislation, we need to know a bit about how 3D printers work. The most common printers work similarly to a computer-controlled hot glue gun on a motion platform; they follow basic commands to maintain temperature, extrude (push) plastic through a nozzle, and move a platform. These motions together build up layers to make a final “print.” Modern 3D printers often offer more features like Wi-Fi connectivity or camera monitoring, but fundamentally they are very simple machines.

The basic instructions used by most 3D printers are called Geometric Code, or G-Code, which specify very basic motions such as “move from position A to position B while extruding plastic.” The list of commands that will eventually print up a part are transferred to the printer in a text file thousands-to-millions of lines long. The printer dutifully follows these instructions with no overall idea of what it is printing.

While it is possible to write G-Code by hand for either a CNC machine or a 3D printer, the vast majority is generated by computer aided manufacturing (CAM) software, often called a “slicer” in 3D printing since it divides a 3D model into many 2D slices then generates motion instructions.

This same general process applies to CNC machines which use G-Code instructions to guide a metal removal tool. CNC machines have been included in previous prohibitions on firearm manufacturing and file distribution and are also targeted in some of these bills.

There are other types of 3D printers such as those that print concrete, resin, metal, chocolate and other materials using slightly different methods. All of these would be subject to the proposed requirements regardless of how unlikely doing harm with a gun made out of chocolate would be.

Simple rectangular 3D model for test fit

Part of a 173490 line long G-Code file produced by slicer for simple rectangular model.

Part of a 173,490 line long G-Code file for a simple rectangular part.

How is Firearm Detection Supposed to Work?

Under these proposed laws, manufacturers of consumer 3D printers must ensure their printers only work with their software, and implement firearm detection algorithms on either the printer itself or in a slicer software. These algorithms must detect firearm files using a maintained database of existing models. Vendors of printers must then verify that printers are on the allow-list maintained by the state before they can offer them for sale.

Owners of printers will be guilty of a crime if they circumvent these intrusive scanning procedures or load alternative software, which they might do because their printer manufacturer ends support. Owners of existing noncompliant 3D printers in regulated states will be unable to resell their printers on the secondary market legally.

What Will Actually Happen?

While the proposed laws allow for scanning to happen on either the printer itself or in the slicer software, the reality is more complicated.

The computers inside many 3D printers have very limited computational and storage ability; it will be impossible for the printer’s computer to render the G-Code into a 3D model to compare with the database of prohibited files. Thus the only way to achieve this through the machine would be to upload all printer files to a cloud comparison tool, creating new delays, errors, and unacceptable invasions of privacy.

Many vendors will instead choose to permanently link their printers to a specific slicer that implements firearm detection. This requires cryptographic signing of G-Code to ensure only authorized prints are completed, and will lock 3D printer owners into the slicer chosen by their printer vendor.

Regardless of the specifics of their implementation, these algorithms will interfere with 3D printers' ability to print other parts without actually stopping manufacture of guns. It takes very little skill for a user to make slight design tweaks to either a model or G-Code to evade detection. One can also design incomplete or heavily adorned models which can be made functional with some post-print alterations. While this would be pioneered by skilled users—like the ones who designed today’s 3D printed guns—once the design and instructions are out there anyone able to print a gun today will be able to follow suit.

Firearm part identification features also impose costs onto 3D printer manufacturers, and hence their end consumers. 3D printer manufacturers must develop or license these costly algorithms and continuously maintain and update both the algorithm and the database of firearm models. Older printers that cannot comply will not be able to be resold in states where they are banned, creating additional E-waste.

While those wishing to create guns will still be able to do so, people printing other functional parts will likely be caught up in these algorithms, particularly for things like film props, kids’ toys, or decorative models, which often closely resemble real firearms or firearm components.

What Are The Impacts of These Changes?

Technological restrictions on manufacturing tools’ abilities are harmful for many reasons. EFF is particularly concerned with this regulation locking a 3D printer to proprietary vendor software. Vendors will be able to use this mandate to support only in-house materials, locking users into future purchases. Vendor slicer software is often based on out-of-date, open source software, and forcing users to use that software deprives them of new features or even use of their printer altogether if the vendor goes out of business. At worst, some of these bill will make it a misdemeanor to fix those problems and gain full control of your printer.

File-scanning frameworks required by this regulation will lay the foundation for future privacy and freedom intrusions. This requirement could be co-opted to scan prints for copyright violations and be abused similar to DMCA takedowns, or to suppress models considered obscene by a patchwork of definitions. What if you were unable to print a repair part because the vendor asserted the model was in violation of their trademark? What if your print was considered obscene?

Regardless of your position on current prohibitions on firearms, we should all fight back against this effort to force technological restrictions on 3D printers, and legislators must similarly abandon the idea. These laws impose real costs and potential harms among lawful users, lay the groundwork for future censorship, and simply won’t deter firearm printing.

Print Blocking is Anti-Consumer - Permission to Print Part 1

Rory Mir — Thu, 02 Apr 2026 17:56:48 +0000

This is the first post in a series on 3D print blocking, for the next entry check out Print Blocking Won't Work - Permission to Print Part 2

When legislators give companies an excuse to write untouchable code, it’s a disaster for everyone. This time, 3D printers are being targeted across a growing number of states. Even if you’ve never used one, you’ve benefited from the open commons these devices have created—which is now under threat.

This isn’t the first time we’ve gone to bat for 3D printing. These devices come in many forms and can construct nearly any shape with a variety of materials. This has made them absolutely crucial for anything from life-saving medical equipment, to little Iron Man helmets for cats, to everyday repairs. For decades these devices have been a proven engine for innovation, while democratizing a sliver of manufacturing for hobbyists, artists, and researchers around the world.

For us all to continue benefiting from this grassroots creativity, we need to guard against the type of corporate centralization that has undermined so much of the promise of the digital era. Unfortunately some state legislators are looking to repeat old mistakes by demanding printer vendors install an enshittification switch.

In the U.S, three states have recently proposed that commercial 3D-printer manufacturers must ensure their printers only work with their software, and are responsible for checking each print for forbidden shapes—for now, any shape vendors consider too gun-like. The 2D equivalent of these “print-blocking” algorithms would be demanding HP prevent you from printing any harmful messages or recipes. Worse still, some bills can introduce criminal penalties for anyone who bypasses this censorware, or for anyone simply reselling their old printer without these restrictions.

If this sounds like Digital Rights Management (DRM) to you, you’ve been paying attention. This is exactly the sort of regulation that creates a headache and privacy risk for law-abiding users, is a gift for would-be monopolists, and can be totally bypassed by the lawbreakers actually being targeted by the proposals.

Ghosting Innovation

“Print blocking” is currently coming for an unpopular target: ghost guns. These are privately made firearms (PMFs) that are typically harder to trace and can bypass other gun regulations. Contrary to what the proposed regulations suggest, these guns are often not printed at home, but purchased online as mass-produced build-it-yourself kits and accessories.

Scaling production with consumer 3D printers is expensive, error-prone, and relatively slow. Successfully making a working firearm with just a printer still requires some technical know-how, even as 3D printers improve beyond some of these limitations. That said, many have concerns about unlicensed firearm production and sales. Which is exactly why these practices are already illegal in many states, including all of the states proposing print blocking.

Mandating algorithmic print-blocking software on 3D printers and CNC machines is just wishful thinking. People illegally printing ghost guns and accessories today will have no qualms with undetectably breaking another law to bypass censoring algorithms. That’s if they even need to—the cat and mouse game of detecting gun-like prints might be doomed from the start, as we dive into in this companion post.

Meanwhile, the overwhelming majority of 3D-printer users do not print guns. Punishing innovators, researchers, and hobbyists because of a handful of outlaws is bad enough, but this proposal does it by also subjecting everyone to the anticompetitive and anticonsumer whims of device manufacturers.

Can’t make the DRM thing work

We’ve been railing against Digital Rights Management (DRM) since the DMCA made it a federal crime to bypass code restricting your use of copyrighted content. The DRM distinction has since been weaponized by manufacturers to gain greater leverage over their customers and enforce anti-competitive practices.

The same enshittification playbook applies to algorithmic print blockers.

Restricting devices to manufacturer-provided software is an old tactic from the DRM playbook, and is one that puts you in a precarious spot where you need to bend to the whims of the manufacturer. Only Windows 11 supported? You need a new PC. Tools are cloud-based? You need a solid connection. The company shutters? You now own an expensive paperweight—which used to make paperweights.

It also means useful open source alternatives which fit your needs better than the main vendor’s tools are off the table. The 3D-printer community got a taste of this recently, as manufacturer Bambu Labs pushed out restrictive firmware updates complicating the use of open source software like OrcaSlicer. The community blowback forced some accommodations for these alternatives to remain viable. Under the worst of these laws, such accommodations, and other workarounds, would be outlawed with criminal penalties.

People are right to be worried about vendor lock-in, beyond needing the right tool for the job. Making you reliant on their service allows companies to gradually sour the deal. Sometimes this happens visibly, with rising subscription fees, new paywalls, or planned obsolescence. It can also be more covert, like collecting and selling more of your data, or cutting costs by neglecting security and bug fixes.

With expensive hardware on the line, they can get away with anything that won’t make you pay through the nose to switch brands.

Indirectly, this sort of print-blocking mandate is a gift to incumbent businesses making these printers. It raises the upfront and ongoing costs associated with smaller companies selling a 3D printer, including those producing new or specialized machines. The result is fewer and more generic options from a shrinking number of major incumbents for any customer not interested in building their own 3D printer.

Reaching the Melting Point

It’s already clear these bills will be bad for anyone who currently uses a 3D printer, and having alternative software criminalized is particularly devastating for open source contributors. These impacts to manufacturers and consumers culminate into a major blow to the entire ecosystem of innovation we have benefited from for decades.

But this is just the beginning.

Once the infrastructure for print blocking is in place, it can be broadened. This isn’t a block of a very specific and static design, like how some copiers block reproductions of currency. Banning a category of design based on its function is a moving target, requiring a constantly expanding blacklist. Nothing in this legislation restricts those updates to firearm-related designs. Rather, if we let proposals like this pass, we open the door to the database of forbidden shapes for other powerful interests.

Intellectual property is a clear expansion risk. This could look like Nintendo blocking a Pikachu toy, John Deere blocking a replacement part, or even patent trolls forcing the hand of hardware companies. Repressive regimes, here or abroad, could likewise block the printing of "extreme" and “obscene” symbols, or tools of resistance like popular anti-ICE community whistles.

Finally, even the most sympathetic targets of algorithmic censorship will result in false positives—blocking 3D-printer users’ lawful expression. This is something proven again and again in online moderation. Whether by mistake or by design, a platform that has you locked in has little incentive to offer remedies to this censorship. And these new incentives for companies to surveil each print can also impose a substantial chilling effect on what the user chooses to create.

While 3D printers aren’t in most households, this form of regulation would set a dangerous precedent. Government mandating on-device censors which are maintained by corporate algorithms is bad. It won’t work. It consolidates corporate power. It criminalizes and blocks the grassroots innovation and empowerment which has defined the 3D-printer community. We need to roundly reject these onerous restraints on creation.

Google and Amazon: Acknowledged Risks, and Ignored Responsibilities

Betty Gedlu — Thu, 02 Apr 2026 15:12:50 +0000

In late 2024, we urged Google and Amazon to honor their human rights commitments, to be more transparent with the public, and to take meaningful action to address the risks posed by Project Nimbus, their cloud computing contract that includes Israel’s Ministry of Defense and the Israeli Security Agency. Since then, a stream of additional reporting has reinforced that our concerns were well-founded. Yet despite mounting evidence of serious risk, both companies have refused to take action.

Amazon has completely ignored our original and follow-up letters. Google, meanwhile, has repeatedly promised to respond to our questions. Yet more than a year and a half later, we have seen no meaningful action by either company. Neither approach is acceptable given the human rights commitments these companies have made.

Additionally, Microsoft required a public leak before it felt compelled enough to look into and find that its client, the Israeli government, was indeed misusing its services in ways that violated Microsoft’s public commitments to human rights. This should have given both Google and Amazon an additional reason to take a close look and let the public know what they find, but nothing of the sort materialized.

In such circumstances, waiting for definitive proof is not responsible risk management, it is willful blindness.

Google: Known Risks, No Meaningful Action

Google’s own internal assessments warned of the risks associated with Project Nimbus even before the contract was signed. Major news outlets have reported that Google provides the Israeli government with advanced cloud and AI services under Project Nimbus, including large-scale data storage, image and video analysis, and AI model development tools. These capabilities are exceptionally powerful, highly adaptable, and well suited for surveillance and military applications.

Despite those warnings, and the multiple reports since then about human rights abuses by the very portions of the Israeli government that uses Google’s and Amazon’s services, the companies continue to operate business as usual. It seems that they have taken the position that they do not need to change course or even publicly explain themselves unless the media or other external organizations present definitive proof that their tools have been used in specific violations of international human rights or humanitarian law. While that conclusive public evidence has not yet emerged for all the companies, the risks are obvious, and they are aware of them. Instead of conducting robust, transparent human rights due diligence, Amazon and Google are continually choosing to look the other way.

Google’s own internal assessments undermine its public posture. According to reporting, Google’s lawyers and policy staff warned that Google Cloud services could be linked to the facilitation of human rights abuses. In the same report, Google employees also raised concerns that the company’s cloud and AI tools could be used for surveillance or other militarized purposes, which seems very likely given the Israeli government’s long-standing reliance on advanced data-driven systems to control and monitor Palestinians.

Google has publicly claimed that Project Nimbus is “not directed at highly sensitive, classified, or military workloads” and is governed by its standard Acceptable Use Policies. Yet reporting has revealed conflicting representations about the contract’s terms, including indications that the Israeli government may be permitted to use any services offered in Google’s cloud catalog for any purpose. Google has declined to publicly resolve these contradictions, and its lack of transparency is problematic. The gap between what Google says publicly and what it knows internally should alarm anyone who hopes to take the company’s human rights commitments seriously.

Google’s and Amazon’s AI Principles Require Proactive Action

Even after being revised last year, Google’s AI Principles continue to commit the company to responsible development and deployment of its technologies, including implementing appropriate human oversight, due diligence, and safeguards to mitigate harmful outcomes and align with widely accepted principles of international law and human rights. While the updated principles no longer explicitly commit Google to avoiding entire categories of harmful use, they still require the company to assess foreseeable risks, employ rigorous monitoring and mitigation measures, and act responsibly throughout the full lifecycle of AI development and deployment.

Amazon has similarly committed to responsible AI practices through its Responsible AI framework for AWS services. The company states that it aims to integrate responsible AI considerations across the full lifecycle of AI design, development and operation, emphasizing safeguards such as fairness, explainability, privacy and security, safety, transparency, and governance. Amazon also says its AI services are designed with mechanisms for monitoring, and risk mitigation to help prevent harmful outputs or misuse and to enable responsible deployment across a range of use cases.

Google and Amazon have the knowledge, the leverage, and the responsibility to act now. Choosing not to is still a choice.

Here, the risks are neither speculative nor remote. They are foreseeable, well-documented, and exacerbated by the context in which Project Nimbus operates, which is an ongoing military campaign marked by widespread civilian harm and credible allegations of grave human rights violations including genocide. In such circumstances, waiting for definitive proof is not responsible risk management, it is willful blindness.

Modern cloud and AI systems are designed to be flexible, customizable, and deployable at scale, often beyond the vendor’s direct visibility. That reality is precisely why human rights due diligence must be proactive. Waiting for a leaked document or whistleblower account demonstrating direct misuse, as occurred in Microsoft’s case, means waiting until harm has already been done.

Microsoft’s Experience Should Have Been Warning Enough

As noted above, the recent revelations about Microsoft’s technologies being misused in violation of Microsoft’s commitments by the Israeli military illustrate the dangers of this wait-and-see approach. Google and Amazon should not need a similar incident to recognize what is at stake. The demonstrated misuse of comparable technologies, combined with Google’s and Amazon’s own knowledge of the risks associated with Project Nimbus, should already be sufficient to trigger action.

The appropriate response is to act responsibly and proactively.

Google and Amazon should immediately:

Conduct and publish an independent human rights impact assessment of Project Nimbus.
Disclose how they evaluate, monitor, and enforce compliance with their AI Principles in high-risk government contracts, including and especially in Project Nimbus.
Commit to suspending or restricting services where there is a credible risk of serious human rights harm, even if definitive proof of misuse has not yet emerged.

Waiting Is a Choice, and Not One That Protects Human Rights

Google and Amazon publicly emphasize their commitment to responsible AI and respect for human rights. Those commitments are meaningless if they apply only once harm is undeniable and irreversible. In conflict settings, especially where secrecy and information asymmetry are the norm, companies must act on credible risk, not perfect evidence.

Google and Amazon have the knowledge, the leverage, and the responsibility to act now. Choosing not to is still a choice, and one that carries real consequences for people whose lives are already at risk.

EFF’s Submission to the UN OHCHR on Protection of Human Rights Defenders in the Digital Age

Jillian C. York — Thu, 02 Apr 2026 11:29:13 +0000

Governments around the world are adopting new laws and policies aimed at addressing online harms, including laws intended to curb cybercrime and disinformation, and ostensibly protect user safety. While these efforts are often framed as necessary responses to legitimate concerns, they are increasingly being used in ways that restrict fundamental rights.

In a recent submission to the United Nations Office of the High Commissioner for Human Rights, we highlighted how these evolving regulatory approaches are affecting human rights defenders (HRDs) and the broader digital environment in which they operate.

Threats to Human Rights Defenders

Across multiple regions, cybercrime and national security laws are being applied to prosecute lawful expression, restrict access to information, and expand state surveillance. In some cases, these measures are implemented without adequate judicial oversight or clear safeguards, raising concerns about their compatibility with international human rights standards.

Regulatory developments in one jurisdiction are also influencing approaches elsewhere. The UK’s Online Safety Act, for example, has contributed to the global diffusion of “duty of care” frameworks. In other contexts, similar models have been adopted with fewer protections, including provisions that criminalize broadly defined categories of speech or require user identification, increasing risks for those engaged in the defense of human rights.

At the same time, disruptions to internet access—including shutdowns, throttling, and geo-blocking—continue to affect the ability of HRDs to communicate, document abuses, and access support networks. These measures can have significant implications not only for freedom of expression, but also for personal safety, particularly in situations of conflict or political unrest.

The expanded use of digital surveillance technologies further compounds these risks. Spyware and biometric monitoring systems have been deployed against activists and journalists, in some cases across national borders. These practices result in intimidation, detention, and other forms of retaliation.

The practices of social media platforms can also put human rights defenders—and their speech—at risk. Content moderation systems that rely on broadly defined policies, automated enforcement, and limited transparency can result in the removal or suppression of speech, including documentation of human rights violations. Inconsistent enforcement across languages and regions, as well as insufficient avenues for redress, disproportionately affects HRDs and marginalized communities.

Putting Human Rights First

These trends underscore the importance of ensuring that regulatory and corporate responses to online harms are grounded in human rights principles. This includes adopting clear and narrowly tailored legal frameworks, ensuring independent oversight, and providing effective safeguards for privacy, expression, and association.

It also requires meaningful engagement with civil society. Human rights defenders bring essential expertise on the local and contextual impacts of digital policies, and their participation is critical to developing effective and rights-respecting approaches.

As digital technologies continue to shape civic space, protecting the individuals and communities who rely on them to advance human rights remains an urgent priority.

You can read our full submission here.

Speaking Freely: Jacob Mchangama

Jillian C. York — Thu, 02 Apr 2026 09:17:24 +0000

Interviewer: Jillian York

Jacob Mchangama is a Danish lawyer, human-rights advocate, and public commentator. He is the founder and director of Justitia, a Copenhagen-based think tank focusing on human rights, freedom of speech, and the rule of law. His new book with Jeff Kosseff, The Future of Free Speech: Reversing the Global Decline of Democracy's Most Essential Freedom, comes out on April 7th.

Jillian York: Welcome, Jacob. I'm just going to kick off with a question that I ask everyone, which is: what does free speech mean to you?

Jacob Mchangama: I like to use the definition that Spinoza, the famous Dutch renegade philosopher, used. He said something along the lines, and I'm paraphrasing here, that free speech is the right of everyone to think what they want and say what they think, or the freedom to think what they want and say what they think. I think that's a pretty neat definition, even though it may not be fully exhaustive from sort of a legal perspective, I like that.

JY: Excellent. I really like that. I'd like to know what personally shaped your views and also what brought you to doing this work for a living.

JM: I was born in Copenhagen, Denmark, which is a very liberal, progressive, secular country. And for most of my youth and sort of young adulthood, I did not think much about free speech. It was like breathing the air. It was essentially a value that had already been won. This was up until sort of the mid-naughties. I think everyone was sort of surfing the wave of optimism about freedom and democracy at that time.

And then Denmark became sort of the epicenter of a global battle of values over religion, the relationship between free speech and religion with the whole cartoon affair. And that's really what I think made me think deep and hard about that, that suddenly people were willing to respond to cartoonists using crayons with AK-47s and killings, but also that a lot of people within Denmark suddenly said, “Well, maybe free speech doesn't include the right to offend, and maybe you're punching down on a vulnerable minority,” which I found to be quite an unpersuasive argument for restricting free speech.

But what's also interesting was that you saw sort of how positions on free speech shifted. So initially, people on the left were quite apprehensive about free speech because they perceived it to be about an attack on minorities, in this case, Muslim immigrants in Denmark. Then the center right government came into power in Denmark, and then the narrative quickly became, well, we need to restrict certain rights of hate preachers and others in order to defend freedom and democracy. And then suddenly, people on the right who had been free speech absolutists during the cartoon affair were willing to compromise on it, and people on the left who had been sort of, well, “maybe free speech has been taken too far” were suddenly adamant that this was going way too far, and unfortunately, that is very much with us to this day. It's difficult to find a principled, consistent constituency for free speech.

JY: That's a great way of putting it. I feel like, with obvious differences from country to country, it feels like that kind of polarization is true everywhere, including the bit about flipping sides. I guess my next question, then, is: what do you feel like most people get wrong about free speech?

JM: I think there's a tendency—and I'm talking especially in the West, in the traditional free and open democracies—I think there's a huge tendency to take all the benefits of free speech for granted and focus myopically on the harms, real and perceived, of speech. I mean, just the fact that you and I can sit here, you know, I don't know where you are in the world, but you and I can have a direct, live, uncensored conversation…that is something that you know was unimaginable not that long ago, and we just take that for granted. We take it for granted that we can have access to all the information in the world that would previously have required someone to spend years in libraries, traveling the world, finding rare manuscripts.

We take it for granted, but this is the difference between us and say dissidents in Iran or Russia or Venezuela. We take it for granted that we can go online and vent against our governments and say things, and we can also vent things on social issues that might be deeply offensive to other people, but generally we don't face the risk of being imprisoned or tortured. But that's just not the case in many other countries.

So, I think those benefits, and also, I would say, when you look at the historical angle, every persecuted or discriminated against group that has sought and achieved a higher degree of equal dignity, equal protection under the law, has relied on speech. First they relied on speech, then they could rely on free speech at some point, but initially they didn't have free speech right? So whether it's abolitionist the civil rights movement in the United States, you know my good friend Jonathan Rauch, who was sort of at the forefront of of securing same sex marriage in the United States, knows that was a fight that very much relied on speech. And women's rights…fierce women, who would protest outside the White House and burn in effigy figures of the President, would go to prison. Women didn't have political power. They didn't have guns. They didn't have economic power, they had speech, and that's what you need, to petition the government, to shine a light on abuse, to rally other allies and so on. And I think unfortunately, we've unlearned those hugely important precedents for why we have free speech today.

JY: I’m definitely going to come back to that. But first I want to ask you about the new book you have coming out with Jeff Kosseff, The Future of Free Speech: Reversing the Global Decline of Democracy's Most Essential Freedom. I'm very excited, I’ve pre-ordered it.

So, in light of that, I’ve got a two part question: First, what are some of the trends that concern you the most about what’s going on today? And then, what do you think we need to do to ensure that there is a future for free speech?

JM: So first of all, I was thrilled to be able to write it with Jeff, because Jeff is such an authority on First Amendment section 230 issues. But from the personal perspective, you could say that this book sort of continues where my previous book on the history of free speech finishes.

And so, based on the idea that we are living through a free speech recession that has become particularly acute in this digital age, where we see what I term as various waves of elite panic that lead to attempts to impose sort of top down controls on online speech in particular—and this is not only in the countries where you'd expect it, like China and Russia and Iran, but increasingly also in open democracies that used to be the heartland of free speech—there's a tendency, I think, in democracies, to view free speech no longer as sort of a competitive advantage against authoritarian states, or a right that would undermine authoritarians, but as sort of a Trojan horse which allows the enemies of democracies, both at home and abroad, to weaponize free speech against democracy, and so that's why the overwhelming

legislative initiatives and framing of free speech is often “this is a danger.” This is something we need to do something about. We need to do something about disinformation. We need to do something about hate speech. We need to do something about extremism. We need to do something about, you know, we need to have child safety laws. We need age verification. And you know, you know the list all too well.

JY: I do, absolutely.

JM: Where I think where free speech advocates often fall short, is that we're very good at sort of talking about the slippery slope and John Stuart Mill and all these things, and that's important, but very often we don't have compelling proposals to sell to people who are not sort of civil libertarians at heart, and who are generally in favor of free speech, but who are frightened about particular developments at particular manifestations of speech that they think have become so dangerous to you know, freedom, democracy, whatever interest that they're willing to compromise free speech.

And so we try to point to some concrete examples of—giving life to the old cliché—fighting bad speech with better speech. So some of those examples are counter speech. There are some great examples. One of them is from Brazil, where there was a black weather woman who was the first black weather woman to be sort of on a prominent TV channel, and she was met with brutal racism. So, you know, what should have been a happy moment for her became quite devastating. And so there was this NGO that printed billboards of these very nasty racist comments, blurred the identity of the user who had said it, but then put them in the neighborhoods where these people lived. So that was a very powerful way to confront Brazilians with the fact that, you know, racism is alive. It's right here in your neighborhood. And you know they used the N word and everything, and nothing was censored in terms of this racism, which was put right in front of it of everyone, and it actually led to a lot of people sort of deleting their comments and someone apologizing, and led to, I think, a fruitful debate in Brazilian society.

Then you have other types of counter speech. One of them is a Swedish journalist called Mina Dennert. She started the “I am here” movement. So it's a counter speech movement, which I think spans 150,000 volunteers across 15 countries. And they use counter speech online, typically on Meta platforms, I think, where they essentially gather together and push back against hate speech, not necessarily to convince the speaker that they're wrong, but to give support to those who are the victims, but also to essentially convince what is often termed the movable middle, to show them that there are people who disagree with racist hate speech, and there's actually empirical data to suggest that these can be effective strategies. You can also use humor.

