EFF and Repro Uncensored Launch #StopCensoringAbortion Campaign

4 hours 59 minutes ago
Campaign Aims to Ensure that People Can Access Reproductive Rights Information Through Social Media

SAN FRANCISCO—The Electronic Frontier Foundation (EFF) and the Repro Uncensored coalition on Wednesday launched the #StopCensoringAbortion campaign to ensure that people who need reproductive health and abortion information can find and share it. 

Censorship of this information by social media companies appears to be increasing, so the campaign will collect information to track such incidents.  

“This censorship is alarming, and we’re seeing it take place across popular social media platforms like Facebook, Instagram, and TikTok, where abortion-related content is often flagged or removed under vague ‘community guideline’ violations, despite the content being legal and factual,” said EFF Legislative Activist Rindala Alajaji. “This lack of transparency leaves organizations, influencers, and individuals in the dark, fueling a wider culture of online censorship that jeopardizes public access to vital healthcare information.” 

Initially, the campaign is collecting stories from people and organizations who have faced censorship on these platforms. This will help the public and the companies understand how often this is happening, who is affected, and with what consequences. EFF will use that information to demand that censorship stop and that the companies create greater transparency in their practices, which are often obscure and difficult to track. Tech companies must not silence critical conversations about reproductive rights.  

"We are not simply raising awareness—we are taking action to hold tech companies accountable for their role in censoring free speech around reproductive health. The stories we collect will be instrumental in presenting to the platforms the breadth of this problem, drawing a picture of its impact, and demanding more transparent policies,” Alajaji said. “If you or someone you know has had abortion-related content taken down or shadowbanned by a social media platform, your voice is crucial in this fight. By sharing your experience, you’ll be contributing to a larger movement to end censorship and demand that social media platforms stop restricting access to critical reproductive health information.” 

In addition to a portal for reporting incidents of online abortion censorship, the campaign’s landing page provides links to reporting and research on this censorship. Additionally, the page includes digital privacy and security guides for abortion activists, medical personnel, and patients. 

With reproductive rights under fire across the U.S. and around the world, access to accurate abortion information has never been more critical. Reproductive health and rights organizations have turned to online platforms to share essential, sometimes life-saving guidance and resources. Whether they provide the latest updates on abortion laws, where to find clinics, or education about abortion medication, online spaces have become a lifeline particularly for those in regions where reproductive freedoms are under siege.  

But a troubling trend is making it harder for people to access vital abortion information: Social media platforms are censoring or removing abortion-related content, often without a clear justification or policy basis. A recent example surfaced last month when Instagram posts by Aid Access, an online abortion services provider, were either blurred out or prevented from loading entirely. This sparked concerns in the press about how recent content moderation policy changes by Meta, the parent company of Instagram and Facebook, would affect availability of reproductive health information. 

For the campaign landing page: https://www.eff.org/pages/stop-censoring-abortion  

Contact:  RindalaAlajajiLegislative Activistrin@eff.org
Josh Richman

Stop Censoring Abortion: The Fight for Reproductive Rights in the Digital Age

5 hours 7 minutes ago

With reproductive rights under fire across the U.S. and globally, access to accurate abortion information has never been more critical—especially online. 

That’s why reproductive health and rights organizations have turned to online platforms to share essential, sometimes life-saving, guidance and resources. Whether it's how to access information about abortion medication, where to find clinics, or the latest updates on abortion laws, these online spaces have become a lifeline, particularly for those in regions where reproductive freedoms are under siege. But there's a troubling trend making it harder for people to access vital abortion information: social media platforms are increasingly censoring or removing abortion-related content—often without clear justification or policy basis. 

A recent example surfaced last month when a number of Instagram posts by Aid Access, an online abortion services provider, were either blurred out or unable to load entirely. This sparked concerns in the press about how recent content moderation policy changes by Meta, the parent company of Instagram and Facebook, would affect the availability of reproductive health information. The result? Crucial healthcare information gets erased, free expression is stifled, and people are left in the dark about their rights and healthcare options.

This censorship is alarming, and we’re seeing it take place across popular social media platforms like Facebook, Instagram, and TikTok, where abortion-related content is often flagged or removed under vague "community guideline" violations, despite the content being perfectly legal and factual. This lack of transparency leaves organizations, influencers, and individuals in the dark, fueling a wider culture of online censorship that jeopardizes public access to vital healthcare information.

#StopCensoringAbortion: An EFF and Repro Uncensored Collaboration

In response to this growing issue, EFF has partnered with the Repro Uncensored coalition to call attention to instances of reproductive health and abortion content being removed or suppressed by social media platforms. 

We are collecting stories from individuals and organizations who have faced censorship on these platforms to expose the true scale of the issue. Our goal is to demand greater transparency in tech companies' moderation practices and ensure that their actions do not silence critical conversations about reproductive rights. 

We are not simply raising awareness—we are taking action to hold tech companies accountable for their role in censoring free speech around reproductive health. 

Share Your Story

If you or someone you know has had abortion-related content taken down or shadowbanned by a social media platform, your voice is crucial in this fight. By sharing your experience, you’ll be contributing to a larger movement to end censorship and demand that social media platforms stop restricting access to critical reproductive health information. These stories will be instrumental in presenting to the platforms the breadth of this problem, drawing a picture of its impact, and demanding more transparent policies.

If you’re able to spend five minutes reporting your experience, EFF and the rest of the Repro Uncensored coalition will do our best to help: https://www.reprouncensored.org/report-incident 

Even If You Haven’t Been Censored, You Can Still Help!

Not everyone has experienced censorship, but that doesn’t mean you can’t contribute to the cause. You can still help by spreading the word. 

Share the #StopCensoringAbortion campaign on your social media platforms and visit our landing page for more resources and actions. 

Follow Repro Uncensored and EFF on Instagram, and sign up for email updates about this campaign. The more people who are involved, the stronger our collective voice will be.

Together, we can amplify the message that information about reproductive health and rights should never be silenced—whether in the real world or online.

Rindala Alajaji

Saving the Internet in Europe: Defending Privacy and Fighting Surveillance

9 hours 32 minutes ago

This post is part three in a series of posts about EFF’s work in Europe. Read about how and why we work in Europe here

EFF’s mission is to ensure that technology supports freedom, justice, and innovation for all people of the world. While our work has taken us to far corners of the globe, in recent years we have worked to expand our efforts in Europe, building up a policy team with key expertise in the region, and bringing our experience in advocacy and technology to the European fight for digital rights.  

In this blog post series, we will introduce you to the various players involved in that fight, share how we work in Europe, and discuss how what happens in Europe can affect digital rights across the globe. 

Implementing a Privacy First Approach to Fighting Online Harms

Infringements on privacy are commonplace across the world, and Europe is no exemption. Governments and regulators across the region are increasingly focused on a range of risks associated with the design and use of online platforms, such as addictive design, the effects of social media consumption on children’s and teenagers’ mental health, and dark patterns limiting consumer choices. Many of these issues share a common root: the excessive collection and processing of our most private and sensitive information by corporations for their own financial gain. 

One necessary approach to solving this pervasive problem is to reduce the amount of data that these entities can collect, analyze, and sell. The European General Data Protection Regulation (GDPR) is central to protecting users’ data protection rights in Europe, but the impact of the GDPR ultimately depends on how well it is enforced. Strengthening the enforcement of the GDPR in areas where data can be used to target, discriminate, and undermine fundamental rights is therefore a cornerstone in our work. 

Beyond the GDPR, we also bring our privacy first approach to fighting online harms to discussions on online safety and digital fairness. The Digital Services Act (DSA) makes some important steps to limit the use of some data categories to target users with ads, and bans targeteds ads for minors completely. This is the right approach, which we will build on as we contribute to the debate around the upcoming Digital Fairness Act

Age Verification Tools Are No Silver Bullet

As in many other jurisdictions around the world, age verification has become a hotly debated topic in the EU, with governments across Europe seeking to introduce them. In the United Kingdom, legislation like the Online Safety Act (OSA) was introduced to make the UK “the safest place” in the world to be online. The OSA requires platforms to prevent individuals from encountering certain illegal content, which will likely mandate the use of intrusive scanning systems. Even worse, it empowers the British government, in certain situations, to demand that online platforms use government-approved software to scan for illegal content. And they are not alone in seeking to do so. Last year, France banned social media access for children under 15 without parental consent, and Norway also pledged to follow a similar ban. 

Children’s safety is important, but there is little evidence that online age verification tools can help achieve this goal. EFF has long fought against mandatory age verification laws, from the U.S. to Australia, and we’ll continue to stand up against these types of laws in Europe. Not just for the sake of free expression, but to protect the free flow of information that is essential to a free society. 

Challenging Creeping Surveillance Powers

For years, we’ve observed a worrying tendency of technologies designed to protect people's privacy and data being re-framed as security concerns. And recent developments in Europe, like Germany’s rush to introduce biometric surveillance, signal a dangerous move towards expanding surveillance powers, justified by narratives framing complex digital policy issues as primarily security concerns. These approaches invite tradeoffs that risk undermining the privacy and free expression of individuals in the EU and beyond.

Even though their access to data has never been broader, law enforcement authorities across Europe continue to peddle the tale of the world “going dark.” With EDRi, we criticized the EU high level group “going dark” and sent a joint letter warning against granting law enforcement unfettered capacities that may lead to mass surveillance and violate fundamental rights. We have also been involved in Pegasus spyware investigations, with EFF’s Executive Director Cindy Cohn participating in an expert hearing on the matter. The issue of spyware is pervasive and intersects with many components of EU law, such as the anti-spyware provisions contained within the EU Media Freedom Act. Intrusive surveillance has a global dimension, and our work has combined advocacy at the UN with the EU, for example, by urging the EU Parliament to reject the UN Cybercrime Treaty.

Rather than increasing surveillance, countries across Europe must also make use of their prerogatives to ban biometric surveillance, ensuring that the use of this technology is not permitted in sensitive contexts such as Europe’s borders. Face recognition, for example, presents an inherent threat to individual privacy, free expression, information security, and social justice. In the UK, we’ve been working with national groups to ban government use of face recognition technology, which is currently administered by local police forces. Given the proliferation of state surveillance across Europe, government use of this technology must be banned.

Protecting the Right to Secure and Private Communications

EFF works closely on issues like encryption to defend the right to private communications in Europe. For years, EFF fought hard against an EU proposal that, if it became law, would have pressured online services to abandon end-to-end encryption. We joined together with EU allies and urged people to sign the “Don’t Scan Me” petition. We lobbied EU lawmakers and urged them to protect their constituents’ human right to have a private conversation—backed up by strong encryption. Our message broke through, and a key EU committee adopted a position that bars the mass scanning of messages and protects end-to-end encryption. It also bars mandatory age verification whereby users would have had to show ID to get online. As Member States are still debating their position on the proposal, this fight is not over yet. But we are encouraged by the recent European Court of Human Rights ruling which confirmed that undermining encryption violates fundamental rights to privacy. EFF will continue to advocate for this to governments, and the corporations providing our messaging services.

As we’ve said many times, both in Europe and the U.S., there is no middle ground to content scanning and no “safe backdoor” if the internet is to remain free and private. Either all content is scanned and all actors—including authoritarian governments and rogue criminals—have access, or no one does. EFF will continue to advocate for the right to a private conversation, and hold the EU accountable to the international and European human rights protections that they are signatories to. 

Looking Forward

EU legislation and international treaties should contain concrete human rights safeguards, robust data privacy standards, and sharp limits on intrusive surveillance powers, including in the context of global cooperation. 

