The 702 Ultimatum: Warrant Requirement or Bust

4 hours 25 minutes ago

For months now, Congress has been kicking the ball down the road—temporarily postponing the expiration of the mass surveillance authority Section 702 of FISA in hopes that some consensus could be reached. Now, with the deadline looming, the stakes have never been higher. Nearly every time the statute has come up for renewal, the people demanding privacy and civil liberties have had to compromise, but with current negotiations seemingly at an impasse, it’s time for surveillance maximalist lawmakers to come to the table.

We say to the Intelligence Community crowd: Section 702 should require a warrant before the Federal Bureau of Investigation can look at digital communications collected from Americans. If not, we should let the whole thing expire.

This is a serious proposition. The intelligence community can keep a useful national security surveillance tool if and only if they make FBI agents get a warrant signed by a judge before they sift through and read our private communications. A warrant requirement is not the only demand EFF has been making for changing Section 702, but it is the most important reform and it should happen before there is any more reauthorization of the policy.

For too long, the FBI has been able to piggyback on a major national security tool as an unconstitutional backdoor way of reading Americans’ communications. 702 collects communications going to, from, or between people in other countries—including when they are contacted by people in the United States. Mass surveillance is just that—mass. It’s lacking any of the individualized suspicion that our legal system is based on. 

So, what’s been happening?

On one side are surveillance hawks and intelligence-community devotees who think the mass surveillance of Americans is an acceptable, even valuable, product of this authority. This bipartisan coalition of privacy deniers thinks that 702 should be extended without any change, and they seem to be willing to let the authority expire rather than compromise with the lawmakers and public that are demanding common-sense reforms. They’ve been given a number of chances to pass bills that would implement some key incremental reforms, but those opportunities have not moved the needle.

On the other side of the debate is a bipartisan coalition of people who understand that this authority can no longer operate as is. Section 702 is rife with problems, loopholes, and compliance issues that need fixing. The National Security Agency collects full conversations being conducted by and with overseas targets—including conversations by and with Americans in the U.S.—and stores them in massive databases. The NSA then allows other agencies, specifically the FBI, to access untold amounts of that information. In turn, the FBI takes a “finders keepers” approach to this data: they reason that since it's already collected under one law, it’s OK for them to see it. If the FBI wanted to get that data on their own, it would require them to get a warrant signed by a judge certifying that there is probable cause. Instead, under current practice, the FBI can query and even read the U.S. side of that communication without a warrant. What’s more, victims of this surveillance won’t know and have very few ways of finding out that their communications have been surveilled.

Complicating this matter more is that the Trump administration has announced Bill Pulte as the new Director of National Intelligence, whose job it will be to oversee and direct U.S. intelligence agencies. This is particularly concerning because of Pulte’s history of using private information held by the government as a political weapon. In his FHFA role, he has accused several of the President’s political foes and targets—including New York State Attorney General Letitia James, U.S. Sen. Adam Schiff, D-Calif., and Federal Reserve governor Lisa Cook—of mortgage fraud based on private data held by his agency. Because of his looming appointment, many Democrats have vowed not to reauthorize Section 702 unless he is removed from the position. They shouldn’t stop there—they should use that leverage to demand a warrant requirement. The integrity of the people in charge of a program should not be the only thing that stands between Americans and violations of their civil liberties. 

What happens if 702 expires? 

As the New York Times reports, “The law, however, has a built-in safety net for a temporary lapse that allows the surveillance program to endure until annual certifications issued by the nation’s intelligence court expire, though such a scenario could invite legal challenges. The court recertified the program in March, meaning the N.S.A. could continue to operate the program through March 2027 even if the statute were to expire.” 

If Section 702 does stay expired past March 2027, the United States government will likely revert to using other programs and authorities to justify the surveillance of overseas national security targets, namely 12333, a shadowy executive order from the 1980s that gives the U.S. government nearly unlimited power to spy on people overseas. Even if this does come to pass, standing our ground on warrant requirements and allowing Section 702 to expire is important for several reasons. First, just because the government continues surveillance under a different authority does not mean it is legally justified in doing so—this was the lesson of the post-9/11 Presidential Surveillance Program, which was only retroactively immunized by Congress. Second, seeing how the government responds to the end of Section 702 might give us opportunities to push for transparency in other parts of information collection and better understand how the inner workings of the intelligence apparatus pivot and adapt as new legal authorities take precedence.

Where do we go from here? 

Every few years, for almost two decades now, we’ve been fighting to reform Section 702 so that it will no longer enable the warrantless mass surveillance of Americans. A bipartisan coalition in Congress supports this goal, but the White House and Congressional leadership won’t listen. It’s past time we make at least one serious reform to a mass surveillance law that has been abused for decades. Tell your elected official: Put a warrant requirement in Section 702 or let it expire.

Matthew Guariglia

Enshittification Merch That Actually Fights Enshittification 

6 hours 17 minutes ago

Enshittification isn't just a sweary word to describe the accelerating decay of the online platforms, apps, and services that we rely on.  

It's a framework for understanding the structural incentives that make tech companies enemies of their own users over time—the surveillance business model, the erosion of privacy, the monopoly power that eliminates alternatives, the regulatory capture that prevents accountability.  

These are some of EFF's core fights and have been for over 35 years. EFF sues. EFF advocates. EFF codes. And EFF wins. EFF is the most profound and powerful disenshittifying force on the planet Earth, and I’ve been proud to fight alongside them for nearly 25 of those years.  

