The FCC’s Spam Call Proposal Is Just a Data Collection Scheme

EFF update
4 days 21 hours ago

The Federal Communications Commission wants to require telecommunications providers to collect vast amounts of personal information from every person who wants a phone number in the name of combatting scam and spam calls. This plan will fail to combat the deluge of unwanted calls people in the United States receive every day while giving untrustworthy companies a gold mine of information that would harm everyday consumer’s privacy, access to communications, and ability to speak freely. 

The requirement to provide ID and an address would completely cut off the ability to have an anonymous phone line, which would mean many people in the most precarious situations imaginable: domestic violence and human trafficking survivors, unhoused people, and children without stable homes, would not be able to gain access to a crucial lifeline. EFF, along with ACLU, has submitted comments advising the FCC to abandon this proposal entirely

This Rule Will Not Decrease Spam Calls 

Requiring phone providers to collect consumers’ information will not appreciably decrease or eliminate unwanted calls. The FCC knows this because it confesses in its own rulemaking that “the most effective way to prevent unwanted calls from reaching American consumers is by ensuring they never enter the network.” Further, the Federal Trade Commission found that “a significant proportion, if not the majority, of unwanted robocalls originate from overseas.” Collecting the personal information of everyone who wants to make a phone call will not put a dent in fraudulent calls. 

What will address unwanted calls is the FCC’s STIR/SHAKEN technical standards, which already exist. While STIR/SHAKEN is not perfect, it is actually a technical solution to the problem of spam calls. And where less than 50% of American telecommunication providers have fully implemented the protocol, the FCC should put its energy toward 100% compliance to reduce the scale of unwanted calls, instead of collecting consumer’s private information. 

The FCC gives away the true reason for this proposal in their own comments: this is a move to shut down the very existence of anonymous phones, aka burner phones. FCC says in their comments: 

“Enhanced KYC information can assist law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information. The KYC information gathered and verified would help ensure that law enforcement gets accurate information in response to subpoenas when investigating crimes. For example, can enhanced KYC rules assist law enforcement in investigating organized criminal groups that use the network to facilitate illegal activities? Can they be used to deter or detect trafficking operations that use communication networks to buy and sell illicit goods?”

Anonymous phones are not just used by people to break the law, they are also used by activists who wish to remain anonymous, privacy conscious consumers, people escaping domestic violence, people escaping human trafficking, journalists who need to reach out to confidential sources, and other people in desperate situations. Anonymous phone lines are a lifeline to many, one which this proposal would cut off without any alternative. 

Mass Data Collection Makes Us All Less Safe

Mass data collection of individuals does not address unwanted calls, but it does 

make us all less safe online. The telecommunications industry has proven time and again that they’re poor stewards of personal information. They’ve been at the center of several large-scale data breaches in recent years and their data practices leave much to be desired.

In 2024, AT&T disclosed two large data breaches. One in which 7.6 million existing account holders and more than 65 million former customers had their information leaked onto the dark web, and another in which more than 100 million customer account call and text logs were downloaded. Another large provider, Comcast, suffered a data breach in 2023 where nearly 36 million account holder’s information was stolen, including the last four digits of their Social Security Number and date of birth. 

In 2024, the nation’s CALEA infrastructure, which law enforcement uses to tap and trace calls, was breached in the Salt Typhoon attacks. Experts maintain that U.S. communications networks remain vulnerable, and even this administration acknowledges these attacks as an ongoing threat. 

If telecoms can’t even protect the most sensitive communications infrastructure in the nation how can we expect that they will protect our identities?

In addition to their poor cybersecurity practice, these providers themselves abuse the information in their possession. In Scott v AT&T, AT&T, among others, made consumer information available to hundreds of third parties without the consumer’s express consent. Though the case was dismissed because AT&T forces its consumers to sign arbitration agreements, it shows the complete lack of care for their consumers' privacy. 

A Lack of Anonymity Silences People 

Mass data collection of individuals just to have a phone number will also harm and silence people. Anonymity in calls provides people the safety they may require to organize themselves, speak freely, and seek services. Anonymous phone calls give people the courage to participate in politics, organize themselves, reach out to a suicide or sexual-assault hotline, an addiction-recovery sponsor, seek medical care, seek escape from a violent and coercive situation, and do much more. Without this anonymity, people may otherwise not do any of these things. 

It will prevent many from obtaining phone numbers at all. 

