Aggregator | JCA-NET

A Hackers Guide to Circumventing Internet Shutdowns

4 days 23 hours ago

Internet shutdowns are devastating for human rights. When people are disconnected from the internet and digital services, it impacts all aspects of their life—from accessing essential information, to seeking medical care, or communicating with loved ones, both in that country and externally. But on January 8th, 2026, the government of Iran shut down internet communications for the entire country as a rebellion threatened to topple the authoritarian government. The government then proceeded to execute as many as 656 dissidents over the next 3 months, though the actual number could be much higher. Which is part of the point: shutdowns often precede government acts of violence.

Iran’s shutdown was hardly an isolated incident. Earlier this month, the U.S. military invaded Venezuela and kidnapped the Venezuelan president shortly after US cyber forces shut down all internet access and power grids for the capital city of Caracas. India routinely shuts off internet access in the Kashmir region, and Syria shut down internet communications as many as 73 times, most recently in 2025. Even the UK recently had a localized temporary internet shutdown. At the time of this writing there are 14 ongoing internet shutdowns worldwide.

Government shutdowns aren’t the only reason an entire region or country might lose internet access. Hurricanes, earthquakes, and wildfires can take out internet connections in many regions of the world, and will only increase as climate change ramps up. They can completely disable the communications infrastructure relied upon by victims, their families, first responders, and disaster relief efforts. Having an alternate way to communicate in such times can save lives.

One way to limit the impact of such shutdowns is to prepare in advance by setting up systems and structure for circumvention and resiliency.

To keep people connected during internet shutdowns and blackouts, communication networks must be operational before and after the disaster or shutdown. To be effective, they must be widespread so that people can get access to them reliably, and they must be usable by a majority of the community. And any viable solution must be accessible and sustainable on a community level, not just to people with vast financial resources or technical knowledge. You shouldn’t have to be a tech wizard to be able to communicate with your neighbors!

Radios

There are many ways for a community to build their own disaster resilient communications. Radios, for example, are cheap, decentralized, and resilient. Many people with moderate technical skill have set up Meshtastic repeaters. Meshtastic is a way to use a common unlicensed radio spectrum and a technology called LoRA to have peer-to-peer decentralized communications with people in your neighborhood or city. When you buy a Meshtastic device (cheap ones cost around $20) you can link it to your phone and send text messages to people in your area without ever touching the telephone network or the internet. Messages are delivered directly from person to person over public radio waves.

There is also amateur radio, also known as ham radio, which has been used in disaster communications for decades. Ham radio requires a license, but allows you to communicate farther than Meshtastic, using repeaters or even bouncing signals off the stratosphere to talk to people on the other side of the planet or even on the International Space Station. It is even possible to access the internet over ham radio.

Peer-to-peer messaging apps

Another option for internet communication during a shutdown is peer-to-peer messaging apps. One such project,called Briar, uses the Bluetooth functionality on phones to route messages from device to device until they reach their destination, even in instances where there is no internet. However, Briar faces the same problems many mesh projects do: almost nobody has the app installed and it’s difficult to use. If a mesh chat app isn’t already widely installed before an internet shutdown, it’s going to be even harder to get people to install it en masse once the shutdown starts.

A similar effort called bitchat has recently gained some attention. Bitchat is a peer-to-peer chat system that routes over Nostr, Tor, and Bluetooth. It is unfortunately tainted in many people’s eyes by being a project by former Twitter CEO Jack Dorsey, but it is open source and runs on both Android and iOS. It was used with some success in Iran during the latest internet shutdown.

Another option is Delta Chat, which uses PGP for encryption and email for routing, while still being much simpler to use than either technology. Delta Chat is highly regarded in Iran for its ability to route a message through even the tiniest sliver of email access.