Daryl Davis is a very extreme example. He's a black jazz musician who has made it his life mission to befriend members of the KKK. And he has converted around 200 members of the KKK, to essentially leave it and he does that by just having a conversation. Because if your worldview is that blacks are inferior and should not enjoy equal rights, and you have a conversation with someone in a way where it becomes impossible for you to uphold that worldview, because the person in front of you is clearly someone who's intelligent, articulate, who can counter all your your preconceived notions, then it becomes very difficult to uphold that worldview right? And you can imagine that those members who leave the KKK then become agents of change within their former communities.

So there are various counter speech strategies that have shown a promise, and at the Future of Free Speech [think tank] that I direct, we've developed these toolkits, and we do teachings around the world, I think we've translated them into nine or ten languages. So it's not a panacea, obviously, to everything that's going on, but it's something quite practical, I think. And the good thing about it is also that it doesn't depend on an official definition of hate speech. If you're concerned about a particular type of speech, you can use counter speech to counter it. But you're not engaging in censorship, and we don't have to agree on what the definition of hate speech is. In that way, it’s hopefully an empowering tool.

And another example: we talk about how Taiwan has been quite an inspiring case for using crowd sourced fact checking, for using sort of a bottom up approach to fighting disinformation from China, but also around Covid, so zero lockdowns and no centralized censorship, and they’re doing better than a lot of Western democracies that use more illiberal methods and the crowd sourced fact checking pioneered in Taiwan is what inspired Bird Watch on Twitter prior to its being taking over by Elon Musk, and which is now community notes on X, which I actually think for all the things you might dislike about X, is a feature that is quite promising.

JY: Definitely. I absolutely agree with that, and I'm really glad you mentioned your previous book, which I loved, and the idea of a free speech recession.

You’ve done so much of this work all over the world, and have learned from people in different places and tried to understand the challenges they’re facing in terms of free speech. We actually started this project, Speaking Freely, primarily to share those different perspectives and to bring them to our readership, the majority of which comes from the U.S. What I’d like to ask you, then, is what do you feel that we in the “West” or in more open societies have to learn from free speech activists in the rest of the world?

JM: Just…the bravery of say, Iranians who now face complete—and this was even before the attacks by the US and Israel—complete internet bans. But who have also relied on social media platforms and digital creativity to circumvent official propaganda and censorship. I think those types of societies provide sort of a real time experiment, right? You know, okay, we have we have social media, and it's messy, and sometimes it's ugly, and sometimes some of these tech companies do things that we disapprove of, but you know the cure in terms of further government control, for instance, let's say, getting rid of section 230, adding age verification laws, trying to create exceptions to the First Amendment in cyberspace…we have societies where that is happening, albeit, of course, at a very extreme scale. But would you really trade the freedoms, however messy they are, for that kind of society?

And then, I also worry a lot about the state of affairs in Europe, where I'm from, where it's not unusual if you're in Germany, to have the police show up at your door if you've insulted a powerful politician. For the book, I interviewed an Israeli, Jewish woman who lives in Berlin. She's on the far left and very opposed to to Israel's policies, and she's been arrested four times for for protesting with a plaque that says, “as an Israeli Jew, stop the genocide in Gaza.” And again, you can agree or disagree whether there's a genocide, but that's just political speech. Yet the optics of a Jew—an Israeli, Jewish woman—being arrested by German police in Berlin in the name of fighting antisemitism is, I think, absurd, right?

JY: I’m laughing only because I think I’ve said that exact sentence in an interview with the German press.

JM: But this is the reality right now. And I think it's also a good example of the fact that there have been people on the left in Europe who have said, well, we need to do something about the far right. And therefore it's okay to crack down, you know, use hate speech laws and so on. And then October 7 happened, and suddenly you see a lot of minorities and people on the left who are becoming the targets of laws against hate speech or glorification of terrorism and so on and so forth. And I think that's a powerful case for why you want a pretty hard nosed principle of consistent protection of free speech, also online. And, given the priorities of the current administration in the United States, I think that if the First Amendment and section 230 were not in place in the United States, the kind of laws that you have in Europe would be very moldable for the current administration to go after. I mean, it’s already going after its enemies, real and perceived, but it often loses in court exactly because of constitutional protections, including the First Amendment. But if that protection wasn't there, they would be much more successful, I think, in going after speech that they don't like.

JY: That’s such a fantastic answer, and I’m in total agreement. I was actually living in Berlin until quite recently and saw quite a bit of that firsthand. It’s really troubling.

I want to shift course for a moment. We hopefully have some young people reading this as well, and I think right now in this moment where age verification proposals are happening everywhere—which we at EFF are really concerned about—it’s important to speak to them as well. What advice would you give to young readers who are coming of age around the topic of free speech and who are interested in doing this sort of work?

JM: I think young people are obviously immersed in the digital age, and some of them may never have opened a physical book. I don't know. Maybe it's a Boomer prejudice when I say that, but, but, I don't think it's a stretch to imagine that the vast majority of speech and expression that they're confronted with is through devices of a sort. I think it's crucial to understand that, you know, the system of free speech was developed before that, and so not to focus solely on thinking about free speech only through the lens of the digital age. What came before it is really important to give you some perspective.

So that’s one thing, but I also have two kids, aged 13 and 16, so I’ve thought a lot and fought a lot about some of these issues. I understand where some of the age verification concerns come from. I have parental controls on my children's phones and devices, and try to control it as best as possible, because I do think there can be harms if you spend too much time. But on the other hand, I would also say—and this goes back to the harms and benefits—sometimes there's this analogy that people want to make that social media is like tobacco, which I think is such a poor comparison, because, you know, no one in the world would disagree that tobacco is extremely harmful, right? It's cancerous and all kinds of other things. There are no benefits to tobacco, but social media access, I think, is very different. For instance, I moved to the United States with my family three years ago. My children had no problem speaking English, doing well in school because of YouTube. They could speak almost with the accent, they were immersed into cultural idioms, and they could learn stuff. And also in terms of connections, they have friends back home, it would be very difficult for them to stay in touch the same way that they can now and have connections, if it wasn't due to technology. And so I think that social media for minors also has benefits that make it very, very different from the tobacco analogy.

Plus, I also think, and here I'm pointing my finger at Jonathan Haidt, that some of the evidence that is being pushed for these kinds of bans seem not to reflect scientific consensus, and that there's a lot of subject matter experts who actually think that the case is much more muddled than than the message that he has pushed in his best selling book, but which is now going the rounds.

But it amazed me to look at. First of all, let me say I've admired Jonathan Haidt for a long time. I loved his previous work, but I just feel like his crusade on social media for minors and age verification is…in a certain sense, he's gone down some of the roads that he warned against in some of his previous books, in terms of motivated reasoning and confirmation bias and so on. But I saw Jonathan Haidt praise the Minister of Digital Affairs for Indonesia for their age verification bill that is supposed to come into effect now. Indonesia is a country that right now, I think, has a bill in place that will give further powers to the government to ban LGBT content, and what’s the justification? Protecting children. It is a country where someone uploaded a Tiktok video where they said an Islamic prayer before eating pork…two years in prison, right? So it's a country that is in the lower half of Freedom House's Freedom on the Net rankings. So it's amazing to me that a good liberal Democrat like Jonathan Haidt would essentially lend his legitimacy to a country like Indonesia when no one, no serious person, can be in doubt that these kinds of laws will be used and abused by a country like Indonesia to crack down on religious and political, sexual minorities and dissent in general.

JY: Absolutely. And that actually fits really well with something that I've been thinking a lot about too. I know you've written a lot about the Brussels effect and I'm trying to look at the ways in which a similar effect—not necessarily coming from Brussels, of course—is shaping internet regulation in different directions, in terms of laws influencing other laws.

Now, in terms of laws influencing other laws, age verification is, I think, one of the big ones. I mean, seeing these laws modeled after things that the UK or Australia or the U.S. has proposed, and then, just being made so much worse, and then sometimes echoing back here as well. And I think Indonesia is such a great example of that.

JM: Yeah. I mean, Australia sort of opened the Pandora’s box, and everyone is rushing in now, and I think the consequences are likely to be grave, and I think it fits into another issue which I think is even more concerning, that is this rehabilitation or of the concept of digital sovereignty. If you went back 10 years ago and talked about digital sovereignty, you would say, “Well, this is something that they do in China or Russia,” but now digital sovereignty is shouted from the rooftops in Brussels and democracies.

And you know, I could maybe understand, if digital sovereignty meant, yes, we're going to protect our critical infrastructure, or we don't want to be overly reliant on American tech platforms, given the Trump administration's hostility towards Europe. But digital sovereignty now essentially means a concept of sovereignty which asserts that governments and institutions like the European Union have powers to determine what types of information and ideas their citizens should be confronted with. Now look up Article 19 in the Universal Declaration of Human Rights, what does it say? Everyone has the right to free expression, which includes, and I'm paraphrasing here, the right to share and impart ideas across frontiers, regardless of media, right? You know this. So now we're reverting back to an idea of free expression, which says that the government can now control what type of information that…if a foreign government or information that purports to undermine democratic values in a society, then the government has a right to censor it or require that an intermediary take mitigating steps towards it. I mean, I think that is really a recipe for disaster.

JY: I’m so glad you talked about that. I don’t even think everyone talking about digital sovereignty is working with the same definition.

JM: No no, digital sovereignty can mean a lot of things. But there’s no doubt that it’s now being stretched to also include pure information and ideas rather than critical infrastructure or industrial policy where it may have a more benign role to play.

JY: Absolutely. Well, we’ve covered a lot of territory, so I’m going to ask you my favorite question, the one we ask everyone: Who is your free speech hero?

JM: I think my free speech hero would be Frederick Douglass. To me, he’s just someone who epitomizes not only being a principled defender of free speech, but someone who did free speech in practice. In his autobiography—he wrote three, I think—but in one of them there’s a foreword by the great abolitionist William Lloyd Garrison, and he describes watching and listening to Frederick Douglass give one of his first public speeches in Nantucket in 1841 and Garrison describes the impact that Douglass had on this crowd and he says something along the lines of: “I think I never hated slavery so much as in that very moment.” So you can almost feel the impact of Douglass’s speech, and that’s the gold standard, right, for what speech can do and why it should be free.

JY: Such a great answer. Thank you.

JM: Thank you.

Digital Hopes, Real Power: From Revolution to Regulation

Jillian C. York — Wed, 01 Apr 2026 13:20:13 +0000

This is the second installment of a blog series reflecting on the global digital legacy of the 2011 Arab uprisings. You can read the first post here.

From Russia—where wartime censorship and more stringent platform controls have choked dissenting voices—to Nigeria, with its aggressive takedown orders turning social media into political battlegrounds, and to Turkey, where sweeping “disinformation” laws have made platforms heavily policed spaces, freedom of expression online is under attack. Per Freedom House’s 2023 Freedom on the Net Report, 66% of internet users live where political or social sites are blocked, and 78% are in countries where people have been arrested for online posts. New social media regulations have emerged in dozens of countries in the past year alone.

The online landscape looks markedly different than it did fifteen years ago. Back then, social media was still new and largely free from legal restrictions: platforms moderated content in response to user reports, governments rarely targeted them directly, and blocks (when they happened) were temporary, with censorship mostly focused on whole websites that VPNs or proxies could easily bypass. The internet was far from free, but governments’ crude tactics left space for circumvention.

Those early restrictions, as crude as they were, marked the start of a rapid evolution in online censorship. Governments like Thailand, which blocked thousands of YouTube videos in 2007 over critical content, and Turkey, which demanded takedowns from YouTube before blocking the site entirely, tested legal and technical pressures to mute dissent and force platforms’ compliance. By 2011, governments weren't just reacting—they had learned to pressure platforms into becoming instruments of state censorship, shifting their playbooks from blunt blocks to sophisticated systems of control that simple VPNs could no longer reliably bypass. Governments across the region were watching closely, and by the time the 2011 uprisings began, they were prepared to respond.

Looking Back

After learning that a Facebook page—We Are All Khaled Said, honoring a young man killed by police brutality—sparked Egypt’s street protests, Western media hailed online platforms as engines of democracy. Revolution co-creator Wael Ghonim told a journalist: “This revolution started on Facebook.” That claim was debated and contested for years; critically, Facebook had suspended the page two months earlier over pseudonyms violating its real-name policy, restoring it only after advocates intervened.

Once the protests moved to the streets, Egypt’s government—alert to social media’s power—quickly blocked Facebook and Twitter, then enacted a near-total shutdown (more on that in part 4 of this series). As history shows, the measures didn’t stop the revolution, and Egyptian president Hosni Mubarak stepped down. For a brief moment, freedom appeared to be on the horizon. Unfortunately, that moment was short-lived.

Egypt’s Digital Dystopia

Just as the Egyptian military government quashed revolution in the streets, they also shut down online civic space. Today, Egypt’s internet ranks low on markers of internet freedom. The military government that has ruled Egypt since 2013 has imprisoned human rights defenders and enacted laws—including 2015’s Counter-terrorism Law and 2018’s Cybercrime Law—that grant the state broad authority to suppress speech and prosecute offenders.

The 2018 law demonstrates the ease with which cybercrime laws can be abused. Article 7 of the law allows for websites that constitute “a threat to national security” or to the “national economy” to be blocked. The Association of Freedom of Thought and Expression (AFTE) has criticized the loose definition of “national security” contained within the law, as “everything related to the independence, stability, security, unity and territorial integrity of the homeland.” Notably, individuals can also be penalized—and sentenced to up to six months imprisonment—for accessing banned websites.

Articles 25, which prohibits the use of technology to “infringe on any family principles or values in Egyptian society,” and 26, which prohibits the dissemination of material that “violates public morals,” have been used in recent years to prosecute young people who use social media in ways in which the government disapproves. Many of those prosecuted have been young women; for instance, belly dancer Sama Al Masry was sentenced to three years in prison and fined 300,000 Egyptian pounds under Article 26.

Beyond Egypt: Regional Trends

Egypt’s trajectory reflects a wider regional and global pattern. In the years following the uprisings, governments moved quickly to formalize legal authority over digital space, often under the banner of combating cybercrime, terrorism, or “false information.” These laws often contain vaguely worded provisions criminalizing “misuse of social media” or “harming national unity,” giving authorities wide discretion to prosecute speech.

In Qatar and Bahrain, a social media post can result in up to five years in jail. In 2018, prominent Bahraini human rights defender Nabeel Rajab was convicted of “spreading false rumours in time of war”, “insulting public authorities”, and “insulting a foreign country” for tweets he posted about the killing of civilians in Yemen and sentenced to five years imprisonment.

Two years later, Qatar amended its penal code by setting criminal penalties for spreading “fake news.” Article 136 (bis) sets criminal penalties for broadcasting, publishing, or republishing “rumors or statements or false or malicious news or sensational propaganda, inside or outside the state, whenever it is intended to harm national interests or incite public opinion or disturb the social or public order of the state” and sets a punishment of a maximum of five years in prison, and/or 100,000 Qatari riyals. The penalty is doubled if the crime is committed in wartime.

Now, as war has once again reached the region, these laws are being put to the test. Bahraini authorities have arrested at least 100 people in relation to protests or expression related to the war, while Qatar has arrested more than 300 people on charges of spreading “misleading information.”

And in the UAE, at least 35 people—most or all of whom are foreign nationals—have been arrested and “accused of spreading misleading and fabricated content online that could harm national defence efforts and fuel public panic,” according to the Times of India. The arrests fall under the UAE’s 2022 Federal Decree Law No. 34 on Combating Rumours and Cybercrimes which—says Human Rights Watch—is, along with the country’s Penal Code, “used to silence dissidents, journalists, activists, and anyone the authorities perceived to be critical of the government, its policies, or its representatives.”

From Regional Practice to Global Pattern

Today roughly four out of five countries worldwide have enacted cybercrime legislation, a dramatic expansion over the past decade, with many governments adopting or revising such laws in the years following the Arab uprisings.

Outside the region, other nations have repurposed these laws to police speech. In Nigeria, journalists have been detained under the Cybercrime Act, with dozens of prosecutions documented since 2015. Bangladesh’s Digital Security Act has been used in thousands of cases—including hundreds against journalists—while in Uganda, authorities have prosecuted political critics under computer misuse laws for social media posts.

Cybercrime laws are only one piece of a broader toolkit that governments now deploy to control digital spaces. Over the past decade, authorities have introduced sweeping “disinformation” laws, platform liability rules, age verification laws, and data localization requirements that force companies to store data domestically or appoint legal representatives within national jurisdictions. These measures give governments leverage over global technology firms, enabling them to demand faster content removals, obtain user data, or threaten steep fines and throttling if platforms fail to comply. Rather than relying solely on blunt instruments like blocking entire websites, states increasingly govern speech through layered regulatory systems that pressure platforms to police users on the state’s behalf.

The platforms too have changed. The same social media companies that were once championed as tools of democratic mobilization now operate in more constrained environments—and often act as willing participants in repressing speech. Facing financial penalties and the prospect of being blocked entirely, many companies expanded compliance with takedown requests after 2011, as can be seen in the companies’ own transparency reports. They later invested heavily in automated technologies that remove vast quantities of content before it is ever publicly available.

Rights groups around the world, including EFF, have warned that these dynamics disproportionately impact historically marginalized and vulnerable groups, as well as journalists and other human rights defenders. Research by the Palestinian digital rights organization 7amleh and reporting by Human Rights Watch have documented how content moderation policies, government pressure, and opaque enforcement mechanisms increasingly converge—leaving activists, journalists, and human rights defenders caught between state censorship and platform governance.

The New Architecture of Repression

Looking back now, it’s clear that, fifteen years ago, governments were caught off guard. They crudely blocked platforms, shut down networks, and scrambled to contain movements they did not fully understand. But in the years since, states have systematically adapted, transforming what were once reactive measures into durable systems of control.

Today’s controls are embedded in law, outsourced to platforms, and justified through the language of security, safety, and order. Cybercrime statutes, disinformation frameworks, and platform regulations form a layered architecture that allows states to shape online expression at scale while maintaining a veneer of legality. In this system, repression is often procedural, bureaucratic, and continuous.

The question is no longer whether the internet can enable dissent, but whether it can still sustain it under these conditions.

This is the second installment of a blog series reflecting on the global digital legacy of the 2011 Arab uprisings. Read the rest of the series here.

Cindy Cohn on The Daily Show: Learn More About EFF, Privacy's Defender, and Watch the Interview

Jason Kelley — Tue, 31 Mar 2026 03:17:47 +0000

About EFF

The Electronic Frontier Foundation is the leading nonprofit defending civil liberties in the digital world. EFF’s work to protect your rights on the internet is supported by over 30,000 members who have joined our mission by donating just this year.

For over 35 years, our lawyers, activists, and technologists have been thinking about the next big thing in tech before anyone else—whether that’s age verification, AI, or Palantir. Whatever causes you fight for, EFF protects the internet infrastructure you rely on to do so.

JOIN EFF TODAY

To learn more about our work, follow EFF on social media and subscribe to EFF's EFFector newsletter below to learn about the ways the internet and online rights are changing and what that means for you. And join EFF to support our fight—because if you use technology, this fight is yours.

Watch the Interview

Privacy info. This embed will serve content from youtube-nocookie.com

Privacy's Defender: My Thirty Year Fight Against Digital Surveillance, by Cindy Cohn

In Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance (MIT Press), EFF Executive Director Cindy Cohn weaves her own personal story with her role as a leading legal voice representing the rights and interests of technology users, innovators, whistleblowers, and researchers during the Crypto Wars of the 1990s, battles over NSA’s dragnet internet spying revealed in the 2000s, and the fight against FBI gag orders.

"Let's Sue the Government" T-Shirt

Sometimes our supporters call EFF a merch store with a law firm attached because our stickers, hoodies and shirts are so well known. Our "Let's Sue the Government" shirt tells people: When your rights are at risk, you don’t stay quiet.

Privacy First: A Better Way to Address Online Harms

Our lawmakers seem to be losing the forest for the trees, promoting scattered and disconnected proposals addressing whichever perceived harm is causing the loudest public anxiety in any given moment. Too often, those proposals do not carefully consider the likely unintended consequences or even whether the law will actually reduce the harms it’s supposed to target.

The truth is many of the ills of today’s internet have a single thing in common: they are built on a system of corporate surveillance. Multiple companies, large and small, collect data about where we go, what we do, what we read, who we communicate with, and so on. They use this data in multiple ways and, if it suits their business model, may sell it to anyone who wants it—including law enforcement. Addressing this shared reality will better promote human rights and civil liberties, while simultaneously holding space for free expression, creativity, and innovation than many of the issue-specific bills we’ve seen over the past decade.

Read EFF's Privacy First: A Better Way to Address Online Harms.

EFF's History

In early 1990, the U.S. Secret Service conducted raids tracking the distribution of a document illegally copied from a telecom company’s computer; one of those targeted was an Austin, TX publisher named Steve Jackson, whose computers were seized but later returned without any charges filed. Jackson’s business had suffered, and he discovered that the government had read and deleted his customers’ emails. He sought a civil liberties organization to represent him for this violation of his rights, but no existing organization understood the technology well enough to grasp the free speech and privacy issues at hand.

But a few well-informed technologists did understand. Mitch Kapor, former president of Lotus Development Corp.; John Perry Barlow, a Wyoming cattle rancher and lyricist for the Grateful Dead; and John Gilmore, an early employee of Sun Microsystems, with help from Apple co-founder Steve Wozniak, decided to do something about it – and so the Electronic Frontier Foundation was born in July 1990. The Steve Jackson Games case turned out to be an extremely important one for the early internet: For the first time, a court held that electronic mail deserves at least as much protection as telephone calls.

EFF's original logo, in use from 1990-2018

EFF continued to take on cases that set important precedents for the treatment of rights in cyberspace. In our second big case, Bernstein v. U.S. Department of Justice, the United States government prohibited a University of California mathematics Ph.D. student from publishing online an encryption program he had created. Years earlier, the government had placed encryption on the United States Munitions List, alongside bombs and flamethrowers, as a weapon to be regulated for national security purposes; our lawsuit established that written software code is speech protected by the First Amendment, and the further ruled that the export control laws on encryption violated Bernstein's rights by prohibiting his constitutionally protected speech. Now everyone has the right to "export" encryption software—by publishing it on the Internet—without prior permission from the U.S. government.

Since then we’ve fought against government and corporate abuses of our Constitutional rights, on issues including warrantless wiretapping by intelligence agencies, the panopticon of street-level surveillance that seeks to track everything we do, and the corporate surveillance that turns our clicks into their commodity, as well as issues of antitrust and intellectual property, artificial intelligence, cybersecurity, and much more. We are lawyers, technologists, activists, and lobbyists who work every day for the privacy, security and dignity of all who use technology - and if you use technology, this fight is yours, too.

EFF's Greatest Hits

While many early battles over the right to communicate freely and privately stemmed from government censorship, today EFF is fighting for users on many other fronts as well.

Today, certain powerful corporations are attempting to shut down online speech, prevent new innovation from reaching consumers, and facilitating government surveillance. We challenge corporate overreach just as we challenge government abuses of power.

JOIN EFF TODAY

We also develop technologies that can help individuals protect their privacy and security online, which our technologists build and release freely to the public for anyone to use.

In addition, EFF is engaged in major legislative fights, beating back digital censorship bills disguised as intellectual property proposals, opposing attempts to force companies to spy on users, championing reform bills that rein in government surveillance, documenting police technology and where it's used, helping users protect themselves from surveillance, and much more.

Learn more about some of EFF's most impactful work— Download a PDF of our new catalog, "Now That's What I Call Digital Rights!

EFF's Cindy Cohn on The Daily Show! Tonight Monday, March 30

Jason Kelley — Mon, 30 Mar 2026 15:12:42 +0000

EFF Executive Director Cindy Cohn will be on The Daily Show tonight, Monday March 30, at 11 pm ET and PT, speaking with host Jon Stewart. Cindy will discuss her long history of fighting for privacy online and her new book, Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance (MIT Press). The book details her own personal story alongside her role representing the rights and interests of technology users, innovators, whistleblowers, and researchers during the Crypto Wars of the 1990s, battles over NSA’s dragnet internet spying revealed in the 2000s, and the fight against FBI gag orders.

You can watch the interview below, and on Comedy Central, and extended episodes are released shortly thereafter on Paramount Plus as well as in segments on YouTube.

Privacy info. This embed will serve content from youtube-nocookie.com

About The Daily Show

The Daily Show is a long-running comedy news show that covers the biggest headlines of the day. It has won 26 Primetime Emmy Awards and has introduced the world to now well-known actors and comedians such as Steve Carell, Samantha Bee, Ed Helms, and Trevor Noah, as well as hosts of their own current shows, Stephen Colbert and John Oliver.

UK Politicians Continue to Miss the Point in Latest Social Media Ban Proposal

Paige Collings — Mon, 30 Mar 2026 15:06:51 +0000

The UK is moving forward with its efforts to ban social media for young people. Ahead of this week’s House of Lords debate on the topic, we’re getting you situated with a primer on what’s been happening and what it all means.

What was the last vote about?

On 9 March, the House of Commons discussed amendments tabled by the House of Lords in the government’s flagship legislation, the Children’s Wellbeing and Schools Bill.

The House of Lords previously tabled an amendment to “prevent children under the age of 16 from becoming or being users” of “all regulated user-to-user services,” to be implemented by “highly-effective age assurance measures,” which effectively banned under-16s from social media. When this proposal came before the House of Commons, MPs defeated it by 307 votes to 173.

Instead, the Commons proposed its own amendment: enabling the Secretary of State to introduce provisions “requiring providers of specified internet services” to prevent access by children, under age 18 rather than 16, to specified internet services or to specified features; and to restrict access by children to specified internet services which ministers provide.

Who does this give powers to?

The Commons proposal redirects power from the UK Parliament and the UK’s independent telecom regulator Ofcom to the Secretary of State for Science, Innovation and Technology, currently Liz Kendall, who will be able to restrict internet access for young people and determine what content is considered harmful…just because she can. The amendment also empowers the Secretary of State to limit VPN use for under 18s, as well as restrict access to addictive features and change the age of digital consent in the country; for example, preventing under-18s from playing games online after a certain time.

Why is this a problem?

This process is devoid of checks or accountability mechanisms as ministers will not be required to demonstrate specific harms to young people, which essentially unravels years-long efforts by Ofcom to assess online services according to their risks. And given the moment the UK is currently in, such as refusing to protect trans and LGBTQ+ communities and flaming hostile and racist discourses, it is not unlikely that we’ll see ministers start restricting content that they ideologically or morally feel opposed to, rather than because the content is harmful based, as established by evidence and assessed pursuant to established human rights principles.