One of the lessons you learn in battles with very long timelines against very powerful actors is that these battles are deeply serious, and because of that they must also be fun. “Enshittification” took off as a shorthand in part because of the minor license to vulgarity it confers. It's slightly crass for a reason: getting people to engage with the abstract issues of tech policy can be hard at the best of times. No one knows this better than my colleagues at EFF, who consistently surprise me with their ability to make complex, technical concepts concrete, memorable, and sometimes even joyful.

Words matter, but so do visuals. For the cover of the U.S. edition of my book, Enshittification, designer Devin Washburn of No Ideas studio created an iconic variation of the "pile of poo" emoji, with angry eyebrows and a grawlix-scrawled censor bar over its mouth. It instantly became the symbol of enshittification I’d been looking for. 

I liked it so much I ordered a couple hundred enamel pins and a couple thousand vinyl stickers and handed them out to people I met on my 33-city book tour. Even when giving them away, I was inundated with requests to buy more of them.  

I've since bought out Devin's rights to the image and released it under a Creative Commons Attribution 4.0 license—free for anyone to use, remix, or build on, including commercially, with attribution. The high-resolution files are on Wikimedia Commons, Flickr, and the Internet Archive (including a PSD with an ink-density adjustment layer). It belongs to the commons now.

But I made sure EFF had first crack at the design for their “official merch,” and they've done right by it. There are two items available now in the EFF shop, and all proceeds go directly to EFF's work defending digital rights. I’ve spent years admiring EFF’s merch and consistent, creative visual identity, so it fills me with pride to see this more-than-a-mere-poop-emoji in their shop.  

A recognizable visual shorthand is a genuine organizing tool. When someone sees the enshittification emoji, they know what the conversation is about. When you wear the pin or slap the sticker on your laptop, you're signaling that you understand what's happening to the internet, and that you know we can do better.  

You can get a $5 sticker:

Or a $10 pin:

Because the design is CC-licensed, you don't have to buy one. You can make your own merch, your own swag, your own illustrations. I made a lawn flag for my front garden.

But if you do want to buy a sticker or pin, you can do so while supporting the most profound and powerful disenshittifying force on the planet Earth—the Electronic Frontier Foundation.

Cory Doctorow

🔊 Mass Surveillance for… Loud Music? | EFFector 38.11

6 hours 22 minutes ago

Across the country, surveillance companies have spun a vast web of tens of thousands of license plate cameras. The people selling this tech want you to believe that it's for your safety, but how are authorities really using automated license plate readers (ALPR)? In this week's EFFector newsletter, we're looking at how these powerful surveillance networks have become universal people-trackers used for noise complaints and other low-level investigations.

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This week's issue covers a victory for facial privacy, EFF's testimony to Congress about AI and surveillance, and troubling new examples of ALPR mission creep.

Prefer to listen in? EFFector is now available on all major podcast platforms. This week, we're chatting with EFF Associate Director of State Affairs Rindala Alajaji about what she uncovered about police use of ALPR. And don't miss the EFFector news quiz. You can find the episode and subscribe on your podcast platform of choice.

Want to stay in the fight for privacy and free speech online? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight against online surveillance when you support EFF today!

Hudson Hongo

How and Why to Fight Back Against Social Media Bans

1 day ago

Several U.S. states are pushing to ban young people from social media entirely. This marks the latest wave of censorship bills masquerading as “children’s online safety” measures, with states like Massachusetts, Idaho, Minnesota, North Carolina, South Carolina, Illinois, and EFF’s home state of California leading the charge.

Just a few years ago, lawmakers supporting age-gating laws insisted their efforts were narrowly targeted at limiting young people’s access to adult content. At the time, we warned that they would not stop there: once the government established the authority and built the infrastructure to collect and “verify” massive troves of user data, it would inevitably sweep broader and broader categories of lawful speech into this mass surveillance and censorship system. 

Unfortunately, our predictions came true. As legislators across the country advance proposals that would block all young people from accessing the “modern public square,” the Overton window has shifted dramatically towards mass censorship—and the speed of this shift should concern all of us. 

This primer breaks down this dangerous wave of social media bans: how they work (and why they don’t), who they harm, and how we can fight back. 

How to Spot a Social Media Ban

The details of these bills vary from state to state. Some (like California’s AB 1709) are a flat-out social media ban for all young people under a certain age, while other states (like South Carolina and Minnesota) allow access to young users who hand over even more data to show verifiable parental consent. Many bills regulate certain social media features, too, including by setting default privacy settings, time limits, or notification preferences for all accounts that fail the age-gate.

As for the age-gating mechanism itself, most proposals fall into two broad categories: age verification bills and behavioral age estimation bills. 

Age Verification Bills require online services to collect highly sensitive data, including government ID and biometric information, from all users before either restricting or allowing them access. 

For example, take California’s social media ban (AB 1709). Starting in January 2027, operating systems will be required to collect enough information from users to sort them into age groups, or “brackets.” Under AB 1709, social media apps would then use that age bracket information to completely block anyone under 16, while supposedly letting everyone else through. By contrast, Florida’s law (HB 3) takes a more aggressive route by forcing platforms to verify users' identities directly, usually by contracting with private third-party companies to perform verification services.

Behavioral Age Estimation Bills, on the other hand, are a more recent innovation of states like Minnesota (HF 1438) and South Carolina (H 4591). These bills require platforms to estimate the ages of users based largely on data that they already collect, including self-attested age, behavioral information, and account history and activity. In practice, these bills enable tech companies to use algorithms and/or AI to analyze our online behavior and estimate age based on that. 