Satellite internet

Satellite internet is an internet connection that uses a connection to a satellite dish to reach the internet, such as Starlink. Since there are no wires and no physical connection to infrastructure, satellite internet is harder to shut down. Satellite internet has therefore been used in many cases to circumvent internet shutdowns, with people sharing bandwidth with their neighbors. Satellites are harder for governments to shut down unilaterally. Unfortunately when the satellites are owned by tech oligarchs, such as Starlink (owned by Elon Musk), or by allied governments, the owners of those satellites may willingly shut down the network anyway.

EFF update

5 days 19 hours ago

Last year, the Canadian government pushed Bill C-2, which would erode Canadian digital rights in the name of “border security.” The bill was so bad it didn’t even make it to committee because of the backlash from the privacy community. Now, the spring’s worst sequel, Bill C-22, aka The Lawful Access Act, is trying it again.

As with most sequels, Bill C-22 makes some tweaks to problematic elements, but largely retains the same problems. The bill forces digital services, which could include telecoms, messaging apps, and more, to record and retain metadata for a full year, and expands information sharing with foreign governments, including the United States. Metadata can reveal a lot about who you communicate with, where you go, and when you do so. Expanding the collection of metadata would require companies to store even more information about their users than they already do, providing an incentive for bad actors to access that information.

Worst of all, Bill C-22 erodes the privacy of millions by providing a mechanism for the Minister of Public Safety to demand companies create a backdoor to their services to provide law enforcement access to data, as long as these mandates don’t introduce a “systemic vulnerability.” These widespread surveillance backdoors would likely facilitate even more data breaches than we see already. The bill also bans companies from even revealing the existence of these orders publicly.

The definitions of both “systemic vulnerabilities” and “encryption” are not clear enough in C-22, leaving wiggle room for the government to demand that companies circumvent encryption. And the overbroad definitions in the bill can include apps as well as operating systems. Canadian officials have made it clear they believe it’s possible to add surveillance without introducing systemic vulnerabilities, which is just not true. Surveillance of encrypted communications is fundamentally a systemic vulnerability.

This resembles what happened in the UK last year, when the government demanded that Apple implement this type of backdoor into its optional Advanced Data Protection feature, which then forced Apple to revoke the feature for its UK users instead of complying with the request. To this day, UK users still do not have access to this powerful, privacy-protective feature that provides stronger protections for data stored in iCloud. Both Meta and Apple are concerned that C-22 would give the Canadian governments similar powers, and both companies have come out against the bill. The U.S. House Judiciary and Foreign Affairs committees also sent a joint letter to Canada’s Minister of Public Safety highlighting the concern around backdoors into encrypted systems.

The dangers of these sorts of backdoors are not theoretical. In 2024, the Salt Typhoon hack took advantage of a system built by Internet Service Providers to give law enforcement access to user data. When you build these systems, hackers will come.

Canadians deserve strong privacy protections, transparency into how companies handle user data, and clear safeguards around encrypted data. Bill C-22 provides none of that, instead reaching further into the digital pockets of tech companies to build broad lawful access mechanisms.

EFF to Fourth Circuit: Electronic Device Searches at the Border Require a Warrant

EFF update

5 days 19 hours ago

EFF, along with the national ACLU, the ACLU affiliates in Maryland, North Carolina, South Carolina, and Virginia, and the National Association of Criminal Defense Lawyers (NACDL) filed an amicus brief in the U.S. Court of Appeals for the Fourth Circuit urging the court to require a warrant for border searches of electronic devices under the Fourth Amendment, an argument EFF has been making in the courts and Congress for nearly a decade. The Fourth Circuit heard oral arguments on May 8. The Knight Institute at Columbia University and Reporters Committee for Freedom of the Press also filed a helpful brief focusing on the First Amendment implications of border searches of electronic devices.

The case, U.S. v. Belmonte Cardozo, involves a U.S. citizen whose cell phone was manually searched after he arrived at Dulles airport near Washington, D.C., following a trip to Bolivia. He had been on the government’s radar prior to his international trip and had been flagged for secondary inspection. Border officers found child sexual abuse material (CSAM) on his phone, and he was later arrested and criminally charged.