Much work remains to be done. And we are ready for it. Late last year, we put forward comprehensive policy recommendations to European lawmakers and we will continue fighting for an internet where everyone can make their voice heard. In the next—and final—post in this series, you will learn more about how we work in Europe to ensure that digital markets are fair, offer users choice and respect fundamental rights.

Paige Collings

Crimson Memo: Analyzing the Privacy Impact of Xianghongshu AKA Red Note

21 hours 22 minutes ago

Early in January 2025 it seemed like TikTok was on the verge of being banned by the U.S. government. In reaction to this imminent ban, several million people in the United States signed up for a different China-based social network known in the U.S. as RedNote, and in China as Xianghongshu (小红书/ 小紅書; which translates to Little Red Book). 

RedNote is an application and social network created in 2013 that currently has over 300 million users. Feature-wise, it is most comparable to Instagram and is primarily used for sharing pictures, videos, and shopping. The vast majority of its users live in China, are born after 1990, and are women. Even before the influx of new users in January, RedNote has historically had many users outside of China, primarily people from the Chinese diaspora who have friends and relatives on the network. RedNote is largely funded by two major Chinese tech corporations: Tencent and Alibaba. 

When millions of U.S. based users started flocking to the application, the traditional rounds of pearl clutching and concern trolling began. Many people raised the alarm about U.S. users entrusting their data with a Chinese company, and it is implied, the Chinese Communist Party. The reaction from U.S. users was an understandable, if unfortunate, bit of privacy nihilism. People responded that they, “didn’t care if someone in China was getting their data since US companies such as Meta and Google had already stolen their data anyway.” “What is the difference,” people argued, “between Meta having my data and someone in China? How does this affect me in any way?”

Even if you don’t care about giving China your data, it is not safe to use any application that doesn’t use encryption by default. 

Last week, The Citizen Lab at The Munk School Of Global Affairs, University of Toronto, released a report authored by Mona Wang, Jeffrey Knockel, and Irene Poetranto which highlights three serious security issues in the RedNote app. The most concerning finding from Citizen Lab is a revelation that RedNote retrieves uploaded user content over plaintext http. This means that anyone else on your network, at your internet service provider, or organizations like the NSA, can see everything you look at and upload to RedNote. Moreover someone could intercept that request and replace it with their own media or even an exploit to install malware on your device. 

In light of this report the EFF Threat Lab decided to confirm the CItizen Lab findings and do some additional privacy investigation of RedNote. We used static analysis techniques for our investigation, including manual static analysis of decompiled source code, and automated scanners including MobSF and Exodus Privacy. We only analyzed Version 8.59.5 of RedNote for Android downloaded from the website APK Pure.

EFF has independently confirmed the finding that Red Note retrieves posted content over plaintext http. Due to this lack of even basic transport layer encryption we don’t think this application is safe for anyone to use. Even if you don’t care about giving China your data, it is not safe to use any application that doesn’t use encryption by default. 

Citizen Lab researchers also found that users’ file contents are readable by network attackers. We were able to confirm that RedNote encrypts several sensitive files with static keys which are present in the app and the same across all installations of the app, meaning anyone who was able to retrieve those keys from a decompiled version of the app could decrypt these sensitive files for any user of the application. The Citizen Lab report also found a vulnerability where an attacker could identify the contents of any file readable by the application. This was out of scope for us to test but we find no reason to doubt this claim. 

The third major finding by Citizen Lab was that RedNote transmits device metadata in a way that can be eavesdropped on by network attackers, sometimes without encryption at all, and sometimes in a way vulnerable to a machine-in-the middle attack. We can confirm that RedNote does not validate HTTPS certificates properly. Testing this vulnerability was out of scope for EFF, but we find no reason to doubt this claim. 

Permissions and Trackers

EFF performed further analysis of the permissions and trackers requested by RedNote. Our findings indicate two other potential privacy issues with the application. 

RedNote requests some very sensitive permissions, including location information, even when the app is not running in the foreground. This permission is not requested by other similar apps such as TikTok, Facebook, or Instagram. 

We also found, using an online scanner for tracking software called Exodus Privacy, that RedNote is not a platform which will protect its users from U.S.-based surveillance capitalism. In addition to sharing userdata with the Chinese companies Tencent and ByteDance, it also shares user data with Facebook and Google. 

Other Issues 

RedNote contains functionality to update its own code after it’s downloaded from the Google Play store using an open source library called APK Patch. This could be used to inject malicious code into the application after it has been downloaded without such code being revealed in automated scans meant to protect against malicious applications being uploaded to official stores, like Google Play. 

Recommendations

Due to the lack of encryption we do not consider it safe for anyone to run this app. If you are going to use RedNote, we recommend doing so with the absolute minimum set of permissions necessary for the app to function (see our guides for iPhone and Android.) At least a part of this blame falls on Google. Android needs to stop allowing apps to make unencrypted requests at all. 

Due to the lack of encryption we do not consider it safe for anyone to run this app.

RedNote should immediately take steps to encrypt all traffic from their application and remove the permission for background location information. 

Users should also keep in mind that RedNote is not a platform which values free speech. It’s a heavily censored application where topics such as political speech, drugs and addiction, and sexuality are more tightly controlled than similar social networks. 

Since it shares data with Facebook and Google ad networks, RedNote users should also keep in mind that it’s not a platform that protects you from U.S.-based surveillance capitalism.

The willingness of users to so quickly move to RedNote also highlights the fact that people are hungry for platforms that aren't controlled by the same few American tech oligarchs. People will happily jump to another platform even if it presents new, unknown risks; or is controlled by foreign tech oligarchs such as Tencent and Alibaba.

However, federal bans of such applications are not the correct answer. When bans are targeted at specific platforms such as TikTok, Deepseek, and RedNote rather than privacy-invasive practices such as sharing sensitive details with surveillance advertising platforms, users who cannot participate on the banned platform may still have their privacy violated when they flock to other platforms. The real solution to the potential privacy harms of apps like RedNote is to ensure (through technology, regulation, and law) that people’s sensitive information isn’t entered into the surveillance capitalist data stream in the first place.

We need a federal, comprehensive, consumer-focused privacy law. Our government is failing to address the fundamental harms of privacy-invading social media. Implementing xenophobic, free-speech infringing policy is having the unintended consequence of driving folks to platforms with even more aggressive censorship. This outcome was foreseeable. Rather than a knee-jerk reaction banning the latest perceived threat, these issues could have been avoided by addressing privacy harms at the source and enacting strong consumer-protection laws. 

Figure 1. Permissions requested by RedNote



Permission

Description

android.permission.ACCESS_BACKGROUND_LOCATION

This app can access location at any time, even while the app is not in use.

android.permission.ACCESS_COARSE_LOCATION

This app can get your approximate location from location services while the app is in use. Location services for your device must be turned on for the app to get location.

android.permission.ACCESS_FINE_LOCATION

This app can get your precise location from location services while the app is in use. Location services for your device must be turned on for the app to get location. This may increase battery usage.

android.permission.ACCESS_MEDIA_LOCATION

Allows the app to read locations from your media collection.

android.permission.ACCESS_NETWORK_STATE

Allows the app to view information about network connections such as which networks exist and are connected.

android.permission.ACCESS_WIFI_STATE

Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.

android.permission.AUTHENTICATE_ACCOUNTS

Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.

android.permission.BLUETOOTH

Allows the app to view the configuration of the Bluetooth on the phone, and to make and accept connections with paired devices.

android.permission.BLUETOOTH_ADMIN

Allows the app to configure the local Bluetooth phone, and to discover and pair with remote devices.

android.permission.BLUETOOTH_CONNECT

Allows the app to connect to paired Bluetooth devices

android.permission.CAMERA

This app can take pictures and record videos using the camera while the app is in use.

android.permission.CHANGE_NETWORK_STATE

Allows the app to change the state of network connectivity.

android.permission.CHANGE_WIFI_STATE

Allows the app to connect to and disconnect from Wi-Fi access points and to make changes to device configuration for Wi-Fi networks.

android.permission.EXPAND_STATUS_BAR

Allows the app to expand or collapse the status bar.

android.permission.FLASHLIGHT

Allows the app to control the flashlight.

android.permission.FOREGROUND_SERVICE

Allows the app to make use of foreground services.

android.permission.FOREGROUND_SERVICE_DATA_SYNC

Allows the app to make use of foreground services with the type dataSync

android.permission.FOREGROUND_SERVICE_LOCATION

Allows the app to make use of foreground services with the type location

android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK

Allows the app to make use of foreground services with the type mediaPlayback

android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION

Allows the app to make use of foreground services with the type mediaProjection

android.permission.FOREGROUND_SERVICE_MICROPHONE

Allows the app to make use of foreground services with the type microphone

android.permission.GET_ACCOUNTS

Allows the app to get the list of accounts known by the phone. This may include any accounts created by applications you have installed.

android.permission.INTERNET

Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.

android.permission.MANAGE_ACCOUNTS

Allows the app to perform operations like adding and removing accounts, and deleting their password.

android.permission.MANAGE_MEDIA_PROJECTION

Allows an application to manage media projection sessions. These sessions can provide applications the ability to capture display and audio contents. Should never be needed by normal apps.

android.permission.MODIFY_AUDIO_SETTINGS

Allows the app to modify global audio settings such as volume and which speaker is used for output.

android.permission.POST_NOTIFICATIONS

Allows the app to show notifications

android.permission.READ_CALENDAR

This app can read all calendar events stored on your phone and share or save your calendar data.

android.permission.READ_CONTACTS

Allows the app to read data about your contacts stored on your phone. Apps will also have access to the accounts on your phone that have created contacts. This may include accounts created by apps you have installed. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.

android.permission.READ_EXTERNAL_STORAGE

Allows the app to read the contents of your shared storage.

android.permission.READ_MEDIA_AUDIO

Allows the app to read audio files from your shared storage.

android.permission.READ_MEDIA_IMAGES

Allows the app to read image files from your shared storage.

android.permission.READ_MEDIA_VIDEO

Allows the app to read video files from your shared storage.

android.permission.READ_PHONE_STATE

Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

android.permission.READ_SYNC_SETTINGS

Allows the app to read the sync settings for an account. For example, this can determine whether the People app is synced with an account.

android.permission.RECEIVE_BOOT_COMPLETED

Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the phone and allow the app to slow down the overall phone by always running.

android.permission.RECEIVE_USER_PRESENT

Unknown permission from android reference

android.permission.RECORD_AUDIO

This app can record audio using the microphone while the app is in use.

android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Allows an app to ask for permission to ignore battery optimizations for that app.

android.permission.REQUEST_INSTALL_PACKAGES

Allows an application to request installation of packages.

android.permission.SCHEDULE_EXACT_ALARM

This app can schedule work to happen at a desired time in the future. This also means that the app can run when youu2019re not actively using the device.

android.permission.SYSTEM_ALERT_WINDOW

This app can appear on top of other apps or other parts of the screen. This may interfere with normal app usage and change the way that other apps appear.

android.permission.USE_CREDENTIALS

Allows the app to request authentication tokens.

android.permission.VIBRATE

Allows the app to control the vibrator.

android.permission.WAKE_LOCK

Allows the app to prevent the phone from going to sleep.

android.permission.WRITE_CALENDAR

This app can add, remove, or change calendar events on your phone. This app can send messages that may appear to come from calendar owners, or change events without notifying their owners.

android.permission.WRITE_CLIPBOARD_SERVICE

Unknown permission from android reference

android.permission.WRITE_EXTERNAL_STORAGE

Allows the app to write the contents of your shared storage.

android.permission.WRITE_SETTINGS

Allows the app to modify the system's settings data. Malicious apps may corrupt your system's configuration.