Proponents of behavioral age estimation bills claim that their proposals avoid the massive security risks that come with mandatory age verification bills. However, much of the data that social media platforms collect from us “in the ordinary course of operation” is collected in order to serve us targeted behavioral ads. If we force platforms to use this imperfect data to make more important judgments about who can access their services, we risk entrenching those insidious data collection practices. Surely we don’t want to give social media companies more reasons to justify and sustain their reliance on this exploitative business model.

If you want to dig into the nuance here, our terminology guide sheds more light on the technical differences between age verification and age estimation bills. 

Overall, it’s a lose-lose scenario: either platforms collect new forms of our most sensitive and immutable data, or they unleash their AI and algorithms on our existing behavioral data to make creepy guesses about who we are and what we deserve to see. No matter which age-gating method your state chooses to execute its social media ban, there will be lots of error at the margins—and lots of users who will be blocked or chilled from access to lawful online speech.

Why Social Media Bans Are So Dangerous

Social media bans are unconstitutional, discriminatory, and deeply misguided. They reinforce existing structures of oppression, and they are broadly unsupported by young people, whose voices are conspicuously absent from this conversation. They undermine parental decision-making and replace tailored family-level solutions with a one-size-fits-all band-aid. And, in the places we have seen social media bans go into effect, early reports show that they don't even work.

For example, in Australia, where a social media ban has been in effect since late 2025, a majority of young people can still access social media, those who can’t have lost their access to the news, and crisis helplines are reporting skyrocketing numbers of calls from youth left stranded without online community or resources.

We could go on and on about all of the inherent harms here, but we’ll try to keep this short as we walk through some of the major issues.

1. Security Risks and Privacy Harms

In order to ban some users, social media platforms first must confirm the ages of all users, regardless of age. Bans thus incentivize companies to force users of all ages to hand over government IDs, face scans, and other sensitive information. When parental consent is required, companies must collect even more verification data and often create explicit links between child and parent accounts—further destroying users’ anonymity. 

Both of these databases create massive data "honeypots" that invite identity theft and permanent surveillance. We’ve already seen repeated data breaches involving age- and identity-verification services. Yet these laws would force both adults and the youth they claim to protect to feed their most sensitive data into this growing surveillance ecosystem. 

If we don’t trust tech companies with our private information now, we shouldn't pass laws that force us to give them even more of it. 

2. Disproportionate Harm to Vulnerable Communities

Age-verification technology is deeply flawed and prone to discrimination. These systems frequently misidentify or lock out people of color, people with disabilities, and trans or gender-nonconforming individuals whose IDs may not match their appearance. 

Where these bills require parental consent, they impose disproportionate access barriers on low-income, non-traditional, and immigrant families. These sorts of families are more likely to share a single family device or have strong reasons to not want the government to track family associations and ID documents. 

Beyond the technical failures, these bans cut off a vital lifeline. For LGBTQ+ youth, foster kids, and those stuck in unsupportive home environments, social media is often the only place to find community, explore their identity, or access life-saving resources. Forcibly removing young people isolates those who need connection the most, while creating massive new barriers for adults. 

You can read a breakdown of the diverse groups vulnerable to these laws here.

3. Based on Shoddy Science

The current legislative push to ban young people from social media relies heavily on the idea that the "great rewiring" of the adolescent brain is a proven fact. This simply isn’t true.

Social science indicates that moderate internet use is a net positive for teens’ development, and negative outcomes are usually due to either lack of access or excessive use. For LGBTQ+ and marginalized youth in particular, social media offers an essential space to access support they might lack offline. By forcing youth into digital isolation, these bans cut off vital access to political news, community, and health resources. They also completely ignore the calls of young people themselves who favor digital literacy and education over restrictive government control.

Instead of cutting off these lifelines, we should support measures that arm all youth (and the adults in their lives) with the knowledge they need to navigate online spaces safely.

4. Reckless Free Speech Violations for Users of All Ages

No matter your age, the First Amendment protects your right to speak and access information. 

Blanket social media bans immensely and unconstitutionally chill all users’ exercise of this right. They cut off young people’s access to lawful speech, or ruin their privacy in the home by mandating parental consent and sometimes even parental access to their account activities and settings. They force all users (adults and young people alike) to hand private information over to tech companies before speaking or accessing information on social media platforms, imposing annoying obstacles on lawful online expression and wrongfully blocking some adults outright. 

Critically, these bans destroy our right to online anonymity—a cornerstone of our right to free expression that protects whistleblowers, journalists, activists, immigrants, and everyone who has ever used a private browser or account to ask the internet an embarrassing question.

How to Fight Back

Social media bans weaponize parents’ concerns about children’s safety to justify unprecedented levels of surveillance and censorship. In the process, these laws deny young people their rights, threaten online anonymity for everyone, expose our sensitive personal data to breach and abuse, and replace parental decision-making with state authority. This is a battle over the future of the open, private, and free internet, and we must act now to protect it.

Here’s how you can help us fight back: Talk to your community (including young people!) about what’s at stake. If you’re a parent, lean on open conversations and platforms’ existing tools to tailor your child’s experiences instead of handing that power over to the government. And no matter where you live, contact your government representatives and tell them clearly that social media bans are not the answer to kids’ online safety.