Not everyone has all the information the FCC wants to require. The FCC wants people’s physical addresses, defined so narrowly that it’s essentially a home address. Not everyone has a stable home address, so those individuals would be not able to get phone service. 

FCC suggests that a government-issued identification should be required for any phone service. About 15 million adult U.S. citizens do not have a driver’s license, while about 2.6 million do not have any form of government-issued photo ID. Others don’t have access to their identifying documents, they may be controlled by an abusive spouse or parent, human trafficker, cult, or someone else from whom a secondary phone line could help a person escape. Estimates show another 21 million adult U.S. citizens do not have a non-expired driver’s license, and over 34.5 million adult citizens have neither a driver’s license nor a state ID card with their current name or address. 

These numbers do not include non-U.S. citizens who do not have current government-issued identification, including undocumented immigrants who cannot obtain a state ID or driver’s license. Black American and Hispanic Americans are disproportionately less likely to have current drivers’ licenses, and Americans with disabilities and Americans with lower annual incomes are also less likely to have current driver’s licenses. 

The FCC’s proposal will not decrease the amount of unwanted calls. All it will do is set up a data collection regime that harms everyday, law abiding Americans. This proposal makes us less secure online, strips away our right to anonymous speech in calls, and actively disconnects those Americans who are already at the margins. EFF recommends the FCC discard this proposal in its entirety. 

The window for reply comments can still be filed until July 26th. Express comments, which are appropriate for most individuals, can be filed on the FCC website. See the suggested language below to help you get started. 

Chao Liu

Are Your Local Police Using Flock Safety ALPRs to Scan for Immigrants?

EFF update
4 days 22 hours ago

When a car passes an automated license plate reader (ALPR), its plate is captured and instantly compared against a list of vehicles that police are actively looking for or that police have identified for real-time surveillance. These are called “hotlists,” and EFF has learned that one used by agencies across the country targets immigrants on behalf of Immigration and Customs Enforcement (ICE). 

Agencies using Flock Safety ALPR systems commonly allow the plates their cameras collect to be compared against the FBI's National Crime Information Center (NCIC) hotlists. These hotlists are broken into "topics," such as "Gang or Suspected Terrorist," "Stolen Vehicle," and "Missing Person." 

Flock Safety told EFF via email: "Local agencies add/remove license plates from the NCIC list. The FBI curates the NCIC list, and pushes it out to local agencies. Once the list leaves the FBI, they do not see any agency alerts. They only see when a local agency adds or removes plates from the list."

But one list is different: The "Immigration Violator" hotlist is populated exclusively by ICE, and it is the only agency authorized to enter or maintain records in this system, according to the NCIC operator manual. It includes license plates associated with administrative warrants, which are issued by ICE agents without judicial review. The manual further describes the data:

The Immigration Violator File contains records on criminal aliens who have been deported for drug trafficking, firearms trafficking, or serious violent crimes and on foreign-born individuals who have violated some section of the Immigration and Nationality Act.

And: 

If the ICE has reasonable grounds to believe that the subject may be operating a particular vehicle or a vehicle bearing a particular license plate, the vehicle and/or license data may be included in the record.

Buried in the Flock Safety administrative interface, there is a drop-down menu where agencies select which NCIC topics to subscribe to. If Immigration Violator is selected, the local agency will receive an alert that a vehicle ICE is looking for has been sighted. According to Flock Safety, ICE itself does not get an alert, although the local agency may contact ICE to let them know. Many agencies also participate or collaborate with immigration enforcement (through, for example, 287(g) agreements) and may take steps to stop a vehicle based on one of these alerts. 

In many places, using ALPRs for immigration enforcement is against city or state law–or at minimum, against agency policy. But using this hotlist is immigration enforcement. 

For example, Sparks Police Department's ALPR transparency portal lists immigration enforcement among the "prohibited uses." Yet, records show Sparks utilizes ICE's Immigration Violator hotlist.

Many agencies publicly acknowledge using NCIC hotlists, but don't publish which ones. So, EFF filed public records requests with agencies around the country to figure how to identify at least which agencies may be using the Immigration Violator hotlist. Here are links to the documents from the 13 agencies that have responded so far. 

Agencies with the Immigration Violators Hotlist Enabled

Agencies Using NCIC Hotslists, But Immigration Violators Is Disabled

Knowing whether your agency has this box checked isn't just useful information—it's the kind of evidence that can change how officials vote when a contract comes up for renewal. So, how can you find out if your local agency is using the Immigration Violator list? It takes some digging, and you may not be successful. But here's what has worked for us in some instances. 