android.permission.WRITE_SYNC_SETTINGS

Allows an app to modify the sync settings for an account. For example, this can be used to enable sync of the People app with an account.

cn.org.ifaa.permission.USE_IFAA_MANAGER

Unknown permission from android reference

com.android.launcher.permission.INSTALL_SHORTCUT

Allows an application to add Homescreen shortcuts without user intervention.

com.android.launcher.permission.READ_SETTINGS

Unknown permission from android reference

com.asus.msa.SupplementaryDID.ACCESS

Unknown permission from android reference

com.coloros.mcs.permission.RECIEVE_MCS_MESSAGE

Unknown permission from android reference

com.google.android.gms.permission.AD_ID

Unknown permission from android reference

com.hihonor.push.permission.READ_PUSH_NOTIFICATION_INFO

Unknown permission from android reference

com.hihonor.security.permission.ACCESS_THREAT_DETECTION

Unknown permission from android reference

com.huawei.android.launcher.permission.CHANGE_BADGE

Unknown permission from android reference

com.huawei.android.launcher.permission.READ_SETTINGS

Unknown permission from android reference

com.huawei.android.launcher.permission.WRITE_SETTINGS

Unknown permission from android reference

com.huawei.appmarket.service.commondata.permission.GET_COMMON_DATA

Unknown permission from android reference

com.huawei.meetime.CAAS_SHARE_SERVICE

Unknown permission from android reference

com.meizu.c2dm.permission.RECEIVE

Unknown permission from android reference

com.meizu.flyme.push.permission.RECEIVE

Unknown permission from android reference

com.miui.home.launcher.permission.INSTALL_WIDGET

Unknown permission from android reference

com.open.gallery.smart.Provider

Unknown permission from android reference

com.oplus.metis.factdata.permission.DATABASE

Unknown permission from android reference

com.oplus.permission.safe.AI_APP

Unknown permission from android reference

com.vivo.identifier.permission.OAID_STATE_DIALOG

Unknown permission from android reference

com.vivo.notification.permission.BADGE_ICON

Unknown permission from android reference

com.xiaomi.dist.permission.ACCESS_APP_HANDOFF

Unknown permission from android reference

com.xiaomi.dist.permission.ACCESS_APP_META

Unknown permission from android reference

com.xiaomi.security.permission.ACCESS_XSOF

Unknown permission from android reference

com.xingin.xhs.permission.C2D_MESSAGE

Unknown permission from android reference

com.xingin.xhs.permission.JOPERATE_MESSAGE

Unknown permission from android reference

com.xingin.xhs.permission.JPUSH_MESSAGE

Unknown permission from android reference

com.xingin.xhs.permission.MIPUSH_RECEIVE

Unknown permission from android reference

com.xingin.xhs.permission.PROCESS_PUSH_MSG

Unknown permission from android reference

com.xingin.xhs.permission.PUSH_PROVIDER

Unknown permission from android reference

com.xingin.xhs.push.permission.MESSAGE

Unknown permission from android reference

freemme.permission.msa

Unknown permission from android reference

freemme.permission.msa.SECURITY_ACCESS

Unknown permission from android reference

getui.permission.GetuiService.com.xingin.xhs

Unknown permission from android reference

ohos.permission.ACCESS_SEARCH_SERVICE

Unknown permission from android reference

oplus.permission.settings.LAUNCH_FOR_EXPORT

Unknown permission from android reference

Cooper Quintin

Alaa Abd El Fattah's Mother, Laila Soueif, Calls on UK Government to Help as She Continues Hunger Strike

5 days 11 hours ago

As calls by UK’s top leaders for the release of British-Egyptian blogger, coder, and activist Alaa Abd El-Fattah from prison in Cairo continue, Alaa’s mother, math professor Laila Soueif, grows weaker four months into a hunger strike she began in September to keep attention focused on her son and protest the lack of progress in obtaining his release.  

She has consumed only water, coffee, tea and rehydration salts for more than 135 days. She is 68 years old, and her condition is becoming dire. 

It's a shocking and unacceptable situation for Alaa’s family and his many supporters around the world. They continue to get the runaround from the British government about its efforts to get him released. The prime minister and foreign secretary, the key players in the drive to secure Alaa’s release, have expressed support for Alaa and dealt directly with Egypt’s highest authorities on his behalf. But Alaa’s family has received scant information about those discussions.  

What we do know is that Prime Minister Keir Starmer spoke directly to Egyptian President Abdel Fattah al-Sisi about Alaa during a phone call last summer and in December, but did not raise the issue when the two met at the G20 summit in November. Starmer told  Soueif in a January 29 letter (he has so far declined to meet with her) that he is committed to pushing Egypt to release him. “I believe progress is possible, but it will take time,” he said. 

"I don't have time, Soueif told Agence France-Presse.

Likewise, Foreign Secretary David Lammy said in January that he met with Egypt’s foreign minister in Saudi Arabia and has made securing Alaa’s release his number one priority. He spoke to his Egyptian counterpart, Badr Abdel Aty, again while in Cairo. Meanwhile, the government sent a strong message in its periodic review of Egypt before the UN Human Rights Council, saying freeing Alaa was its foremost recommendation and calling his detention “unacceptable.” 

Yet, there have been no signs that the Egyptian government will free Alaa. He remains in a maximum-security prison outside of Cairo. He has spent the better part of the last 10 years behind bars, unjustly charged for supporting online free speech and privacy for Egyptians and people across the Middle East and North Africa. The Egyptian government’s treatment of Alaa, a prominent global voice during the Arab Spring, is a travesty. 

“I don’t have time,” Soueif told Agence France-Presse.  

“We’ve been in this endless loop of imprisonment for almost 10 years,” Soueif told Middle East Eye in explaining why she went on a hunger strike. “I couldn't allow this to go on any further, and there was no reason to believe that if we waited a bit more, he'd come out.” 

Alaa should have been released on September 29, after serving his five-year sentence for sharing a Facebook post about a death in police custody, but Egyptian authorities have continued his imprisonment in contravention of the country’s own Criminal Procedure Code.  

Journalism and former foreign correspondent Peter Greste, who befriended Alaa 11 years ago when the two were locked up in the same prison—Greste on terrorism charges for his reporting—joined Soueif in a 21-day hunger strike to show his solidarity. “This injustice has gone on far too long,” he said.  

Others continue to press for Alaa’s release. This week a group of prominent Egyptian public figures called on President al-Sisi to release Alaa, citing among other things Soueif’s declining health. Allowing Alaa to get out of prison would not merely be a humanitarian response, but “a strategic decision that would foster a more conciliatory political climate,” they said.  

EFF and six international partner organizations in December called on Starmer to take immediate action to secure Alaa’s release. We told him that Alaa’s case is a litmus test of the UK’s commitment to human rights. Soueif’s future, and Alaa’s, rests in the UK government’s hands, and it must act now. Starmer needs to pick up the phone and call al-Sisi.  

If you’re based in the UK, here are some actions you can take to support the calls for Alaa’s release:

  1. Write to your MP (external link): https://freealaa.net/message-mp  
  1. Join Laila Soueif outside the Foreign Office in London daily between 10-11am 
  1. Share Alaa’s plight on social media using the hashtag #freealaa 

 

 

 

Karen Gullo

First Trump DOJ Assembled “Tiger Team” To Rewrite Key Law Protecting Online Speech

6 days 3 hours ago

As President Donald Trump issued an Executive Order in 2020 to retaliate against online services that fact-checked him, a team within the Department of Justice (DOJ) was finalizing a proposal to substantially weaken a key law that protects internet users’ speech.

Documents released to EFF as part of a Freedom of Information Act (FOIA) suit reveal that the DOJ officials—a self-described “Tiger Team”—were caught off guard by Trump’s retaliatory effort, which was aimed at the same online social services they wanted to regulate further by amending 47 U.S.C. § 230 (Section 230).

Section 230 protects users’ online speech by protecting the online intermediaries we all rely on to communicate on blogs, social media platforms, and educational and cultural platforms like Wikipedia and the Internet Archive. Section 230 embodies that principle that we should all be responsible for our own actions and statements online, but generally not those of others. The law prevents most civil suits against users or services that are based on what others say.

The correspondence among DOJ officials shows that the group delayed unveiling the agency’s official plans to amend Section 230 in light of Trump’s executive order, which was challenged on First Amendment grounds and later rescinded by President Joe Biden. EFF represented the groups who challenged Trump’s Executive Order and filed two FOIA suits for records about the administration’s implementation of the order.

In the most recent FOIA case, the DOJ has been slowly releasing records detailing its work to propose amendments to Section 230, which predated Trump’s Executive Order. The DOJ released the text of its proposed amendments to Section 230 in September 2020, and the proposal would have substantially narrowed the law’s protections.

For example, the DOJ’s proposal would have allowed federal civil suits and state and federal criminal prosecutions against online services if they learned that users’ content broke the law. It also would have established notice-and-takedown liability for user-generated content that was deemed to be illegal. Together, these provisions would likely result in online services screening and removing a host of legal content, based on a fear that any questionable material might trigger liability later.

The DOJ’s proposal had a distinct emphasis on imposing liability on services should they have hosted illegal content posted by their users. That focus was likely the result of the team DOJ assembled to work on the proposal, which included officials from the agency’s cybercrime division and the FBI.

The documents also show that DOJ officials met with attorneys who brought lawsuits against online services to get their perspective on Section 230. This is not surprising, as the DOJ had been meeting with multiple groups throughout 2020 while it prepared a report about Section 230.

EFF’s FOIA suit is ongoing, as the DOJ has said that it still has thousands of potential pages to review and possibly release. Although these documents reflect DOJ’s activity from Trump’s first term, they are increasingly relevant as the administration appoints officials who have previously threatened online intermediaries for exercising their own First Amendment rights. EFF will continue to publish all documents released in this FOIA suit and push back on attempts to undermine internet users’ rights to speak online.

Aaron Mackey

Google is on the Wrong Side of History

6 days 5 hours ago

Google continues to show us why it chose to abandon its old motto of “Don’t Be Evil,” as it becomes more and more enmeshed with the military-industrial complex. Most recently, Google has removed four key points from its AI principles. Specifically, it previously read that the company would not pursue AI applications involving (1) weapons, (2) surveillance, (3) technologies that “cause or are likely to cause overall harm,” and (4) technologies whose purpose contravenes widely accepted principles of international law and  human rights.

Those principles are gone now.

In its place, the company has written that “democracies” should lead in AI development and companies should work together with governments “to create AI that protects people, promotes global growth, and supports national security.” This could mean that the provider of the world’s largest search engine–the tool most people use to uncover the best apple pie recipes and to find out what time their favorite coffee shop closes–could be in the business of creating AI-based weapons systems and leveraging its considerable computing power for surveillance.

This troubling decision to potentially profit from high-tech warfare, which could have serious consequences for real lives and real people comes after criticism from EFF, human rights activists, and other international groups. Despite its pledges and vocal commitment to human rights, Google has faced criticism for its involvement in Project Nimbus, which provides advanced cloud and AI capabilities to the Israeli government, tools that an increasing number of credible reports suggest are being used to target civilians under pervasive surveillance in the Occupied Palestinian Territories. EFF said in 2024, “When a company makes a promise, the public should be able to rely on it.” Rather than fully living up to its previous human rights commitments, it seems Google has shifted its priorities.

Google is a company valued at $2.343 trillion that has global infrastructure and a massive legal department and appears to be leaning into the current anti-humanitarian moment. The fifth largest company in the world seems to have chosen to make the few extra bucks (relative to the company’s earnings and net worth) that will come from mass surveillance tools and AI-enhanced weapons systems.