Molly Buckley

Tell Congress: Just Say No to NO FAKES

1 day 2 hours ago

The Senate Judiciary Committee is set to consider and vote on the Nurture Originals, Foster Art, and Keep Entertainment Safe Act (NO FAKES). Instead of targeting the real privacy harms posed by AI-generated replicas, this law would create another layer of internet censorship on top of the already existing legal and voluntary takedown systems. Congress should reject NO FAKES.

As currently written, NO FAKES proposes to tackle the problems of misleading AI-generated replicas by creating a broad property right in someone's look, voice, and general style. However, there are all kinds of First Amendment-protected expression that would be swept under the NO FAKES regime—think about parody, news, criticism.

NO FAKES also does a laughable job of protecting artists from use of their image in misleading ways. It doesn’t create a privacy right, but rather a property right that can easily be signed away—as major studios and record labels are almost certain to require in their contracts with artists. As a result, NO FAKES actually creates a new avenue for the exploitation of artists by companies instead of protection from misleading replicas. 

The bill also makes it trivially easy for protected speech to be censored. It is a supercharged version of the already flawed copyright takedown regime. It would essentially require platforms to institute filters that don't just look for exact matches of copyrighted material, as current filters do, but anything that might be a digital replica. Even though the latest version of this bill adds some forms of redress for bad faith takedowns, those provisions lack the teeth required to deter a malicious actor. 

NO FAKES targets speech, tools, and innovation instead of focusing on the real concern posed by these replicas: privacy. This bill was a bad idea when it was introduced, and got even worse when it was amended last year. Tell Congress to just say no to NO FAKES.

Katharine Trendacosta

VICTORY: Meta Strips Facial Recognition Code From Smart Glasses App After Public Outcry

2 days ago

Just days after a damning WIRED report exposed that Meta had quietly embedded facial recognition technology (FRT) code into millions of phones, the tech giant has quietly acquiesced in demands to reverse course.

Last week, researchers identified code in Meta AI, a companion app for its line of smart glasses, that could convert images of faces into unique biometric signatures to identify strangers in public. EFF’s Threat Lab verified these findings through static analysis, and reminded consumers to think twice before buying or using Meta’s surveillance glasses. 

Just as quietly as Meta embedded this code, the app’s June 5th update appears to have quietly removed all those features and systems. Gone is the face-recognition technology, the code meant to trigger “Person recognized” alerts, and the machine learning models and databases designed to detect, digitize, and store the biometric signatures of people users engage with.

When WIRED broke the news last week, Meta’s executives immediately went on the defensive. Yet, their actions speak louder than their tweets: less than 48 hours after the public caught wind of their plans, Meta quietly launched an update to scrub nearly all traces of the FRT system from their app.

But this quiet deletion of code does not equal a permanent change of heart. Meta previously used face recognition, and stopped only after it faced the legal and financial consequences. Now the company has refused to answer WIRED’s inquiries on whether it plans to bring the NameTag system back in the future, or what they did with any data they may have already collected during internal testing. 

There are billions of reasons not to turn Meta’s customers into a distributed surveillance machine. This whiplash behavior proves exactly why we cannot rely on the "good will" of Big Tech to protect our digital rights. We need robust, enforceable consumer privacy laws, complete with a private right of action that allows everyday people to sue companies that violate their biometric privacy.

While we won this round, Meta's FRT ambitions probably aren't going away. EFF will keep watching.

Cooper Quintin

Cheers to the Winners of EFF’s 18th Annual Cyberlaw Trivia Night! 

2 days 4 hours ago

On a warm June evening in San Francisco, attorneys and other legally-minded friends of EFF gathered for our 18th Annual Cyberlaw Trivia Night, an annual test of tech-related legal knowledge, and the ability to remember some deeply obscure facts under pressure. 

Returning Quizmaster Kurt Opsahl once again guided competitors through six rounds of trivia covering everything from intellectual property and free speech to privacy, security, and artificial intelligence. Teams wrestled with questions about geofence warrants, AI copyright disputes, the SOPA/PIPA internet blackout, Section 230, and even a Senate hearing featuring a contestant who was herself present at cyberlaw trivia. 

The judges’ table made it obvious that 2026 was a notable year. Weighing in on the toughest close calls were three folks with a deep history at our org: outgoing EFF Executive Director Cindy Cohn and new Executive Director Nicole Ozer both sat as judges, joined by new cyberlaw judge Mike Masnick, founder of Techdirt and a recipient of an EFF Award in 2020.

The food was hot, the drinks were cold, and the competition was fierce. Teams including Shady Docket, Byte Club, Flock U, This Is Why We Can't Have Nice Precedent, Nicky's Angels, and Betamaxxers battled through six rounds of challenging questions. 

When a question about Afroman's successful legal battle against Ohio sheriff's deputies came up, members of Byte Club offered to do more than name his most popular album: they offered to perform a rendition of “Lemon Pound Cake” (also the album name—tricky!) for the judges. This won no sway with the 3-judge Cyberlaw Judiciary, and the offer was politely declined. 

The teams racked their collective law-noggins about some of the details of recent legal battles over digital rights, and a round entitled “You Can Call Me AI.” After the IP round, which rewarded folks in the audience who could answer details about the server test, the trivia moved onto newsier questions, with questions about ICE apps, anti-ICE apps, recent defamation cases involving our sitting president, and the slogan of a mineral company that you might've heard on terrestrial radio anytime between the early aughts and this week. 

You don't have to wear a morning coat to win Supreme Court arguments, but knowing who did for 4 years might have helped you win the IP round. 

