California Steps Back From Dangerous Expansion of its Age-Gating Law

13 hours 12 minutes ago

The California legislature has stepped back from a plan that would have expanded its age-gating law, removing language that could have compounded serious threats to users’ speech, privacy and security just to browse the internet. A.B. 1856, authored by Assemblymember Buffy Wicks, will now move forward through the legislature without its most problematic pieces.

EFF still believes the underlying law that A.B. 1856 amends, A.B. 1043, is unconstitutional. Signed into law in 2025 (and effective January of 2027), A.B. 1043 requires all operating systems and app stores to collect users’ ages, place them in various age brackets and then block young people from lawful speech and services depending on their age. We also believe that even though A.B. 1043 does not require age verification, the liability it creates for operating systems and app stores—including fining operating systems up to $7,500 per affected child for violating the law—will push those services to verify users’ ages. In practice, that could lead to more ID checks, more biometric scanning, more invasive data collection and risk of breach, and more barriers to adults’ and young people’s lawful speech.

However, we appreciate that the Legislature has abandoned its plan to expand this problematic age-gating  framework to browsers and websites. This would have significantly expanded this dangerous law before it even took effect. We thank the author and committee staff for recognizing these harms and not moving forward with this language. 

On top of that, EFF is pleased that an earlier amendment to A.B 1856 reduced the threat to the open-source community by exempting open-source operating systems. Given these changes, EFF has removed its opposition to A.B. 1856. We appreciate the author for listening to concerns from advocates, developers and others about the effect it would have on open-source development and also around expanding this problematic framework.

To be clear, we still believe the law passed last year threatens online anonymity, privacy, and security. A.B. 1043 is one of a troubling wave of proposals that encourage—or, in some cases, outright require—age verification. Our position on this is clear: no one should have to provide or verify their age to access the internet. Once users’ personal data is collected, it can easily be leaked, hacked, or misused. No matter the method, every age verification system demands that people hand over their sensitive and immutable personal information to link their offline identity to their online activity. That’s a bad deal for us all.

Age-gating mandates are reshaping the internet in ways that are invasive, dangerous, and deeply unnecessary. But users are not powerless! We can challenge these laws, protect our digital rights, and build a safer digital world for all internet users, no matter their ages. This resource hub can help—so explore, share, and join us in the fight for a better internet.

Rindala Alajaji

地方公共団体情報システムの標準化に関する法律第二条第一項に規定する標準化対象事務 を定める政令に規定するデジタル庁令・総務省令で定める事務を定める命令第六条各号に規定する事務の処理に係るシステムに必要とされる機能等に関する標準化基準を定める省令の一部を改正する省令(案)等に対する意見募集

14 hours 3 minutes ago
地方公共団体情報システムの標準化に関する法律第二条第一項に規定する標準化対象事務 を定める政令に規定するデジタル庁令・総務省令で定める事務を定める命令第六条各号に規定する事務の処理に係るシステムに必要とされる機能等に関する標準化基準を定める省令の一部を改正する省令(案)等に対する意見募集
総務省

Most Smart Watches, Rings, and Bands Lack Basic Transparency Reports and Key Privacy Features

14 hours 7 minutes ago

Oura Rings, Garmin GPS fitness watches, Apple Watches, Whoop bands—every year, more and more tech devices are promising to monitor our health and fitness, guide us toward healthier living, and provide useful health metrics to take to our doctors. But few of these tools provide the sorts of privacy and security promises we demand from all technology, let alone tech that captures personal health data. It’s time they step up and start providing transparency reports and stronger encryption options.

Surveys suggest that around 40 percent of people in the United States own some sort of commercially available wearable health device. Despite being marketed as health devices, they have no special health-related privacy protections that one might hope for. The companies who make these devices can and do collect an abundance of data, and many of them share that data with third-parties for marketing or to influence insurance rates, or use it for their own purposes, like training artificial intelligence models.

Health data is increasingly an important part of law enforcement or government investigations. Wearable data has been critical in a number of cases, where information about heart rate and steps was used to determine the whereabouts of individuals. And the surveillance company Penlink calls fitness trackers and wearables an “overlooked source” for law enforcement since they tend to show movement patterns and changes in heart rates. Law enforcement can try to get access to this data through subpoenas or warrants. 

There are many potential privacy issues with these sorts of devices, including whether the companies who make them share or sell information to third-parties. But here we are choosing to focus on two facets we’re concerned with around health data itself: 1) whether the company shares information with law enforcement and governments and 2) if they offer end-to-end encryption, which means the company itself can’t access that health data to begin with.