And of course we can tell why. With government money flying out the door toward defense contractors, surveillance technology companies, and other national security and policing related vendors, the legacy companies who swallow up all of that data don’t want to miss out on the feeding frenzy. With $1 billion contracts on the table even for smaller companies promising AI-enhanced tech, it looks like Google is willing to throw its lot in with the herd.

In addition to Google and Amazon’s involvement with Project Nimbus, which involved both cloud storage for the large amounts of data collected from mass surveillance and analysis of that data, there are many other scenarios and products on the market that could raise concerns. AI could be used to power autonomous weapons systems which decide when and if to pull the trigger or drop a bomb. Targeting software can mean physically aiming weapons at people identified by geolocation or by other types of machine learning like face recognition or other biometric technology. AI could also be used to sift through massive amounts of intelligence, including intercepted communications or publicly available information from social media and the internet in order to assemble lists of people to be targeted by militaries.

Whether autonomous AI-based weapons systems and surveillance are controlled by totalitarian states or states that meet Google’s definition of “democracy”, is of little comfort to the people who could be targeted, spied on, or killed in error by AI technology which is prone to mistakes. AI cannot be accountable for its actions. If we, the public, are able to navigate the corporate, government, and national security secrecy to learn of these flaws, companies will fall on a playbook we’ve seen before: tinkering with the algorithms and declaring the problem solved.

We urge Google, and all of the companies that will follow in its wake, to reverse course. In the meantime, users will have to decide who deserves their business. As the company’s most successful product, its search engine, is faltering, that decision gets easier and easier.

Matthew Guariglia

Yes, You Have the Right to Film ICE

1 week ago

Across the United States, Immigration and Customs Enforcement (ICE) has already begun increasing enforcement operations, including highly publicized raids. As immigrant communities, families, allies, and activists think about what can be done to shift policy and protect people, one thing is certain: similar to filming the police as they operate, you have the right to film ICE, as long as you are not obstructing official duties.

Filming ICE agents making an arrest or amassing in your town helps promote transparency and accountability for a system that often relies on intimidation and secrecy and obscures abuse and law-breaking

While it is crucial for people to help aid in transparency and accountability, there are considerations and precautions you should take. For an in-depth guide by organizations on the frontlines of informing people who wish to record ICE’s interactions with the public, review these handy resources from the hard-working folks at WITNESS and NYCLU

At EFF, here are our general guidelines when it comes to filming law enforcement, including ICE: 

What to Know When Recording Law Enforcement

  • You have the right to record law enforcement officers exercising their official duties in public.
  • Stay calm and courteous.
  • Do not interfere with law enforcement. If you are a bystander, stand at a safe distance from the scene that you are recording.
  • You may take photos or record video and/or audio.
  • Law enforcement cannot order you to move because you are recording, but they may order you to move for public safety reasons even if you are recording.
  • Law enforcement may not search your cell phone or other device without a warrant based on probable cause from a judge, even if you are under arrest. Thus, you may refuse a request from an officer to review or delete what you recorded. You also may refuse to unlock your phone or provide your passcode.
  • Despite reasonably exercising your First Amendment rights, law enforcement officers may illegally retaliate against you in a number of ways including with arrest, destruction of your device, and bodily harm. They may also try to retaliate by harming the person being arrested. We urge you to remain alert and mindful about this possibility.
  • Consider the sensitive nature of recording in the context of an ICE arrest. The person being arrested or their loved ones may be concerned about exposing their immigration status, so think about obtaining consent or blurring out faces in any version you publish to focus on ICE’s conduct (while still retaining the original video).
Your First Amendment Right to Record Law Enforcement Officers Exercising Their Official Duties in Public

You have a First Amendment right to record law enforcement, which federal courts and the Justice Department have recognized and affirmed. Although the Supreme Court has not squarely ruled on the issue, there is a long line of First Amendment case law from the high court that supports the right to record law enforcement. And federal appellate courts in the First, Third, Fourth, Fifth, Seventh, Eighth, Ninth, Tenth, and Eleventh Circuits have directly upheld this right. EFF has advocated for this right in many amicus briefs.

Federal appellate courts typically frame the right to record law enforcement as the right to record officers exercising their official duties in public. This right extends to private places, too, where the recorder has a legal right to be, such as in their own home. However, if the law enforcement officer is off-duty or is in a private space that you don’t have a right to be in, your right to record the officer may be limited. 

Special Considerations for Recording Audio

The right to record law enforcement unequivocally includes the right to take pictures and record video. There is an added legal wrinkle when recording audio—whether with or without video. Some law enforcement officers have argued that recording audio without their consent violates wiretap laws. Courts have generally rejected this argument. The Seventh Circuit, for example, held that the Illinois wiretap statute violated the First Amendment as applied to audio recording on-duty police.

There are two kinds of wiretaps laws: those that require “all parties” to a conversation to consent to audio recording (12 states), and those that only require “one party” to consent (38 states, the District of Columbia, and the federal statute). Thus, if you’re in a one-party consent state, and you’re involved in an incident with law enforcement (that is, you’re a party to the conversation) and you want to record audio of that interaction, you are the one party consenting to the recording and you don’t also need the law enforcement officer’s consent. If you’re in an all-party consent state, and your cell phone or recording device is in plain view, your open audio recording puts the officer on notice and thus their consent might be implied.

Additionally, wiretap laws in both all-party consent states and one-party consent states typically only prohibit audio recording of private conversations—that is, when the parties to the conversation have a reasonable expectation of privacy. Law enforcement officers exercising their official duties, particularly in public, do not have a reasonable expectation of privacy. Neither do civilians in public places who speak to law enforcement in a manner audible to passersby. Thus, if you’re a bystander, you may legally audio record an officer’s interaction with another person, regardless of whether you’re in a state with an all-party or one-party consent wiretap statute. However, you should take into consideration that ICE arrests may expose the immigration status of the person being arrested or their loved ones. As WITNESS puts it: “[I]t’s important to keep in mind the privacy and dignity of the person being targeted by law enforcement. They may not want to be recorded or have the video shared publicly. When possible, make eye contact or communicate with the person being detained to let them know that you are there to observe and document the cops’ behavior. Always respect their wishes if they ask you to stop filming.” You may also want to consider blurring faces to focus on ICE’s conduct if you publish the video online (while still retaining the original version)

Moreover, whether you may secretly record law enforcement (whether with photos, video or audio) is important to understand, given that officers may retaliate against individuals who openly record them. At least one federal appellate court, the First Circuit, has affirmed the First Amendment right to secretly audio record law enforcement performing their official duties in public. On the other hand, the Ninth Circuit recently upheld Oregon’s law that generally bans secret recordings of in-person conversations without all participants’ consent, and only allows recordings of conversations where police officers are participants if “[t]he recording is made openly and in plain view of the participants in the conversation.” Unless you are within the jurisdiction of the First Circuit (Maine, Massachusetts, New Hampshire, Puerto Rico and Rhode Island), it’s probably best to have your recording device in plain view of police officers.

Do Not Interfere With Law Enforcement

While the weight of legal authority provides that individuals have a First Amendment right to record law enforcement, courts have also stated one important caveat: you may not interfere with officers doing their jobs.

The Seventh Circuit, for example, said, “Nothing we have said here immunizes behavior that obstructs or interferes with effective law enforcement or the protection of public safety.” The court further stated, “While an officer surely cannot issue a ‘move on’ order to a person because he is recording, the police may order bystanders to disperse for reasons related to public safety and order and other legitimate law enforcement needs.”

Transparency is Vital

While a large number of deportations is a constant in the U.S. regardless of who is president or which party is in power, the current administration appears to be intentionally making ICE visible in cities and carrying out flashy raids to sow fear within immigrant communities. Specifically, there are concerns that this administration is targeting people already under government supervision while awaiting their day in court. Bearing witness and documenting the presence and actions of ICE in your communities and neighborhoods is important. You have rights, and one of them is your First Amendment-protected right to film law enforcement officers, including ICE agents.

Just because you have the right, however, does not mean law enforcement will always acknowledge and uphold your right in that moment. Be safe and be alert. If you have reason to think your devices might be seized or you may run the risk of putting yourself under surveillance, make sure to check out our Surveillance Self-Defense guides and our field guide to identifying and understanding the surveillance tools law enforcement may employ.

Saira Hussain

When Platforms and the Government Unite, Remember What’s Private and What Isn’t

1 week ago

For years now, there has been some concern about the coziness between technology companies and the government. Whether a company complies with casual government requests for data, requires a warrant, or even fights overly-broad warrants has been a canary in the digital coal mine during an era where companies may know more about you than your best friends and families. For example, in 2022, law enforcement served a warrant to Facebook for the messages of a 17-year-old girl—messages that were later used as evidence in a criminal trial that the teenager had received an abortion. In 2023, after a four year wait since announcing its plans, Facebook encrypted its messaging system so that the company no longer had access to the content of those communications.

The privacy of messages and the relationship between companies and the government have real-world consequences. That is why a new era of symbiosis between big tech companies and the U.S. government bodes poorly for both, our hopes that companies will be critical of requests for data, and any chance of tech regulations and consumer privacy legislation. But, this chumminess should also come with a heightened awareness for users: as companies and the government become more entwined through CEO friendships, bureaucratic entanglements, and ideological harmony, we should all be asking what online data is private and what is sitting on a company's servers and accessible to corporate leadership at the drop of hat.

Over many years, EFF has been pushing for users to switch to platforms that understand the value of encrypting data. We have also been pushing platforms to make end-to-end encryption for online communications and for your stored sensitive data the norm. This type of encryption helps ensure that a conversation is private between you and the recipient, and not accessible to the platform that runs it or any other third-parties. Thanks to the combined efforts of our organization and dozens of other concerned groups, tech users, and public officials, we now have a lot of options for applications and platforms that take our privacy more seriously than in previous generations. But, in light of recent political developments it’s time for a refresher course: which platforms and applications have encrypted DMs, and which have access to your sensitive personal communications.

The existence of what a platform calls “end-to-end encryption” is not foolproof. It may be poorly implemented, lack widespread adoption to attract the attention of security researchers, lack the funding to pay for security audits, or use a less well-established encryption protocol that doesn’t have much public scrutiny. It also can’t protect against other sorts of threats, like someone gaining access to your device or screenshotting a conversation. Being caught using certain apps can itself be dangerous in some cases. And it takes more than just a basic implementation to resist a targeted active attack, as opposed to later collection. But it’s still the best way we currently have to ensure our digital conversations are as private as possible. And more than anything, it needs to be something you and the people you speak with will actually use, so features can be an important consideration.

No platform provides a perfect mix of security features for everyone, but understanding the options can help you start figuring out the right choices. When it comes to popular social media platforms, Facebook Messenger uses end-to-end encryption on private chats by default (this feature is optional in group chats on Messenger, and on some of the company’s other offerings, like Instagram). Other companies, like X, offer optional end-to-end encryption, with caveats, such as only being available to users who pay for verification. Then there’s platforms like Snapchat, which have given talks about their end-to-end encryption in the past, but don’t provide further details about its current implementations. Other platforms, like Bluesky, Mastodon, and TikTok, do not offer end-to-end encryption in direct messages, which means those conversations could be accessible to the companies that run the platforms or made available to law enforcement upon request.