By the end of regulation play, the cyberlaw trivia competition was closer than we could have imagined. For the first time in Cyberlaw Trivia history, three teams finished tied for first place, sending the contest to two tiebreaker questions. 

The final question noted that Google had received more than 287,000 government information requests in the first half of 2025, and asked teams to estimate how many were received by OpenAI during the same period. Every team guessed over, but it was the victors, Shady Docket, who guessed the lowest: 260. (The real answer is 146.)

As Shady Docket team member Erin Simon explained after the win: "As much as we love EFF, what we love even more is crushing other trivia teams."

In second place were Nicky’s Angels. Rounding out the virtual podium in 3rd were the Betamaxxers, who jumped ahead early with a home-run run in the Free Speech round, getting every question correct. 

Each summer, EFF's Cyberlaw Trivia Night brings together the legal community that helps defend privacy, free expression, innovation, and digital rights. This year, we especially want to thank Morrison Foerster, Fenwick, Wilson Sonsini, and Public Resource for supporting EFF's legal intern program.

Are you an attorney interested in defending civil liberties in the digital world? Consider joining EFF's Cooperating Attorneys list. This network helps EFF connect people to legal assistance when EFF is unable to provide direct assistance. 

Fighting for first place at EFF’s Cyberlaw Trivia Night helps us fight for your rights online! Sponsor one of our annual events and join the movement for digital privacy, free speech, and innovation. Please visit eff.org/thanks or contact tierney@eff.org for more information.

Joe Mullin

Internet Age Gates Are a Growing Global Threat

5 days 4 hours ago

The internet is an essential resource for young people and adults to access information, explore community, and find themselves—both inside countries and across continents. Yet governments around the world continue to introduce and implement legislation requiring all online users to verify their ages before accessing the digital space. In some cases, politicians are going further, putting forth proposals to ban social media for younger users.  

In late 2025, Australia’s government rolled out the first complete ban on users under 16 from having social media accounts. In this sweeping regime, platforms are required to introduce age assurance tools to block under-16s, demonstrate that they have taken “reasonable steps” to deactivate accounts used by under-16s, and prevent any new accounts being created, or face fines of up to 49.5 million Australian dollars ($32 million USD). The 10 banned platforms—Instagram, Facebook, Threads, Snapchat, YouTube, TikTok, Kick, Reddit, Twitch, and X—have each said they’ll comply with the legislation, which led to young people losing access to their accounts overnight. Reddit is currently challenging the law in Australian courts on constitutional grounds. Recent research notes how the ban is preventing teenagers from accessing news in the country. 

In the United Kingdom, rules took effect in mid-2025 under the Online Safety Act that require all online services available in the country to assess whether they host content considered harmful to children; if so, these services must introduce age checks to prevent children from accessing such content. Online services are also required to change their algorithms and moderation systems to ensure that content defined as harmful, like violent imagery, is not shown to young people. 

This approach is reckless, short-sighted, and we’ve already seen it introduce more harm to the young people that it is trying to protect. The UK’s scramble to find an effective age verification method shows us that there isn't one, and we’ve spent years urging UK politicians to abandon any measures that require platforms to collect data or remove privacy protections around users’ identities. 

Earlier this year, Indonesia’s Communications and Digital Affairs Minister, Meutya Hafid, announced that users under 16 would have their accounts on “high risk” platforms deactivated from 28 March. The platforms subject to this ban are YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox, with Hafid noting that this policy would make Indonesia “the first non-Western country to delay children's access to digital spaces according to age.”

Similarly, the Malaysian government has recently pushed forward with plans to ban users under 16 from having accounts on social media platforms with at least 8 million users in Malaysia, including Facebook, Instagram, TikTok, and YouTube. Users under the age of 16 are being told to download or transfer their data from these platforms in one month before the restrictions are applied. Platforms failing to comply with the ban may face penalties of up to $2.5 million USD.

In Latin America, Brazil approved a new law in 2025 establishing that providers of information technology products and services directed to children and teenagers, or likely to be accessed by them, must conduct age checks when their products and services offer risks to underage users. Regulation requires age assurance for products and services that are not allowed for children and adolescents in accordance with Brazilian legislation. App stores and operating systems are required to provide age signals for other providers. 

While the law is already in force, full compliance with its obligations is expected for early 2027, after the approval of further regulations and a transition period, and the authority responsible for enforcing the law is the Brazilian National Data Protection Agency. The list of concerns regarding the implementation of the law includes: the wide scope of products and services that may fall within age-check obligations, how these obligations can affect non-proprietary operating systems and free software projects, and how effective the law's crucial data protection safeguards will be in a context of likely widespread age checks for accessing content online.

Similarly, the European Union has taken large steps towards mandatory age verification that could undermine privacy, expression, and participation rights for everyone. Politicians are promoting an EU-wide approach to age verification through its age verification “app,” which will be fully interoperable with the Digital Identity Wallet. While this mini-app has been announced as technically ready to be rolled out “for citizens to use,” it comes with its own realm of potential privacy and security concerns, such as long-term identifiers (which could result in tracking) and over-exposure of personal information. 

The European Commission also supports age verification in various legislative initiatives, from proposals that would allow or mandate companies to scan our communication (“Chat Control”) to non-binding guidelines of existing laws, such as the Digital Services Act. The EU Parliament, too, has proposed an EU digital minimum age of 16 for access to social media, a move that aligns with EU Commission’s president Ursula von der Leyen’s recent public support for measures inspired by Australia’s model. To all these initiatives EFF has provided one consistent response: mandatory age verification measures are not the right way to protect young people. 