We know from other jurisdictions like the United States that legislation seeking to protect young people typically sweeps up a slew of broadly-defined topics. Some block access to websites that contain some “sexual material harmful to minors,” which has historically meant explicit sexual content. But some states are now defining the term more broadly so that “sexual material harmful to minors” could encompass anything like sex education; others simply list a variety of vaguely-defined harms. In either instance, this bill would enable ministers to target LGBTQ+ content online by pushing this behind an under-18s age gate, and this risk is especially clear given what we already know about platform content policies.

How will this impact young people?

The internet is an essential resource for young people (and adults) to access information, explore community, and find themselves. Beyond being spaces where people can share funny videos and engage with enjoyable content, social media enables young people to engage with the world in a way that transcends their in-person realm, as well as find information they may not feel safe to access offline, such as about family abuse or their sexuality. In severing this connection to people and information by banning social media, politicians are forcing millions of young people into a dark and censored world.

How did each party vote?

The initial push to ban under-16s from social media came from the Conservative Party, who have since accused the UK’s Prime Minister Keir Starmer of “dither and delay” for not committing to the ban. The Liberal Democrats have also called this “not good enough.” The Labour Party itself is split, with 107 Labour Party MPs abstaining in the vote on the House of Lords amendment.

But we know that the issue of young people’s online safety is a polarizing topic that politicians have—and will continue to—weaponize for public support, regardless of their actual intentions. This is why we will continue to urge policymakers and regulators to protect people’s rights and freedoms online at all moments, and not just take the easy route for a quick boost in the polls.

How does this bill connect to the Online Safety Act?

The draft Children’s Wellbeing and Schools Bill that came from the Lords provided that any regulation pertaining to the well-being of young people on social media “must be treated as an enforceable requirement” with the Online Safety Act. The Commons amendment, however, starts out by inserting a new clause that amends the Online Safety Act.

For more than six years, we’ve been calling on the UK government to pass better legislation around regulating the internet, and when the Online Safety Act passed we continued to advocate for the rights of people on the internet—including young people—as Ofcom implemented the legislation. This has been a protracted effort by civil society groups, technologists, tech companies, and others participating in Ofcom's consultation process and urging the regulator to protect internet users in the UK.

The MPs amendment essentially rips this up. Technology Secretary Liz Kendall recently said that ministers intended to go further than the existing Online Safety Act because it was “never meant to be the end point, and we know parents still have serious concerns. That is why I am prepared to take further action.” But when this further action is empowering herself to make arbitrary decisions on content and access, and banning under-18s from social media, this causes much more harm than it solves.

Is the UK alone in pushing legislation like this?

Sadly, no. Calls to ban social media access for young people have gained traction since Australia became the first country in the world to enforce one back in December. On 5 March, Indonesia announced a ban on social media and other “high-risk” online platforms for users under 16. A few days later, new measures came into effect in Brazil that restricts social media access for under-16s, who must now have their accounts linked to a legal guardian. Other countries like Spain and the Philippines have this year announced plans to ban social media for under-16s, with legislation currently pending to implement this.

What are the next steps?

The Children's Wellbeing and Schools Bill returns to the House of Lords on 25 March for consideration of the new Commons amendments. The bill will only become law if both Houses agree to the final draft.

We will continue to stand up against these proposals—not only to young people’ free expression rights, but also to safeguard the free flow of information that is vital to a democratic society. The issue of online safety is not solved through technology alone, especially not through a ban, and young people deserve a more intentional approach to protecting their safety and privacy online, not this lazy strategy that causes more harm than it solves.

We encourage politicians in the UK to look into what is best, not what is easy, and explore less invasive approaches to protect all people from online harms.

US Tech Companies Must be Accountable in US Courts for Facilitating Persecution and Torture Abroad, EFF Urges US Supreme Court

Josh Richman — Fri, 27 Mar 2026 22:07:56 +0000

Cisco Systems Case Has Major Implications for Global Human Rights

SAN FRANCISCO – U.S. technology companies should be legally accountable in U.S. courts for building tools that purposefully and actively facilitate human rights abuses by foreign governments, the Electronic Frontier Foundation argued in a brief filed Friday to the U.S. Supreme Court.

The brief filed in the case of Cisco Systems, Inc., et al., v. Doe I, et al. urges the high court to uphold the U.S. Court of Appeals for the 9th Circuit’s 2023 ruling that U.S. corporations can be held liable under the Alien Tort Statute (ATS) – a law that lets noncitizens bring claims in U.S. federal court for international law violations – for taking actions in the U.S. that aided and abetted persecution and torture abroad.

“This is not a case about a company that merely provided routers or other general-purpose technologies to a foreign government. It is about a company that purposefully and actively assisted in the persecution of a religious group,” the brief says. “There is a growing set of companies—including American companies—that provide surveillance technologies that are vulnerable to, and indeed are being used to, support gross human rights abuses. Because of this, the outcome of this case will have profound implications for millions of people who rely on digital technologies in their everyday lives, including to practice their religion.”

The “Golden Shield” system that Cisco custom-built for the Chinese government was an essential component of persecution against the Falun Gong religious group—persecution that included online spying and tracking, detention, and torture. Victims reported that intercepted communications were used during torture sessions aimed at forcing them to renounce their religion. Falun Gong victims and their families sued Cisco in 2011 and a federal district judge dismissed the case in 2014. The case was delayed three times as the Supreme Court considered three prior ATS cases.

The 9th Circuit appeals court – after proceedings including an amicus brief from EFF – reversed that lower decision, holding that U.S. corporations can be held liable under the ATS for aiding and abetting human rights abuses abroad. It also held that a company does not need to have the “purpose” to facilitate human rights abuses in order to be held liable; it only needs to have “knowledge” that its assistance helped in such abuses. It then held that the plaintiffs’ allegations showed that Cisco’s actions met both standards. The court also held that the fact that a technology has legitimate uses does not shield a company from liability for other uses that led to human rights abuses when the standards of international law are met. Taken cumulatively, Cisco’s actions in the U.S. were sufficient to allow the case to proceed, the 9th Circuit ruled.

Cisco appealed to the Supreme Court, which granted review in January. The case, No. 24-856, is scheduled for argument on April 28.

Cisco Systems is just one of many U.S. companies that make surveillance systems, spyware, and other products used by governments to violate people’s human rights.

“This Court must not shut the courthouse door to victims of human rights abuses that are actively powered by American corporations,” the brief says. “In the digital age, repressive governments rarely act alone to violate human rights. They have accomplices—including technology companies that have the sophistication and technical know-how that those repressive governments lack.”

For EFF’s amicus brief to the U.S. Supreme Court: https://www.eff.org/document/2026-03-27-eff-amicus-brief-cisco-v-doe-scotus

For EFF’s Doe I v. Cisco case page: https://www.eff.org/cases/doe-i-v-cisco

For the U.S. Supreme Court docket: https://www.supremecourt.gov/docket/docketfiles/html/public/24-856.html

Contact:

Sophia

Cope

Senior Staff Attorney

sophia@eff.org

Cindy

Cohn

Executive Director

cindy@eff.org

Traffic Violation! License Plate Reader Mission Creep Is Already Here

Matthew Guariglia — Thu, 26 Mar 2026 20:19:26 +0000

A new report from 404 Media sheds light on how automated license plate readers (ALPRs) could be used beyond the press releases and glossy marketing materials put out by law enforcement agencies and ALPR vendors. In December 2025, Georgia State Patrol ticketed a motorcyclist for holding a cell phone in his hand. According to the report, the ticket read, “CAPTURED ON FLOCK CAMERA 31 MM 1 HOLDING PHONE IN LEFT HAND.”

If you’re thinking that this sounds outside of the scope of what ALPRs are supposed to do, you’re right. In November 2025, Flock Safety, the maker of the ALPR in question, wrote a post about how they definitely are in compliance with the Fourth Amendment to the U.S. Constitution. In this post, which highlighted what ALPRs are and what they are not, the company writes: “What it is not: Flock ALPR does not perform facial recognition, does not store biometrics, cannot be queried to find people, and is not used to enforce traffic violations.” (emphasis added)

Well, apparently their customers never got the memo and apparently the technology’s design does not explicitly prevent behavior the company officially and publicly disavows.

Or at least this used to be the case: Flock now lists six different companies providing traffic enforcement technology on its “Partner program” site. Public records also show that speed enforcement cameras have been connected to Flock's ALPR network.

EFF and other privacy advocates have long warned about mission creep when it comes to surveillance infrastructure. Police often swear that a piece of technology will only be used in a particular set of circumstances or to fight only the most serious crimes only to utilize it to fight petty crimes or watch protests.

We continue to urge cities, states, and even companies to end their relationship with Flock Safety because of the incompatibility between the mass surveillance it enables and its inability to protect civil liberties—including preventing mission creep.

Supreme Court Agrees With EFF: ISPs Don't Have To Be Copyright Enforcers

Betty Gedlu — Thu, 26 Mar 2026 16:31:08 +0000

If your ISP can be liable for huge amounts of money for not terminating your access to the internet because of accusations that you—or someone in your household or college network—has committed copyright infringement, that is dangerous. We live in a world where high speed internet access is a necessity for participation in everyday life. That’s why liability for ISPs for their customers’ actions should not be expanded.

Last fall, EFF filed an amicus brief urging the U.S. Supreme Court to reject an expansive theory of secondary copyright liability that threatened to impose massive damages on internet service providers and other technology companies simply for offering widely used services. Yesterday, the Court agreed.

In Cox v. Sony, the Court reversed a Fourth Circuit decision that had upheld a billion-dollar verdict against internet provider Cox Communications. Writing for the majority, Justice Thomas explained that contributory liability is limited to two situations: when a defendant actively induces infringement, or when it provides a product or service that it knows is tailored for infringement.

This framework closely tracks the approach EFF urged in our amicus brief. As we explained, courts should look to patent law for guidance in defining the boundaries of secondary copyright liability. Patent law recognizes liability where a defendant actively induces infringement, or distributes a product knowing that it lacks substantial non-infringing uses. The Court’s opinion adopts that same basic structure.

EFF also emphasized the broader public interest at stake in preserving these limits. Expansive theories of secondary liability do not just affect large internet providers. They can chill innovation, threaten smaller technology companies, and undermine the development of general-purpose tools that millions of people rely on for lawful speech, creativity, education, and access to information. When liability turns on generalized knowledge that some users may infringe, service providers face pressure to over-police user activity or withdraw useful services altogether.

The Court also made clear that mere knowledge that some customers use a service to infringe is not enough. Copyright holders must show that the provider intended its service to be used for infringement. That intent can be established only through active inducement or by showing that the service is specifically designed for unlawful uses—not simply because the service provider failed to take affirmative steps to prevent infringement.

Applying this standard, the Court held that Cox could not be liable. There was no evidence that Cox encouraged or promoted infringement. The record instead showed that Cox implemented warning systems, suspended service, and in some cases terminated accounts in an effort to discourage unlawful activity.

Nor was Cox’s internet access service tailored to infringement. The Court emphasized that general-purpose internet connectivity is capable of substantial lawful uses. Treating the provision of such services as contributory infringement would improperly expand secondary liability beyond the limits recognized in prior Supreme Court decisions.

The Court also rejected the Fourth Circuit’s broader rule that supplying a service with knowledge it may be used to infringe is itself sufficient for liability. That theory conflicts with decades of precedent warning against imposing copyright liability based solely on knowledge or a failure to take additional preventive steps.

EFF is pleased with yesterday’s opinion. We will continue to advocate for the public’s ability to build, use, and innovate with new technologies.

Link to our amicus brief:
https://www.eff.org/document/us-s-ct-cox-v-sony-eff-et-al-amicus-brief

Link to the opinion:
https://www.supremecourt.gov/opinions/25pdf/24-171_bq7d.pdf

EFF Sues for Answers About Medicare's AI Experiment

Hudson Hongo — Wed, 25 Mar 2026 17:20:02 +0000

Little Is Known About AI That Could Affect Millions of Seniors' Care

SAN FRANCISCO – The Electronic Frontier Foundation (EFF) today filed a Freedom of Information Act (FOIA) lawsuit against the Centers for Medicare & Medicaid Services (CMS) seeking records about a multi-state program that is using AI to evaluate requests for medical care.

"Tasking an algorithm with making determinations about treatment can create unwarranted—and even discriminatory—delays or denials of necessary medical care," said Kit Walsh, EFF’s Director of AI and Access-to-Knowledge Legal Projects. "Given these serious risks, the public requires transparency that it hasn't gotten. We're suing to get badly needed answers about how Medicare's AI experiment works."

Announced by CMS Administrator Dr. Mehmet Oz last year, the pilot program known as WISeR (Wasteful and Inappropriate Service Reduction) uses AI to assess prior authorization requests from Medicare beneficiaries. Previously rare in original Medicare, prior authorization requires medical providers to obtain advance approval from a patient’s health insurer before delivering certain treatments or services as a condition of coverage.

Unfortunately, there is little information about how the AI algorithms used in WISeR work, including what training data they rely on. It remains unclear whether WISeR has any safeguards against systemic flaws such as algorithmic bias, privacy violations, and wrongful denials of care.

Healthcare experts, care providers, and lawmakers have all raised alarms that WISeR may cause serious harm to patients by relying on AI unless it has the necessary safeguards. Despite this widespread criticism, WISeR was rolled out in six states in January, potentially affecting as many as 6.4 million Medicare beneficiaries, according to one estimate.

By design, WISeR incentivizes contracted companies to deny prior approval against the best interests of patients. Vendors are compensated, in part, on the volume of healthcare services they deny and are entitled to as much as 20 percent of the associated savings. Just weeks after WISeR's launch, hospitals and other health care providers started reporting delays in care approval, communication gaps, and administrative strain.

Earlier this year, EFF submitted a FOIA request to CMS asking for records related to WISeR. Among other records, the request sought agreements with software vendors participating in WISeR; records related to any tests for accuracy, bias, or hallucinations in vendors' technology; and records related to any audits, monitoring, or evaluation of WISeR and participating vendors. To date, CMS has not provided any of these records to EFF. EFF's FOIA lawsuit asks for their immediate processing and release.

"The public has a right to know more about the algorithms driving decisions around their healthcare," said Tori Noble, Staff Attorney at EFF. "Without greater transparency, patients, providers, and policymakers will continue to be left in the dark.”

EFF thanks Stanford Law School's Juelsgaard Intellectual Property & Innovation Clinic for their help in preparing this lawsuit.

For the complaint: https://www.eff.org/document/complaint-eff-v-cms-medicare-wiser-foia

Tags:

transparency

artificial intelligence and machine learning

automated decision-making

Contact:

Tori

Noble

Staff Attorney

tori@eff.org

👓 Who's Really Watching What Smartglasses See? | EFFector 38.6

Hudson Hongo — Wed, 25 Mar 2026 15:38:35 +0000

After years of tech industry experiments, smartglasses with embedded cameras and microphones have finally gone mainstream. And, disturbingly, sometimes it's not just their owners who are watching what these devices record. In this week's EFFector newsletter, we're taking a closer look at the privacy implications of Meta Ray-Bans, and sharing all the latest in the fight for privacy and free speech online.

JOIN OUR NEWSLETTER

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This week's issue covers EFF's new executive director; how publishers blocking the Internet Archive threaten the web's historical record; and why you should think twice before buying or using Meta’s Ray-Bans.

Prefer to listen in? EFFector is now available on all major podcast platforms. This week, we're chatting with EFF Security and Privacy Activist Thorin Klosowski about smartglasses and privacy. And don't miss the EFFector news quiz. You can find the episode and subscribe on your podcast platform of choice:

Privacy info. This embed will serve content from simplecast.com

Want to stay in the fight for privacy and free speech online? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight against online surveillance when you support EFF today!

Digital Hopes, Real Power: Reflecting on the Legacy of the Arab Spring

Jillian C. York — Wed, 25 Mar 2026 11:07:48 +0000

This is the first installment of a blog series reflecting on the global digital legacy of the 2011 Arab uprisings.

A new generation of protesters, raised on social media and often fluent in the tools of digital dissent, has taken to the streets in recent months and years. In Bangladesh, Iran, Togo, France, Uganda, Nepal, and more than a dozen other countries, young people have harnessed digital tools to mobilize at scale, shape political narratives, and sustain movements that might once have been easier to ignore or suppress.

The tools at their disposal are vast, allowing them to coordinate quickly and turn local grievances into visible, transnational moments of dissent. But each new tactic is met in turn: governments now implement draconian regulations and deploy sophisticated surveillance systems, content manipulation, and automated censorship to pre-empt, predict, and punish collective action.

This cycle of digital empowerment and repression is not new. In many ways, its roots can be traced to the 2011 uprisings that rippled across the Middle East and North Africa. Often referred to as the “Arab Spring,” these movements didn’t just reshape politics…they transformed how we talk about the internet, and how governments respond in times of protest, crisis, and conflict. Fifteen years later, the legacy of that moment still defines the terms of resistance and control in the digital age.

At the time, we were sold the comforting narrative that the internet would help bring about democracy, that connectivity itself was revolutionary, and that Silicon Valley’s products—particularly social media platforms—were aligned with the people. It was a narrative that tech executives were sometimes happy to amplify and certain Western governments were happy to believe.

But the same networks that helped protesters to organize and broadcast their demands beyond their own borders laid the groundwork for new forms of repression. Over the years, the same tools that were once celebrated as tools of dissent have become instruments for tracking, harassing, and prosecuting dissenters.

This series examines the digital legacy of the 2011 uprisings that shook the region: how governments refined censorship and surveillance after 2011, how platforms alternately resisted and enabled those efforts, and how a new generation of civil society has pushed back.

"Over the years, the same tools that were once celebrated as tools of dissent have become instruments for tracking, harassing, and prosecuting dissenters."

When Tunisian fruit vendor Mohamed Bouazizi set himself on fire on December 17, 2010, after repeated harassment by local officials, he could not have known the chain reaction his act would spark. After nearly twenty-three years in power, President Zine El Abidine Ben Ali faced a public fed up with repression. Protests spread across Tunisia, ultimately forcing him to flee.

In his final speech, Ben Ali promised reforms: a freer press and fewer internet restrictions. He left before either materialized. For Tunisians, who had lived for years under normalized censorship both online and off, the promises rang hollow.

At the time, Tunisia’s internet controls were among the most restrictive in the world. Reporting by the exiled outlet Nawaat documented a sophisticated filtering regime: DNS tampering, URL blocking, IP filtering, keyword censorship. Yet despite that machinery, Tunisians built a resilient blogging culture, often relying on circumvention tools to push information beyond their borders. When protests began—and before international media caught up—they were ready.

Eleven days after Ben Ali fled, Egyptians took to the streets. International headlines rushed to label it a “Twitter revolution,” mistaking a tool for a movement. Egypt’s government drew a similar conclusion. On January 26, authorities blocked Twitter and Facebook. The next day, they shut down the internet almost entirely, a foreshadowing of what we’d see fifteen years later in Iran.

As Egyptians fought to free their country from President Hosni Mubarak’s autocratic rule, protests swept across the region to Bahrain, where demonstrators gathered at the Pearl Roundabout before facing a brutal crackdown; to Syria, where early calls for reform spiraled into one of the most devastating conflicts of the century; to Morocco, where the February 20 Movement pushed for constitutional change. Outside of the region, movements took shape in Spain, Greece, Portugal, Iceland, the United States, and beyond.

In each context, digital platforms helped circulate images, testimonies, and tactics across borders. They created visibility—and, in turn, inspired a playbook. Governments watched not only their own populations but one another, quickly learning how to disrupt networks, identify organizers, and seize back control of the narrative.

Cause and Effect

To be clear, the internet didn’t create these movements. Decades of repression, corruption, labor organizing, and grassroots activism did. Later research confirmed what many in the region already understood: digital tools helped people share information and coordinate action, but they were neither the spark nor the engine of revolt.

But regardless, the myth of the “Twitter revolution” had consequences. The breathless coverage, and rapid policy reactions that followed shaped state strategy around the world. Governments across the region and well beyond invested heavily in surveillance technologies, developed new legal mechanisms, increased their own social media presence, and found ways to influence platforms. Internet blackouts, once rare, became a normalized tool of crisis response. And companies were forced into increasingly public decisions about whether to resist state pressure or comply.

When it comes to the internet, the legacy of the 2011 uprisings that swept the region and beyond is a story about power: how states moved to consolidate control online, how platforms—often under pressure—have narrowed the space for dissent, and how civil society has been forced to evolve to defend it.

This five-part series will take a deeper look at how the internet as a space for dissent and for hope has changed over the past fifteen years throughout the region and well beyond.

Nicole Ozer Named as Electronic Frontier Foundation’s Executive Director

Josh Richman — Tue, 24 Mar 2026 21:00:00 +0000

Ozer, With Decades of Experience in Technology and Civil Liberties Law, Will Succeed Cindy Cohn as Organization’s Leader

SAN FRANCISCO – Nicole Ozer has been appointed as executive director of the Electronic Frontier Foundation effective June 1.

Ozer is a legal expert on privacy and surveillance, artificial intelligence, and digital speech. She currently serves as the inaugural executive director of the Center for Constitutional Democracy at the University of California College of the Law in San Francisco. From 2004-2025, she was founding director of the Technology and Civil Liberties Program at the American Civil Liberties Union of Northern California. Ozer will succeed Cindy Cohn, who has been with EFF for more than 25 years and served as its executive director since 2015.

EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development, with a mission to ensure that technology supports freedom, justice, and innovation for all people of the world. The organization celebrated its 35th anniversary in 2025.

"I am honored to lead EFF forward in these critical times. EFF’s global work to defend and advance rights, justice, and democracy in the digital age is fundamental to the future of our countries, our livelihoods, and literally our lives,” Ozer said. “I am ready to hit the ground running with EFF’s exceptional staff, board, and broad base of supporters and ensure that EFF is stronger than ever. Together, we can meet this moment and build a future where technology works for the people.”

“I couldn’t be happier to pass EFF’s reins over to Nicole,” Cohn said. “She has been our stalwart partner for many years in standing up for privacy, free speech and innovation online. I’m confident that she understands both the strong heart and the future potential of EFF especially as our work is more critical than ever.”

“Nicole Ozer is the ideal person to lead EFF during this unprecedented time in our nation’s history,” said EFF Board Chair Gigi Sohn. “She possesses all of the qualities necessary to lead the organization: great vision, strong management skills and deep substantive knowledge. The fact that she has worked alongside EFF for over two decades is icing on the cake. The EFF Board is excited to welcome Nicole and begin a new chapter in our history.”

Over her more than two decades leading public interest technology work, Ozer:

spearheaded passage of the California Electronic Communications Privacy Act – the nation’s strongest electronic surveillance law, requiring a warrant for government access to electronic information;
modernized California law to protect reading records in the digital age by helping to craft the Reader Privacy Act requiring a “super warrant” for government access;
created a groundbreaking model law for local democratic oversight of surveillance systems which inspired 25 laws across the country that help safeguard the rights and safety of more than 17 million people;
litigated civil liberties cases and drafted influential amicus briefs on technology issues at all levels of state and federal court, including the U.S. Supreme Court and California Supreme Court; and
developed multi-year campaigns to strengthen the anti-surveillance policies related to social media surveillance and face recognition of major technology companies and foster stronger privacy and free expression protection for billions of people worldwide.

Ozer is a lecturer at the University of California, Berkeley School of Law; was a 2024-2025 technology and human rights fellow with the Carr-Ryan Center for Human Rights Policy at the Harvard Kennedy School; and in 2019 was a visiting researcher at the Berkeley Center for Law and Technology and a non-residential fellow with the Digital Civil Society Lab at the Stanford Center on Philanthropy and Civil Society.

Ozer's work has earned accolades including the Fearless Advocate Award from the American Constitution Society Bay Area, the James Madison Freedom of Information Award from the Society of Professional Journalists of Northern California, and a 2025 California Senate Members resolution commending her “unwavering dedication to defending and promoting civil liberties in the digital world.” Her writings on privacy and constitutional law have been published widely, and she regularly provides expert testimony for government proceedings, offers commentary in the press, speaks at academic conferences, and presents at national and global forums including South by Southwest and the Centre for European Policy Studies. She holds a law degree from the University of California, Berkeley School of Law and a bachelor’s in American Studies from Amherst College.

"It is incredibly exciting to welcome Nicole Ozer as our new leader at EFF at a time when the organization's mission couldn't be more essential,” said entrepreneur, activist, writer, and EFF Board member Anil Dash. "Nicole's unique skills promise to build on the foundation that Cindy Cohn established as Executive Director, preparing EFF to serve an even more vital role in protecting privacy and innovation."

Cohn first became involved with EFF in 1993 when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography. She served as EFF’s legal director and general counsel from 2000 through 2015, and as executive director since then. She also co-hosted EFF’s award-winning “How to Fix the Internet” podcast. Her memoir, Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance, was published March 10 by MIT Press, and she is now conducting a national book tour.

EFF's Board of Directors last year assembled a committee which undertook a wide search for Cohn’s successor with assistance from leadership advisory firm Russell Reynolds Associates.

Contact: press@eff.org

Congress Is Dropping the Ball with a Clean Extension of FISA

India McKinney — Fri, 20 Mar 2026 22:20:49 +0000

Two years ago, Congress passed the “Reforming Intelligence and Securing America” Act (RISAA) that included nominal reforms to Section 702 of the Foreign Intelligence Surveillance Act (FISA). The bill unfortunately included some problematic expansions of the law—but it also included a relatively big victory for civil liberties advocates: Section 702 authorities were only extended for two years, allowing Congress to continue the important work of negotiating a warrant requirement for Americans as well as some other critical reforms.

However, Congress clearly did not continue this work. In fact, it now appears that Congress is poised to consider another extension of this program without even attempting to include necessary and common sense reforms. Most notably, Congress is not considering a requirement to obtain a warrant before looking at data on U.S. persons that was indiscriminately and warrantlessly collected. House Speaker Mike Johnson confirmed that “the plan is to move a clean extension of FISA … for at least 18 months.”

Even more disappointing, House Judiciary Chair Jim Jordan, who has previously been a champion of both the warrant requirement and closing the data broker loophole, told the press he would vote for a clean extension of FISA, claiming that RISAA included enough reforms for the moment.

It’s important to note RISAA was just a reauthorization of this mass surveillance program with a long history of abuse. Prior to the 2024 reauthorization, Section 702 was already misused to run improper queries on peaceful protesters, federal and state lawmakers, Congressional staff, thousands of campaign donors, journalists, and a judge reporting civil rights violations by local police. RISAA further expanded the government’s authority by allowing it to compel a much larger group of people and providers into assisting with this surveillance. As we said when it passed, overall, RISAA is a travesty for Americans who deserve basic constitutional rights and privacy whether they are communicating with people and services inside or outside of the US.

Section 702 should not be reauthorized without any additional safeguards or oversight. Fortunately, there are currently three reform bills for Congress to consider: SAFE, PLEWSA, and GSRA. While none of these bills are perfect, they are all significantly better than the status quo, and should be considered instead of a bill that attempts no reform at all.