As for apps more specifically designed around chat, there are more examples. Signal offers end-to-end encryption for text messages and voice calls by default with no extra setup on your part, and collects less metadata than other options. Metadata can reveal information such as who you are talking with and when, or your location, which in some cases may be all law enforcement needs. WhatsApp is also end-to-end encrypted. Apple’s Messages app is end-to-end encrypted, but only if everyone in the chat has an iPhone (blue bubbles). The same goes for Google Messages, which is end-to-end encrypted as long as everyone has set it up properly, which sometimes happens automatically.

Of course, we have a number of other communication tools at our disposal, like Zoom, Slack, Discord, Telegram, and more. Here, things continue to get complicated, with end-to-end encryption being an optional feature sometimes, like on Zoom or Telegram; available only for specific types of communication, like video and voice calls on Discord but not text conversations; or not being available at all, like with Slack. Many other options exist with varying feature-sets, so it’s always worth doing some research if you find something new. This does not mean you need to avoid these tools entirely, but knowing that your chats may be available to the platform, law enforcement, or an administrator is an important thing to consider when choosing what to say and when to say it. 

And for high-risk users, the story becomes even more complicated. Even on an encrypted platform, users can be subject to targeted machine-in-the middle attacks (also known as man-in-the middle attacks) unless everyone verifies each others’ keys. Most encrypted apps will let you do this manually, but some have started to implement automatic key verification, which is a security win. And encryption doesn’t matter if message backups are uploaded to the company’s servers unencrypted, so it’s important to either choose to not backup messages, or carefully set up encrypted backups on platforms that allow it. This is all before getting into the intricacies of how apps handle deleted and disappearing messages, or whether there’s a risk of being found with an encrypted app in the first place.

CEOs are not the beginning and the end of a company’s culture and concerns—but we should take their commitments and signaled priorities seriously. At a time when some companies may be cozying up to the parts of government with the power to surveil and marginalize, it might be an important choice to move our data and sensitive communications to different platforms. After all, even if you are not at specific risk of being targeted by the government, your removed participation on a platform sends a clear political message about what you value in a company. 

Thorin Klosowski

EFF Sues OPM, DOGE and Musk for Endangering the Privacy of Millions

1 week ago
Lawsuit Argues Defendants Violated the Privacy Act by Disclosing Sensitive Data

NEW YORK—EFF and a coalition of privacy defenders led by Lex Lumina filed a lawsuit today asking a federal court to stop the U.S. Office of Personnel Management (OPM) from disclosing millions of Americans’ private, sensitive information to Elon Musk and his “Department of Government Efficiency” (DOGE).

The complaint on behalf of two labor unions and individual current and former government workers across the country, filed in the U.S. District Court for the Southern District of New York, also asks that any data disclosed by OPM to DOGE so far be deleted.

The complaint by EFF, Lex Lumina LLP, State Democracy Defenders Fund, and The Chandra Law Firm argues that OPM and OPM Acting Director Charles Ezell illegally disclosed personnel records to Musk’s DOGE in violation of the federal Privacy Act of 1974. Last week, a federal judge temporarily blocked DOGE from accessing a critical Treasury payment system under a similar lawsuit.

This lawsuit’s plaintiffs are the American Federation of Government Employees AFL-CIO; the Association of Administrative Law Judges, International Federation of Professional and Technical Engineers Judicial Council 1 AFL-CIO; Vanessa Barrow, an employee of the Brooklyn Veterans Affairs Medical Center; George Jones, President of AFGE Local 2094 and a former employee of VA New York Harbor Healthcare; Deborah Toussant, a former federal employee; and Does 1-100, representing additional current or former federal workers or contractors.

As the federal government is the nation’s largest employer, the records held by OPM represent one of the largest collections of sensitive personal data in the country. In addition to personally identifiable information such as names, social security numbers, and demographic data, these records include work information like salaries and union activities; personal health records and information regarding life insurance and health benefits; financial information like death benefit designations and savings programs; and nondisclosure agreements; and information concerning family members and other third parties referenced in background checks and health records. OPM holds these records for tens of millions Americans, including current and former federal workers and those who have applied for federal jobs. OPM has a history of privacy violations—an OPM breach in 2015 exposed the personal information of 22.1 million people—and its recent actions make its systems less secure. 

With few exceptions, the Privacy Act limits the disclosure of federally maintained sensitive records on individuals without the consent of the individuals whose data is being shared. It protects all Americans from harms caused by government stockpiling of our personal data. This law was enacted in 1974, the last time Congress acted to limit the data collection and surveillance powers of an out-of-control President.

“The Privacy Act makes it unlawful for OPM Defendants to hand over access to OPM’s millions of personnel records to DOGE Defendants, who lack a lawful and legitimate need for such access,” the complaint says. “No exception to the Privacy Act covers DOGE Defendants’ access to records held by OPM. OPM Defendants’ action granting DOGE Defendants full, continuing, and ongoing access to OPM’s systems and files for an unspecified period means that tens of millions of federal-government employees, retirees, contractors, job applicants, and impacted family members and other third parties have no assurance that their information will receive the protection that federal law affords.” 

For more than 30 years, EFF has been a fierce advocate for digital privacy rights. In that time, EFF has been at the forefront of exposing government surveillance and invasions of privacy—such as forcing the release of hundreds of pages of documents about domestic surveillance under the Patriot Act—and enforcing existing privacy laws to protect ordinary Americans—such as in its ongoing lawsuit against Sacramento's public utility company for sharing customer data with police. 

For the complaint: https://www.eff.org/document/afge-v-opm-complaint

For more about the litigation: https://www.eff.org/deeplinks/2025/02/eff-sues-doge-and-office-personnel-management-halt-ransacking-federal-data

Contacts:
Electronic Frontier Foundation: press@eff.org
Lex Lumina LLP: Managing Partner Rhett Millsaps, rhett@lex-lumina.com

Josh Richman

The TAKE IT DOWN Act: A Flawed Attempt to Protect Victims That Will Lead to Censorship

1 week 1 day ago

Congress has begun debating the TAKE IT DOWN Act (S. 146), a bill that seeks to speed up the removal of a troubling type of online content: non-consensual intimate imagery, or NCII. In recent years, concerns have also grown about the use of digital tools to alter or create such images, sometimes called deepfakes.

While protecting victims of these heinous privacy invasions is a legitimate goal, good intentions alone are not enough to make good policy. As currently drafted, the TAKE IT DOWN Act mandates a notice-and-takedown system that threatens free expression, user privacy, and due process, without addressing the problem it claims to solve.

The Bill Will Lead To Overreach and Censorship

TAKE IT DOWN mandates that websites and other online services remove flagged content within 48 hours and requires “reasonable efforts” to identify and remove known copies. Although this provision is designed to allow NCII victims to remove this harmful content, its broad definitions and lack of safeguards will likely lead to people misusing the notice-and-takedown system to remove lawful speech.

The takedown provision applies to a much broader category of content—potentially any images involving intimate or sexual content—than the narrower NCII definitions found elsewhere in the bill. The takedown provision also lacks critical safeguards against frivolous or bad-faith takedown requests. Lawful content—including satire, journalism, and political speech—could be wrongly censored. The legislation’s tight time frame requires that apps and websites remove content within 48 hours, meaning that online service providers, particularly smaller ones, will have to comply so quickly to avoid legal risk that they won’t be able to verify claims. Instead, automated filters will be used to catch duplicates, but these systems are infamous for flagging legal content, from fair-use commentary to news reporting.

TAKE IT DOWN creates a far broader internet censorship regime than the Digital Millennium Copyright Act (DMCA), which has been widely abused to censor legitimate speech. But at least the DMCA has an anti-abuse provision and protects services from copyright claims should they comply. TAKE IT DOWN contains none of those minimal speech protections and essentially greenlights misuse of its takedown regime.

TAKE IT DOWN Threatens Encrypted Services

The online services that do the best job of protecting user privacy could also be under threat from Take It Down. While the bill exempts email services, it does not provide clear exemptions for private messaging apps, cloud storage, and other end-to-end encrypted (E2EE) services. Services that use end-to-end encryption, by design, are not able to access or view unencrypted user content.

How could such services comply with the takedown requests mandated in this bill? Platforms may respond by abandoning encryption entirely in order to be able to monitor content—turning private conversations into surveilled spaces.

In fact, victims of NCII often rely on encryption for safety—to communicate with advocates they trust, store evidence, or escape abusive situations. The bill’s failure to protect encrypted communications could harm the very people it claims to help.

Victims Of NCII Have Legal Options Under Existing Law

An array of criminal and civil laws already exist to address NCII. In addition to 48 states that have specific laws criminalizing the distribution of non-consensual pornography, there are defamation, harassment, and extortion statutes that can all be wielded against people abusing NCII. Since 2022, NCII victims have also been able to bring federal civil lawsuits against those who spread this harmful content.

As we explained in 2018:

If a deepfake is used for criminal purposes, then criminal laws will apply. If a deepfake is used to pressure someone to pay money to have it suppressed or destroyed, extortion laws would apply. For any situations in which deepfakes were used to harass, harassment laws apply. There is no need to make new, specific laws about deepfakes in either of these situations.


In many cases, civil claims could also be brought against those distributing the images under causes of action like False Light invasion of privacy. False light claims commonly address photo manipulation, embellishment, and distortion, as well as deceptive uses of non-manipulated photos for illustrative purposes.

A false light plaintiff (such as a person harmed by NCII) must prove that a defendant (such as a person who uploaded NCII) published something that gives a false or misleading impression of the plaintiff in such a way to damage the plaintiff’s reputation or cause them great offense

Congress should focus on enforcing and improving these existing protections, rather than opting for a broad takedown regime that is bound to be abused. Private platforms can play a part as well, improving reporting and evidence collection systems. 

Joe Mullin

EFF Sues DOGE and the Office of Personnel Management to Halt Ransacking of Federal Data

1 week 1 day ago

EFF and a coalition of privacy defenders have filed a lawsuit today asking a federal court to block Elon Musk’s Department of Government Efficiency (DOGE) from accessing the private information of millions of Americans that is stored by the Office of Personnel Management (OPM), and to delete any data that has been collected or removed from databases thus far. The lawsuit also names OPM, and asks the court to block OPM from sharing further data with DOGE.

The Plaintiffs who have stepped forward to bring this lawsuit include individual federal employees as well as multiple employee unions, including the American Federation of Government Employees and the Association of Administrative Law Judges.

This brazen ransacking of Americans’ sensitive data is unheard of in scale. With our co-counsel Lex Lumina, State Democracy Defenders Fund, and the Chandra Law Firm, we represent current and former federal employees whose privacy has been violated. We are asking the court for a temporary restraining order to immediately cease this dangerous and illegal intrusion. This massive trove of information includes private demographic data and work histories of essentially all current and former federal employees and contractors as well as federal job applicants. Access is restricted by the federal Privacy Act of 1974. Last week, a federal judge temporarily blocked DOGE from accessing a critical Treasury payment system under a similar lawsuit

The mishandling of this information could lead to such significant and varied abuses that they are impossible to detail. 

What’s in OPM’s Databases?

The data housed by OPM is extraordinarily sensitive for several reasons. The federal government is the nation’s largest employer, and OPM’s records are one of the largest, if not the largest, collection of employee data in the country. In addition to personally identifiable information such as names, social security numbers, and demographics, it includes work experience, union activities, salaries, performance, and demotions; health information like life insurance and health benefits; financial information like death benefit designations and savings programs; and classified information nondisclosure agreements. It holds records for millions of federal workers and millions more Americans who have applied for federal jobs. 

The mishandling of this information could lead to such significant and varied abuses that they are impossible to detail. On its own, DOGE’s unchecked access puts the safety of all federal employees at risk of everything from privacy violations to political pressure to blackmail to targeted attacks. Last year, Elon Musk publicly disclosed the names of specific government employees whose jobs he claimed he would cut before he had access to the system. He has also targeted at least one former employee of Twitter. With unrestricted access to OPM data, and with his ownership of the social media platform X, federal employees are at serious risk.