STEP 1: Conduct background research. 

The first questions you want to try to answer are: 

  • Does your local agency use Flock Safety ALPRs, and if so, 
  • Are they using NCIC hotlists? 

To answer the first question, here are two sites to try: 

  • AtlasofSurveillance.org - This is an EFF project to catalog the technologies law enforcement agencies use. You can search for your agency to see if they use ALPR.

  • EyesonFlock.com  - This site includes an index of every agency that maintains a Flock Safety "Transparency Portal." These portals often disclose what hotlists an agency uses. You'll want to look for your agency, then click the outbound link to their transparency portal, if they have one. 

Once you're on the transparency portal, you'll want to look for two things. 

  • Is "immigration enforcement" a prohibited use? If it is, you might find that the agency is violating its own policies. 

  • Does the agency list "NCIC" as one of its hot lists? 

Not all agencies disclose this information, so even if you don't find anything, you can move on to these next steps. 

STEP 2: File a public records request. 

Every state has a law that allows the public to request information from the government. This can often be done by emailing the police department or sheriff’s office, using the agency's online public records portalYou can usually find these emails or portals quickly online by searching for the agency's website and contact information. You can also subscribe to a service like MuckRock, which is how we filed these requests

We have developed language to request the hotlist topics. It doesn't always work, due to differences in how agencies interpret public records laws, but it is still worth a shot. 

Note: This is template language. A Google doc version is available here (Google's Privacy Policy applies). 

To Whom It May Concern:

Pursuant to the [INSERT LOCAL PUBLIC RECORDS LAW - FIND THAT HERE], I hereby request the following information:

- The NCIC topics that the agency has selected.

Within the Flock Safety ALPR administrative controls for hotlists, there is an NCIC drop-down menu to allow an agency to choose which NCIC "Topics" it will alert on. For example, "Gang or Suspected Terrorist" or "Missing Person." 

You may provide this as a print out or a screen grab, or simply copy-paste the selected items. If you'd prefer to do a full CSV export, that is also acceptable but may take more effort.

I leave the format at your discretion, but I would prefer to use as little of your agency's resources as possible for this request. You can see an example here: https://www.documentcloud.org/documents/28277589-20260414084201725/

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. Please do not hesitate to contact me with any questions at [CONTACT DETAILS].

Sincerely,

[Your Name]

STEP 3: Wait for a response.

Depending on the agency and the state law, it may take anywhere from days to weeks to receive a response. 

If the agency provides the records, they might look something like this: 

If "Immigration Violator" is checked, then yes–police are scanning vehicles for immigration enforcement. 

You can then put this information to work, sharing it with local reporters or bringing it directly to city officials who have the authority to modify, restrict, or cancel your agency's Flock contract. This is especially important if the agency has the box checked but also claims ALPR data is not used for immigration enforcement. Government officials like easy fixes, and "uncheck the box" is about as easy as it gets. But remember: If that's where it stops, the infrastructure for immigration surveillance stays fully intact, and the system is one policy, personnel change, or error away from being switched back on.

In many cases, you will not receive records. The agency may claim it's protected under legal exemptions or that it is not actually a public record under state law. For example, we received rejections from the Abington Police Department in Massachusetts and the Akron Police Department in Ohio.

If that happens, push back politely. You can explain that many other agencies across the country have produced this information and that it would greatly help inform the public. You can try contacting the police department's public information officer. Another option is alerting local press that the agency is refusing to disclose basic information about a public surveillance system, shutting residents out of decisions about how that system is being used. If you have the resources and time, you may also consider litigating a denial or lack of response.

You can also email your city council or board of supervisors member. Explain why this matters: The law enforcement agency may be facilitating immigration enforcement in secret, potentially in violation of its own policies. Ask them to use their oversight authority to demand answers from the agency, including pressing the vendor directly. Elected officials hold real leverage here: In most cities, either the council or the city manager controls the contract, and both are accountable to the public. If your agency's contract is up for renewal—or if a new pilot program is on the horizon—this is exactly the kind of information that should be part of that public debate before officials sign anything.