Reading through dozens of product review sites we narrowed our research in on ten companies that seem to make the majority of recommended consumer health products on the market:

  • Amazfit
  • Apple
  • Coros
  • Garmin
  • Google (including Fitbit)
  • Hume
  • Oura
  • Polar
  • Suunto
  • Whoop 

We reviewed each company’s public facing policies, then emailed them to confirm those findings. Here’s what we found.

Transparency Reports Are Few and Far Between

Companies should provide transparency reports of how often they provide data to the government, including information about whether it’s an official demand or an unofficial request. We have been calling on tech companies to publish transparency reports for a long time, but the practice is still rare across the industry. That’s especially true with fitness gadgets. 

Only two of the companies we surveyed, Apple and Google (which also owns Fitbit), currently publish transparency reports. Apple, Google, and Whoop promise to notify users of law enforcement requests in publicly available documentation. 

Oura now does too, after an update to their privacy policy in June 2026 that was perhaps prompted by a series of requests from journalist Zack Whittaker. In that same update and in an email to us, Oura promises that it is “actively evaluating ways to provide greater visibility into how we handle these requests, like through a transparency report.” This is promising, and we hope the company agrees that transparency reports are the best option moving forward. 

Any company that handles data that’s of interest to law enforcement and governments owes it to their users to publish transparency reports and, when legally possible, notify users when that data is requested.

Similarly, Suunto does not currently publish transparency reports, but in an email reply to our questions the company did express an openness to potentially doing so, stating, “We continuously evaluate our transparency practices and may publish additional information, such as a transparency report, in the future if we believe it would provide meaningful value for users and support our data protection efforts.” We hope they do, as these sorts of reports are a useful metric for all of us to better understand if and when our data can potentially be accessed by law enforcement.

We could not find instances where the other companies publicly state a policy around notification or transparency reports, and no others replied to our email questions.

Any company that handles data that’s of interest to law enforcement and governments owes it to their users to publish transparency reports and, when legally possible, notify users when that data is requested. This is especially true of personal health data, which can reveal our movements, and be used to infer details about what we’re doing at any given moment.

End-to-End Encrypted Data Is Far Too Rare of a Feature

End-to-end encryption is a method to ensure that your personal data is only accessible by you, and not the company who makes the device and manages the cloud storage. End-to-end encryption is usually used to refer to message encryption in communication apps, like Signal or WhatsApp, but can also refer to data storage. For example, many password managers use end-to-end encryption, and Ring implemented it for its cameras after we pushed for it. There’s no reason it can’t be offered for wearables too.

In the case of health data from wearable devices, it’s a way to store data in the cloud so that information can be synced and backed up between your device and an app on your phone in a way where only your devices can access it. 

Support for end-to-end encryption is more rare than transparency reports. 

The Apple Watch, at least with data that’s stored in the Health app, is the only popular fitness wearable that supports end-to-end encryption, and it’s enabled by default for all users (you are required to have two-factor authentication enabled as well, but that is also on by default for most accounts).

However, Apple Watch owners should remember that this protection is only for data stored in the Apple Health app. If you use other apps on your watch, or choose to share data with third-parties, like Strava, or if you’re sharing data with other wearables, like an Oura ring, that data is likely not end-to-end encrypted by the third-party company. 

Support for end-to-end encryption is more rare than transparency reports. 

And that’s it. Apple is the only one. No other popular consumer health wearable offers end-to-end encryption for the data it collects and stores online. Not Google. Not Garmin. Not Oura. Most of these companies instead offer encryption in transit and at rest, but this means those companies can still see and use your data. This is the industry standard, but it doesn’t have to be.

Another option would be more robust local-storage options. Some devices we looked at, like a handful of Garmin and Polar watches, can operate on the watch itself without syncing data to the cloud, but some models are limited in capability and cannot sync to an app without storing data online. More robust options for limiting the data to just the wearable and the phone app it's synced to would be a privacy improvement. For example, the Apple Watch has the option to disable iCloud sharing in Apple Health, which will keep the data only on your phone. It’s the only wearable we found that offers this feature without using a third-party app like Gadgetbridge or by physically connecting the wearable to a computer with a USB cable and transferring activity files over manually.

The general lack of local-only options or end-to-end encryption is a major privacy oversight, especially when you consider these devices collect heart rate, track sleep, and can log your location while also calculating a variety of health metrics supposedly intuiting everything from anxiety to your fitness “age.”

We understand that it’s technically more difficult to implement end-to-end encryption than other sorts of cloud storage, and comes with some limitations that may affect a user’s experience with a product. It also makes certain types of AI-related features harder to implement, since they’d typically need to work on-device (either in the app or the wearable device itself). Because of that, we believe an option for end-to-end encryption or local-only storage of the data collected by a wearable is the least companies can do. This way, those who want to use these devices can do so with the choice to either accept some privacy risks, or choose a more locked down option.