These proposals restrict the fundamental rights of young people to speak to each other and to access information. They also force all internet users, not just those under a certain age, to upload private data—like a face scan or passport—in order to access a website or service. In considering the vast scope of privacy issues pertaining to the collection, storage, and sharing of this personal information, the problems of age verification in restricting free speech are compounded by these reckless and harmful approaches to verification. 

The problem of censorship and surveillance goes far beyond the borders of the internet. EFF continues to explore support for legislative and litigation challenges that recognize how these laws harm everyone’s rights to privacy, free expression and due process.

Paige Collings

LGBT Q&A Season 1 Recap: Staying Safer Online

5 days 6 hours ago

Last year during LGBTQ+ Pride month, we launched an LGBT Q&A where we answered your most pressing digital rights questions on EFF’s Instagram and TikTok  accounts. 

Ahead of LGBT Q&A Season 2 launching next week, we’re posting a recap with some of the questions we answered. Check them out below.

  1. You wanted to know: How to stay safe when dating online.
  2. You asked: I'm a 17 year old trans woman and my address is public on the Internet. What steps can I take to mitigate this risk? 
  3. You wondered about: Tips for staying safe at Budapest Pride.
  4. You questioned: Why does homophobic content I report on social media not get removed?  
  5. You asked: What pictures are safe to use on dating apps?
  6. You wanted to know: Is it safe to have gay, trans, and Palestinian flags in my bio? 

We’re here to help build an online space where you get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private. Join us to make the internet private, safe, and full of pride.

Paige Collings

California’s AB 412 Still Demands Developers Do The Impossible

6 days ago

California lawmakers are again considering A.B. 412, a bill that would require AI developers to identify and disclose copyrighted works used to train generative AI systems.

The problem this year is the same as last year: it’s practically impossible to comply with this law. The bill demands information that often does not exist, and cannot realistically be obtained. 

EFF submitted an opposition letter to the California Senate Privacy Committee explaining why we continue to believe A.B. 412 is simply unworkable. To the extent developers do follow this law, it will have the effect of locking in the power of the largest companies in AI. 

A Burden That Can’t Be Met

A.B. 412 sounds simple: just have AI developers create and keep a list of all the registered copyrighted works they use in AI training. 

That may seem straightforward. In practice, it’s anything but. 

There is no machine-readable “list” of copyrighted works at the U.S. Copyright Office. And many copyright holders can get a copyright without even depositing a publicly viewable sample of the work—for example, software companies may register copyright on proprietary code without revealing it to the public. 

And on the open internet, copyright information is often incomplete, unavailable, or impossible to verify. One image may be registered with the copyright office, while the next is licensed under a free Creative Commons license (like the images that EFF creates), and the next is public domain. A message forum user might post an original story, photograph, or poem without any indication of ownership or registration status. 

The bill effectively asks developers to continuously cross-reference massive batches of online data against a copyright system that simply wasn’t designed to do so. If California passes A.B. 412, its impact will go far beyond the large AI companies we read about in the headlines. 

Not Just Big Tech

Supporters often frame this bill as a way to help creative workers have some leverage against Big Tech, but the bill reaches much further than the big AI companies. 

Its definition of “developer” extends to anyone who makes a generative AI model available to Californians. That includes indie developers tinkering with an existing model, open-source initiatives, nonprofits, and other non-commercial efforts. Recent amendments added exemptions for universities and government entities, which is important, but that still leaves out a vast swathe of non-commercial tech work that’s done by people without full-time jobs in government or academia. 

Large companies will hire compliance teams and lawyers to navigate these requirements. Smaller organizations and independent developers usually can’t. The result will be fewer opportunities for startups and new entrants. Faced with this massive compliance burden, some won’t even try. 

Courts Are Already Deciding These Questions

The bill is premised on the idea that copyright owners currently don’t have good remedies if they’re mistreated by AI companies. That simply isn’t true. And the growing wave of federal court filings in this space proves it. Content companies that want to sue tech companies, large or small, have no problem doing so. Those courts are still working through important questions about fair use and transformative use. Some courts have already concluded that many AI training activities qualify as fair use. Others continue to evaluate the issue.

California lawmakers should not rush to impose new state regulation while those questions remain unresolved. This is why copyright is governed at the federal level: both creators and fair users benefit from a single set of nationwide rules. 

At this point, the bill remains a solution in search of a problem. Rights holders already have powerful tools to protect their interests under existing federal law. What this bill adds isn’t clarity or transparency, but a costly and essentially impossible compliance burden that will discourage small developers and researchers. 

California has been able to support both artistic creativity and tech innovation for decades now.  But A.B. 412 does not strike the right balance. 

If you are a California resident and interested in speaking out about this bill, you can find and contact your representatives through this website.

Joe Mullin

Pulte Appointment Underscores Need to Reform Section 702 Spying

6 days 2 hours ago

President Trump’s highly politicized appointment of an entirely unqualified acting Director of National Intelligence (DNI) underscores why the government’s warrantless mass spying power must be reformed. 

Congress now faces a deadline of Friday, June 12 to reauthorize Section 702 of the Foreign Intelligence Surveillance Act, an unconstitutional program rife with problems, loopholes, and compliance issues. Section 702 allows the National Security Agency to collect communications from targets overseas – including communications with Americans in the U.S. – and stores them in massive databases. The NSA then allows other agencies, including the Federal Bureau of Investigation, to access untold amounts of that information.  