Mass spying—accessing a massive amount of communications by and with Americans first and sorting out targets second and secretly—has always been a problem for our rights. It was a problem at first when President George W. Bush authorized it in secret without Congressional or court oversight. And it remained a problem even after the passage of Section 702 in 2008 created the possibility of some oversight. Congress was right that this surveillance is dangerous, and that's why it set Section 702 up for regular reconsideration. That reconsideration has not occurred, even as the circumstances of the NSA, Justice Department, and FBI leadership, have radically changed. Reform is long overdue, and now it's urgent.

FCC Chair Carr’s Threats to Punish Broadcasters Are Unconstitutional

David Greene — Fri, 20 Mar 2026 15:08:16 +0000

EFF joined other digital rights and civil liberties organizations in calling out the unconstitutionality of Federal Communications Commission chair Brendan Carr’s recent threats to punish broadcasters for airing statements he disagrees with.

Carr’s recent threats, like his past threats, are unconstitutional efforts to coerce news coverage that favors President Donald Trump. He wrongly claims that the FCC’s “public interest” standard allows him and the commission to revoke the licenses of broadcasters who publish news that is unflattering to the government is anathema to our country’s core constitutional values.

The First Amendment constrains the FCC’s authority to force broadcasters to toe the government’s line, even though broadcast licensees are required to operate in the “public interest, convenience, and necessity.” Imposing restrictions on licensees’ speech, especially viewpoint-based limitations, are still subject to First Amendment scrutiny even if, in some circumstances, that scrutiny differs somewhat from that applied to non-broadcast media. And the “public interest” requirement, as it were, has never been interpreted to allow the type of viewpoint-based punishment that Carr has threatened here.

Everyone agrees that news reporting should strive for accuracy, but Carr’s threats have little do with that. Instead, his allegations of "falsity" are a proxy for retaliation based on (1) Carr’s subjective policy disagreements; (2) any criticism of Trump and the administration broadly; (3) treatment of anything that is not the official US government line about the Iran War as “false.”

We join the call for Carr to withdraw these threats.

Civil Society Letter to FCC Chairman Barr

Bonus Podcast Episode: Privacy’s Defender - Cindy Cohn with Cory Doctorow

Josh Richman — Tue, 17 Mar 2026 08:03:00 +0000

While How to Fix the Internet is on hiatus, we wanted to share a great conversation with you from last week. EFF Executive Director Cindy Cohn spoke with bestselling novelist, journalist, and EFF Special Advisor Cory Doctorow about Cindy’s new book, “Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance” (MIT Press).

Privacy info. This embed will serve content from simplecast.com

You can also listen to this episode on the Internet Archive or watch the video on YouTube.

Part memoir, part battle cry, “Privacy’s Defender” is the story of Cindy’s fights alongside the visionaries who looked at the early internet and understood that the legal and political battles over this new technology - the Crypto Wars, the NSA’s dragnet, the FBI gag orders - were really over the future of free speech, privacy, and power for all.

Cindy Cohn and Cory Doctorow at City Lights.jpg

This conversation was recorded on Tuesday, March 10 in front of a packed house at San Francisco’s iconic City Lights Bookstore. For more about the book and Cindy’s national book tour - with stops in places including Seattle, Silicon Valley, Denver, Boston, Ann Arbor, Iowa City, Washington DC and New York City - check out https://www.eff.org/Privacys-Defender

And finally, stay tuned to this feed; we’re working on a special podcast series featuring key players and moments from the book!

Resources:

The Crypto Wars: Bernstein v. US Department of Justice
NSA Spying: Hepting v. AT&T
NSA Spying: Jewel v. NSA
EFF’s National Security Letter lawsuits

Blocking the Internet Archive Won’t Stop AI, But It Will Erase the Web’s Historical Record

Joe Mullin — Mon, 16 Mar 2026 19:26:54 +0000

Imagine a newspaper publisher announcing it will no longer allow libraries to keep copies of its paper.

That’s effectively what’s begun happening online in the last few months. The Internet Archive—the world’s largest digital library—has preserved newspapers since it went online in the mid-1990s. The Archive’s mission is to preserve the web and make it accessible to the public. To that end, the organization operates the Wayback Machine, which now contains more than one trillion archived web pages and is used daily by journalists, researchers, and courts.

But in recent months The New York Times began blocking the Archive from crawling its website, using technical measures that go beyond the web’s traditional robots.txt rules. That risks cutting off a record that historians and journalists have relied on for decades. Other newspapers, including The Guardian, seem to be following suit.

For nearly three decades, historians, journalists, and the public have relied on the Internet Archive to preserve news sites as they appeared online. Those archived pages are often the only reliable record of how stories were originally published. In many cases, articles get edited, changed, or removed—sometimes openly, sometimes not. The Internet Archive often becomes the only source for seeing those changes. When major publishers block the Archive’s crawlers, that historical record starts to disappear.

The Times says the move is driven by concerns about AI companies scraping news content. Publishers seek control over how their work is used, and several—including the Times—are now suing AI companies over whether training models on copyrighted material violates the law. There’s a strong case that such training is fair use.

Whatever the outcome of those lawsuits, blocking nonprofit archivists is the wrong response. Organizations like the Internet Archive are not building commercial AI systems. They are preserving a record of our history. Turning off that preservation in an effort to control AI access could essentially torch decades of historical documentation over a fight that libraries like the Archive didn’t start, and didn’t ask for.

If publishers shut the Archive out, they aren’t just limiting bots. They’re erasing the historical record.

Archiving and Search Are Legal

Making material searchable is a well-established fair use. Courts have long recognized it’s often impossible to build a searchable index without making copies of the underlying material. That’s why when Google copied entire books in order to make a searchable database, courts rightly recognized it as a clear fair use. The copying served a transformative purpose: enabling discovery, research, and new insights about creative works.

The Internet Archive operates on the same principle. Just as physical libraries preserve newspapers for future readers, the Archive preserves the web’s historical record. Researchers and journalists rely on it every day. According to Archive staff, Wikipedia alone links to more than 2.6 million news articles preserved at the Archive, spanning 249 languages. And that’s only one example. Countless bloggers, researchers, and reporters depend on the Archive as a stable, authoritative record of what was published online.

The same legal principles that protect search engines must also protect archives and libraries. Even if courts place limits on AI training, the law protecting search and web archiving is already well established.

The Internet Archive has preserved the web’s historical record for nearly thirty years. If major publishers begin blocking that mission, future researchers may find that huge portions of that historical record have simply vanished. There are real disputes over AI training that must be resolved in courts. But sacrificing the public record to fight those battles would be a profound, and possibly irreversible, mistake.

The Foilies 2026

Dave Maass — Sun, 15 Mar 2026 15:41:02 +0000

Recognizing the Worst in Government Transparency

The Foilies were written by EFF's Beryl Lipton, Dave Maass and Aaron Mackey and MuckRock's Dillon Bergin, Kelly Kauffman and Anna Massoglia. Art by Shelby Criswell.

For the last six years, a class of journalism students at the University of Nevada, Reno, has kicked off each semester by filing their first Freedom of Information Act (FOIA) requests.

The assignment: Request copies of complaints sent to the Federal Communications Commission (FCC) about their favorite TV show, a local radio station, or a major broadcast event, such as the Grammys or the Super Bowl halftime show. The students are learning that the federal government and every state have laws establishing the public's right to request and receive public records. It's a bedrock principle of democracy: If a government belongs to the people, so do its documents.

In the past, the FCC always provided records within a few weeks, if not days. But that changed in September when students requested consumer complaints filed against NPR and PBS stations to see if there was absolutely anything at all to merit defunding public media. Seven months later — crickets.

Now the students are learning to persevere even when public officials demonstrate an utter disdain for transparency. And The Foilies are here for it.

Established in 2015, The Foilies are an annual project by the Electronic Frontier Foundation and MuckRock to recognize the agencies, officials and contractors that thwart the public's right to know. We give out these tongue-in-cheek "awards" during Sunshine Week (March 15-21), a collective effort by media and advocacy organizations to highlight the importance of open government.

This year, we've got a few "winners" whose behavior defies belief.

But it's not all negative. Those same Reno students are also assigned to file public records requests for restaurant health inspections. This semester, the records started to show up in their inboxes within 20 minutes.

If every agency followed Northern Nevada Public Health's example, we could sunset this Sunshine Week project.

Quick links:

The Love Letters Award - Gov. Greg Abbott
The Surcharge, Eh? Award - Vancouver, B.C.
The Shady Screenshot Award - Department of Homeland Security
The Discardment of Government Efficiency Award - DOGE
The Secret Eyes in the Sky Award - Chula Vista Police Department, Calif.
The City of Darkness Award - Richmond, Va.
The Flock You Awards - Multiple Winners
The Database Deletion Award - Muneeb and Sohaib Akhter, formerly of Opexus

The Love Letters Award - Gov. Greg Abbott

Last spring, the office of Texas Gov. Greg Abbott withheld communications between himself and one of the state’s most powerful business figures, Elon Musk. The office claimed that the communications were exempt from public records law because they would reveal confidential legal and policy discussions, including how the state entices private companies to do business in Texas, or “intimate and embarrassing” information.

The claims were unelaborated boilerplate language based on exemptions in Texas’ public records law. But if you’re wondering what "intimate" and “embarrassing” exchanges Abbott and Elon Musk shared over email, you may be waiting a while.

Last fall, the Office of the Texas Attorney General ordered Texas Gov. Greg Abbott’s office to release nearly 1,400 pages of communications between Abbott and Musk. About 1,200 of those pages were fully redacted–just sheets of gray obscuration. The records that were released don’t reveal much more than an invitation to a happy hour or a reminder of the next SpaceX launch.

The Surcharge, Eh? Award - Vancouver, B.C.

Vancouver residents must now pay twice for public records. Despite taxes already funding the creation and storage of government records, the City Council approved charging people $10 Canadian (about $7.33 in the United States) every time they ask for “non-personal” public records.

Officials claim the fee is necessary to deter misuse and cover some administrative costs. The only people abusing anything, however, are the officials who imposed this tax on the public. The message Vancouver is sending is as crisp as a newly minted $10 note: Secrecy is a higher priority than public accountability.

The Shady Screenshot Award - Department of Homeland Security

The Department of Homeland Security’s banner year of lawlessness included backsliding on its transparency obligations.

In response to a request from the nonprofit American Oversight, DHS stated that it was no longer automatically archiving text messages sent between officials. The department clarified that it had a new, and much worse, records retention policy. Instead of archiving officials’ text messages as the agency had done before, DHS now asks officials to take screenshots of any text messages conducting government business on their work phones.

It’s hard to see the change as anything more than a giant middle finger to the public, especially because the Federal Records Act requires agencies to retain all records officials create while conducting their public duties, regardless of format. We won’t hold our breath waiting on DHS officials to dutifully press the volume and power button on their phones to record every text message they send and receive.

The Discardment of Government Efficiency Award - DOGE

As the Trump administration took over last year, there was a looming threat over government transparency: the so-called Department of Government Efficiency, also known as DOGE.

Billionaire Elon Musk, soon to be the de facto leader of DOGE, proudly claimed “there should be no need for FOIA requests” and “all government data should be default public for maximum transparency.” What quickly became apparent was there may be no need for FOIA requests, because there may be no FOIA officers to fulfill those requests.

DOGE quickly went to work slashing through the federal government, including seizing control of the U.S. Institute of Peace. Part of the takeover included restricting access to the agency’s FOIA system and firing the employees responsible for fulfilling FOIA requests, according to a letter sent to Bloomberg reporter Jason Leopold. Meanwhile, when CNN filed a FOIA request with the Office of Personnel Management (OPM) for information about Musk and DOGE's security clearance, they were told: "Good luck with that," because the FOIA officers had been fired.

DOGE also argued that its own records are exempt from FOIA under the Presidential Records Act, meaning records cannot be accessed until five years after President Donald Trump is out of office.

While DOGE “doesn’t exist” anymore according to the OPM, there remains a lasting dark mark on the state of FOIA and records management.

The Secret Eyes in the Sky Award - Chula Vista Police Department, Calif.

In 2021, Arturo Castañares at La Prensa San Diego filed a request with the Chula Vista Police Department for copies of videos taken by drones responding to 911 calls as part of the city's "drone as first responder" program. One of the goals was to evaluate the technology’s efficacy and risks to civil liberties.

The city worked overtime to maintain the secrecy of the footage at the same time officials publicly touted the drones as a revolution in policing. That’s some impressive trust-us-but-don’t-verify chutzpah.

The city argued that every second of every video recorded by its drones was categorically off limits because they were law enforcement investigative records. They even got a trial court to initially buy the argument.

But an appellate court ruled that the investigatory records exemption is more limited, shielding only drone footage that is part of a criminal investigation or evidence of a suspected crime. Footage of wildfires, car wrecks, wild animal sightings and the like are not criminal investigations and must be disclosed.

The California Supreme Court rejected both of CVPD's appeals and a trial court bench slapped the city for inaccurate and incomplete court filings. In the end, the city had to shell out north of $400,000 to its outside lawyers, and then paid Castañares’ lawyers more than $500,000 when he prevailed.

So what were Chula Vista police hiding? A bunch of routine service calls, such as unverified reports of a vehicle fire and a vehicle collision.

Now, according to La Prensa's reporting, officials are trying to raid a public safety fund created by voters to reimburse the city for the cost of its ill-advised secrecy.

The City of Darkness Award - Richmond, Va.

Richmond’s creation of a new FOIA Library may seem like a step toward transparency, but there are questions about the city’s commitment after it left the same officials subject to records requests in charge of curating which records might be released.

Faced with a plan to post all of the city’s eligible public records released under Virginia’s “sunshine” law, the Richmond City Council instead opted to go with the mayor’s alternative proposal. That plan lets the mayor’s administration — the same one that might be the subject of those records — decide what’s worth posting to the library.

Instead of providing access to all public records that the city released under the Virginia Freedom of Information Act, the library will only contain a subset that officials believe meet certain criteria, including records that the administration deems "relevant" to city business or that would aid "accountability.” The city cites concerns that "transparency without context" might be too confusing for the average citizen. Forgive us for having more faith in Richmond residents than its leaders do.

The city’s secrecy shenanigans extend beyond the FOIA library.

In an ongoing legal battle, attorneys representing Richmond asked a judge to prohibit former city FOIA officer Connie Clay from filing FOIA requests seeking information about her firing, and sought a gag order to prevent her from talking about the case. Clay alleges she was fired for insisting the city comply with public records law, describing what she calls a “chaotic and mismanaged” and illegal FOIA request process. Rather than agree to a $250,000 settlement, Richmond has spent more than $633,000 in taxpayer funds on legal costs. The trial and the FOIA library launch are both slated for the summer of 2026.

The Flock You Awards - Multiple Winners

If you live in one of the 5,000 cities where surveillance vendor Flock Safety claims to have established relationships with local cops, you may have noticed the sudden installation of little black cameras on poles by the side of the road or at intersections. These are automated license plate readers (ALPRs), which document every vehicle that passes within view, including the license plate, color, make, model and other distinguishing characteristics. The images are fed to Flock's servers, and the company encourages police to share the images collected locally with law enforcement throughout the country. Each year, law enforcement agencies across the country conduct tens of millions of searches of each other's databases.

In 2025, journalists and privacy advocates started filing public records requests with agencies to get spreadsheets called a "Network Audit," which shows every search, including who ran it and why. Accessing these audits uncovered abuse of the system including: investigating a woman who received an abortion, targeting immigrants, surveilling protesters, and running racist searches targeting Roma people.

In response, some cities have terminated their contracts with Flock Safety. Other law enforcement agencies, and Flock itself, have gone a different direction:

Taunton Police Department, Mass.: The police department told the ACLU of Massachusetts to cough up $1.8 million if the organization wanted its network audit logs–the highest public records fee we documented this year. The civil liberties group filed requests with agencies throughout the state for the audits, and most agencies handed over the spreadsheets for free and with little fanfare. Taunton, however, said it would take 20,000 hours to process the request, at $86.57 an hour.

Orange County Sheriff's Department, Calif.: The Orange County Sheriff gave a number of reasons it wouldn't release the network audit logs in response to a public records request. The most inane (and misspelled one): It would "disincentive law enforcement from conducting such research." Aren't cops the ones who say if you’re not doing anything wrong, you've got nothing to hide? Well, well, well, how the tables have turned.

Flock Safety: The company responded to criticisms of its ALPR network by sending legal threats aimed at trying to silence its critics. First, the company used a bogus trademark claim to threaten DeFlock.me–a crowdsourced map of ALPR. (EFF represented its creator.) Then it hired a company to try to get the hosts of HaveIBeenFlocked.com, which hosts an interface for searching these network audits, to remove the site from the internet.

The Database Deletion Award - Muneeb and Sohaib Akhter, formerly of Opexus

Brothers Muneeb and Sohaib Akhter are accused of essentially hitting delete on government data, destroying access to information contained in millions of records.

The government hired a federal contractor called Opexus, which hosts data and provides services to dozens of federal agencies. The company employed the Akhter siblings, though in February 2025, Opexus learned about the brothers’ previous convictions for wire fraud and obstructing justice. Soon after, the company fired the pair. But, according to prosecutors, the two decided to double down on being wildly unsuited for administrative access to government records systems.

The Akhters immediately turned around and retaliated “by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting databases, stealing information, and destroying evidence of their unlawful activities," according to the U.S. Department of Justice.

The two have been accused of deleting 96 government databases, many of which contained FOIA records and sensitive investigative files. Their indictment alleges that a minute later, one brother queried an artificial intelligence tool for “how to clear system logs following the deletion of databases.” The brothers are also charged with stealing government records and conspiracy to commit computer fraud.

The Brothers Akhter allegedly took mere moments to destroy untold amounts of information that belonged to the public. Though they could face decades in prison, the public may never know the extent of the damage.

Want more FOIA horror stories? Check out The Foilies archives!

EFF Launches New Fight to Free the Law

Corynne McSherry — Fri, 13 Mar 2026 19:02:58 +0000

EFF has filed a new lawsuit against the Consumer Product Safety Commission (CPSC) to ensure that the public has full access to the laws that govern us.

Our client Public.Resource.Org (Public Resource), a tiny non-profit founded by open records advocate Carl Malamud, has a mission that’s both simple and powerful: to make government information more accessible. Public Resource acquires and makes available online a wide variety of public documents such as tax filings, government-produced videos, and federal rules about safety and product designs. Those rules are initially created through private standards organizations and later incorporated into federal law. Such documents are often difficult to access otherwise, meaning the public cannot read, share, or comment on them.

Working with Harvard Law School’s Cyberlaw Clinic, Public Resource has been submitting Freedom of Information Act requests to the CPSC requesting copies of the legally binding safety codes for children’s products—an area of law of intense interest to child safety advocates and consumer advocates, not to mention the families who use those products. But CPSC says it can’t release the codes, because the private association that coordinated their initial development insists that it retains copyright in them even after they have been adopted into law. That’s like saying a lobbyist who drafted a new tax law gets to control who reads it or shares it, even after it becomes a legal mandate.

Faced with similar claims, some courts, including the Court of Appeals for the Fifth Circuit, have held that the safety codes lose copyright protection when they are incorporated into law. Others, like the D.C. Circuit (in a case EFF defended on Public Resource’s behalf), have held that even if the standards don't lose copyright once they are incorporated into law, making them fully accessible and usable online is a lawful fair use.

Now EFF has teamed up with the Cyberlaw Clinic to continue the fight. We’re asking a court to rule that copyright is no barrier to accessing and sharing the rules that are supposed to ensure the safety of our built environment and the products we use every day. With the rule of law under assault around the nation, it is more important than ever to defend our ability to read and speak the law, without restrictions.

A.B. 1043’s Internet Age Gates Hurt Everyone

Hayley Tsukayama — Thu, 12 Mar 2026 19:59:13 +0000

EFF has long warned against age-gating the internet. Such mandates strike at the foundation of the free and open internet. They create unnecessary and unconstitutional barriers for adults and young people to access information and express themselves online. They hurt small and open-source developers. And none of the available age verification options are perfect in terms of protecting private information, providing access to everyone, and safely handling sensitive data.

Last year, EFF raised concerns about A.B. 1043 as one of several bills in the California legislature that took the wrong approach to protecting young people online—by focusing on censorship rather than privacy. Now that A.B. 1043 is set to go into effect in 2027, we've received a lot of questions about its possible effects.

A.B. 1043’s Censorship Trap

Even proposals that may not explicitly mandate age verification, such as A.B. 1043, can still create many of the same censorship problems. A.B. 1043 requires all operating systems and app stores to create age bracketing systems that will segment their users based on their ages. Users are then required to provide operating systems and apps their birth date or age so that they can be placed in their respective age bracket. A.B. 1043 also requires application and software developers to collect this age bracket information when a user want to use that software or application.

A.B. 1043 treats the age-bracket signal sent by a user as giving the application or service actual knowledge of users’ ages. Knowledge that the user is a minor could provide the basis for liability under other laws, such as California Age-Appropriate Design Code.

The result is a recipe for censorship. Applications and software developers for operating systems may interpret A.B. 1043 and its potential enforcement by the California Attorney General as requiring them to exclude users who say they are minors or who don’t fit in a specific age bracket they believe is acceptable to use their application or software. But minors have a First Amendment right to access the vast majority of these apps and services. What California has done is essentially outsource censorship to developers, who are likely to lean into over-censorship.

Broad Language Undercuts Policy Goals

A.B. 1043’s one-size-fits-all approach is also problematic because it disregards the many ways in which we make and use digital tools. It assumes the internet and digital devices begin and end with the dominant technology companies and device makers, when we know that’s not the case. Additionally, many families share devices, especially in low-income households. These proposals do not account for situations where there is more than one user of a device.

Additionally, broad proposals that demand the implementation of such censorship tools under the guise of protecting young people's safety force developers to reach for imperfect solutions—or risk being found non-compliant and pushed out of markets. Many of these mandates imagine technology that does not currently exist. Such poorly thought-out mandates, in truth, cannot achieve the purported goal of age verification. Often, they are easy to circumvent and many also expose consumers to real data breach risk.

Squeezing Small and Open-Source Developers Hurts Everyone

A.B. 1043’s burdens fall particularly heavily on developers who aren’t at large, well-resourced companies, such as those developing open-source software. Not recognizing the diversity of software development when thinking about liability in these proposals effectively limits software choices—which is especially harmful at a time when computational power is being rapidly concentrated in the hands of the few. This harms users' and developers' right to free expression, their digital liberties, privacy, and ability to create and use open platforms. It also, perversely, entrenches the dominance of major operating system developers and device makers.

A.B. 1043 and similar proposals also raise considerable implementation issues because they cast a potentially wide net. A.B. 1043, for example, carves out “broadband internet access service," "telecommunications service,” and the “use of a physical product,” whereas “mobile devices” and “computers” are covered. However, so many devices could fall into these categories; people consider smart watches to be computers, for example. Virtually every digital device that runs software built in the past three decades could fall into that category. This means that consumers may have to submit age information to more companies than ever, again increasing the possibility of data misuse and data breach.

**There Is Still A Better Way**

Legislators do not need to sacrifice their constituents' First Amendment rights and privacy to make a safer internet, but they can address many of the harms these proposals seek to mitigate. Many lawmakers have recognized these approaches, such as data minimization, in their proposals. Rather than creating age gates, a well-crafted privacy law that empowers all of us—young people and adults alike—to control how our data is collected and used would be a crucial step in the right direction.

Rep. Finke Was Right: Age-Gating Isn’t About Kids, It’s About Control

Rindala Alajaji — Thu, 12 Mar 2026 19:32:55 +0000

When Rep. Leigh Finke spoke last month before the Minnesota House Commerce Finance and Policy Committee to testify against HF1434, a broad-sweeping proposal to age-gate the internet, she began with something disarming: agreement.

“I want to support the basic part of this,” she said, the shared goal of protecting young people online. Because that is not controversial: everyone wants kids to be safe. But HF1434, Minnesota’s proposed age-verification bill, simply won’t “protect children.” It mandates that websites hosting speech that is protected by the First Amendment for both adults and young people to verify users’ identities, often through government IDs or biometric data. As we’ve discussed before, the bill’s definition of speech that lawmakers deem “harmful to minors” is notoriously broad—broad enough to sweep in lawful, non-pornographic speech about sexual orientation, sexual health, and gender identity.

Rep. Finke, an openly transgender lawmaker, next raised a point that her critics have since tried to distort: age-verification laws like the Minnesota bill are already being used to block young LGBTQ+ people from exercising their First Amendment rights to access information that may be educational, affirming, or life-saving. Referencing the Supreme Court case Free Speech Coalition v. Paxton, she noted that state attorneys general have been “almost jubilant” about the ability to use these laws to restrict queer youth from accessing content. “We know that ‘prurient interest’ could be for many people, the very existence of transgender kids,” she added, referring to the malleable legal standard that would govern what content must be age-gated under the law.

But despite years’ worth of evidence to back her up, Finke has faced a wave of attacks from countless media outlets and religious advocacy groups for her statements. Rep. Finke’s testimony was repeatedly mischaracterized as not having young people’s best interests in mind, when really she was accurately describing the lived reality of LGBTQ+ youth and advocating in support of their access to vital resources and community.

In fact, this backlash proves her point. Beyond attempting to silence queer voices and to scare other legislators from speaking up against these laws, it reveals how age-verification mandates are part of a larger effort to give the government much greater control of what young people are allowed to say, read, or see online.

Rep. Finke was also right that these proposals are bad policy; they prevent all young people from finding community online, and that they violate young people and adults' First Amendment rights.

Why FSC v. Paxton Matters

Rep. Finke was similarly right to bring up the Paxton case, because beyond the troubling Supreme Court precedent it produced, Texas’s age-verification law also drew eager support from an extraordinary number of amicus briefs from anti-LGBTQ organizations (some even designated hate groups by the Southern Poverty Law Center).

In FSC v. Paxton, the Supreme Court gave Texas the green light to require age verification for sites where at least one-third of the content is sexual material deemed “harmful to minors,” which generally means explicit sexual content. This ruling, based on how young people do not have a First Amendment right to access explicit sexual content, allows states to enact onerous age-verification rules that will block adults from accessing lawful speech, curtail their ability to be anonymous, and jeopardize their data security and privacy. These are real and immense burdens on adults, and the Court was wrong to ignore them in upholding Texas’ law.

But laws enacted by other states and Minnesota HF 1434 go further than the Texas statute. Rather than restricting young people from accessing sexual content, these proposals expand what the state deems “harmful to minors” to include any speech that may reference sex, sexuality, gender, and reproductive health. But young people have a First Amendment right to both speak on those topics and to access information online about them.

We will continue to fight against all online age restrictions, but bills like Minnesota’s HF 1434, which seek to restrict young people from accessing speech about their bodies, sexuality, and other truthful information, are especially pernicious.