What’s Next

If you’re a user of a fitness wearable from any of the companies we’ve reached out to, or any other one, don’t be shy in asking for these sorts of features. In the rare cases a company offers a feature request page, use it—like for Garmin, Polar, Suunto, and Whoop. And when those types of outlets aren’t offered, don’t shy away from general contact pages, like those offered by Amazfit and Oura, or on community subreddits.

The companies that make these wearables, whether they’re designed for fitness or health, need to improve. At the bare minimum, companies need to publish transparency reports detailing how often they receive requests from law enforcement and commit to notifying users whenever that happens. 

It’s also well past the time for more companies to offer end-to-end encryption for the health data they’re storing. We acknowledge that this may be a trade-off for some features, like social networking features, but it should be up to users to decide if they’re willing to make those trade-offs. This level of privacy is an appealing feature that benefits users in myriad ways and more companies can set themselves apart by committing to this level of privacy.

Health data is some of the most personal data we produce, and most wearables companies are behind the times when it comes to basic privacy practices and transparency. Now’s the time to improve those practices.

Thorin Klosowski

702 is Currently Expired. Tell Congress not to Reauthorize it Without Substantial Reforms.

16 hours 23 minutes ago

There are no excuses for any Member of Congress to support a clean reauthorization of Section 702. Anyone who votes to do so does not take your privacy seriously. Full stop. Section 702 is currently expired but we cannot tolerate any reauthorization that does not include substantial reforms.

Section 702 of the Foreign Intelligence Surveillance Act (FISA) is among the United States’ most infamous mass surveillance programs. Sold to the public as a foreign surveillance tool, it has become a backdoor for law enforcement to search through Americans’ private communications without ever obtaining a warrant. We need to act now to prevent Congress from reauthorizing 702 in a way that ignores the truth: This authority needs to change.

House Speaker Mike Johnson has attempted several times to push re-authorization bills that give us non-substantive reforms. We will not fall for fig leafs or shifts in rhetoric. Our demands are common sense: no renewal without real reforms. A simple extension is a betrayal of every US resident who expects their government to respect their rights and the Constitution.

Your representative needs to hear from you right now, before the 45 date extension ends and Congress will need to vote again. Contact them today.

Tell them: No vote on any bills that would reauthorize Section 702 without meaningful reform.

Electronic Frontier Foundation

🚫 Don't Let Congress Age-Gate the Internet | EFFector 38.13

17 hours 1 minute ago

The effort to age gate the internet is back in Washington—and now it has a new name. Recently passed by the House of Representatives, the KIDS Act is a sprawling package of proposals to control what we can see and say online. Supporters claim the KIDS Act is needed to protect minors online. But if lawmakers really want to make the internet safer, why are they encouraging more surveillance instead of protecting our privacy? We dive into this question with our EFFector newsletter.

JOIN OUR NEWSLETTER

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This issue covers a victory for location privacy in the Supreme Court, disturbing developments in the militarization of domestic drones, and a controversial Congressional bill to control what we can see and say online.

Prefer to listen in? EFFector is now available on all major podcast platforms. This time, we're chatting with EFF Senior Policy Analyst Joe Mullin on what would happen to the open internet if the KIDS Act becomes law. You can find the episode and subscribe on your podcast platform of choice:

%3Ciframe%20height%3D%22200px%22%20width%3D%22100%25%22%20frameborder%3D%22no%22%20scrolling%3D%22no%22%20seamless%3D%22%22%20src%3D%22https%3A%2F%2Fplayer.simplecast.com%2F4e65dc91-33af-4dd4-ae88-1c8626b39537%3Fdark%3Dfalse%22%20allow%3D%22autoplay%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from simplecast.com

   

Want to protect your right to online anonymity and access to the open web? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight for privacy and free speech online when you support EFF today!

Christian Romero

【特別国会終盤2】定数削減 国民投票法 SNS対策

18 hours 3 minutes ago
比例定数削減審議は難航へ 衆院議員定数1割削減法案は、自民が9日、政治制度改革本部の総会で示した方針で「今後1年をめどに与野党協議会で結論が出なかった場合、比例区のみ45議席を自動的に減らす」という内容だ。高市首相が維新との連立協議の中で「合意」した。 比例のみ削減では中小の政党はさらに不利になるため賛同は広がりにくいうえ、党利党略というより、1強独裁体制強化の策謀。首相は「真摯に実現」と意気盛んだが、野党3党は与党が国会に提出しても、審議入りは見送るべきで一致した。合意が簡..
JCJ