And that’s just the danger from disclosure of the data on individuals. OPM’s records could give an overview of various functions of entire government agencies and branches. Regardless of intention, the law makes it clear that this data is carefully protected and cannot be shared indiscriminately.

In late January, OPM reportedly sent about two million federal employees its "Fork in the Road" form email introducing a “deferred resignation” program. This is a visible way in which the data could be used; OPMs databases contain the email addresses for every federal employee. 

How the Privacy Act Protects Americans’ Data

Under the Privacy Act of 1974, disclosure of government records about individuals generally requires the written consent of the individual whose data is being shared, with few exceptions

Congress passed the Privacy Act in response to a crisis of confidence in the government as a result of scandals including Watergate and the FBI’s Counter Intelligence Program (COINTELPRO). The Privacy Act, like the Foreign Intelligence Surveillance Act of 1978, was  created at a time when the government was compiling massive databases of records on ordinary citizens and had minimal restrictions on sharing them, often with erroneous  information and in some cases for retaliatory purposes

These protections were created the last time Congress rose to the occasion of limiting the surveillance powers of an out-of-control President.

Congress was also concerned with the potential for abuse presented by the increasing use of electronic records and the use of identifiers such as social security numbers, both of which made it easier to combine individual records housed by various agencies and to share that information. In addition to protecting our private data from disclosure to others, the Privacy Act, along with the Freedom of Information Act, also allows us to find out what information is stored about us by the government. The Privacy Act includes a private right of action, giving ordinary people the right to decide for themselves whether to bring a lawsuit to enforce their statutory privacy rights, rather than relying on government agencies or officials.

It is no coincidence that these protections were created the last time Congress rose to the occasion of limiting the surveillance powers of an out-of-control President. That was fifty years ago; the potential impact of leaking this government information, representing the private lives of millions, is now even more serious. DOGE and OPM are violating Americans’ most fundamental privacy rights at an almost unheard-of scale. 

OPM’s Data Has Been Under Assault Before

Ten years ago, OPM announced that it had been the target of two data breaches. Over twenty-million security clearance records—information on anyone who had undergone a federal employment background check, including their relatives and references—were reportedly stolen by state-sponsored attackers working for the Chinese government. At the time, it was considered one of the most potentially damaging breaches in government history. 

DOGE employees likely have access to significantly more data than this. Just as an example, the OPM databases also include personal information for anyone who applied to a federal job through USAJobs.gov—24.5 million people last year. Make no mistake: this is, in many ways, a worse breach than what occurred in 2014. DOGE has access to ten more years of data; it likely includes what was breached before, as well as significantly more sensitive data. (This is not to mention that while DOGE has access to these databases, they reportedly have the ability to not only export records, but to add them, modify them, or delete them.) Every day that DOGE maintains its current level of access, more risks mount. 

EFF Fights for Privacy

EFF has fought to protect privacy for nearly thirty-five years at the local, state, and federal level, as well as around the world. 

We have been at the forefront of exposing government surveillance and invasions of privacy: In 2006, we sued AT&T on behalf of its customers for violating privacy law by collaborating with the NSA in the massive, illegal program to wiretap and data-mine Americans’ communications. We also filed suit against the NSA in 2008; both cases arose from surveillance that the U.S. government initiated in the aftermath of 9/11. In addition to leading or serving as co-counsel in lawsuits, such as in our ongoing case against Sacramento's public utility company for sharing customer data with police, EFF has filed amicus briefs in hundreds of cases to protect privacy, free speech, and creativity.

EFF’s fight for privacy spans advocacy and technology, as well: Our free browser extension, Privacy Badger, protects millions of individuals from invasive spying by third-party advertisers. Another browser extension, HTTPS Everywhere, alongside Certbot, a tool that makes it easy to install free HTTPS certificates for websites, helped secure the web, which has now largely switched from non-secure HTTP to the more secure HTTPS protocol. 

EFF is glad to join the brigade of lawsuits to protect this critical information. 

EFF also fights to improve privacy protections by advancing strong laws, such as the California Electronic Communications Privacy Act (CalECPA) in 2015, which requires state law enforcement to get a warrant before they can access electronic information about who we are, where we go, who we know, and what we do. We also have a long, successful history of pushing companies, as well, to protect user privacy, from Apple to Amazon

What’s Next

The question is not “what happens if this data falls into the wrong hands.” The data has already fallen into the wrong hands, according to the law, and it must be safeguarded immediately. Violations of Americans’ privacy have played out across multiple agencies, without oversight or safeguards, and EFF is glad to join the brigade of lawsuits to protect this critical information. Our case is fairly simple: OPM’s data is extraordinarily sensitive, OPM gave it to DOGE, and this violates the Privacy Act. We are asking the court to block any further data sharing and to demand that DOGE immediately destroy any and all copies of downloaded material. 

You can view the press release for this case here.

Related Cases: American Federation of Government Employees v. U.S. Office of Personnel Management
Jason Kelley

Building a Community Privacy Plan

1 week 1 day ago

Digital security training can feel overwhelming, and not everyone will have access to new apps, new devices, and new tools. There also isn't one single system of digital security training, and we can't know the security plans of everyone we communicate with—some people might have concerns about payment processors preventing them from obtaining fees for their online work, whilst others might be concerned about doxxing or safely communicating sensitive medical information. 

This is why good privacy decisions begin with proper knowledge about your situation and a community-oriented approach. To start, explore the following questions together with your friends and family, organizing groups, and others:

  1. What do we want to protect? This might include sensitive messages, intimate images, or information about where protests are organized.
  2. Who do we want to protect it from? For example, law enforcement or stalkers. 
  3. How much trouble are we willing to go through to try to prevent potential consequences? After all, convincing everyone to pivot to a different app when they like their current service might be tricky! 
  4. Who are our allies? Besides those who are collaborating with you throughout this process, it’s a good idea to identify others who are on your side. Because they’re likely to share the same threats you do, they can be a part of your protection plans. 

This might seem like a big task, so here are a few essentials:

Use Secure Messaging Services for Every Communication 

Private communication is a fundamental human right. In the online world, the best tool we have to defend this right is end-to-end encryption, ensuring that only the sender and recipient of any communication have access to the content. But this protection does not reach its full potential without others joining you in communicating on these platforms. 

Of the most common messaging apps, Signal provides the most extensive privacy protections through its use of end-to-end encryption, and is available for download across the globe. But we know it might not always be possible to encourage everyone in your network to transition away from their current services. There are alternatives, though. WhatsApp, one of the most popular communication platforms in the world, uses end-to-end encryption, but collects more metadata than Signal. Facebook Messenger now also provides end-to-end encryption by default in one-on-one direct messages. 

Specific privacy concerns remain with group chats. Facebook Messenger has not enabled end-to-end encryption for chats that include more than two people, and popular platforms like Slack and Discord similarly do not provide these protections. These services may appear more user-friendly in accommodating large numbers, but in the absence of real privacy protections, make sure you consider what is being communicated on these sites and use alternative messaging services when talking about sensitive topics.

As a service's user base gets larger and more diverse, it's less likely that simply downloading and using it will indicate anything about a particular user's activities. For example, the more people use Signal, the less those seeking reproductive health care or coordinating a protest would stand out by downloading it. So beyond protecting just your communications, you’re building up a user base that can protect others who use encrypted, secure services and give them the shield of a crowd. 

It also protects your messages from being available for law enforcement should they request it from the platforms you use. In choosing a platform that protects our privacy, we create a space from safety and authenticity away from government and corporate surveillance.  

For example, prosecutors in Nebraska used messages sent via Facebook Messenger (prior to the platform enabling end-to-end encryption by default) as evidence to charge a mother with three felonies and two misdemeanors for assisting her daughter with an abortion. Given that someone known to the family reported the incident to law enforcement, it’s unlikely using an end-to-end encrypted service would have prevented the arrest entirely, but it would have prevented the contents of personal messages turned over by Meta from being used as evidence in the case. 

Beyond this, it's important to know the privacy limitations of the platforms you communicate on. For example, while a secure messaging app might prevent government and corporate eavesdroppers from snooping on conversations, that doesn't stop someone you're communicating with from taking screenshots, or the government from attempting to compel you (or your contact) to turn over your messages yourselves. Secure messaging apps also don't protect when someone gets physical access to an unlocked phone with all those messages on it, which is why you may want to consider enabling disappearing message features for certain conversations.

Consider The Content You Post On Social Media 

We’re all interconnected in this digital age. Even without everyone having access to their own personal device or the internet, it is pretty difficult to completely opt out of the online. One person’s decision to upload a picture to a social media platform may impact another person without the second even knowing it, such as an association with a movement or a topic that you don’t want to be public knowledge. 

Talk with your friends about the potentially sensitive data you reveal about each other online. Even if you don’t have a social media account, or if you untag yourself from posts, friends can still unintentionally identify you, report your location, and make their connections to you public. This works in the offline world too, such as sharing precautions with organizers and fellow protesters when going to a demonstration, and discussing ahead of time how you can safely document and post the event online without exposing those in attendance to harm.

It’s important to carefully consider the tradeoffs between publicity and privacy when it comes to social media. If you’re promoting something important that needs greater reach, it may be more worth posting to the more popular platforms that undermine user privacy. To do so, it’s vital that you compartmentalize your personal information (registration credentials, post attribution, friends list, etc) away from these accounts.

If you are organising online or conversing on potentially sensitive issues, choose platforms that limit the amount of information collected and tracking undertaken. We know this is not always possible—perhaps people cannot access different applications, or might not have interest in downloading or using a different service. In this scenario, think about how you can protect your community on the platform you currently engage on. For example, if you currently use Facebook for organizing, work with others to keep your Facebook groups as private and secure as Facebook allows.

Think About Cloud Servers as Other People’s Computers  

For our online world to function, corporations use online servers (often referred to as the cloud) to store the mass amounts of data collected from our devices. When we back up our content to these cloud services, corporations may run automated tools to check the content being stored, including scanning all our messages, pictures, and videos. The best case scenario in the event of a false flag is that your account is temporarily blocked, but worst case could see your entire account deleted and/or legal action initiated for perceivably illegal content. 

For example, in 2021 a father took pictures of son’s groin area and sent these to a health care provider’s messaging service. Days later, his Google account was disabled because the photos constituted a “a severe violation of Google’s policies and might be illegal,” with an attached link flagging “child sexual abuse and exploitation” as one of the possible reasons. Despite the photos being taken for medical purposes, Google refused to reinstate the account, meaning that the father lost access to years of emails, pictures, account login details, and more. In a similar case, a father in Houston took photos of his child’s infected intimate parts to send to his wife via Google’s chat feature. Google refused to reinstate this account, too.

The adage goes, “there are no clouds, just other peoples’ computers.” It’s true! As countless discoveries over the years have revealed, the information you share on Slack at work is on Slack's computers and made accessible to your employer. So why not take extra care to choose whose computers you’re trusting with sensitive information? 

If it makes sense to back up your data onto encrypted thumb drives or limited cloud services that provide options for end-to-end encryption, then so be it. What’s most important is that you follow through with backing it up. And regularly!

Assign Team Roles

Adopting all of these best practices can be daunting, we get it. Every community is made up of people with different strengths, so with some consideration you can make smart decisions about who does what for the collective privacy and security. Once these tasks are broken down into smaller, more easily done tasks, it’s easier for a group to accomplish together. As familiarity with these tasks grows, you’ll realize you’re developing a team of experts, and after some time, you can teach each other.