EFF and Rep. Finke are on the same page here: age verification mandates create immense harm to our First Amendment rights, our right to privacy, as well as our online safety and security. These proposals also fully ignore the reality that LGBTQ young people often rely on the internet for information they cannot get elsewhere.

But the Paxton case, and the coalition behind it, illustrates exactly how these laws can be weaponized. They weren’t there just to stand up for young people’s privacy online—they were there to argue that the state has a compelling interest in shielding minors from material that, in practice, often includes LGBTQ content. Ultimately, these groups would like to age-gate not just porn sites, but also any content that might discuss sex, sexuality, gender, reproductive health, abortion, and more.

Using Children as Props to Enact Censorship

The coalition of organizations that filed amicus briefs in support of Texas’s age verification law tells us everything we need to know about the true intentions behind legislating access to information online: censorship, surveillance, and control. After all, if the race to age-gate the internet was purely about child safety, we would expect its strongest supporters to be child-development experts or privacy advocates. Instead, the loudest advocates are organizations dedicated to policing sexuality, attacking LGBTQ+ folks and reproductive rights, and censoring anything that doesn’t fit within their worldview.

Below are some of the harmful platforms that the organizations supporting the age-gating movement are advancing, and how their arguments echo in the attacks on Rep. Finke today:

Policing sexuality, bodily autonomy, and reproductive rights

Many of the organizations backing age-verification laws have spent decades trying to restrict access to accurate sexual health information and reproductive care.

Groups like Exodus Cry, for example, who filed a brief in support of the Texas AG in the SCOTUS case, frame pornography as part of a broader moral crisis. Founded by a “Christian dominionist” activist, Exodus Cry advocates for the criminalization of porn and sex work, and promotes a worldview that defines “sexual immorality” as any sexual activity outside marriage between one man and one woman. Its leadership describes the internet as a battleground in a “pornified world” that has to be reclaimed. Another brief in support of the age-verification law was filed by a group of organizations including the Public Advocate of the United States (an SPLC-designated hate group) and America’s Future. America’s Future is an organization that was formed to “revitalize the role of faith in our society” and fiercely advocates in favor of trans sports bans.

These groups see age-verification laws as attractive solutions because they create a legal mechanism to wall off large swaths of content that merely mentions sex from not only young people but millions of adults, too.

Attacking LGBTQ+ Rights

Several of the most prominent legal advocates behind age-verification laws have also led the crusade against LGBTQ+ equality. The internet that these groups envision is one that heavily censors critical and even life-saving LGBTQ+ resources, community, and information.

The Alliance Defending Freedom (ADF), for instance (which is another SPLC-designated hate group), built its reputation on litigation aimed at rolling back LGBTQ+ protections—including allowing businesses to refuse service to same-sex couples, criminalizing same-sex relationships abroad, and restricting transgender rights.

The internet that these groups envision is one that heavily censors critical and even life-saving LGBTQ+ resources, community, and information.

Then there’s other groups like Them Before Us and Women’s Liberation Front, both of which submitted amici in support of the Texas Attorney General and are devoted to upending LGBTQ+ rights in the United States. Them Before Us says it’s “committed to putting the rights and well-being of children ahead of the desires and agendas of adults.” But it’s also running a campaign to “End Obergefell,” the 2015 Supreme Court case that upheld the right to same-sex marriage, and has been on the cutting edge of transphobic campaigning and pseudoscientific fearmongering about IVF and surrogacy. The Women’s Liberation Front, on the other hand, is an organization that has a long track record of supporting transphobic policies such as bathroom bills, bans on gender-affirming healthcare, and efforts to define “sex” strictly as the biological sex assigned at birth.

Through cases like FSC v. Paxton, groups like these three continue to advance a vision of society that creates government mandates to enforce their worldviews over personal freedom, while hiding behind a shroud of concern for children’s safety. But when they also describe LGBTQ+ people as “evil” threats to children and run countless campaigns against their human rights, they are being clear about their intentions. This is why we continue to say: the impact of age verification measures goes beyond porn sites.

Expanding censorship beyond the internet into real-life public spaces

As we’ve said for years now, the push to age-gate the internet is part of a broader campaign to control what information people can access in public life both on- and offline. Many of the same organizations advancing these proposals claim to be acting on behalf of young people, but their arguments consistently use children as props to justify giving the government more control over speech and information.

Many of the organizations advocating for online age verification have also supported book bans, attacks on DEI policies and education, and efforts to remove LGBTQ+ materials from schools and libraries. Two of the organizations who supported the Texas Attorney General, Citizens Defending Freedom and Manhattan Institute, have led campaigns around the country to “abolish DEI” and ban classical books like “The Bluest Eye” by Toni Morrison from school libraries. These efforts are not different from the efforts to restrict access to the internet—they reflect a broader strategy to restrict access to ideas or information that these groups find objectionable. And they discourage free thought, inquiry, and the ability for people to decide how to live their lives.

These campaigns rely on the same core argument, that certain ideas are inherently dangerous to young people and must therefore be restricted. But that framing misrepresents an important reality: if lawmakers genuinely want to address harms that young people experience online, they should start by listening to young people themselves. When EFF spoke directly with young people about their online experiences, they overwhelmingly rejected restrictions on their access to the internet and came back with nuanced and diverse perspectives. Once that principle—that certain ideas are inherently dangerous—is accepted, the internet, once a symbol of free expression, connection, creativity, and innovation, becomes the next logical target.

Once that principle—that certain ideas are inherently dangerous—is accepted, the internet, once a symbol of free expression, connection, creativity, and innovation, becomes the next logical target.

This also wouldn’t be the first time a vulnerable group is used as a prop to advance internet censorship laws. We’ve seen this playbook during the debate over FOSTA/SESTA, where many of the same advocates claimed to speak for trafficking victims/survivors and sex workers, while pushing legislation that ultimately censored online speech and harmed the very communities it invoked. It’s a familiar pattern: you invoke a vulnerable group, frame certain speech as a threat, and use that as a way to expand government control over the flow of information. And as we said in the fight against FOSTA: if lawmakers are serious about addressing harms to particular communities, they should start by talking to those communities. This means that lawmakers seeking to address online harms to young people should be talking to young people, not groups who claim their interests.

Rep. Finke Was Not Radical. She Was Right.

The Paxton case, and the coalition backing age verification laws in the U.S., shows us exactly why the messaging around these laws draws superficial support from parents and lawmakers. But we’ve heard the quiet part said out loud before. Marsha Blackburn, a sponsor of the federal Kids Online Safety Act, has said that her goal with the legislation was to address what she called “the transgender” in society. When lawmakers and advocacy groups frame queer existence itself as a threat to young people, age-verification laws become ideological enforcement instead of regulatory policy.

When lawmakers and advocacy groups frame queer existence itself as a threat to young people, age-verification laws become ideological enforcement instead of regulatory policy.

In defending free speech, privacy, and the right of young people to access truthful information about themselves, Rep. Leigh Finke was not radical—she was right. She was warning that broad, ideologically driven laws will be used to erase, silence, and isolate young people under the banner of child protection.

What’s at stake in the fight against age verification is not just a single bill in a single state, or even multiple states, for that matter. It’s about whether “protecting children” becomes a legal pretext for embedding government control over the internet to enforce specific moral and religious judgments—judgments that deny marginalized people access to speech, community, history, and truth—into law.

And more people in public office need the courage of Rep. Finke to call this out.

Certbot and Let's Encrypt Now Support IP Address Certificates

Jacob Hoffman-Andrews — Wed, 11 Mar 2026 22:32:56 +0000

(Note: This post is also cross-posted on the Let's Encrypt blog)

As announced earlier this year, Let's Encrypt now issues IP address and six-day certificates to the general public. The Certbot team here at the Electronic Frontier Foundation has been working on two improvements to support these features: the --preferred-profile flag released last year in Certbot 4.0, and the --ip-address flag, new in Certbot 5.3. With these improvements together, you can now use Certbot to get those IP address certificates!

If you want to try getting an IP address certificate using Certbot, install version 5.4 or higher (for webroot support with IP addresses), and run this command:

sudo certbot certonly --staging \
  --preferred-profile shortlived \
  --webroot \
  --webroot-path <filesystem path to webserver root> \
  --ip-address <your ip address>

Two things of note:

This will request a non-trusted certificate from the Let's Encrypt staging server. Once you've got things working the way you want, run without the --staging flag to get a publicly trusted certificate.
This requests a certificate with Let's Encrypt's "shortlived" profile, which will be good for 6 days. This is a Let's Encrypt requirement for IP address certificates.

As of right now, Certbot only supports getting IP address certificates, not yet installing them in your web server. There's work to come on that front. In the meantime, edit your webserver configuration to load the newly issued certificate from /etc/letsencrypt/live/<ip address>/fullchain.pem and /etc/letsencrypt/live/<ip address>/privkey.pem.

The command line above uses Certbot's "webroot" mode, which places a challenge response file in a location where your already-running webserver can serve it. This is nice since you don't have to temporarily take down your server.

There are two other plugins that support IP address certificates today: --manual and --standalone. The manual plugin is like webroot, except Certbot pauses while you place the challenge response file manually (or runs a user-provided hook to place the file). The standalone plugin runs a simple web server that serves a challenge response. It has the advantage of being very easy to configure, but has the disadvantage that any running webserver on port 80 has to be temporarily taken down so Certbot can listen on that port. The nginx and apache plugins don't yet support IP addresses.

You should also be sure that Certbot is set up for automatic renewal. Most installation methods for Certbot set up automatic renewal for you. However, since the webserver-specific installers don't yet support IP address certificates, you'll have to set a --deploy-hook that tells your webserver to load the most up-to-date certificates from disk. You can provide this --deploy-hook through the certbot reconfigure command using the rest of the flags above.

We hope you enjoy using IP address certificates with Let's Encrypt and Certbot, and as always if you get stuck you can ask for help in the Let's Encrypt Community Forum.

Government Spying 🤝 Targeted Advertising | EFFector 38.5

Christian Romero — Wed, 11 Mar 2026 14:50:26 +0000

Have you ever seen a really creepy targeted ad online? One that revealed just how much these companies know about your life? It's unsettling enough to see how much companies know about you—but now we have confirmation that the government is also tapping the advertising surveillance machine to get your data. We're explaining the dangers of targeted advertising and location tracking, and the latest in the fight for privacy and free speech online, with our EFFector newsletter.

JOIN OUR NEWSLETTER

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This issue covers a victory for protesters seeking to hold police accountable, a troubling conflict over the Department of Defense's use of AI, and how advertising surveillance enables government surveillance.

Prefer to listen in? Big news: EFFector is now available on all major podcast platforms! In this episode we chat with EFF Staff Attorney Lena Cohen about how targeted advertising can reveal your location to federal law enforcement. You can find the episode and subscribe in your podcast player of choice:

Privacy info. This embed will serve content from simplecast.com

Copyright Bullying vs. Religious Freedom

Kit Walsh — Tue, 10 Mar 2026 23:06:19 +0000

The government should not help a religious institution to punish or deter members from inquiring about their faith. Yet, once again, the Watch Tower Bible and Tract Society is trying to use flimsy copyright claims to exploit the special legal tools available to copyright owners in order to unmask anonymous online speakers. And, once again, EFF has stepped in to urge the courts not to give Watch Tower’s attempts the force of law, with the help of local counsel Jonathan Phillips of Phillips & Bathke, P.C.

EFF’s client, J. Doe, is a member of the Jehovah’s Witnesses who became interested in the history of the organization’s public statements, and how they’ve changed over time. They created research tools to analyze those documents and ultimately created a website, JWS Library, allowing others to use those tools and verify their findings through an archive that included documents suppressed by the church. Doe and others discovered prophecies that failed to come true, erasure of a leader’s disgrace, increased calls for obedience and donations, and other insights about the Jehovah’s Witnesses’ practices. Doe also used machine translation on a foreign-language document to help the community understand what the church was saying to different audiences and also to help understand potential changes in the organization’s attitudes towards dissent.

Within the church, dissent or even asking questions has often been punished by labeling members as apostates and ostracizing—or “disfellowshipping”— them. As a result, Doe and others choose to speak anonymously to avoid retaliation that could cost them family, friend, and professional relationships.

There is no law against questioning the Jehovah’s Witnesses. Instead, Watch Tower argues that Doe’s activities constitute copyright infringement and seeks to use the special process provided in the Digital Millennium Copyright Act (DMCA) to unmask them. It sent DMCA subpoenas to Google and Cloudflare, seeking information that would help them uncover Doe’s identity.

The problem for Watch Tower is that Doe’s research and commentary are clear fair uses allowed under copyright law. The First Amendment does not permit the unmasking of anonymous speakers based on such weak claims. Indeed, the First Amendment protects anonymous speakers precisely because some would be deterred from speaking if they faced retribution for doing so.

EFF stands with those who question the claims of those in power and who share the tools and knowledge needed to do so. We urge the judges in the Southern District of New York to quash these improper subpoenas and not allow copyright to be used to suppress important, legitimate speech.

Think Twice Before Buying or Using Meta’s Ray-Bans

Thorin Klosowski — Tue, 10 Mar 2026 21:02:41 +0000

Over the last decade or so, the tech industry has tried, and mostly failed, to make “smart glasses”—tech-infused glasses with cameras, AI, maps, displays, and more—a thing. But in the past year, products like Meta’s Ray-Ban Display Glasses and Oakley’s Meta Glasses have gone from a curious niche to the mainstream.

Before you strap a dashcam to your face and sprint out into the world filming everything and everyone in your life, there are some civil liberties and privacy concerns to consider before buying or using a pair.

Meta is the biggest company that makes these sorts of glasses and their partnerships with Ray-Ban and Oakely are the most popular options, so we’ll be mostly focusing on them here. Others, like models from Snapchat are similar in form but far less ubiquitous. But Meta won’t hold this space for long. Google’s already announced a partnership with Warby Parker for their “AI-powered smart glasses,” and there are rumors around a competing product from Apple.

With that, let’s dive into some of the considerations you should make before purchasing a pair.

If You’re Thinking About Buying Smart Glasses

You’re likely not the only one who can see (and hear) your footage

The photos and videos you record with most smartglasses will likely be stored online at some point in the process. On Meta’s offerings, unless you are livestreaming, media you capture when you press the camera button is kept on the glasses until you import them onto your phone, but media is imported automatically by default into the Meta AI mobile app, which is required to set up the glasses.

You can't use any AI features locally on the glasses. So anytime you use AI features, like when you say, “Hey Meta, start recording,” the footage is fed to Meta. You can use the glasses without the Meta AI app entirely, but considering you can’t easily download footage from the glasses to your phone without it, most people will likely use the app.

Some videos are fed to Meta for AI training, and we know at least in some cases that those videos go through human review. An investigation by Swedish newspapers found that workers were reviewing and annotating camera footage, which includes all sorts of sensitive videos, including nudity, sex, and going to the bathroom. Meta claimed to the BBC that this is in accordance with its terms of use, all in the name of AI training, which states:

In some cases, Meta will review your interactions with AIs, including the content of your conversations with or messages to AIs, and this review may be automated or manual (human).

This all means that Meta and their third-party contractors will have access to at least some of what you record, and it’s very hard as a user to know where footage goes, who will have access to it, and what they will do with it. When you save footage to your phone’s camera roll, which is where the Meta AI app stores content, that might also be sent to Apple or Google’s servers, depending on your settings. Employees at these companies can then possibly access that media, and it could be shared with law enforcement.

The recorded audio from conversations with Meta AI are also saved by default, and if you don’t like that, tough luck, unless you go in and manually delete them every time you say something.

Filming all the time is even more privacy invasive than you think

A common argument in favor of using the cameras in smartglasses is that phones and cameras can do this too, and it’s never been a problem.

But smartglasses are designed to resemble regular glasses, to the point where most reviews point out how friends didn’t notice that they had cameras embedded in them. They’re designed to be invisible to those being recorded—outside of a small indicator light when they’re recording video footage (that cheap hacks can disable)—whereas it is often obvious that a person is recording if they pull their phone out of their pocket and point it at someone else.

They’re designed to be invisible to those being recorded, outside of a small indicator light when they’re recording.

Moreover, constant recording of everything in public spaces can create all sorts of potential privacy problems, some more obvious than others. This is another way that cameras on glasses are different from cameras on phones: it is far easier to constantly record one’s whereabouts with the former than the latter. If you continuously record, maybe you just happen to catch someone entering their passcode or password onto their phone or computer at a coffee shop, or broadcast someone’s bank details when you’re standing in line at an ATM. That doesn’t even begin to get into when smartglasses are intentionally used for less socially responsible means. And some people may forget to turn off their smartglasses when they enter a private space like a bathroom.

And if you find yourself caught on someone’s camera, there’s not much you can do in recourse. If you do notice a stranger recording you, it’s up to you to intervene and ask not to be included in that footage, which can easily turn awkward or confrontational.

Our expectations of privacy shift when we’re in public, but bystanders in many cases will still have privacy interests. Public spaces are a place where you will be seen, but that shouldn’t mean it’s suddenly okay to catalog and identify everyone.

Consider the company’s track record and public statements

Meta, Google, Apple—perhaps one benefit of all the major tech companies entering this market is that we already have a good idea of how much they tend to respect the privacy of their users or the openness of their platforms. Spoiler, it’s often not much.

Meta has a long history of privacy invasive technologies and practices. We’ve heard rumblings that Meta hopes to add face recognition to its smartglasses, preferably, “during a dynamic political environment where many civil society groups that we would expect to attack us would have their resources focused on other concerns.” Yikes. This is a monumentally bad idea that should be abandoned by Meta and any of its competitors considering a similar feature. But regardless of whether they launch this feature, it’s a pretty clear indication of where Meta wants these sorts of devices to go.

If You Have Smartglasses Already

Opt out of sharing with Meta where you can

You can disable a couple of the features where unnecessary data is sent to Meta. In the Meta AI app, under the device settings, there’s a privacy page where you can disable sharing additional data, and more importantly, turn off “Cloud media,” where your photos and videos are sent to Meta’s cloud for processing and temporary storage.

Decide your use-case and stick to it

These glasses can be useful for filming a variety of activities. We’ve seen fascinating scenes of tattoo artists doing their work (with client’s permission), and it doesn’t take a stretch of the imagination to see how people might use it to film extreme sports. Even on an everyday level, you might find them useful for capturing holidays, birthdays, and all sorts of other private occasions.

But if you buy these glasses for a specific, mostly private purpose, it is probably best to stick to that, instead of wearing them everywhere and recording everything you do.

Follow the rules of businesses and social expectations

You often have a right to record in public spaces, but that doesn’t mean other people will like it. Businesses, including restaurants and stores, may want nothing to do with continuous filming and may either post a sign asking you not to use smartglasses, or ask you to stop. This may reflect the preferences not just of the business owner, but the people around you. And don’t use glasses to record when you enter other people’s private spaces like bathrooms or changing rooms.

It’s also a good idea to check in with friends and family before tapping that record button at a social gathering. Some people may not be as comfortable with these glasses as they are with other recording equipment.

Consider blurring strangers if you’re going to upload video

Blurring video footage isn’t an easy task, but if you’re considering uploading footage from something like a protest, it may be worth the effort to do so (apps like Meta’s Edits simplify this process, as do some other video sites, like YouTube). Some people don’t want the government to see their faces at protests, and might be afraid to attend if other people are uploading their faces.

Some people don’t want the government to see their faces at protests, and might be afraid to attend if other people are uploading their faces.

It would be better if Meta leveraged its AI features to offer this sort of feature automatically, especially with livestreaming. It’s not that outlandish of a request, as it seems like the company tries to blur faces automatically in footage it captures for annotation, though it’s not always reliable. After all, Google began redacting faces in Street View years ago, following privacy concerns from groups like EFF.

Resist face recognition

Adding facial recognition technology to smartglasses would obliterate the privacy of everyone. We cannot let companies push face recognition into these glasses, and as a user, you should make your voice clear that this is not something you want.

Smartglasses don’t have to be used to decimate the privacy of anyone you encounter during the day. There are legitimate uses out there, but it’s up to those who use them to respect the social norms of the spaces they enter and the people they encounter.

The Government Must Not Force Companies to Participate in AI-powered Surveillance

Corynne McSherry — Tue, 10 Mar 2026 20:39:18 +0000

Update:

On March 24, 2026, the Northern District of California granted Anthropic's Motion for Preliminary Injunction, finding that the government's actions were not designed to protect national security, but rather to punish Anthropic. "Punishing Anthropic for bringing public scrutiny to the government’s contracting position is classic illegal First Amendment retaliation."

The rapidly escalating conflict between Anthropic and the Pentagon, which started when the company refused to let the government use its technology to spy on Americans, has now gone to court. The Department of Defense retaliated by designating the company a “supply chain risk” (SCR). Now, Anthropic is asking courts to block the designation, arguing that the First Amendment does not permit the government to coerce a private actor to rewrite its code to serve government ends.

We agree.

As EFF, the Foundation for Individual Rights and Expression, and multiple other public interest organizations explained in a brief filed in support of Anthropic’s motion, the development and operation of large language models involve multiple expressive choices protected by the First Amendment. Requiring a company to rewrite its code to remove guardrails means compelling different expression, a clear constitutional violation. Further, the public record shows that the SCR designation is intended to punish the company both for pushing back and for its CEO’s public statements explaining that AI may supercharge surveillance practices that current law has proven ill-equipped to address.

As we also explain, the company’s concerns about how the government will use its technology are well-founded. The U.S. government has a long history of illegally surveilling its citizens without adequate judicial oversight based on questionable interpretations of its Constitutional and statutory obligations. The Department of Defense acquires vast troves of personal information from commercial entities, including individuals’ physical location, social media, and web browsing data.Other government agencies continue to collect and query vast quantities of Americans’ information, including by acquiring information from third party data brokers.

A growing body of social science research illustrates the chilling effects of these pervasive activities. Fearing retribution for unpopular views, dissenters stay silent. And AI only exacerbates the problem. AI can quickly analyze the government’s massive datasets or combine that information with data scraped off the internet, purchased through the commercial data broker market, or from local police surveillance devices and use all of that data to construct a comprehensive picture of a person’s life and infer sensitive details like their religious beliefs, medical conditions, political opinions, or even sex partners. For example, an agency could use AI to infer an individual’s association with a particular mosque based on data showing that they visited its website, followed its social media accounts, and were located near the mosque during religious services. AI can also deanonymize online speech by using public information to unmask anonymous users.

It is easy to conceive how an agency, a government employee with improper intent, or a malicious hacker could exploit these capabilities to monitor public discourse, preemptively squelch dissent, or persecute people from marginalized communities. Against this background and absent meaningful changes to the governing national security laws and judicial oversight structure, it is entirely reasonable for Anthropic—or any other company—to insist on its own guardrails.

Without action from Congress, the task of protecting your privacy has fallen in large part to Big Tech—something no one wants, including Big Tech. But if Congress won’t do it, companies like Anthropic must be allowed to step in, without facing retribution.

The SAFE Act is an Imperfect Vehicle for Real Section 702 Reform

Matthew Guariglia — Mon, 09 Mar 2026 20:27:36 +0000

The SAFE act, introduced by Senators Mike Lee (R-UT) and Dick Durbin (D-IL), is the first of many likely proposals we will see to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008—and while imperfect, it does propose a litany of real and much-needed reforms of Big Brother’s favorite surveillance authority.

The irresponsible 2024 reauthorization of the secretive mass surveillance authority Section 702 not only gave the government two more years of unconstitutional surveillance powers, it also made the policy much worse. But, now people who value privacy and the rule of law get another bite at the apple. With expiration for Section 702 looming in April 2026, we are starting to see the emergence of proposals for how to reauthorize the surveillance authority—including calls from inside the White House for a clean reauthorization that would keep the policy unchanged. EFF has always had a consistent policy: Section 702 should not be reauthorized absent major reforms that will keep this tactic of foreign surveillance from being used as a tool of mass domestic espionage.

What is Section 702?

Section 702 was intended to modernize foreign surveillance of the internet for national security purposes. It allows collection of foreign intelligence from non-Americans located outside the United States by requiring U.S.-based companies that handle online communications to hand over data to the government. As the law is written, the intelligence community (IC) cannot use Section 702 programs to target Americans, who are protected by the Fourth Amendment’s prohibition on unreasonable searches and seizures. But the law gives the intelligence community space to target foreign intelligence in ways that inherently and intentionally sweep in Americans’ communications.

We live in an increasingly globalized world where people are constantly in communication with people overseas. That means, while targeting foreigners outside the U.S. for “foreign intelligence Information” the IC routinely acquires the American side of those communications without a probable cause warrant. The collection of all that data from U.S telecommunications and internet providers results in the “incidental” capture of conversations involving a huge number of people in the United States.

But, this backdoor access to U.S. persons’ data isn’t “incidental.” Section 702 has become a routine part of the FBI’s law enforcement mission. In fact, the IC’s latest Annual Statistical Transparency Report documents the many ways the Federal Bureau of Investigation (FBI) uses Section 702 to spy on Americans without a warrant. The IC lobbied for Section 702 as a tool for national security outside the borders of the U.S., but it is apparent that the FBI uses it to conduct domestic, warrantless surveillance on Americans. In 2021 alone, the FBI conducted 3.4 million warrantless searches of US person’s 702 data.

The Good

Let’s start with the good things that this bill does. These are reforms EFF has been seeking for a long time and their implementation would mean a big improvement in the status quo of national security law.

First, the bill would partially close the loophole that allows the FBI and domestic law enforcement to dig through 702-collected data’s “incidental” collection of the U.S. side of communications. The FBI currently operates with a “finders keeper” mentality, meaning that because the data is pre-collected by another agency, the FBI believes it can operate with almost no constraints on using it for other purposes. The SAFE act would require a warrant before the FBI looked at the content of these collected communications. As we will get to later, this reform does not go nearly far enough because they can query to see what data on a person exists before getting a warrant, but it is certainly an improvement on the current system.

Second, the bill addresses the age-old problem of parallel construction. If you’re unfamiliar with this term, parallel construction is a method by which intelligence agencies or domestic law enforcement find out a piece of information about a subject through secret, even illegal or unconstitutional methods. Uninterested in revealing these methods, officers hide what actually happened by publicly offering an alternative route they could have used to find that information. So, for instance, if police want to hide the fact that they knew about a specific email because it was intercepted under the authority of Section 702, they might use another method, like a warranted request to a service provider, to create a more publicly-acceptable path to that information. To deal with this problem, the SAFE Act mandates that when the government seeks to use Section 702 evidence in court, it must disclosure the source of this evidence “without regard to any claim that the information or evidence…would inevitably have been discovered, or was subsequently reobtained through other means.”