Under current practice, the FBI can query and even read the U.S. side of that communication without a warrant. What’s more, victims won’t even know and have very few ways of finding out that their communications have been surveilled. EFF and other civil liberties advocates have been trying for years to know how data collected through Section 702 is used in domestic investigations and prosecutions.  

Our advocacy to reform Section 702 has been consistent across administrations, including when the federal Intelligence Community was run by people with experience in the relevant agencies. In fact, the 2004 law creating the position of DNI – which coordinates America’s 18 spy agencies – requires those who hold it to have “extensive national security expertise.” 

Enter Bill Pulte. 

Trump on Tuesday named Pulte – currently director of the Federal Housing Finance Agency (FHFA) and chairman of Fannie Mae and Freddie Mac – to replace current DNI Tulsi Gabbard, who announced her resignation last month. Pulte lacks any intelligence, military, or congressional experience.  

“William has deep experience managing the most sensitive matters in America, the safety and soundness of the Markets, and over 10 Trillion Dollars at Fannie Mae/Freddie Mac, a substantial increase from where it was just 12 months ago,” Trump wrote on his Truth Social platform.

Because Trump named him acting DNI, Pulte isn’t subject to Senate confirmation. And under the Vacancies Act, Pulte could remain in the role for about seven months. 

This is particularly concerning because of Pulte’s history of using private information held by the government as a political weapon. In his FHFA role, he has accused several of the President’s political foes and targets – including New York State Attorney General Letitia James, U.S. Sen. Adam Schiff, D-Calif., and Federal Reserve governor Lisa Cook – of mortgage fraud based on private data held by his agency.  

All these targets and others have denied wrongdoing. A federal criminal complaint filed against James in Virginia imploded after a judge found prosecutor Lindsey Halligan had been unlawfully appointed, and prosecutors twice failed to convince a grand jury to indict James. Pulte’s accusations against Schiff, Cook, and others have not led to criminal charges. 

Pulte also used his FHFA pulpit to attack then-Federal Reserve Chair Jerome Powell and dismantle internal oversight.

Pulte isn't a qualified intelligence administrator. He does, however, seem to be unquestioningly loyal to President Trump and willing to use his position to attack and smear the President’s political foes. As acting DNI, Pulte would have access to every scrap of classified information the Intelligence Community holds, and under Section 702, that includes massive amounts of information about Americans. 

Even lawmakers who are typically friendly to the intelligence community acknowledge that this is a disaster in the making. U.S. Sen. Mark Warner, D-Va., who is the Senate Intelligence Committee’s ranking Democrat, told NPR that Pulte has "no experience in the military, no experience in Congress, no experience in the intel community or law enforcement" and was chosen because he is "100% loyal to doing anything and everything President Trump demands." 

And Senate Majority Leader John Thune, R-S.D., told reporters “we don’t need a weaponized” national intelligence director. Asked about fears that Pulte might pursue Trump’s political opponents, Thune said: “We need professionals there.” 

Congress already has had trouble reauthorizing Section 702 as Freedom Caucus Republicans and many Democrats joined forces to demand reforms including the common-sense requirement that federal agencies get a probable cause warrant from a judge before searching any data involving Americans. Pulte’s appointment exemplifies why no administration should have the power granted by Section 702 without the independent judicial review required in seeking a warrant. 

Josh Richman

EFF Testifies to Congress on Protecting Americans’ Rights from Government AI

6 days 2 hours ago

Governments must not adopt emerging and powerful AI technologies without also adopting strong and clear safeguards to protect Constitutional rights, EFF Senior Policy Analyst Dr. Matthew Guariglia testified today to the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection. 

During the hearing on “The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience,” he explained that the use of generative AI for the purposes of mass government surveillance would supercharge unconstitutional violations of civil liberties. He also highlighted how government secrecy, in addition to the black box of for-profit proprietary technology, prevents the public and lawmakers from knowing when AI models make mistakes, including errors that seriously impact the cybersecurity of critical infrastructure and the lives of individuals.  

“AI also has a track record of getting things wrong—from false citations on legal briefs to a major AI mistake that sent DHS recruits to the field without proper training. There are likely more consequential examples that we do not even know about because of classification that would prevent a more thorough accounting," he said in his opening remarks.

“At this level the question is not how do we rein in AI, it’s how do we rein in the agencies that would unleash AI on the American public,” Matthew said in response to a question by Subcommittee Ranking Member Delia Ramirez, D-Ill.  

You can read his full testimony as prepared here.

Josh Richman

Move Fast, Surveil Things

6 days 3 hours ago

Update, June 8, 2026: Following widespread public scrutiny and WIRED’s critical reporting, Meta has stripped the unactivated facial recognition code from its latest Meta AI app update.

Meta has deployed facial recognition code to millions of their always-on surveillance glasses, according to new reporting by Wired. EFF’s Threat Lab was able to confirm that the facial recognition code is present through static analysis of the application. 

This dangerous new Meta functionality stores faceprints as a series of 2,048 numbers uniquely representing the positioning of a person’s facial features. When this feature is activated, it will convert every new face in the sightlines of the surveillance glasses into a series of numbers, and compare it to all the existing faceprints in the user’s database.

Wired and EFF confirmed that the code is present and active, though not yet exposed to consumers. Another researcher confirmed that when they manually added a face to the app database by connecting the phone to a computer in debug mode and issuing a few commands, the glasses would subsequently detect that face when it came into view. 