Create Incident Response Plans

Developing a plan for if or when something bad happens is a good practice for anyone, but especially a community of people who face increased risk. Since many threats are social in nature, such as doxxing or networked harassment, it’s important to strategize with your allies around what to do in the event of such things happening. Doing so before an incident occurs is much easier than when you’re presently facing a crisis.

Only you and your allies can decide what belongs on such a plan, but some strategies might be: 

  • Isolating the impacted areas, such as shutting down social media accounts and turning off affected devices
  • Notifying others who may be affected
  • Switching communications to a predetermined more secure alternative
  • Noting behaviors of suspected threats and documenting these 
  • Outsourcing tasks to someone further from the affected circle who is already aware of this potential responsibility.

Everyone's security plans and situations will always be different, which is why we often say that security and privacy are a state of mind, not a purchase. But the first step is always taking a look at your community and figuring out what's needed and how to get everyone else on board.

Paige Collings

Privacy Loves Company

1 week 1 day ago

Most of the internet’s blessings—the opportunities for communities to connect despite physical borders and oppressive controls, the avenues to hold the powerful accountable without immediate censorship, the sharing of our hopes and frustrations with loved ones and strangers alike—tend to come at a price. Governments, corporations, and bad actors too often use our content for surveillance, exploitation, discrimination, and harm.

It’s easy to dismiss these issues because you don’t think they concern you. It might also feel like the whole system is too pervasive to actively opt-out of. But we can take small steps to better protect our own privacy, as well as to build an online space that feels as free and safe as speaking with those closest to us in the offline world.

This is why a community-oriented approach helps. In speaking with your friends and family, organizing groups, and others to discuss your specific needs and interests, you can build out digital security practices that work for you. This makes it more likely that your privacy practices will become second nature to you and your contacts.  

Good privacy decisions begin with proper knowledge about your situation—and we’ve got you covered. To learn more about building a community privacy plan, read our ‘how to’ guide here, where we talk you through the topics below in more detail: 

Using Secure Messaging Services For Every Communication 

At some point, we all need to send a message that’s safe from prying eyes, so the chances of these apps becoming the default for sensitive communications is much higher if we use these platforms for all communications. On an even simpler level, it also means that messages and images sent to family and friends in group chats will be safe from being viewed by automated and human scans on services like Telegram and Facebook Messenger. 

Consider The Content You Post On Social Media 

Our decision to send messages, take pictures, and interact with online content has a real offline impact, and whilst we cannot control for every circumstance, we can think about how our social media behaviour impacts those closest to us, as well as those in our proximity. 

Think About Cloud Servers as Other People’s Computers  

When we backup our content to online cloud services, corporations may run automated tools to check the content being stored, including scanning all our messages, pictures, and videos. Whilst we might think we don't have anything to hide, these tools scan without context, and what might be an innocent picture to you may be flagged as harmful or illegal by a corporation's service. So why not take extra care to choose whose computers you’re entrusting with sensitive information. 

Assign Team Roles

Once these privacy tasks are broken down into smaller, more easily done projects, it’s much easier for a group to accomplish together. 

Create Incident Response Plans

Since many threats are social in nature, such as doxxing or networked harassment, it’s important to strategize with your allies what to do in such circumstances. Doing so before an incident occurs is much easier than on the fly when you’re already facing a crisis.

To dig in deeper, continue reading in our blog post Building a Community Privacy Plan here.

Paige Collings

Why the So-Called AI Action Summit Falls Short

1 week 2 days ago

Ever since Chat-GPT’s debut, artificial intelligence (AI) has been the center of worldwide discussions on the promises and perils of new technologies. This has spawned a flurry of debates on the governance and regulation of large language models and “generative” AI, which have, among others, resulted in the Biden administration’s executive order on AI and international guiding principles for the development of generative AI and influenced Europe’s AI Act. As part of that global policy discussion, the UK government hosted the AI Safety Summit in 2023, which was followed in 2024 by the AI Seoul Summit, leading up to this year’s AI Action Summit hosted by France.

As heads of states and CEOs are heading to Paris for the AI Action Summit, the summit’s shortcomings are becoming glaringly obvious. The summit, which is hosted by the French government, has been described as a “pivotal moment in shaping the future of artificial intelligence governance”. However, a closer look at its agenda and the voices it will amplify tells a different story.

Focusing on AI’s potential economic contributions, and not differentiating between for example large language models and automated decision-making, the summit fails to take into account the many ways in which AI systems can be abused to undermine fundamental rights and push the planet's already stretched ecological limits over the edge. Instead of centering nuanced perspectives on the capabilities of different AI systems and associated risks, the summit’s agenda paints a one-sided and simplistic image, not reflective of global discussion on AI governance. For example, the summit’s main program does not include a single panel addressing issues related to discrimination or sustainability.

A summit captured by industry interests cannot claim to be a transformative venue

This imbalance is also mirrored in the summit’s speakers, among which industry representatives notably outnumber civil society leaders. While many civil society organizations are putting on side events to counterbalance the summit’s misdirected priorities, an exclusive summit captured by industry interests cannot claim to be a transformative venue for global policy discussions.

The summit’s significant shortcomings are especially problematic in light of the leadership role European countries are claiming when it comes to the governance of the AI. The European Union’s AI Act, which recently entered into force, has been celebrated as the world’s first legal framework addressing the risks of AI. However, whether the AI Act will actually “promote the uptake of human centric and trustworthy artificial intelligence” remains to be seen. 

It's unclear if the AI Act will provide a framework that incentivizes the roll out of user-centric AI tools or whether it will lock-in specific technologies at the expense of users. We like that the new rules contain a lot of promising language on fundamental rights protection, however, exceptions for law enforcement and national security render some of the safeguards fragile. This is especially true when it comes to the use of AI systems in high-risks contexts such as migration, asylum, border controls, and public safety, where the AI Act does little to protect against mass surveillance and profiling and predictive technologies. We are also concerned by the  possibility that other governments will copy-paste the AI Act’s broad exceptions without having the strong constitutional and human rights protections that exist within the EU legal system. We will therefore keep a close eye on how the AI Act is enforced in practice.

The summit also lags in addressing the essential role human rights should play in providing a common baseline for AI deployment, especially in high-impact uses. Although human-rights-related concerns appear in a few sessions, the Summit as purportedly a global forum aimed at unleashing the potential of AI for the public good and in the public interest, at a minimum, seems to miss the opportunity to clearly articulate how such a goal connects with fulfilling international human rights guarantees and which steps this entail.

Countries must address the AI divide without replicating AI harms.

Ramping up government use of AI systems is generally a key piece in national strategies for AI development worldwide. While countries must address the AI divide, doing so must not mean replicating AI harms. For example, we’ve elaborated on leveraging Inter-American human rights standards to tackle challenges and violations that emerge from public institutions’ use of algorithmic systems for rights-affecting determinations in Latin America.

In times of a global AI arms race, we do not need more hype for AI. Rather, there is a crucial need for evidence-based policy debates that address AI power centralization and consider the real-world harms associated with AI systems—while enabling diverse stakeholders to engage at eye level. The AI Action Summit will not be the place to have this conversation.

Svea Windwehr

The UK's Demands for Apple to Break Encryption Is an Emergency for Us All

1 week 5 days ago

The Washington Post reported that the United Kingdom is demanding that Apple create an encryption backdoor to give the government access to end-to-end encrypted data in iCloud. Encryption is one of the best ways we have to reclaim our privacy and security in a digital world filled with cyberattacks and security breaches, and there’s no way to weaken it in order to only provide access to the “good guys.” We call on Apple to resist this attempt to undermine the right to private spaces and communications.

As reported, the British government’s undisclosed order was issued last month, and requires the capability to view all encrypted material in iCloud. The core target is Apple’s Advanced Data Protection, which is an optional feature that turns on end-to-end encryption for backups and other data stored in iCloud, making it so that even Apple cannot access that information. For a long time, iCloud backups were a loophole for law enforcement to gain access to data otherwise not available to them on iPhones with device encryption enabled. That loophole still exists for anyone who doesn’t opt in to using Advanced Data Protection. If Apple does comply, users should consider disabling iCloud backups entirely. Perhaps most concerning, the U.K. is apparently seeking a backdoor into users’ data regardless of where they are or what citizenship they have.

There is no technological compromise between strong encryption that protects the data and a mechanism to allow the government special access to this data. Any “backdoor” built for the government puts everyone at greater risk of hacking, identity theft, and fraud. There is no world where, once built, these backdoors would only be used by open and democratic governments. These systems can be, and quickly will be, used by more repressive governments around the world to read protesters’ and dissenters’ communications. We’ve seen and opposed these sorts of measures for years. Now is no different.

Perhaps most concerning, the U.K. is apparently seeking a backdoor into users’ data regardless of where they are or what citizenship they have.

Of course, Apple is not the only company who uses end-to-end encryption. Some of Google’s backup options employ similar protections, as do many chat apps, cloud backup services, and more. If the U.K. government secures access to the encrypted data of Apple users through a backdoor, every other secure file-sharing, communication, and backup tool is at risk.

Meanwhile, in the U.S., just last year we had a top U.S. cybersecurity chief declare that “encryption is your friend,” taking a welcome break from the messaging we’ve seen over the years at EFF. Even the FBI, which has frequently pushed for easier access to data by law enforcement, issued the same recommendation.

There is no legal mechanism for the U.S. government to force this same sort of rule on Apple, and we’d hope to see Apple continue to resist it as they have in the past. But what happens in the U.K. will still affect users around the world, especially as the U.K. order specifically stated that Apple would be prohibited from warning its users that its Advanced Data Protection measures no longer work as initially designed.

Weakening encryption violates fundamental human rights and annihilates our right to private spaces. Apple has to continue fighting against this ruling to keep backdoors off users’ devices.

Thorin Klosowski

EFF to Ninth Circuit: Young People Have a First Amendment Right to Use Social Media (and All of Its Features)

1 week 5 days ago

Minors, like everyone else, have First Amendment rights. These rights extend to their ability to use social media both to speak and access the speech of others online. But these rights are under attack, as many states seek to limit minors’ use of social media through age verification measures and outright bans. California’s SB 976, or the Protecting Our Kids from Social Media Addiction Act, prohibits minors from using a key feature of social media platforms—personalized recommendation systems, or newsfeeds. This law impermissibly burdens minors’ ability to communicate and find others’ speech on social media. 

On February 6th, 2025, EFF, alongside the Freedom to Read Foundation and Library Futures, filed a brief in the Ninth Circuit Court of Appeals in NetChoice v. Bonta urging the court to overturn the district court decision partially denying a preliminary injunction of SB 976.  

SB 976 passed into law in September of 2024, and prohibits various online platforms from providing personalized recommendation systems to minors without parental consent. For now, this prohibition only applies where the platforms know a user is a minor. Starting in 2027, however, the platforms will need to estimate the age of all their users based on regulations promulgated by the California attorney general. This means that (1) all users of platforms with these systems will need to pass through an age gate to continue using these features, and (2) children without parental consent will be denied access to the protected speech that is organized and distributed via newsfeeds. This is separate from the fact that feeds are central to most platforms’ user experience, and it’s not clear how social media platforms can or will adapt the experience for young people to comply with this law. Because these effects burden both users and platforms’ First Amendment rights, EFF filed this friend-of-the-court brief. This work is part of our broader fight against similar age-verification laws at the state and federal levels. 