Next, the bill proposes a policy that EFF and other groups have nonetheless been trying to get through Congress for over five years: ending the data broker loophole. As the system currently stands, data brokers who buy and sell your personal data collected from smartphone applications, among other sources, are able to sell that sensitive information, including a phone’s geolocation, to the law enforcement and intelligence agencies. That means that with a bit of money, police can buy the data (or buy access to services that purchase and map the data) that they would otherwise need a warrant to get. A bill that would close this loophole, the Fourth Amendment is Not For Sale Act passed through the House in 2024 but has yet to be voted on by the Senate. In the meantime, states have taken it upon themselves to close this loophole with Montana being the first state to pass similar legislation in May 2025. The SAFE Act proposes to partially fix the loophole at least as far as intelligence agencies are concerned. This fix could not come soon enough—especially since the Office of the Director of National Intelligence has signaled their willingness to create one big, streamlined, digital marketplace where the government can buy data from data brokers.

Another positive thing about the SAFE Act is that it creates an official statutory end to surveillance power that the government allowed to expire in 2020. In its heyday, the intelligence community used Section 215 of the Patriot Act to justify the mass collection of communication records like metadata from phone calls. Although this legal authority has lapsed, it has always been our fear that it will not sit dormant forever and could be reauthorized at any time. This new bill says that its dormant powers shall “cease to be in effect” within 180 of the SAFE Act being enacted.

What Needs to Change

The SAFE Act also attempts to clarify very important language that gauges the scope of the surveillance authority: who is obligated to turn over digital information to the U.S. government. Under Section 702, “electronic communication service providers” (ECSP) are on the hook for providing information, but the definition of that term has been in dispute and has changed over time—most recently when a FISA court opinion expanded the definition to include a category of “secret” ECSPs that have not been publicly disclosed. Unfortunately, this bill still leaves ambiguity in interpretation and an audit system without a clear directive for enforcing limitations on who is an ECSP or guaranteeing transparency.

As mentioned earlier, the SAFE Act introduces a warrant requirement for the FBI to read the contents of Americans’ communications that have been warrantlessly collected under Section 702. However, the law does not in its current form require the FBI to get a warrant before running searches identifying whether Americans have communications present in the database in the first place. Knowing this information is itself very revealing and the government should not be able to profit from circumventing the Fourth Amendment.

When Congress reauthorized Section 702 in 2014, they did so through a piece of policy called the Reforming Intelligence and Securing America Act (RISAA). This bill made 702 worse in several ways, one of the most severe being that it expanded the legal uses for the surveillance authority to include vetting immigrants. In an era when the United States government is rounding up immigrants, including people awaiting asylum hearings, and which U.S officials are continuously threatening to withhold admission to the United States from people whose politics does not align with the current administration, RISAA sets a dangerous precedent. Although RISAA is officially expiring in April, it would be helpful for any Section 702 reauthorization bill to explicitly prohibit the use of this authority for that reason.

Finally, in the same way that the SAFE Act statutorily ends the expired Section 215 of the Patriot Act, it should also impose an explicit end to “Abouts collection” a practice of collecting digital communications, not if their from suspected people, but if their are “about” specific topics. This practice has been discontinued, but still sits on the books, just waiting to be revamped.

Privacy's Defender: Launch Party in Berkeley

Melissa Srago — Mon, 09 Mar 2026 19:29:42 +0000

We're celebrating the launch of Privacy's Defender, a new book by EFF Executive Director Cindy Cohn on Thursday, March 12—and we want you to join us! Cindy has tangled with the feds, fought for your data security, and argued before judges to protect our access to science and knowledge on the internet. In Privacy's Defender she asks: can we still have private conversations if we live our lives online?

Join the festivities for a live conversation between Cindy Cohn and Annalee Newitz followed by a book signing with Cindy.

$20 General Admission for 1
$30 Discounted tickets for 2
$12.50 Student Ticket
All proceeds benefit EFF's mission.

Want your own copy of Privacy's Defender?
Save $10 when you preorder the book with your ticket purchase

WHEN:
Thursday, March 12th, 2026
6:30 pm to 9:30 pm

WHERE:
Ciel Creative Space
Entrance located at:
940 Parker St, Berkeley, CA 94710

6:30 PM Doors Open
7:15 PM Program Begins

About the book

Throughout her career, Cindy Cohn has been driven by a fundamental question: Can we still have private conversations if we live our lives online? Privacy’s Defender chronicles her thirty-year battle to protect our right to digital privacy and shows just how central this right is to all our other rights, including our ability to organize and make change in the world.

Shattering the hypermasculine myth that our digital reality was solely the work of a handful of charismatic tech founders, the author weaves her own personal story with the history of Crypto Wars, FBI gag orders, and the post-9/11 surveillance state. She describes how she became a seasoned leader in the early digital rights movement, as well as how this work serendipitously helped her discover her birth parents and find her life partner. Along the way, she also details the development of the Electronic Frontier Foundation, which she grew from a ragtag group of lawyers and hackers into one of the most powerful digital rights organizations in the world.

Part memoir and part legal history for the general reader, the book is a compelling testament to just how hard-won the privacy rights we now enjoy as tech users are, but also how crucial these rights are in our efforts to combat authoritarianism, grow democracy, and strengthen other human rights. Learn about the Privacy's Defender book tour.

Parking

Street parking is available around the building.

Accessibility

The main event space is wheelchair accessible, on concrete. Lively music will be playing, and the speakers will be using a microphone, so louder volumes are expected. EFF is committed to improving accessibility for our events. If you will be attending in-person and need accommodation, or have accessibility questions prior to the event, please contact events@eff.org.

Food and Drink

Wine & Beer will be available for purchase. Cellarmaker Brewing Co., located next door to Ciel Space, will be serving food until 8:00 pm.

Questions?

Email us at events@eff.org.

About the Speakers

Ms. Cohn has been named to TheNonProfitTimes 2020 Power & Influence TOP 50 list, honoring 2020's movers and shakers. In 2018, Forbes included Ms. Cohn as one of America's Top 50 Women in Tech. The National Law Journal named Ms. Cohn one of 100 most influential lawyers in America in 2013, noting: "[I]f Big Brother is watching, he better look out for Cindy Cohn." She was also named in 2006 for "rushing to the barricades wherever freedom and civil liberties are at stake online." In 2007 the National Law Journal named her one of the 50 most influential women lawyers in America. In 2010 the Intellectual Property Section of the State Bar of California awarded her its Intellectual Property Vanguard Award and in 2012 the Northern California Chapter of the Society of Professional Journalists awarded her the James Madison Freedom of Information Award.

Ms. Cohn is the author of the professional memoir, called Privacy's Defender to be published by MIT Press in March, 2026. She is also the co-host of EFF's award-winning podcast, How to Fix the Internet.

Annalee Newitz
Annalee Newitz writes science fiction and nonfiction. They are the author of four novels: Automatic Noodle, The Terraformers, The Future of Another Timeline, and Autonomous, which won the Lambda Literary Award. As a science journalist, they are the author of Stories Are Weapons: Psychological Warfare and the American Mind, Four Lost Cities: A Secret History of the Urban Age and Scatter, Adapt and Remember: How Humans Will Survive a Mass Extinction, which was a finalist for the LA Times Book Prize in science. They are a writer for the New York Times and elsewhere, and have a monthly column in New Scientist. They have published in The Washington Post, Slate, Scientific American, Ars Technica, The New Yorker, and Technology Review, among others. They were the co-host of the Hugo Award-winning podcast Our Opinions Are Correct, and have contributed to the public radio shows Science Friday, On the Media, KQED Forum, and Here and Now. Previously, they were the founder of io9, and served as the editor-in-chief of Gizmodo.

EFFecting Change: Privacy's Defender

Melissa Srago — Mon, 09 Mar 2026 17:39:53 +0000

Join EFF Executive Director Cindy Cohn in conversation with 404 Media Cofounder Jason Koebler to discuss Privacy's Defender: My Thirty-Year Fight Against Digital Surveillance, Cindy’s personal story of standing up to the Justice Department, taking on the NSA, and tangling with the FBI to protect our right to digital privacy. The highly anticipated book asks the fundamental question: Can we still have private conversations if we live our lives online? Join the livestream for a live discussion followed by by Q&A.

EFFecting Change Livestream Series:
Privacy's Defender
Thursday, March 19th
11:00 AM - 12:00 PM Pacific
This event is LIVE and FREE!

Accessibility

This event will be live-captioned and recorded. EFF is committed to improving accessibility for our events. If you have any accessibility questions regarding the event, please contact events@eff.org.

Event Expectations

EFF is dedicated to a harassment-free experience for everyone, and all participants are encouraged to view our full Event Expectations.

Upcoming Events

Want to make sure you don’t miss our next livestream? Here’s a link to sign up for updates about this series: eff.org/ECUpdates. If you have a friend or colleague that might be interested, please join the fight for your digital rights by this link: eff.org/EFFectingChange. Thank you for helping EFF spread the word about privacy and free expression online.

Recording

We hope you and your friends can join us live! If you can't make it, we’ll post the recording afterward on YouTube and the Internet Archive!

About the Speakers

Cindy Cohn
Cindy Cohn is the Executive Director of the Electronic Frontier Foundation. From 2000-2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography. Ms. Cohn has been named to TheNonProfitTimes 2020 Power & Influence TOP 50 list, honoring 2020's movers and shakers. In 2018, Forbes included Ms. Cohn as one of America's Top 50 Women in Tech. The National Law Journal named Ms. Cohn one of 100 most influential lawyers in America in 2013, noting: "[I]f Big Brother is watching, he better look out for Cindy Cohn." She was also named in 2006 for "rushing to the barricades wherever freedom and civil liberties are at stake online." In 2007 the National Law Journal named her one of the 50 most influential women lawyers in America. In 2010 the Intellectual Property Section of the State Bar of California awarded her its Intellectual Property Vanguard Award and in 2012 the Northern California Chapter of the Society of Professional Journalists awarded her the James Madison Freedom of Information Award.

Jason Koebler
Jason Koebler is a cofounder of 404 Media, a journalist-owned investigative tech publication. He reports on surveillance and privacy, the ways that artificial intelligence is changing the internet, labor, and society, and consumer rights. Before 404 Media, he was the editor-in-chief of Motherboard, VICE's technology publication and an executive producer on Encounters, a Netflix documentary about the search for alien life.

Admiring Our Heroes for International Women’s Day: Celebrating Women Who Have Received EFF Awards

Jason Kelley — Sat, 07 Mar 2026 00:57:34 +0000

For the last hundred years, women have had pivotal and far too often unsung roles in building and shaping the technology that we now use every day. Many have heard of Ada Lovelace’s contributions to computer programming, but far fewer know Mary Allen Wilkes, a prominent modern programmer who wrote much of the software for the LINC, one of the world’s first interactive personal computers (it could fit in a single office and cost $40,000, but it was the 60’s). Decades earlier, when the first all-electronic, digital Eniac computer was built in the 40’s, the “software” for it was written by women: Kathleen McNulty, Jean Jennings, Betty Snyder, Marlyn Wescoff, Frances Bilas and Ruth Lichterman.

It’s thankfully become more common knowledge that actor and inventor Hedy Lamarr co-created the concept of "frequency-hopping" that became a basis for radio systems from cell phones to wireless networking systems. But too few know Laila Ohlgren, who in the 1970’s solved a major problem with the development of mobile networks and phones by recognizing that dialed numbers could be stored and sent all at once with a “call button,” rather than sent one number at a time, which created connection issues before a call was even made.

Women in tech deserve more and brighter spotlights. At EFF, we’ve had the honor of celebrating some of our heroes at our annual EFF Awards, including many women who are leading the digital rights community. For International Women’s Day, we’re highlighting the contributions of just a few of these recipients from the last decade, whose work to protect privacy, speech, and creativity online has had a global impact.

Carolina Botero (EFF Award Winner, 2024)

Carolina Botero is a leader in the fight for digital rights in Latin America. For over a decade, she led the Colombia-based Karisma Foundation and cultivated its regional and international impact. Botero and Karisma helped connect indigenous peoples to the internet and made it possible to contribute content to Wikipedia in their native language, expanding access to both history and modern information. They built alliances to combat disinformation, pushed for legal tools to protect cultural and heritage institutions from digital blackholes, and were, and remain, a necessary voice speaking for human rights in the online world. EFF worked closely with Karisma and Botero to help free Colombian graduate student Diego Gomez, who shared another student’s Master’s thesis with colleagues over the internet. Diego’s story demonstrates what can go wrong when nations enact severe penalties for copyright infringement, and thanks to work from Karisma, many partners, and many EFF supporters, he was cleared of the criminal charges that he faced for this harmless act of sharing scholarly research.

Carolina Botero receiving her EFF Award

Botero stepped down from the role in 2024, opening the door for a new generation. While her work continues—she’s currently on the advisory board of CELE, the Centro de Estudios en Libertad de Expresión—her EFF Award was well-deserved based on her strong and inspiring legacy for those in Latin America and beyond who advocate for a digital world that enhances rights and empowers the powerless. Learn more about Botero on her EFF Awards page and the recap of the 2024 event.

Chelsea Manning (EFF Award Winner, 2017)

Chelsea Manning became famous as a whistleblower: In 2010, she disclosed classified Iraq War documents, including a video of the killings of Iraqi civilians and two Reuters reporters by U.S. troops. These documents exposed aspects of U.S. operations in Iraq and Afghanistan that infuriated the public and embarrassed the government. But she is also a transparency and transgender rights advocate, network security expert, author, and former U.S. Army intelligence analyst.

Manning joined the military in 2007. Her role as an intelligence analyst to an Army unit in Iraq in 2009 gave her access to classified databases, but more importantly, it gave her a uniquely comprehensive view of the war in Iraq, and she became increasingly disillusioned and frustrated by what she saw, versus what was being shared. In 2010, she approached major news outlets hoping to give information to them that would reveal a new side of the war to the public. Ultimately, she shared the documents with Wikileaks.

Manning’s bravery did not end there. When she was arrested a few months later, she endured "cruel, inhuman and degrading" treatment, according to the UN Special Rapporteur on torture. She was locked up alone for 23 hours a day over an 11-month period, before her trial. The mistreatment resulted in public outcry and advocacy by organizations like Amnesty International. Even a State Department spokesperson, Philip Crowley, criticized the treatment as "ridiculous, counterproductive, and stupid," and resigned. She was moved to a medium-security facility in April 2011.

The government’s charges against Manning were outrageous, but in 2013 she was convicted of 19 of 22 counts as a result of her whistleblowing activities. She became one of fewerthan a dozen people prosecuted for espionage in the entire history of the United States, and she was sentenced to the longest punishment ever imposed on a whistleblower. Then, the day after her conviction, isolated from her community and in all likelihood expecting to remain in prison for years if not decades, she courageously issued a statement identifying herself as a trans woman, which she’d wanted to reveal for years.

Over the next several years, while imprisoned, she became an advocate both for government transparency and for transgender rights. Her conviction and sentence pointed to the need for legal reform of both the Computer Fraud and Abuse Act (CFAA) and the Espionage Act. EFF filed an amicus brief to the U.S. Army Court of Criminal Appeals arguing that the CFAA was never meant to criminalize violations of private policies like those of government systems, and EFF also pushed, and continues to fight for, narrower interpretations of the Espionage Act and stronger protections for whistleblowers, particularly to take into account both the motivation of individuals who pass on documents and the disclosure’s ramifications.

Even after President Obama commuted her sentence in 2017, and EFF celebrated her work and her release with an EFF award in September, 2017, her fight wasn’t over. She was imprisoned again twice in 2019 and ultimately fined $256,000 for refusing to testify before grand juries investigating WikiLeaks founder Julian Assange. The U.N. Special Rapporteur on torture again criticized Manning’s treatment, writing that "the practice of coercive detention appears to be incompatible with the international human rights obligations of the United States."

Manning was released in 2020 after having spent almost a decade in total imprisoned for her courage. She wrote a memoir, README.txt, in 2022, to take back control over her story.

EFF Award Winners Mike Masnick, Annie Game, and Chelsea Manning

Annie Game (EFF Award Winner, 2017)

Annie Game spent over 16 years as the Executive Director of IFEX, a global network of journalism and civil liberties organizations working together to defend freedom of expression. IFEX (formerly International Freedom of Expression Exchange) began in the 1990s, when a group of organizations and the Canadian Committee to Protect Journalists came together to consider how to respond as a single voice to free-expression violations around the world. IFEX now is a global hub for the protection of free speech and journalism.

Game recognized early on that digital rights and freedom of expression groups needed one another. Under her leadership, IFEX paired more traditional free-expression organizations with their more digital counterparts, with a focus on building organizational security capacities. IFEX Initiatives under Game’s leadership have been expansive. For example, the International Day to End Impunity for Crimes against Journalists, November 2, has been an annual wake-up call and reminder for UN member states to live up to their commitments to protecting journalists. UNESCO observed more than 1,700 journalists were killed globally between 2006 and 2024, and nearly 90% of these cases went unsolved in the courts.

Game and IFEX have also focused on high-profile cases of journalists threatened by governments for their work, such as Bahey eldin Hassan in Egypt. Bahey is the director of the Cairo Institute for Human Rights Studies (CIHRS) and has advocated for freedom of expression and the basic human rights of Egyptians, but has lived in exile since 2014. The charges against him, of “disseminating false information” and “insulting the judiciary,” are common tactics of intimidation and harassment. Bahey’s supposed crimes were sharing social media posts criticising the Egyptian judiciary’s lack of independence, and speaking about the killing in Egypt of Italian researcher Giulio Regeni. Bahey—an IFEX member—is just one of many reporters and human rights workers in danger when they speak. But when journalists and those defending their rights online speak out as one voice, as IFEX helps them do, it makes a difference.

Another initiative has been the Faces of Free Expression project, a partnership between IFEX and the International Free Expression Project. If you’re looking for more heroes, this project details the stories of “risk-takers and change-makers – individuals who put their careers, their freedom, their safety, and sometimes even their lives on the line,” while reporting, or defending free expression and the right to information.

Wherever authoritarianism and repression of speech have been on the rise, Game has unapologetically called out injustices and made it safer for journalists to do their work, while ensuring accountability when crimes are committed. The work is more critical now than ever, and since leaving IFEX in 2022, she’s remained an activist while focusing increasingly on environmental protection.

Twelve More Heroes

EFF has honored many more women with awards over the years—from Anita Borg and Hedy Lamarr to Amy Goodman and Beth Givens. This blog from 2012 looks back and acknowledges the important contributions from twelve more EFF Award winners.

We’ve also asked five women at EFF about women in digital rights, freedom of expression, technology, and tech activism who have inspired us. You can read that here.

Donate to Support EFF's Work

Your donations empower EFF to do even more.

Admiring Our Heroes for International Women’s Day: Five Women In Tech That EFF Admires

Allison Morris — Fri, 06 Mar 2026 22:48:43 +0000

In honor of International Women’s Day, we asked five women at EFF about women in digital rights, freedom of expression, technology, and tech activism who have inspired us.

Anna Politkovskaya

Jillian York, Activist
This International Women’s Day, I want to honor the memory of Anna Politkovskaya, the Russian investigative journalist who relentlessly exposed political and social abuses, endured harassment and violence for her work, and was ultimately killed for telling the truth. I had just started my career when I learned of her death, and it forced me to confront that freedom of expression isn’t an abstract principle but rather something people risk—and sometimes lose—their lives for.

Her story reminds me that journalism at its best is an act of moral courage, not just a profession. In the face of threats, poison, and relentless pressure to stay silent, she chose to continue writing about what she saw, insisting that ordinary people’s lives were worth the world’s attention. She refused to compromise with power, even when she knew it could cost her life. To me, defending freedom of expression means defending those like Anna who bear witness to injustice, prioritize truth, and hold power to account for those whose voices are silenced.

Cindy Cohn

Corynne McSherry, Legal Director
There are so many women who have shaped tech history—most of whom are still unsung heroes—that it’s hard to single out just one. But it’s easier this year because it’s a chance to celebrate my boss, Cindy Cohn, before she leaves EFF for her next adventure.

Cindy has been fighting for our digital rights for 30 years, leading EFF’s legal work and eventually the whole organization. She helped courts understand that code is speech deserving of constitutional protections at a time when many judges weren’t entirely sure what code even was. She led the fight against NSA spying, and even though outdated and ill-fitting doctrines like the state secrets privilege prevented courts from ruling on the obvious unconstitutionality of the NSA’s mass surveillance program, the fight itself led to real reforms that have expanded over time.

I’ve worked closely with her for much of her EFF career, starting in 2005 when we sued Sony for installing spyware in millions of computers, and I’ve seen firsthand her work as a visionary lawyer, outstanding writer, and tireless champion for user privacy, free expression, and innovation. She’s also warm and funny, with the biggest heart in the world, and I’m proud to call her a friend as well as a mentor.

Donate to Support EFF's Work

Your donations empower EFF to do even more.

Jane

Sarah Hamid, Activist
When talking about women in tech, we usually mean founders, engineers, and executives. But just as important are the women who quietly built the practices that underpin today’s movement security culture.

For as long as social movements have organized in the shadow of state surveillance, women have been designing the protocols, mutual aid networks, and information flows that keep people alive. Those threats feel ever-escalating: fusion‑center monitoring of protests, federal agencies infiltrating and subpoenaing encrypted Signal and social media chats, prosecutors mining search histories.

In the late 1960s and early 1970s, the underground Jane abortion counseling service—formally the Abortion Counseling Service of Women’s Liberation—built what we would now recognize as a feminist infosec project for abortion access. Jane connected an estimated 11,000 people with safer abortions before Roe v. Wade, using a single public phone number—“Call Jane”—paired with code names, compartmentalized roles, and minimal records so no one person held the full story of who needed care, who was providing it, and where. When Chicago police raided the collective in 1972, members destroyed their index‑card files rather than let them become a ready‑made map of patients and helpers—an analog secure‑deletion choice that should feel familiar to anyone who has ever wiped a phone or locked down a shared drive.

The lesson we should take from Jane is a set of principles that still hold in our encrypted‑but‑insecure present: Collect less, separate what you do collect, and be ready to burn the file box. When a search query, a location ping, or a solidarity post can become evidence, treating information as both lifeline and liability is not paranoia—it is care work.

Ebele Okobi

Babette Ngene, Director of Public Interest Technology
In the winter of 2013, I had just landed my first job at the intersection of tech and human rights, working for a prominent nonprofit and I was encouraged to attend regular tech and policy events around town. One such event on internet governance was happening at George Washington University, focusing on multi-stakeholder engagement on internet policy and governance issues, with companies, nonprofits, and government representatives in attendance. I was inexperienced with these topics, and I’ll admit I was a bit intimidated.

Then I saw her. She was the only woman on the opening panel, an African woman, an accomplished woman. Not only was she a respected lawyer at Yahoo at the time, but her impressive background, presence, and confident speaking style immediately inspired me. She made me feel like I, too, belonged in that room and could become a powerful voice.

Ebele Okobi would go on to become one of the most powerful and respected voices in the tech and human rights space, known for her advocacy for digital rights and responsible innovation across Africa and the broader global majority during her tenure at Facebook. Beyond her corporate advocacy, Ebele has consistently championed ethical technology and social justice. She embodies the leadership qualities I value most: empathy, speaking truth to power, integrity, and authenticity.

I remain in the tech and human rights space because I saw her, because seeing her made me feel seen. Representation truly does matter.

Ada Lovelace

Allison Morris, Chief Development Director
I’m not a lawyer, activist, or technologist; I’m a fundraiser and a lover of stories. And what storyteller at EFF couldn’t help but love Ada Lovelace? The daughter of Lord Byron—the human embodiment of Romanticism—Ada was an innovator in math and science and, ultimately, the writer of the first computer program.

Lovelace saw the potential in Charles Babbage’s theoretical General Purpose Computer (which was never actually built) and created the foundations of modern computing long before the digital age. In creating the first computer code, Lovelace took Babbage’s concept of a machine that could perform mathematical calculations and realized that it could manipulate symbols as well as numbers.

Given the expectations of women in her time and the controversy of what work should be attributed to Lovelace as opposed to the man she often worked with, I can’t help but be inspired by her story.

Women in tech deserve more and brighter spotlights. At EFF, we’ve had the honor of celebrating some of our heroes at our annual EFF Awards, including many women who are leading the digital rights community. For International Women’s Day, we also highlighted the contributions of just a few of these recipients from the last decade, whose work to protect privacy, speech, and creativity online has had a global impact.

Weasel Words: OpenAI’s Pentagon Deal Won’t Stop AI‑Powered Surveillance

Corynne McSherry — Fri, 06 Mar 2026 16:03:15 +0000

OpenAI, the maker of ChaptGPT, is rightfully facing widespread criticism for its decisions to fill the gap the U.S. Department of Defense (DoD) created when rival Anthropic refused to drop its restrictions against using its AI for surveillance and autonomous weapons systems. After protests from both users and employees who did not sign up to support government mass surveillance—early reports show that ChaptGPT uninstalls rose nearly 300% after the company announced the deal—Sam Altman, CEO of OpenAI, conceded that the initial agreement was “opportunistic and sloppy.” He then re-published an internal memo on social media stating that additions to the agreement made clear that “Consistent with applicable laws, including the Fourth Amendment to the United States Constitution, National Security Act of 1947, [and] FISA Act of 1978, the AI system shall not be intentionally used for domestic surveillance of U.S. persons and nationals.”

Trouble is, the U.S. government doesn’t believe “consistent with applicable laws” means “no domestic surveillance.” Instead, for the most part, the government has embraced a lax interpretation of “applicable law” that has blessed mass surveillance and large-scale violations of our civil liberties, and then fought tooth and nail to prevent courts from weighing in.

"After all, many of the world’s most notorious human rights atrocities have historically been “legal” under existing laws at the time."

“Intentionally” is also doing an awful lot of work in that sentence. For years the government has insisted that the mass surveillance of U.S. persons only happens incidentally (read: not intentionally) because their communications with people both inside the United States and overseas are swept up in surveillance programs supposedly designed to only collect communications outside the United States.

The company’s amendment to the contract continues in a similar vein, “For the avoidance of doubt, the Department understands this limitation to prohibit deliberate tracking, surveillance, or monitoring of U.S. persons or nationals, including through the procurement or use of commercially acquired personal or identifiable information.” Here, “deliberate” is the red flag given how often intelligence and law enforcement agencies rely on incidental or commercially purchased data to sidestep stronger privacy protections.

Here’s another one: “The AI System shall not be used for unconstrained monitoring of U.S. persons’ private information as consistent with these authorities. The system shall also not be used for domestic law-enforcement activities except as permitted by the Posse Comitatus Act and other applicable law.” What, one wonders, does “unconstrained” mean, precisely—and according to whom?

Lawyers sometimes call these “weasel words” because they create ambiguity that protects one side or another from real accountability for contract violations. As with the Anthropic negotiations, where the Pentagon reportedly agreed to adhere to Anthropic’s red lines only “as appropriate,” the government is likely attempting to publicly commit to limits in principle, but retain broad flexibility in practice.