The district court denied the defendant’s motion to suppress the images and other data obtained from the warrantless search of his cell phone. He was ultimately convicted of child pornography and sexual exploitation of minors because he had used social media to entice minors to send him sexually explicit photos of themselves.

The number of warrantless device searches at the border and the significant invasion of privacy they represent is only increasing. In Fiscal Year 2025, U.S. Customs and Border Protection (CBP) conducted 55,318 device searches, both manual (“basic”) and forensic (“advanced”).

A manual search involves a border officer tapping or mousing around a device. A forensic search involves connecting another device to the traveler’s device and using software to extract and analyze the data to create a detailed report the device owner’s activities and communications. However, both search methods are highly privacy-invasive, as border officers can access the same data that can reveal the most personal aspects of our lives, including political affiliations, religious beliefs and practices, sexual and romantic affinities, financial status, health conditions, and family and professional associations.

In our amicus brief, we argued that the Fourth Circuit should adopt the same legal standard for both manual and forensic searches, and that standard should be a warrant supported by probable cause and issued by a neutral judge. The highly personal nature of the information found on electronic devices is why there should not be different legal standards for different methods of search, and why a judge should determine whether the government has provided credible preliminary evidence that there’s a likelihood that further evidence will be found on the device indicating wrongdoing by the specific traveler.

Moreover, we argued that “the process of getting a warrant is not unduly burdensome,” and that “getting a warrant would not impede the efficient processing of travelers. If border officers have probable cause to search a device, they may retain it and let the traveler continue on their way, then get a search warrant. Or, where there is truly no time to go to a judge, the exigent circumstances exception may apply on a case-by-case basis.”

The Fourth Circuit in prior cases only considered forensic device searches at the border. In U.S. v. Kolsuz (2018), the court held that the forensic search of the defendant’s cell phone at the border “must be considered a nonroutine border search, requiring some measure of individualized suspicion” of a transnational offense, but the court declined to decide whether the standard is only reasonable suspicion or instead a probable cause warrant. Then in U.S. v. Aigbekaen (2019), the court held that a forensic device search at the border in support of a purely domestic law enforcement investigation requires a warrant. The court also reiterated the general Kolsuz rule for a forensic border-related device search: the “Government must have individualized suspicion of an offense that bears some nexus to the border search exception's purposes of protecting national security, collecting duties, blocking the entry of unwanted persons, or disrupting efforts to export or import contraband.” Now, manual searches are before the court.

In urging the Fourth Circuit to adopt a warrant standard for both manual and forensic device searches at the border, we argued that the U.S. Supreme Court’s balancing test in Riley v. California (2014) should govern the analysis here. In that case, the Court weighed the government’s interests in warrantless and suspicionless access to cell phone data following an arrest, against an arrestee’s privacy interests in the depth and breadth of personal information stored on a cell phone. The Court concluded that the search-incident-to-arrest warrant exception does not apply, and that police need to get a warrant to search an arrestee’s phone.

The U.S. Supreme Court has recognized for a century a border search exception to the Fourth Amendment’s warrant requirement, allowing not only warrantless but also often suspicionless “routine” searches of luggage, vehicles, and other items crossing the border. The primary justification for the border search exception has been to find—in the items being searched—goods smuggled to avoid paying duties (i.e., taxes) and contraband such as drugs, weapons, and other prohibited items, thereby blocking their entry into the country.

But a traveler’s privacy interests in their suitcase and its contents are minimal compared to those in all the personal data on the person’s cell phone or laptop. And a travelers’ privacy interests in their electronic devices are at least the same as those considered in Riley. Modern devices, over a decade later, contain even more data that can reveal even more intimate details about our lives.

We hope that the Fourth Circuit will rise to the occasion and be the first circuit to fully protect travelers’ Fourth Amendment rights at the border.

Sophia Cope