EFF got involved in this suit both to advocate for the First Amendment rights of adult and minor users and to correct the dangerous logic by the district court. The district court, hearing NetChoice’s challenge on behalf of online platforms, ruled that the personalized feeds covered by SB 976 are not expressive, and therefore not covered by the First Amendment. The lower court took an extremely narrow view of what constitutes expressive activity, writing that algorithms behind personalized newsfeeds don’t reflect the messages or editorial choices of their human creators and therefore do not trigger First Amendment scrutiny. The Ninth Circuit has since stayed the district court’s ruling, preliminarily blocking the law from taking effect until it has a chance to consider the issues. 

EFF pushed back on this flawed reasoning, arguing that “the personalized feeds targeted by SB 976 are inherently expressive, because they (1) reflect the choices made by platforms to organize content on their services, (2) incorporate and respond to the expression users create to distribute users’ speech, and (3) provide users with the means to access speech in a digestible and organized way.” Moreover, the presence of these personalized recommendation systems informs the speech that users create on platforms, as users often create content with the intent of it getting “picked up” by the algorithm and delivered to other users.  

SB 976 burdens the First Amendment rights of minor social media users by blocking their use of primary systems created to distribute their own speech and to hear others’ speech via those systems, EFF’s brief argues. The statute also burdens all internet users’ First Amendment rights because the age-verification scheme it requires will block some adults from accessing lawful speech, make it impossible for them to speak anonymously on these services, and increase their risk of privacy invasions. Under the law, adults and minors alike will need to provide identifying documents to prove their age, which chills users of any age who wish to remain anonymous from accessing protected speech, excludes adults lacking proper documentation, and exposes those who do share their documentation to data breaches or sale of their data. 

We hope the Ninth Circuit recognizes that personalized recommendation systems are expressive in nature, subjects SB 976 to strict scrutiny, and rejects the district court ruling.

Related Cases: NetChoice Must-Carry Litigation
Emma Leeds Armstrong

EFF Applauds Little Rock, AR for Cancelling ShotSpotter Contract

1 week 5 days ago

Community members coordinated to pack Little Rock City Hall on Tuesday, where board members voted 5-3 to end the city's contract with ShotSpotter.

Initially funded through a federal grant, Little Rock began its experiment with the “gunshot detection” sensors in 2018. ShotSpotter (now SoundThinking) has long been accused of steering federal grants toward local police departments in an effort to secure funding for the technology. Members of Congress are investigating this funding. EFF has long encouraged communities to follow the money that pays for police surveillance technology.

Now, faced with a $188,000 contract renewal using city funds, Little Rock has joined the growing number of cities nationwide that have rejected, ended, or called into question their use of the invasive, error-prone technology.

EFF has been a vocal critic of gunshot detection systems and extensively documented how ShotSpotter sensors risk capturing private conversations and enable discriminatory policing—ultimately calling on cities to stop using the technology.

This call has been echoed by grassroots advocates coordinating through networks like the National Stop ShotSpotter Coalition. Community organizers have dedicated countless hours to popular education, canvassing neighborhoods, and conducting strategic research to debunk the company's spurious marketing claims.

Through that effort, Little Rock has now joined the ranks of cities throughout the country to reject surveillance technologies like gunshot detection that harm marginalized communities and fail time and time again to deliver meaningful public safety. 

If you live in a city that's also considering dropping (or installing) ShotSpotter, share this news with your community and local officials!

Sarah Hamid

Protecting Free Speech in Texas: We Need To Stop SB 336

1 week 6 days ago

The Texas legislature will soon be debating a bill that would seriously weaken the free speech protections of people in that state. If you live in Texas, it’s time to contact your state representatives and let them know you oppose this effort. 

Texas Senate Bill 336 (SB 336) is an attack on the Texas Citizens Participation Act (TCPA), the state’s landmark anti-SLAPP law, passed in 2011 with overwhelming bipartisan support. If passed, SB 336 (or its identical companion bill, H.B. 2459) will weaken safeguards against abusive lawsuits that seek to silence peoples’ speech. 

What Are SLAPPs?

SLAPPs, or Strategic Lawsuits Against Public Participation, are lawsuits filed not to win on the merits but to burden individuals with excessive legal costs. SLAPPs are often used by the powerful to intimidate critics and discourage public discussion that they don’t like. By forcing defendants to engage in prolonged and expensive legal battles, SLAPPs create a chilling effect that discourages others from speaking out on important issues.

Under the TCPA, when a defendant files a motion to dismiss a SLAPP lawsuit, the legal proceedings are automatically paused while a court determines whether the case should move forward. They are also paused if the SLAPP victim needs to get a second review from an appeal court. This is crucial to protect individuals from being dragged through an expensive discovery process while their right to speak out is debated in a higher court. 

SB 336 Undermines Free Speech Protections

SB 336 strips away safeguards by removing the automatic stay of trial court proceedings in certain TCPA appeals. Even if a person has a strong claim that a lawsuit against them is frivolous, they would still be forced to endure the financial and emotional burden of litigation while waiting for an appellate decision. 

This would expose litigants to legal harassment. With no automatic stay, plaintiffs with deep pockets will be able to financially drain defendants. In the words of former Chief Justice of the Texas Supreme Court, Wallace B. Jefferson, removing the automatic stay in the TCPA would create a “two-tier system in which parties would be forced to litigate their cases simultaneously at the trial and appellate courts.”

If the TCPA is altered, the biggest losers will be everyday Texans who rely on the TCPA to shield them from retaliatory lawsuits. That will include domestic violence survivors who face defamation suits from their abusers after reporting them; journalists and whistleblowers who expose corruption and corporate wrongdoing; grassroots activists who choose to speak out; and small business owners and consumers who leave honest reviews and speak out against unethical business practices.

Often, these individuals already face uphill battles when confronting wealthier and more powerful parties in court. SB 336 would tip the scales further in favor of those with the financial means to weaponize the legal system against speech they dislike.

Fighting To Protect Free Speech For Texans 

In addition to EFF, SB 336 is opposed by a broad coalition of groups including the ACLU, the Reporters Committee for Freedom of the Press, and an array of national and local news organizations. To learn more about the TCPA and current efforts to weaken it, check out the website maintained by the Texas Protect Free Speech Coalition

Unfortunately, this is the fourth legislative session in a row in which a bill has been pushed to significantly weaken the TCPA. Those efforts started in 2019, and while we stopped the worst changes that year, the 2019 Texas Legislature did vote through some unfortunate exceptions to TCPA rules. We succeeded in blocking a slate of poorly thought-out changes in 2023. We can, and must, protect TCPA again in 2025–if people speak up.  

If you live in Texas, call or email your state representatives or the Senators on Committee for State Affairs today and urge them to vote NO on SB 336. Let’s ensure Texas continues to be a place where peoples’ voices are heard, not silenced by unjust lawsuits. 

Joe Mullin

Closing the Gap in Encryption on Mobile

1 week 6 days ago

It’s time to expand encryption on Android and iPhone. With governments around the world engaging in constant attacks on user’s digital rights and access to the internet, removing glaring and potentially dangerous targets off of people’s backs when they use their mobile phones is more important than ever. 

So far we have seen strides for at least keeping messages private on mobile devices with end-to-end encrypted apps like Signal, WhatsApp, and iMessage. Encryption on the web has been widely adopted. We even declared in 2021 that “HTTPS Is Actually Everywhere.” Most web traffic is encrypted and for a website to have a reputable presence with browsers, they have to meet certain requirements that major browsers enforce today. Mechanisms like certificate transparency, Cross-origin resource sharing (CORS) rules, and enforcing HTTPS help prevent malicious activity happening to users every day. 

Yet, mobile has always been a different and ever expanding context. You access the internet on mobile devices through more than just the web browser. Mobile applications have more room to spawn network requests in the app without the user ever knowing where and when a request was sent. There is no “URL bar” to see the network request URL for the user to see and check. In some cases, apps have been known to “roll their own” cryptographic processes outside of non-standard encryption practices.

While there is much to discuss on the privacy issues of TikTok and other social media apps, for now, let’s just focus on encryption. In 2020 security researcher Baptiste Robert found TikTok used their own “custom encryption” dubbed “ttEncrypt.” Later research showed this was a weak encryption algorithm in comparison to just using HTTPS. Eventually, TikTok replaced ttEncrypt with HTTPS, but this is an example of one of the many allowed practices mobile applications can engage in without much regulation, transparency, or control by the user.

Android has made some strides to protect users’ traffic in apps, like allowing you to set private DNS. Yet, Android app developers can still set a flag to use clear text/unencrypted requests. Android owners should be able to block app requests engaging in this practice. While security settings can be difficult for users to set themselves due to lack of understanding, it would be a valuable setting to provide. Especially since users are currently being bombarded on their devices to turn on features they didn’t even ask for or want. This flag can’t possibly capture all clear text traffic due to the amount of network access “below” HTTPS in the network stack apps can control. However, it would be a good first step for a lot of apps that still use HTTP/unencrypted requests.

As for iOS, Apple introduced a feature called iCloud Private Relay. In their words “iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you're visiting.” This helps shield your IP address from websites you’re visiting. This is a useful alternative for people using VPNs to provide IP masking. In several countries engaging in internet censorship and digital surveillance, using a VPN can possibly put a target on you. It’s more pertinent than ever to be able to privately browse on your devices without setting off alarms. But Private Relay is behind a iCloud+ subscription and only available on Safari. It would be better to make this free and expand Private Relay across more of iOS, especially apps.

There are nuances as to why Private Relay isn’t like a traditional VPN. The “first hop” exposes the IP address to Apple and your Internet Service Provider. However, the website names requested cannot be seen by either party. Apple is vague with its details about the “second relay,” stating,  “The second internet relay is operated by third-party partners who are some of the largest content delivery networks (CDNs) in the world.” Cloudflare is confirmed as the third-party, and its explanation goes further to expound that the standards used for Private Relay are TLS 1.3, QUIC, and MASQUE.

The combination of protocols used in Private Relay could be utilized on Android by using Cloudflare’s 1.1.1.1 app. Which would be the “closest” match from a technical standpoint for Android, and be applied globally instead of just the browser. A more favorable outcome would be utilizing this technology on mobile in a way that doesn’t use just one company to distribute modern encryption. Android’s Private DNS setting allows for various options of providers, but that covers just the encrypted DNS part of the request.

VPNs are another tool that can be used to mask an IP address and circumvent censorship, especially in cases where someone distrusts their Internet Service Provider (ISP). But using VPNs for this sole purpose should start to become obsolete with modern encryption protocols that can be deployed to protect the user. Better encryption practices across mobile platforms would lessen the need for people to flock to potentially nefarious VPN apps that put the user in danger. Android just announced a new badge program that attempts to address this issue by getting VPNs to adhere to Play Store guidelines for security and Mobile Application Security Assessment (MASA) Level 2 validation. While this attempt is noted, when mass censorship is applied, users may not always go to the most reputable VPN or even be able to access reputable VPNs because Google and Apple comply with app store take downs. So widening encryption outside of VPN usage is essential. Blocking clear text requests by apps, allowing users to restrict an app’s network access, and expanding Apple’s Private Relay would be steps in the right direction.

There are many other privacy leaks apps can engage in that expose what you are doing. In the case of apps acting badly by either rolling their own, unverified cryptography or using HTTP, users should be able to block network access to those apps. Just because the problem of mobile privacy is complex, doesn’t mean that complexity should stop potential. We can have a more private internet on our phones. “Encrypt all the things!” includes the devices we use the most to access the web and communicate with each other every day.

Alexis Hancock
Checked
1 hour 15 minutes ago
EFF's Deeplinks Blog: Noteworthy news from around the internet
Subscribe to EFF update feed