OpenAI also notes that the Pentagon promised the NSA would not be allowed to use OpenAI’s tools absent a new agreement, and that its deployment architecture will help it verify that no red lines are crossed. But secret agreements and technical assurances have never been enough to rein in surveillance agencies, and they are no substitute for strong, enforceable legal limits and transparency.

OpenAI executives may indeed be trying, as claimed, to use the company’s contractual relationship with the Pentagon to help ensure that the government should use AI tools only in a way consistent with democratic processes. But based on what we know so far, that hope seems very naïve.

Moreover, that naïvete is dangerous. In a time when governments are willing to embrace extreme and unfounded interpretations of “applicable laws,” companies need to put some actual muscle behind standing by their commitments. After all, many of the world’s most notorious human rights atrocities have historically been “legal” under existing laws at the time. OpenAI promises the public that it will “avoid enabling uses of AI or AGI that harm humanity or unduly concentrate power,” but we know that enabling mass surveillance does both.

OpenAI isn’t the only consumer-facing company that is, on the one hand, seeking to reassure the public that they aren’t participating in actions that violate human rights while, on the other, seeking to cash in on government mass surveillance efforts. Despite this marketing double-speak, it is very clear that companies just cannot do both. It’s also clear that companies shouldn’t be given that much power over the limits of our privacy to begin with. The public should not have to rely on a small group of people—whether CEOs or Pentagon officials—to protect our civil liberties.

The Government Uses Targeted Advertising to Track Your Location. Here's What We Need to Do.

Lena Cohen — Thu, 05 Mar 2026 14:00:38 +0000

We've all had the unsettling experience of seeing an ad online that reveals just how much advertisers know about our lives. You're right to be disturbed. Those very same online ad systems have been used by the government to warrantlessly track peoples' locations, new reporting has confirmed.

For years, the internet advertising industry has been sucking up our data, including our location data, to serve us "more relevant ads." At the same time, we know that federal law enforcement agencies have been buying up our location data from shady data brokers that most people have never heard of.

Now, a new report gives us direct evidence that Customs and Border Protection (CBP) has used location data taken from the internet advertising ecosystem to track phones. In a document uncovered by 404 Media, CBP admits what we’ve been saying for years: The technical systems powering creepy targeted ads also allow federal agencies to track your location.

The document acknowledges that a program by the agency to use "commercially available marketing location data" for surveillance drew from the process used to select the targeted ads shown to you on nearly every website and app you visit. In this blog post, we'll tell you what this process is, how it can and is being used for state surveillance, and what can be done about it—by individuals, by lawmakers, and by the tech companies that enable these abuses.

Advertising Surveillance Enables Government Surveillance

The online advertising industry has built a massive surveillance machine, and the government can co-opt it to spy on us.

In the absence of strong privacy laws, surveillance-based advertising has become the norm online. Companies track our online and offline activity, then share it with ad tech companies and data brokers to help target ads. Law enforcement agencies take advantage of this advertising system to buy information about us that they would normally need a warrant for, like location data. They rely on the multi-billion-dollar data broker industry to buy location data harvested from people’s smartphones.

We’ve known for years that location data brokers are one part of federal law enforcement's massive surveillance arsenal, including immigration enforcement agencies like CBP and Immigration and Customs Enforcement (ICE). ICE, CBP and the FBI have purchased location data from the data broker Venntell and used it to identify immigrants who were later arrested. Last year, ICE purchased a spy tool called Webloc that gathers the locations of millions of phones and makes it easy to search for phones within specific geographic areas over a period of time. Webloc also allows them to filter location data by the unique advertising IDs that Apple and Google assign to our phones.

But a document recently obtained by 404 Media is the first time CBP has acknowledged the location data it buys is partially sourced from the system powering nearly every ad you see online: real-time bidding (RTB). As CBP puts it, “RTB-sourced location data is recorded when an advertisement is served.”

Even though this document is about a 2019-2021 pilot use of this data, CBP and other federal agencies have continued to purchase and use commercially obtained location data. ICE has purchased location tracking tools since then and recently requested information on “Ad Tech” tools it could use for investigations.

The CBP document acknowledges two sources of location data that it relies on: software development kits (SDKs) and RTB, both methods of location-tracking that EFF has written about before. Apps for weather, navigation, dating, fitness, and “family safety” often request location permissions to enable key features. But once an app has access to your location, it could share it with data brokers directly through SDKs or indirectly (and often without the app developers' knowledge) through RTB. Data brokers can collect location data from SDKs that they pay developers to put in their apps. When relying on RTB, data brokers don’t need any direct relationship with the apps and websites they’re collecting location data from. RTB is facilitated by ad companies that are already plugged into most websites and apps.

Donate to Support EFF's Work

Your donations empower EFF to do even more.

How Real-Time Bidding Works

RTB is the process by which most websites and apps auction off their ad space. Unfortunately, the milliseconds-long auctions that determine which ads you see also expose your information, including location data, to thousands of companies a day. At a high-level, here’s how RTB works:

The moment you visit a website or app with ad space, it asks an ad tech company to determine which ads to display for you.
This ad tech company packages all the information they can gather about you into a “bid request” and broadcasts it to thousands of potential advertisers.
The bid request may contain information like your unique advertising ID, your GPS coordinates, IP address, device details, inferred interests, demographic information, and the app or website you’re visiting. The information in bid requests is called “bidstream data” and typically includes identifiers that can be linked to real people.
Advertisers use the personal information in each bid request, along with data profiles they’ve built about you over time, to decide whether to bid on the ad space.
The highest bidder gets to display an ad for you, but advertisers (or the adtech companies that represent them) can collect your bidstream data regardless of whether or not they bid on the ad space.

A key vulnerability of real-time bidding is that while only one advertiser wins the auction, all participants receive data about the person who would see their ad. As a result, anyone posing as an ad buyer can access a stream of sensitive data about billions of individuals a day. Data brokers have taken advantage of this vulnerability to harvest data at a staggering scale. For example, the FTC found that location data broker Mobilewalla collected data on over a billion people, with an estimated 60% sourced from RTB auctions. Leaked data from another location data broker, Gravy Analytics, referenced thousands of apps, including Microsoft apps, Candy Crush, Tinder, Grindr, MyFitnessPal, pregnancy trackers and religious-focused apps. When confronted, several of these apps’ developers said they had never heard of Gravy Analytics.

As Venntel, one of the location data brokers that has sold to ICE, puts it, “Commercially available bidstream data from the advertising ecosystem has long been one of the most comprehensive sources of real-time location and device data available.” But the privacy harms of RTB are not just a matter of misuse by individual data brokers. RTB auctions broadcast the average person’s data to thousands of companies, hundreds of times per day, with no oversight of how this information is ultimately exploited. Once your information is broadcast through RTB, it’s almost impossible to know who receives it or control how it’s used.

What You Can Do To Protect Yourself

Revelations about the government's exploitation of this location data shows how dangerous online tracking has become, but we’re not powerless. Here are two basic steps you can take to better protect your location data:

Disable your mobile advertising ID (see instructions for iPhone/Android). Apple and Google assign unique advertising IDs to each of their phones. Location data brokers use these advertising IDs to stitch together the information they collect about you from different apps.
Review apps you’ve granted location permissions to. Apps that have access to your location could share it with other companies, so make sure you’re only granting location permission to apps that really need it in order to function. If you can’t disable location access completely for an app, limit it to only when you have the app open or only approximate location instead of precise location.

For more tips, check out EFF’s guide to protecting yourself from mobile-device based location tracking. Keep in mind that the security plan that’s best for you will vary in different situations. For example, you may want to take stronger steps to protect your location data when traveling to a sensitive location, like a protest.

What Tech Companies and Lawmakers Must Do

Legislators and tech companies must act so that individuals don’t bear the burden of defending their data every time they use the internet.

Ad tech companies must reckon with their role in warrantless government surveillance, among other privacy harms. The systems they built for targeted advertising are actively used to track people’s location. The best way to prevent online ads from fueling surveillance is to stop targeting ads based on detailed behavioral profiles. Ads can still be targeted contextually—based on the content people are viewing—without collecting or exposing their sensitive personal information. Short of moving to contextual advertising, tech companies can limit the use of their systems for government location tracking by:

Stopping the use of precise location data for targeted advertising. Ad tech companies facilitating ad auctions can and should remove precise location data from bid requests. Ads can be targeted based on people’s coarse location, like the city they’re in, without giving data brokers people’s exact GPS coordinates. Precise location data can reveal where we work, where we live, who we meet, where we protest, where we worship, and more. Broadcasting it to thousands of companies a day through RTB is dangerous.
Removing advertising IDs from devices, or at minimum, disabling them by default. Advertising IDs have become a linchpin of the data broker economy and are actively used by law enforcement to track people’s location. Advertising IDs were added to phones in 2012 to let companies track you, and removing them is not a far-fetched idea. When Apple forced apps to request access to people’s advertising IDs starting in 2021 (if you have an iPhone you’ve probably seen the "Ask App Not to Track" pop-ups), 96% of U.S. users opted out, essentially disabling advertising IDs on most iOS devices. One study found that iPhone users were less likely to be victims of financial fraud after Apple implemented this change. Google should follow Apple’s lead and disable advertising IDs by default.

Lawmakers also need to step up to protect their constituents' privacy. We need strong, federal privacy laws to stop companies from spying on us and selling our personal information. EFF advocates for data privacy legislation with teeth and a ban on ad targeting based on online behavioral profiles, as it creates a financial incentive for companies to track our every move.

Legislators can and must also close the "data broker loophole" on the Fourth Amendment. Instead of obtaining a warrant signed by a judge, law enforcement agencies can just buy location data from private brokers to find out where you've been. Last year, Montana became the first state in the U.S. to pass a law blocking the government from buying sensitive data it would otherwise need a warrant to obtain. And in 2024, Senator Ron Wyden's EFF-endorsed Fourth Amendment is Not for Sale Act passed the House before dying in the Senate. Others should follow suit to stop this end-run around constitutional protections.

Online behavioral advertising isn’t just creepy–it’s dangerous. It's wrong that our personal information is being silently harvested, bought by shadow-y data brokers, and sold to anyone who wants to invade our privacy. This latest revelation of warrantless government surveillance should serve as a frightening wakeup call of how dangerous online behavioral advertising has become.

Donate to Support EFF's Work

Your donations empower EFF to do even more.

Speaking Freely: Shin Yang

David Greene — Wed, 04 Mar 2026 19:47:03 +0000

*This interview has been edited for length and clarity.

David Greene: Shin, please introduce yourself to the Speaking Freely community.

Shin Yang: My name is Shin Yang. I am a queer writer with a legal background and experience in product management. I am the steward of Lezismore, an independent, self-hosted, open-source community for sexual minorities in Taiwan. For the past decade, I have focused on platform governance as infrastructure, with a particular emphasis on anonymity, minimal data collection, and behavior-based accountability, so that people can speak about intimacy and identity without fear of extraction or exposure. I am a community architect and builder, not an influencer. I’ve spent most of the past decade working anonymously building systems, designing governance protocols, and holding space for others to speak while keeping myself in the background.

DG: Great. And so let’s talk about how that work intersects with freedom of expression as a principle, and your own personal feelings about freedom of expression. And so with that in mind, let me just start with a basic question, what does freedom of expression mean to you?

SHIN: For me, free expression is about possibility, and possibility always contains both and even multiple ends, the beautiful ones and the brutal in equal measure. Maybe not that equal, but you cannot just speak about the beautiful or good things. I think it's not about pushing discomfort out of the room. If we refuse all discomfort, we end up in echo chambers, which is safe, predictable; but dead. What matters to me is the equipment and principles: Who carries through that discomfort, self-discipline, mutual support, and the infrastructure and governance that can let people grow over time. Keeps a workable gray space open: room to make mistakes, learn, repair, and keep speaking.

DG: How does that resonate with you personally? Why are you passionate about that?

SHIN: Around 2013 in Taiwan's context, when Facebook started to take over the digital ecosystem in Taiwan, many local independent bulletin boards (BBS) that had been formed for sexual minorities were shut down because they had no income from advertisements, and people were pushed into mainstream platforms—like Facebook, Instagram, Meta, whatever, Twitter now X—where sexual expression was usually reported or flagged, and where I watched sharp intra-community exclusionary voices saying “bisexual and trans people were not pure enough”, or that talking openly about sex would harm our image, or that it was inappropriate to children, or it would invite harassment. Those oppressions are even fiercer within the queer community itself, which is self-censoring in order to gain approval from mainstream society.

So, the community itself says that the best way to do it is don't talk about it. Never talk about it. Never mention a single thing about it. It was a wakeup call for me, because I think it's not right. And also, there's another more private story for me, it's a story I heard from our sexual minority community. I once heard about a butch student who was sexually assaulted by a group of men because she dated a beautiful classmate, a beautiful woman in the class.

And when I learned what happened to her, that story changed my focus. Because, you know, when people hear this kind of story, they always focus on punishing those men, punishing those criminals—but what matters for me most is building conditions where someone like her could someday still have a chance at intimacy on her own terms, and finally be free from fear. That's more important for me. I may never meet her, but I know who I am and what I'm here to build. I have been building an infrastructure –– not just “safe space” as a slogan, but an “ecospace” designed to make survival and growth possible. So that's why I believe that a well-governed space is what matters for communities now.

DG: Why is it so important for sexual minorities to have forums where they can communicate in that way? When it was just the bulletin boards, before social media, what worked really well and what didn’t work well?

SHIN: That’s a wonderful question. Okay, the bulletin boards I used before, the registration process doesn't require a lot of information. You just need email.

What I miss about bulletin boards is the sense of structure. You didn’t enter a personalized feed—you entered a place with visible rooms and topics. Even in the spaces you visited daily, you’d encounter views you didn’t like, and you had to live with that—and learn how to argue, or leave, or build something parallel. In some boards, moderators were community-chosen, which created a practical kind of participation—not perfect democracy, but civic practice.

You have to provide the information of which school you are in, because it's based on school. But it's not that difficult to use that. And also they have some kinds of logistics, like you log into different boards with different topics, and you can see that there are huge topics along with several small topics. So when you log into that, you can sense and feel the whole structure of that community. It's not a personal feed bombing you with everything you like. So you know, even in the board you’re most likely to visit every day, you will definitely encounter some speech you don't like, and you argue with them, you fight with them, or build something parallel, that's the civic foundation of democracy. You experience the everyday practice of civic democracy. People can vote for moderators or even recall them.

DG: You mean, the community can ask them to leave the bulletin boards?

SHIN: No, they don't actually leave the bulletin board. It's more that the moderator no longer has the right to perform administrative tasks, but they can still be part of the community, and ordinary users can vote in the election for this.

DG: Okay, and then what were the shortcomings of the bulletin boards?

SHIN: Yeah, it’s brutal. Really brutal. And I’ve seen people literally organize to push others out. I didn’t expect this to turn into story time, but I actually love this. So—back in Taiwan, we had this big BBS forum called PTT. There was a board called the ‘Sex’ board, where people could talk about sexual topics and share sexual health info. But around 2010, the space was dominated by mainstream straight cis men. And whenever a woman or a sexual minority posted anything, they often got harassed or attacked. So, women created another board inside the forum—basically a separate space—called ‘Feminine Sex.’ And from then on, the original Sex board and the Feminine Sex board were in conflict all the time. And honestly, if this happened today on Facebook, Threads, or X… we’d just block each other. Easy. Clean. Done.

But the problem is: when blocking becomes the default, we don’t really learn how to argue well, how to organize our reasons, or even how to sit with discomfort and understand why the other side thinks the way they do. We lose that practice—because it’s just so easy to delete people from our world now. I’m not saying blocking is always wrong. But there’s a trade-off.

DG: I get that. Then when Facebook and the other social media platforms that followed came along and the users migrated over to the commercial services, what was lost?

SHIN: What was lost? I think our behavior got shaped—personal branding became the default setting for joining an online community. If you don't do it, like me, you basically don't exist. Influence can be shaped by the number of social media followers; people define each other based on this. Choosing not to obey the logic of mainstream platforms means being unseen, and being unseen means having no influence.

And sure, personal branding can be useful—but I don’t believe it’s the only way to express yourself or connect with a community. The problem is, on mainstream platforms, the whole system is built for visibility. So clout becomes the game. Look at what they push: stories, reels, short-form visuals. And as a former product manager, I can tell you—this is not accidental. It’s designed. It’s designed around human nature: to avoid friction as much as possible. So they keep you scrolling, to make reacting effortless. One tap and you’ve sent a smiley face. Engagement becomes easier… but also cheaper.

And the scary part is, people start thinking that’s the whole internet. It’s not. But the more we get trained by these interfaces, the harder it becomes to even imagine other ways of building community. It is becoming more difficult for people to imagine that the "right" amount of friction can actually help us to grow, and coexist with the diversity.

DG: So did you find that there were certain things you couldn't talk about on Facebook or on the other social media platforms because they were sexual, because sexual speech was not as welcome as it was earlier?

SHIN: Yes, when I first started building my community, I knew nothing about technology. Like everyone else, I just created a fan page on Facebook, which was then flagged and deleted. This happened. I think it still happens to this day. At first, I was so angry about it. I felt it was unjust. But every time I wrote to Facebook, they just said that I had violated the user terms. At first I was furious. But I don’t stop at anger. I dig deeper. I thought, “Why do you say I violated the user terms?”

I read the terms, compared policies across platforms and applications, and realized the pattern: All of the terms of use forbid adult or erotic content in fine print. Because these are profit-driven systems optimized to minimize legal and business risk. So, I don’t frame it as “evil platforms.” I frame it as incentives. Once I understood this, I realized that we should not only protest and ask those big tech platforms to “give” us a voice –– that's a good approach, but it shouldn't be the only one. I believe we should build our own community. That's why I started researching open-source software and building my own self-hosted community.

DG: Please talk a little bit more about what you're building, and how what you're building is consistent with your view of free expression.

SHIN: Sure. It’s a long process but the reason why I use open-source software is, for a person knowing nothing about technology, I can come to the open-source community and ask questions about it. It’s more reliable than building it myself.

And the second example is about how I designed Lezismore’s registration and community access, mostly through trial and error.

We don’t require any real-name or ID verification. In fact, you can register with just an email. But instead of “verifying people,” we redesigned the "space".

Lezismore is built as a two-layer structure. The main website is searchable, but it looks almost… boring on purpose—advocacy articles, writers’ posts, slow content. The truly active community space is inside that main site, and the entry point is not something you casually discover through search. Most people learn how to get in through word of mouth. We also block search engines, bots, and crawlers from the community area. So from day one, we gave up visibility on purpose—we traded reach for resilience.

Then there’s the onboarding. New users go through an “apprenticeship” period. You can’t immediately post, comment, or DM people. You first have to read, observe, and understand how the community works. We don’t even tell you exactly how long it takes—you just have to be patient. In the fast-content era, people constantly complain that this is “annoying” or “hard to use.” And yes, it is friction indeed.

But that friction buys something valuable: a space that can stay anonymous, inclusive, and high-trust—without being instantly overwhelmed by harassment or bad-faith users. It also means we don’t need to depend on Big Tech’s third-party verification APIs. With relatively low technical cost, we’re using governance design—not data collection—to balance inclusion and protection.

And honestly, as a platform owner, I have to be real about what users “actually” need. If this was truly “just terrible UX,” the site wouldn’t survive in today’s hyper-competitive platform environment. But Lezismore has been running for over a decade, and we still have tens of thousands of people quietly reading and interacting every month. This is one of the biggest tradeoffs in my governance design. In an attention economy, choosing low visibility is a bold decision, and maintaining it has a real cost.

On top of that, we rely on human, context-based moderation. We use posts, replies, and Q&A threads to actively teach community norms—why diversity and conflict exist, how to handle risk, and how to protect yourself. Users also share practical safety tips and real interaction experiences with each other. There are many more small mechanisms built into the system, but that’s the core logic.

And there’s one more layer: the legal environment. In Taiwan, the legal climate around sex and speech can create chilling effects for smaller platforms. Platform owners can be criminally liable in certain scenarios. That’s exactly why governance design matters—it’s how we keep lawful expression possible without over-collecting data.

DG: Ah, so you need to be careful. I’m curious whether you’ve had any examples of offline repression. Do you have any experiences with censorship or feeling like you didn’t have your full freedom of expression in your offline experiences? Any experiences that might inform what an ideal online community might look like?

SHIN: Yes—actually, most of my earliest experiences with repression were offline, and they shaped how I later understood the internet as an escape route.

Back when I was a high school student, I was already involved in student movements and gender-related advocacy. One very concrete example was dress codes. The school restricted what female students could wear, and students organized to push for change. At one point we even had a vote—something like 98% of students supported revising the policy. But when the issue entered the “official” system, the administration simply ignored it. They bypassed procedure, dismissed the consensus, and used authority to shut it down completely.

That was my first clear lesson about repression: it’s not always someone telling you “you’re forbidden to speak.” Sometimes it’s a system designed so that even if students, women, or sexual minorities spend enormous effort building agreement, once our voices enter the institution, they can be treated as if they don’t exist.

That’s why, in the early 2010s, online space became my breakthrough. This was still the blog era, before social platforms fully standardized everything, and even before “share” mechanisms were built into everyday activism. I started experimenting with things like blog-based petitions, and a lot of students joined. The internet became a way to bypass institutional gatekeeping.

In college, I saw another layer. There was serious sexism from people in authority—military-style discipline officers, some teachers, and administrators. When gender-related controversies happened on campus, the media sometimes showed up and reported in ways that were harmful: exposing people, sensationalizing stories, and ignoring the realities of sexual minority students. Meanwhile, the administration would shut down student demands with authority, and at the same time use incentives and pressure behind the scenes, especially around housing or “benefits”—so some student representatives were afraid to speak honestly in meetings.

And this was before livestreaming was a normal tool. But even then, I was already using audio-based live channels to connect students across campuses. Online networks became a lifeline for young advocates, especially those of us who didn’t “fit” the institution and needed each other to survive.

I came from a literature background. I had zero technical training at the beginning. But I’ve always been the kind of person who loves trying new technology. And I was lucky, because I was born in that strange window when the internet was rapidly expanding, but not yet fully swallowed by Big Tech. So, I grew up in this tension between nostalgia and innovation, and I kept pushing, resisting, and experimenting. I’ve experienced both sides of speech: how beautiful freedom can be, and how terrifying it can become.

DG: Going back to Lezismore, I’m curious: When you ask people to observe before they post, what are you hoping they learn about the community before they more actively participate in it?

SHIN: I hope people understand that this is a community rather than a dating app focused on results. The community needs people to support and nurture each other. Some people see us as a dating app and expect a frictionless experience; naturally, they are disappointed. If you're only looking for a fast-food relationship, that's fine. Here, however, it is a community that offers more than just hooking up. The design focuses on words and a person’s behavioral history rather than just a photo. Dopamine bombing is not how we do things here.

We’ve also built a library of community safety notes, FAQs, and governance reminders over time. Some written by the team, some contributed by members. Not everyone reads them, and that’s fine. But the design makes it easier for people who want a slower, more intentional space to stay—and for people who want something frictionless to self-select out.

SHIN: I run the platform anonymously by design. People may know that there’s an admin called “Shin”, but I don’t associate a face or personal brand with the role because I don’t want the community to depend on my visibility for their trust.

We maintain a clear distinction between work and private life. Admin power is never a shortcut to social capital. In a sex-positive space, this boundary is a matter of ethics. The moment a founder’s identity becomes central, the space starts to orbit that person, and expectations, fan-service dynamics and power asymmetries creep in. Then speech becomes performance.

It also means I’m less “marketable” to attention-driven media—but that tradeoff protects the community’s integrity. Some media outlets only want a face and a persona. However, I accept this cost because I am trying to build a community that can thrive independently of an idol, where people relate to each other through behavior and shared norms, not proximity to the founder.

DG: It sounds like a lot of what you’re doing is about people being authentic on the site, not using personas or using it to create a personal platform for themselves for marketing purposes.

SHIN: Exactly, people can share links, but if a post is purely self-promotion with no contribution to the community, we don’t encourage this. I hope people here can respect the reciprocity.

DG: I want to shift a bit and talk about freedom of expression as a principle for a while. Do you think freedom of expression should be regulated by governments?

SHIN: Speech regulation is hard, because speech is freaking messy. And once you turn messy human speech into rules that scale, nuance gets flattened. Minority communities usually pay first, because large systems choose efficiency over lived reality.

I also don’t think the answer is “erase all conflict.” Some friction is the price of pluralism, and with good guidance and interface design, conflict can become a point of learning instead of a point of collapse. From a platform owner’s perspective, legal liability is real and often cruel. So if we expect platforms to be free, frictionless, allow everything we like, erase everything we dislike, and still amplify our visibility—then we’re really asking for magic. That’s why we need to talk seriously about alternatives and procedural safeguards, not just louder demands.

Age verification is a good example. I get that the goal is to protect minors. But identity-based age gates often turn into identity infrastructure. They chill lawful adult speech, concentrate gatekeeping power, and push everyone to hand over personal data just to access legal content. From my experience, there are other tools that can reduce harm with less damage—things like community design, visibility gating, and human, context-based moderation. Those approaches can protect people without building a personal-data checkpoint for everyone.

DG: You talked about minority voices, and minority speech. Are you concerned that any regulation will end up trying to silence minority speakers, or won’t benefit minority speakers. How are these speakers more vulnerable to speech regulations than others?

SHIN: Hmmm......a lot of minority speech is context-heavy. The same words can be support, education, or harassment depending on who says it and why. When regulation turns into broad categories, sexual health education, self-explore experiment sharing, trans healthcare discussions, or reclaimed language can be treated as “harmful” out of context (at both sides). So the risk isn’t only censorship, it’s misclassification at scale.

DG: Are there certain types of speech that don’t deserve the conversation. Some people might say that hate speech or speech that’s dehumanizing doesn’t deserve the conversation. Are there any categories of speech that you would say we shouldn’t consider, or do we get to talk about everything?

SHIN: Okay, I don't think the issue is about saying certain kinds of speech don't deserve to be discussed; the problem lies in the definition. As soon as we suggest that some speech doesn't merit discussion, some people will exploit this to silence their opponents. Whether it's right-wing, left-wing or anything else, if we say that we don't allow any kind of hate speech, the next thing someone will do is define your speech as hate speech. It's an endless war that draws us all into an eagerness to silence others and grab the mic, instead of creating more space for conversations and learning from each other.

We should go further than just regulation and create spaces where people can coexist in a grey area, endure some discomfort and engage with each other. I prefer this approach to trying to draw lines.

DG: So even well-intentioned restrictions might always be used against minority speakers?