While we have filed dozens of these requests, we need locals to help gather even more. Drop us a line with the records you receive (or don't) at aos@eff.org

Dave Maass

【おすすめ本】トマ・ピケティ (著)・山本 知子(訳)『エコロジー社会主義に向けて――世界を読む2020–2024』―〈脱商品化〉の領域拡大 富裕層・大企業に適切な課税を=本田 浩邦(獨協大学教授)<br />

日本ジャーナリストクラブ(JCJ)
4 days 22 hours ago
 コロナ・パンデミック最中の2020年7月から24年9月まで『ルモンド』紙に連載されたエッセイに書き下ろしの序章を加えた作品である。 20世紀は「社会民主主義」の時代であったが、21世紀はさらに進んで「民主的でエコロジカルな社会主義」でなければならないというのが本書のモチーフである。 「社会主義」といっても、それは「生産手段の社会化」によってイメージされる従来のオーソドックスなそれではない。その柱は、「脱商品化」の領域の拡大と、強い所得再分配(富裕層や大企業に対する限界税率..
JCJ

〈国民国家と文明〉内田樹

週刊金曜日
5 days 3 hours ago
 英国在住のブレイディみかこさんとオンラインでおしゃべりをした。英国と日本の政治状況があまりに似ているので、話を聴いているうちに少し寒気がしてきた。  それは両国とも「ポピュリズム国家」だということである。かつて有権者た […]
admin

〈非戦の意志を憲法に書き込む〉想田和弘

週刊金曜日
5 days 3 hours ago
 解釈改憲にも、ほどがある。  高市政権下、そう思わざるをえない政策が、次々に実行されつつある。武器輸出解禁、敵基地攻撃能力を有するミサイルの配備、軍事費の倍増、国旗損壊罪……。  そもそも日本国憲法第9条は、その制定時 […]
admin

旧動燃の差別是正訴訟、最高裁は上告不受理決定 「原子力機構は差別認め真摯な謝罪を」

週刊金曜日
5 days 3 hours ago
 元職員への思想・信条を理由とした差別を巡る動燃差別是正訴訟の上告不受理決定が6月3日に最高裁から出た。  同訴訟は2015年7月、旧動力炉・核燃料開発事業団(以下「動燃」、現在は国立研究開発法人日本原子力研究開発機構、 […]
admin

コラム〈いやな予感〉 田中優子

週刊金曜日
5 days 4 hours ago
 沖縄県名護市の辺野古沖で船が転覆し、研修旅行中の生徒が亡くなった。その後、新潟市の高校生の乗ったマイクロバスの事故があり、やはり高校生が亡くなった。どちらも痛ましい事故である。船やバスの安全対策も学校の管理体制も見直さ […]
admin

京都・舞鶴トマホーク配備めぐり2800人が反対集会 「このままでは私たちは加害者に」

週刊金曜日
5 days 4 hours ago
 米国製巡航ミサイルのトマホークを海上自衛隊舞鶴基地(京都府舞鶴市)所属のイージス艦に配備する計画に反対する集会が、5月31日に同基地周辺で開かれた。府内外からの参加者(主催者発表で約2800人)が、旧軍港を長い「人間の […]
admin

The KIDS Act Would Require Age Checks To Get Online

EFF update
5 days 8 hours ago

Within the next week, Congress is preparing to vote on the KIDS Act, a sprawling package of legislation that seeks to control Americans’ web browsing and private messaging. The package includes a revised version of the Kids Online Safety Act, or KOSA, combined with a collection of other internet bills, study bills, reporting requirements, and new regulations. Instead of debating any of these proposals on their merits, lawmakers are attempting to move them all at once under an ultra-expedited process. 

The package of cobbled-together bills is a mess, with different age-gating schemes for different services, using different standards. It’s a lot of complexity, and a lot of legal risk. Faced with that, many companies will conclude that the safest option is restrictive age-checking practices across their entire platforms.

Buried inside the KIDS Act are provisions that will push online services to verify all users’ ages, require government-directed moderation policies for online speech, and even create new rules about private and encrypted communications. While supporters continue to claim this bill protects minors online, its requirements come at the expense of privacy, free expression, and the ability of people of all ages to use the internet without revealing sensitive data. 

Take action

Tell Congress to reject this age-gating bill

The KIDS Act Pressures Platforms to Check Everyone's Age

Supporters of KOSA have said the bill doesn’t require age verification. And technically, the KOSA section of the bill does say that KOSA shouldn’t be read to require age verification. 

But if you read the rest of the bill, that disclaimer starts to look hollow. 