SHIN: I wouldn’t say restriction is not good. There always has to be some kind of restriction, but people will always find a way to overcome or take advantage of it. So, the thing I believe is that regulation is regulation, but community should be an open-source archive. How we govern community, how we dialogue between each other when we disagree with each other…how can we create a space where those things can exist? I believe that those things should be open source. People always talk about open source like it’s just coding, but I believe governance should be open source too.

DG: So when you said before some restrictions are necessary but then we talk about open source governance, we’re talking about the same thing. When you say some restrictions are necessary, you’re not necessarily saying government restrictions, but that restrictions should come from somewhere else: that’s an open source governance model?

SHIN: Yes. And it should include restrictions in law, and how people deal with it, the way we deal with it. I’m not saying every rule or detection signal should be public. By “open-source governance,” I mean shareable governance playbooks: proportional steps, appeals templates, community norms, and design patterns that small communities can adapt. The goal is portability and adaptability of methods, not making systems easy to game. Because malice is always part of the environment.

DG: Is there anything else you want to say about your theory of open-source governance or what it means to you?

SHIN: I noticed there was a question in another interview about fostering transparency in social media, and how to appeal, and that the reason [for a takedown] should be more transparent. The interesting thing is that before our interview today I was joining a law and technology policy research group, and they’re reading a book called “Law and Technology: A Methodical Approach”. It's worth mentioning that it's very interesting. Apparently, scientists tend to place emphasis on complexity, which often trips up pragmatic reform efforts, so the recommendations often only call for greater transparency or participation.

I think this echoes what we were talking about before and the transparency thing. I heard this podcast in Taiwan about cybersecurity where they interview an outsourced ex-moderator from Meta and how the platform moderates speech. Because most of the information is confidential, the moderator can’t say too much, but she told us that every day Meta provided a whole set of lists with things they should ban, and every day it changes. Sometimes it even changes on an hourly basis. And they can never really put those fully transparent to the world. The reason they can’t do that is because those words are partially forbidding scams, because the scale is too big. So, when they show the transparency of how they ban things, the scammers will use this against them. Like, “now you’ve banned this word so I’ll just use another one.” It’s an endless war. So, I think transparency matters, but it shouldn’t be the only thing we think about, we should think about governance as well. And when we talk about governance, we shouldn’t just think about some high authority in government or a law just forcing the platform into something we like. We should go back and think about what we can do. We’ve got lots of open-source software now and we can literally build those things by ourselves. That’s what I’m trying to say.

DG: Okay, one last question. This is the last question we ask everybody. Who’s your free speech hero?

SHIN: This is the question I saw everyone answering, and I honestly struggled with it. Because I’m Taiwanese, and the names that often come up in U.S. free speech conversations aren’t the names I’m familiar with. I’m sorry about this.

DG: That’s okay, it doesn’t have to be a perfect answer.

SHIN: If you want a public figure from Taiwan, I think of the journalists and dissidents who pushed for press freedom during Taiwan’s democratization—Nylon (Tēnn Lâm-iông) is one name many Taiwanese recognize.

If I answer this as truthfully as I can, my hero is my family. My father taught me that integrity is not a slogan. It’s the ability to keep your ethics when it costs you something. My mother is the opposite kind of teacher: she’s relentless in a practical way: she doesn’t easily back down, and she keeps finding room to move even when the room is small. Put together, that’s what free expression means to me. It’s not “I can say anything.” It's about whether you can continue to think independently and live with integrity through layers of fear, pressure, temptation and coercion, while still moving forward and creating more possibilities for others.

EFF to Third Circuit: Electronic Device Searches at the Border Require a Warrant

Sophia Cope — Tue, 03 Mar 2026 23:56:33 +0000

EFF, along with the national ACLU and the ACLU affiliates in Pennsylvania, Delaware, and New Jersey, filed an amicus brief in the U.S. Court of Appeals for the Third Circuit urging the court to require a warrant for border searches of electronic devices, an argument EFF has been making in the courts and Congress for nearly a decade.

The case, U.S. v. Roggio, involves a man who had been under ongoing criminal investigation for illegal exports when he returned to the United States from an international trip via JFK airport. Border officers used the opportunity to bypass the Fourth Amendment’s warrant requirement when they seized several of his electronic devices (laptop, tablet, cell phone, and flash drive) and conducted forensic searches of them. As the district court explained, “investigative agents had a case coordination meeting and border search authority was discussed in early January 2017,” before Mr. Roggio traveled internationally in February 2017.

The district court denied Mr. Roggio’s motion to suppress the emails and other data obtained from the warrantless searches of his devices. He was subsequently convicted of illegally exporting gun manufacturing parts to Iraq (he was also charged in a superseding indictment with torture and also convicted of that).

The number of warrantless device searches at the border and the significant invasion of privacy they represent is only increasing. In Fiscal Year 2025, U.S. Customs and Border Protection (CBP) conducted 55,318 device searches, both manual (“basic”) and forensic (“advanced”).

While a manual search involves a border officer tapping or mousing around a device, a forensic search involves connecting another device to the traveler’s device and using software to extract and analyze the data to create a detailed report the device owner’s activities and communications. Border officers have access to forensic tools that help gain access to data on a locked or encrypted device they have physical access to. From public reporting, we know that more recent devices (and ones that have had the latest security updates applied) are more resistant to these type of tools, especially if they are turned off or turned on but not yet unlocked.

The U.S. Supreme Court has recognized for a century a border search exception to the Fourth Amendment’s warrant requirement, allowing not only warrantless but also often suspicionless “routine” searches of luggage, vehicles, and other items crossing the border.

The primary justification for the border search exception has been to find—in the items being searched—goods smuggled to avoid paying duties (i.e., taxes) and contraband such as drugs, weapons, and other prohibited items, thereby blocking their entry into the country. But a traveler’s privacy interests in their suitcase and its contents are minimal compared to those in all the personal data on the person’s phone or laptop.

In our amicus brief, we argue that the U.S. Supreme Court’s balancing test in Riley v. California (2014) should govern the analysis here. In that case, the Court weighed the government’s interests in warrantless and suspicionless access to cell phone data following an arrest against an arrestee’s privacy interests in the depth and breadth of personal information stored on a cell phone. The Court concluded that the search-incident-to-arrest warrant exception does not apply, and that police need to get a warrant to search an arrestee’s phone.

Travelers’ privacy interests in their cell phones, laptops and other electronic devices are, of course, the same as those considered in Riley. Modern devices, over a decade later, contain even more data that together reveal the most personal aspects of our lives, including political affiliations, religious beliefs and practices, sexual and romantic affinities, financial status, health conditions, and family and professional associations.

In considering the government’s interests in warrantless access to digital data at the border, Riley requires analyzing how closely such searches hew to the original purpose of the warrant exception—preventing the entry of prohibited goods themselves via the items being searched. We argue that the government’s interests are weak in seeking unfettered access to travelers’ electronic devices.

First, physical contraband (like drugs) can’t be found in digital data.

Second, digital contraband (such as child sexual abuse material) can’t be prevented from entering the country through a warrantless search of a device at the border because it’s likely, given the nature of cloud technology and how internet-connected devices work, that identical copies of the files are already in the country on servers accessible via the internet.

Finally, searching devices for evidence of contraband smuggling (for example, the emails here revealing details of the illegal import scheme) and other evidence for general law enforcement (i.e., investigating non-border-related domestic crimes) are too “untethered” from the original purpose of the border search exception, which is to find prohibited items themselves and not evidence to support a criminal prosecution. Therefore, emails or other data found on a digital device searched without a warrant at the border cannot and should not be used as evidence in court.

If the Third Circuit is not inclined to require a warrant for electronic device searches at the border, we also argue that such a search—whether manual or forensic—should be justified only by reasonable suspicion that the device contains digital contraband and be limited in scope to looking for digital contraband.

This extends the Ninth Circuit’s rule from U.S. v. Cano (2019) in which the court held that only forensic device searches at the border require reasonable suspicion that the device contains digital contraband—that is, some set of already known facts pointing to this possibility—while manual searches may be conducted without suspicion. But the Cano court also held that all searches must be limited in scope to looking for digital contraband (for example, call logs are off limits because they can’t contain digital contraband in the form of photos or files).

We hope that the Third Circuit will rise to the occasion and be the first circuit to fully protect travelers’ Fourth Amendment rights at the border.

The Anthropic-DOD Conflict: Privacy Protections Shouldn’t Depend On the Decisions of a Few Powerful People

Matthew Guariglia — Tue, 03 Mar 2026 21:35:50 +0000

The U.S. military has officially ended its $200 million contract with AI company Anthropic and has ordered all other military contractors to cease use of their products. Why? Because of a dispute over what the government could and could not use Anthropic’s technology to do. Anthropic had made it clear since it first signed the contract with the Pentagon in 2025 that it did not want its technology to be used for mass surveillance of people in the United States or for fully autonomous weapons systems. Starting in January, that became a problem for the Department of Defense, which ordered Anthropic to give them unrestricted use of the technology. Anthropic refused, and the DoD retaliated.

There is a lot we could learn from this conflict, but the biggest take away is this: the state of your privacy is being decided by contract negotiations between giant tech companies and the U.S. government—two entities with spotty track records for caring about your civil liberties. It’s good when CEOs step up and do the right thing—but it's not a sustainable or reliable solution to build our rights on. Given the government’s loose interpretations of the law, ability to find loopholes to surveil you, and willingness to do illegal spying, we needs serious and proactive legal restrictions to prevent it from gobbling up all the personally data it can acquire and using even routine bureaucratic data for punitive ends.

Imposing and enforcing such those restrictions is properly a role for Congress and the courts, not the private sector.

The companies know this. When speaking about the specific risk that AI poses to privacy, the CEO of Anthropic Dario Amodei said in an interview, “I actually do believe it is Congress’s job. If, for example, there are possibilities with domestic mass surveillance—the government buying of bulk data has been produced on Americans, locations, personal information, political affiliations, to build profiles, and it’s not possible to analyze all of that with AI—the fact that that is legal—that seems like the judicial interpretation of the Fourth Amendment has not caught up or the laws passed by Congress have not caught up.”

The example he cites here is a scarily realistic one—because it’s already happening. Customs and Border Protection has tapped into the online advertising world to buy data on Americans for surveillance purposes. Immigration and Customs Enforcement has been using a tool that maps millions of peoples’ devices based on purchased cell phone data. The Office of the Director of National Intelligence has proposed a centralized data broker marketplace to make it easier for intelligence agencies to buy commercially available data. Considering the government’s massive contracts with a bunch of companies that could do analysis, including Palantir, a company which does AI-enabled analysis of huge amounts of data, then the concerns are incredibly well founded.

But Congress is sadly neglecting its duties. For example, a bill that would close the loophole of the government buying personal information passed the House of Representatives in 2024, but the Senate stopped it. And because Congress did not act, Americans must rely on a tech company CEO has to try to protect our privacy—or at least refuse to help the government violate it.

Privacy in the digital age should be an easy bipartisan issue. Given that it’s wildly popular (71% of American adults are concerned about the government's use of their data and among adults that have heard of AI 70% have little to no trust in how companies use those products) you would think politicians would be leaping over each other to create the best legislation and companies would be promising us the most high-end privacy protecting features. Instead, for the time being, we are largely left adrift in a sea of constant surveillance, having to paddle our own life rafts.

EFF has, and always will, fight for real and sustainable protections for our civil liberties including a world where our privacy does not rest upon the whims of CEOs and back room deals with the surveillance state.

EFF to Supreme Court: Shut Down Unconstitutional Geofence Searches

Hudson Hongo — Tue, 03 Mar 2026 15:54:57 +0000

Digital Dragnets Violate Fourth Amendment, Brief Argues

WASHINGTON, D.C. – The Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), the ACLU of Virginia, and the Center on Privacy & Technology at Georgetown Law filed a brief Monday urging the U.S. Supreme Court to rule that invasive geofence warrants are unconstitutional.

The brief argues that geofence warrants—which compel companies to provide information on every electronic device in a given area during a given time period—are the digital version of the exploratory rummaging that the drafters of the Fourth Amendment specifically intended to prevent.

Unlike typical warrants, geofence warrants do not name a suspect or even target a specific individual or device. Instead, police cast a digital dragnet, demanding location data on every device in a geographic area during a certain time period, regardless of whether the device owner has any connection to the crime under investigation. These searches simultaneously impact the privacy of millions and turn innocent bystanders into suspects, just for being in the wrong place at the wrong time.

The Supreme Court agreed earlier this year to hear Chatrie v. United States, in which a 2019 geofence warrant compelled Google to search the accounts of all its hundreds of millions of users to see if any one of them was within a radius police drew around a Northern Virginia crime scene. This area amounted to several football fields in size and encompassed numerous homes, businesses, and a church. In an amicus brief filed Monday, the brief argues that allowing this sweeping power to go unchecked is inconsistent with the basic freedoms of a democratic society.

"This is not traditional police work, but rather the leveraging of new and powerful technology to claim a novel and formidable power over the people," the brief states. "By their very nature, geofence searches turn innocent bystanders into suspects and leverage even purportedly limited searches into larger dragnets, causing intrusions at a scale far beyond those held unconstitutional in the physical world."

The brief also cautioned the Court not to authorize future geofence warrants based on the facts of the Chatrie case, which reflect how such searches were conducted in 2019. Since July 2025, mass geofence searches of Google users’ location data have not been possible. However, Google is not the only company collecting location data, nor the only way for police to access mass amounts of data on people with no connection to a crime. All suspicionless searches drag a net through vast swaths of information in hopes of identifying previously unknown suspects—ensnaring innocent bystanders along the way.

"To courts, to lawmakers, and to tech companies themselves, EFF has repeatedly argued that these high-tech efforts to pull suspects out of thin air cannot be constitutional, even with a warrant," said EFF Surveillance Litigation Director Andrew Crocker. "The Supreme Court should find once and for all that geofence searches are just the kind of impermissible general warrants that the Framers of the Constitution so reviled."

For the brief: https://www.eff.org/document/chatrie-v-united-states-eff-supreme-court-amicus-brief

Tags:

geofence warrants

Contact:

Andrew

Crocker

Surveillance Litigation Director

andrew@eff.org

EFF to Court: Don’t Make Embedding Illegal

Corynne McSherry — Mon, 02 Mar 2026 23:46:33 +0000

Who should be directly liable for online infringement – the entity that serves it up or a user who embeds a link to it? For almost two decades, most U.S. courts have held that the former is responsible, applying a rule called the server test. Under the server test, whomever controls the server that hosts a copyrighted work—and therefore determines who has access to what and how—can be directly liable if that content turns out to be infringing. Anyone else who merely links to it can be secondarily liable in some circumstances (for example, if that third party promotes the infringement), but isn’t on the hook under most circumstances.

The test just makes sense. In the analog world, a person is free to tell others where they may view a third party’s display of a copyrighted work, without being directly liable for infringement if that display turns out to be unlawful. The server test is the straightforward application of the same principle in the online context. A user that links to a picture, video, or article isn’t in charge of transmitting that content to the world, nor are they in a good position to know whether that content violates copyright. In fact, the user doesn’t even control what’s located on the other end of the link—the person that controls the server can change what’s on it at any time, such as swapping in different images, re-editing a video or rewriting an article.

But a news publisher, Emmerich Newspapers, wants the Fifth Circuit to reject the server test, arguing that the entity that embeds links to the content is responsible for “displaying” it and, therefore, can be directly liable if the content turns out to be infringing. If they are right, the common act of embedding is a legally fraught activity and a trap for the unwary.

The Court should decline, or risk destabilizing fundamental, and useful, online activities. As we explain in an amicus brief filed with several public interest and trade organizations, linking and embedding are not unusual, nefarious, or misleading practices. Rather, the ability to embed external content and code is a crucial design feature of internet architecture, responsible for many of the internet’s most useful functions. Millions of websites—including EFF’s—embed external content or code for everything from selecting fonts and streaming music to providing services like customer support and legal compliance. The server test provides legal certainty for internet users by assigning primary responsibility to the person with the best ability to prevent infringement. Emmerich’s approach, by contrast, invites legal chaos.

Emmerich also claims that altering a URL violates the Digital Millennium Copyright Act’s prohibition on changing or deleting copyright management information. If they are correct, using a link shortener could put users at risks of statutory penalties—an outcome Congress surely did not intend.

Both of these theories would make common internet activities legally risky and undermine copyright’s Constitutional purpose: to promote the creation of and access to knowledge. The district court recognized as much and we hope the appeals court agrees.

National Book Tour for Cindy Cohn’s Memoir, ‘Privacy’s Defender’

Josh Richman — Mon, 02 Mar 2026 16:15:10 +0000

MIT Press Publishes EFF Executive Director’s Book As She Prepares to Depart Organization After 25 Years

SAN FRANCISCO – Electronic Frontier Foundation Executive Director Cindy Cohn will launch her memoir, Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance (MIT Press, March 10), with events in San Francisco and Berkeley before embarking on a national book tour.

In Privacy’s Defender, Cohn weaves her own personal story with her role as a leading legal voice representing the rights and interests of technology users, innovators, whistleblowers, and researchers during the Crypto Wars of the 1990s, battles over NSA’s dragnet internet spying revealed in the 2000s, and the fight against FBI gag orders.

The book will be Cohn’s swansong at EFF as she’s stepping down as executive director later this year after 25 years with the organization. And there’s no timelier topic: Everyone should be concerned about privacy right now, as the federal government consolidates and weaponizes data, companies track our every click, and law enforcement from local police to ICE keep tabs on all of us, everywhere we go, every day.

The Privacy’s Defender tour will begin with a free event at San Francisco’s famed City Lights Bookstore (261 Columbus Ave., San Francisco, CA 94133) moderated by bestselling author and EFF Special Advisor Cory Doctorow, at 7pm PST Tuesday, March 10.

Then EFF will host a launch party at Berkeley’s Ciel Creative Space (940 Parker St., Berkeley, CA 94710) moderated by bestselling author Annalee Newitz at 7 p.m. PT on Thursday, March 12; tickets cost $12.50-$20.

The book tour will also include events in Portland, OR; Seattle; Denver; Cambridge, MA; Ann Arbor, MI; and Iowa City, IA. Later events are being planned in New York City and Washington, D.C., as well as a May 13 event at Commonwealth Club World Affairs in San Francisco.

Proceeds from sales of the book benefit EFF.

“These beautifully written stories show why the fight for privacy is worth having and reveal all that Cindy Cohn and EFF have done to establish the modern privacy doctrine as the essential core of a free society.” -- Lawrence Lessig, Harvard University; author of How to Steal a Presidential Election

“Cindy Cohn gives readers a first-person window into some of the pivotal legal disputes of the digital era and reminds us that action and activism are crucial to preserving Americans’ freedom.” -- U.S. Sen. Ron Wyden, D-OR, author of It Takes Chutzpah: How to Fight Fearlessly for Progressive Change

“Privacy’s Defender is a compelling account of a life well lived and an inspiring call to action for the next generation of civil liberties champions.” -- Edward Snowden, whistleblower; author of Permanent Record

For the San Francisco event: https://citylights.com/events/cindy-cohn-launch-party-for-privacys-defender/

For the Berkeley event: https://www.eff.org/event/privacys-defender-book-launch-party

For more on Privacy’s Defender and the book tour: https://www.eff.org/Privacys-Defender

Contact:

Karen

Gullo

Senior Writer for Free Speech and Privacy

karen@eff.org

Victory! Tenth Circuit Finds Fourth Amendment Doesn’t Support Broad Search of Protesters’ Devices and Digital Data

Saira Hussain — Fri, 27 Feb 2026 06:03:02 +0000

In a big win for protesters’ rights, the U.S. Court of Appeals for the Tenth Circuit overturned a lower court’s dismissal of a challenge to sweeping warrants to search a protester’s devices and digital data and a nonprofit’s social media data.

The case, Armendariz v. City of Colorado Springs, arose after a housing protest in 2021, during which Colorado Springs police arrested protesters for obstructing a roadway. After the demonstration, police also obtained warrants to seize and search through the devices and data of Jacqueline Armendariz Unzueta, who they claimed threw a bike at them during the protest. The warrants included a search through all of her photos, videos, emails, text messages, and location data over a two-month period, as well as a time-unlimited search for 26 keywords, including words as broad as “bike,” “assault,” “celebration,” and “right,” that allowed police to comb through years of Armendariz’s private and sensitive data—all supposedly to look for evidence related to the alleged simple assault. Police further obtained a warrant to search the Facebook page of the Chinook Center, the organization that spearheaded the protest, despite the Chinook Center never having been accused of a crime.

The district court dismissed the civil rights lawsuit brought by Armendariz and the Chinook Center, holding that the searches were justified and that, in any case, the officers were entitled to qualified immunity. The plaintiffs, represented by the ACLU of Colorado, appealed. EFF—joined by the Center for Democracy and Technology, the Electronic Privacy Information Center, and the Knight First Amendment Institute at Columbia University—wrote an amicus brief in support of that appeal.

In a 2-1 opinion, the Tenth Circuit reversed the district court’s dismissal of the lawsuit’s Fourth Amendment search and seizure claims. The court painstakingly picked apart each of the three warrants and found them to be overbroad and lacking in particularity as to the scope and duration of the searches. The court further held that in furnishing such facially deficient warrants, the officers violated “clearly established” law and thus were not entitled to qualified immunity. Although the court did not explicitly address the First Amendment concerns raised by the lawsuit, it did note the backdrop against how these searches were carried out, including animus by Colorado Springs police leading up to the housing protest.

It is rare for appellate courts to call into question any search warrants. It’s even rarer for them to deny qualified immunity defenses. The Tenth Circuit’s decision should be celebrated as a big win for protesters and anyone concerned about police immunity for violating people’s constitutional rights. The case is now remanded back to the district court to proceed—and hopefully further vindicate the privacy rights we all have in our devices and digital data.

☺️ Trust Us With Your Face | EFFector 38.4

Christian Romero — Wed, 25 Feb 2026 18:16:41 +0000

Do you remember the last time you were carded at a bar or restaurant? It was probably such a quick and normal experience, that you barely remember it. But have you ever been carded to use the internet? Being required to present your ID to access content online is becoming a growing reality for many. We're explaining the dangers of age verification laws, and the latest in the fight for privacy and free speech online, with our EFFector newsletter.

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This issue covers Discord's controversial rollout of mandatory age verification, a leaked Meta memo on face-scanning smart glasses, and a Super Bowl surveillance ad that said the quiet part out loud.

Prefer to listen in? In our audio companion, EFF Associate Director of State Affairs Rin Alajaji explains how online age verification hurts free expression for all users. Find the conversation on YouTube or the Internet Archive.

LISTEN TO EFFECTOR

EFFECTOR 38.4 - ☺️ Trust Us With Your Face

How to Pick Your Password Manager

Jacob Hoffman-Andrews — Wed, 25 Feb 2026 17:26:39 +0000

Phishing and data breaches are a constant on the internet. The single best defense against both is to use a password manager to generate and automatically fill a unique password for every site. While 1Password has recently raised their prices, and researchers have recently published potential flaws in some implementations, using a password manager is still a critical investment in keeping yourself safe on the internet. There are free options, and even ones built into your operating system or browser. We can help you choose.

Password managers protect you from phishing by memorizing the connection between a password and a website, and, if you use the browser integration, filling each password only on the website it belongs to. They protect you from data breaches by making it feasible to use a long, random, unique password on each site. When bad actors get their hands on a data breach that includes email addresses and password data, they will typically try to crack those passwords, and then attempt to login on dozens of different websites with the email address/password combinations from the breach. If you use the same password everywhere, this can turn one site’s data breach into a personal disaster, as many of your accounts get compromised at once.

In recent years, the built-in password managers in browsers and operating systems have come a long way but still stumble on cross-platform support. Within the Apple ecosystem, you can use iCloud Keychain, with support for generating passwords, autofill in Safari, and end-to-end encrypted synchronization, so long as you don’t need access to your passwords in Google Chrome or Android (Windows is supported, though). Within the Google ecosystem, you can use Google Password Manager, which also supports password generation, autofill, and sync. Crucially, though, Google Password manager does not end-to-end encrypt credentials unless you manually enable on-device encryption. Firefox and Microsoft also offer password managers. All of these platform-based options are free, and may already be on your devices. But they tend to lock you into a single-vendor world.

There are also a variety of third-party password managers, some paid, and some free, and some open source. Most of these have the advantage of letting you sync your passwords across a wide variety of devices, operating systems, and browsers. Here are four key things to look out for. First, when synchronizing between devices, your passwords should be encrypted end-to-end using a password that only you know (a “master” or “primary” password). Second, support for autofill can reduce the chance that you’ll get phished. Third, security audits performed by third parties can increase confidence that the software really does what it is designed to do. And finally, of course, random generation of unique passwords is a must.

Don’t let uncertainty or price increases dissuade you from using a password manager. There’s a good choice for everyone, and using one can make your online life a lot safer. Want more help choosing? Check out our Surveillance Self-Defense guide.

Tech Companies Shouldn’t Be Bullied Into Doing Surveillance

Matthew Guariglia — Tue, 24 Feb 2026 23:42:44 +0000

The Secretary of Defense has given an ultimatum to the artificial intelligence company Anthropic in an attempt to bully them into making their technology available to the U.S. military without any restrictions for their use. Anthropic should stick by their principles and refuse to allow their technology to be used in the two ways they have publicly stated they would not support: autonomous weapons systems and surveillance. The Department of Defense has reportedly threatened to label Anthropic a “supply chain risk,” in retribution for not lifting restrictions on how their technology is used. According to WIRED, that label would be, “a scarlet letter usually reserved for companies that do business with countries scrutinized by federal agencies, like China, which means the Pentagon would not do business with firms using Anthropic’s AI in their defense work.”

Anthropic should stick by their principles and refuse to allow their technology to be used in the two ways they have publicly stated they would not support: autonomous weapons systems and surveillance.

In 2025, reportedly Anthropic became the first AI company cleared for use in relation to classified operations and to handle classified information. This current controversy, however, began in January 2026 when, through a partnership with defense contractor Palantir, Anthropic came to suspect their AI had been used during the January 3 attack on Venezuela. In January 2026, Anthropic CEO Dario Amodei wrote to reiterate that surveillance against US persons and autonomous weapons systems were two “bright red lines” not to be crossed, or at least topics that needed to be handled with “extreme care and scrutiny combined with guardrails to prevent abuses.” You can also read Anthropic’s self-proclaimed core views on AI safety here, as well as their LLM, Claude’s, constitution here.

Now, the U.S. government is threatening to terminate the government’s contract with the company if it doesn’t switch gears and voluntarily jump right across those lines.

Companies, especially technology companies, often fail to live up to their public statements and internal policies related to human rights and civil liberties for all sorts of reasons, including profit. Government pressure shouldn’t be one of those reasons.

Whatever the U.S. government does to threaten Anthropic, the AI company should know that their corporate customers, the public, and the engineers who make their products are expecting them not to cave. They, and all other technology companies, would do best to refuse to become yet another tool of surveillance.