Throughout the KOSA section of the legislation, special protections, controls, messaging settings, and parental tools are required whenever a website or app “knows or should have known” a user is a child (defined in the bill as anyone under 13) or a teen (defined as anyone between 13 and 16 years old). 

The problem is a website operator doesn’t need actual knowledge that a user is a minor to get in legal trouble. It applies when a platform “knows or should have known” a user’s age—a low, negligence-style standard of knowledge. If an online service gets it wrong, it’s going to be up to courts and regulators to decide, after the fact, if an online service “should” have known a user was 16. 

To try to avoid liability, services will have to determine which users are teenagers and which are not. Most won’t be able to simply trust their users. They’ll have to collect more information about age, before any lawsuit or government action arises. Some companies may respond by requesting driver's licenses or passports. Others will rely on age-estimation systems that attempt to guess users' ages by looking at existing activity or doing facial scans. Existing estimation systems make mistakes when estimating children’s ages correctly, which is a big problem when that is the population KOSA is trying to protect. And the systems fail more frequently for people of color, people with disabilities, and trans and nonbinary people.

The bill’s authors seem to know this is a problem. On the one hand, the new KOSA section says age verification is not required. On the other, it repeatedly imposes obligations that depend on knowing whether a user is under 17. But a disclaimer doesn’t magically eliminate legal risk, especially for smaller services and startups that can’t afford to defend lawsuits or fight regulators.  

Take action

The "KIDS Act" Is an Age Surveillance Bill

KOSA is not the only part of this package that creates age-verification pressure. The SAFE BOTS Act, like KOSA, goes back to the standard that if a service “knows or should have known” that a user is a minor it can’t offer certain chatbot features. 

The SCREEN Act requires services that host sexually explicit content to determine whether users are “more likely than not” under the relevant age limit, before allowing access to certain content. 

The consequences of this liability will not be limited to minors. If websites and apps are expected to reliably identify teenagers, adults will be asked to prove they are adults. The result is a less private internet for everyone.

The KIDS Act Pressures Platforms To Police Lawful Speech 

The new version of KOSA removes the bill’s infamous "duty of care" provision, a significant change. The revised KOSA requires covered platforms to "establish, implement, maintain, and enforce" policies and procedures addressing several categories of content and conduct. 

Some categories, such as true threats and sexual exploitation, involve unlawful activity. Others are much broader. The bill specifically requires policies addressing the "sale or use" of narcotic drugs, tobacco products, cannabis products, gambling, and alcohol. It also restricts discussions around financial fraud.

Sounds straightforward enough. Then you remember how people actually talk—online and off. Can teens discuss addiction and recovery? Can a 15-year-old post that she’s worried she has a friend who is drinking too much? Can they seek advice about a parent’s gambling problem, or get help if they or a family member have been scammed? Can they participate in harm-reduction communities or discuss substance abuse treatment? All of these young people would be engaging in lawful speech when discussing topics covered by KOSA’s enumerated harms. 

The bill does not directly ban those conversations. But it places platforms under huge pressure to create and enforce moderation policies around broad categories of lawful speech. Faced with legal risk, many services will inevitably choose to remove that speech or restrict those discussions to spaces where they know only adults can participate. We’ve seen this movie before. When legal risk goes up, platforms will take down more speech. 

The KIDS Act Regulates Private Messages, Too 

Several provisions of the bill create new rules around direct messages, disappearing or “ephemeral” messages, and AI chat services. 

The bill includes language stating that certain KOSA requirements should not be construed to override strong encryption. But the protection is incomplete. The carve-out applies to certain features and messaging controls, but doesn’t apply to KOSA’s separate requirement that platforms "address" a list of harms to minors. 

The KIDS Act never answers an obvious question: how exactly is a platform supposed to address those activities if they’re inside encrypted communications that it can’t read? That will create pressure for providers to weaken private communications or limit features on encrypted private services. 

That approach is especially troubling when it comes to ephemeral messaging. Disappearing messages are not a “loophole” or a dangerous design trick. They are a useful privacy feature that allows online conversations to function more like ordinary real-world conversations, which are not preserved forever in a permanent database.

Like many other parts of the KIDS Act, these private messaging provisions also depend on websites and apps knowing who is a minor and who is not. The result is more age checks, more restrictions, and less privacy online.

Take action

Tell congress: no online age checkpoints

Joe Mullin