Meta has already paid $650 million to settle a BIPA lawsuit challenging mass facial recognition of every photo posted to its platform, a feature which it has since shut down.

Despite the billions of reasons not to, Meta seems to have created the capacity to turn their customers into a distributed surveillance machine. This is just one more reason to think twice before buying or using Meta’s surveillance glasses. 

Considering that Meta previously wrote in an internal document that they want to launch facial recognition “during a dynamic political environment where many civil society groups that we would expect to attack us would have their resources focused on other concerns," this invasive new feature doesn't come as a surprise. But Meta's surveillance plans won't escape public scrutiny that easily, and we'll be watching if this feature is rolled out to the public. 

Cooper Quintin

We're Fighting Mass Surveillance Tech—and Winning

1 week 1 day ago

EFF is on the front lines of the fight against tech-enabled tyranny, but we aren't alone. Our team depends on your help to fight back against the surveillance state.

JOIN EFF

People around the world are pushing back against the mass surveillance that undermines privacy and free expression for everyone. You can help during EFF's spring membership drive.

One of the people who joined the fight for digital rights is EFF client Will Freeman. Will created the website DeFlock.me to reveal the dangers of automated license plate readers (ALPRs)—cameras that collect location data on every vehicle they see and upload that to a massive nationwide police database. Deflock.me turns the tables by enlisting ordinary people to track the locations of tens of thousands of ALPR cameras.

But when the police spy-tech company Flock Safety went after Will's website with legal threats citing trademark law, he saw it for what it was: an attempt to silence critics and dim the light on mass surveillance.

"I was totally unprepared to receive a cease & desist letter. I can see how most people would be bullied into submission by a threat like that. That's when I remembered Dave Maass from the EFF introduced himself via email several weeks before, so I reached out for help," Freeman says.

And that's when EFF stepped in. Recognizing DeFlock.me as a quintessential expression of grassroots advocacy and a form of criticism protected by the U.S. First Amendment, EFF's lawyers helped Will fight back. And the Big Surveillance Tech flinched.

But these battles against Flock's spying tools rage on. In cities around the country, privacy advocates are pressuring officials to block or end contracts for ALPRs—and winning. The company will try everything it can to downplay the criticism, but EFF will be right there demanding accountability.

Get the new Claw Back member t-shirt featuring a fierce feline swatting at community surveillance. You might empathize with him, but there’s a better way. Let’s end the law enforcement contracts, harmful practices, and twisted logic that enable mass spying in the first place.

"I'm really grateful the EFF was able to step in and help. Without them, free speech would be only for those wealthy enough to defend themselves against billion dollar companies. We've grown a lot since then and are expanding our efforts to expose and push back against mass surveillance on our streets," Freeman says.

Support the movement

stop mass surveillance tech today when you join EFF

____________________

EFF is a member-supported U.S. 501(c)(3) organization. We've received top ratings from the nonprofit watchdog Charity Navigator since 2013! Your donation is tax-deductible as allowed by law.

Dave Maass

Welcome New EFF Executive Director Nicole Ozer

1 week 2 days ago

EFF welcomes our new Executive Director Nicole Ozer today! 

Nicole is a legal expert on privacy and surveillance, artificial intelligence, and digital speech who previously served as the inaugural executive director of the Center for Constitutional Democracy at UC Law San Francisco. From 2004-2025, she was founding director of the Technology and Civil Liberties Program at the American Civil Liberties Union of Northern California.

Nicole has long been a partner of EFF’s in the fight to defend civil liberties in the digital world. Many of us already know her, and she’s basically as close to EFF “family” as someone can be without actually having worked here.   

Over her more than two decades leading public interest technology work, Nicole has:  

  • spearheaded passage of the California Electronic Communications Privacy Act – working with EFF to enact the nation’s strongest electronic surveillance law, requiring a warrant for government access to electronic information; 
  • modernized California law to protect reading records in the digital age by helping, along with EFF, to craft the Reader Privacy Act, requiring a “super warrant” for government access; 
  • created a groundbreaking model law for local democratic oversight of surveillance systems which inspired 25 laws across the country that help safeguard the rights and safety of more than 17 million people; 
  • litigated civil liberties cases, including work with EFF on the NSA cases, and drafted influential amicus briefs on technology issues at all levels of state and federal court, including the U.S. Supreme Court and California Supreme Court; and 
  • developed multi-year campaigns to strengthen the anti-surveillance policies related to social media surveillance and face recognition of major technology companies and foster stronger privacy and free expression protection for billions of people worldwide. 

And that's just the TL;DR! You can read more about her bona fides here.

EFF’s work to ensure technology supports freedom, justice, and innovation is more urgent than ever. And with Nicole’s decades of leadership in public interest technology work, EFF is poised to be stronger than ever to meet this moment and build for the fights ahead. 

Nicole succeeds Cindy Cohn, who has been with EFF for more than 25 years and served as executive director since 2015. Cindy is leaving EFF later this month – not to retire, but to find a role that puts her back in the courtroom doing what she does best: suing the government! She’ll still be part of the EFF community. 

We are living digital lives, using technology to connect, communicate, and mobilize for change. And we need you in these critical fights to defend and advance rights in the digital world – so join EFF today, and sign up for our EFFector newsletter to make sure you’re updated on the latest EFF news including upcoming events to help you get to know Nicole. 

Welcome Nicole! 

Josh Richman

One Step Forward, Two Steps Back: CA's AB 1856 Exempts Open Source But Expands Age-Gating

1 week 5 days ago

After public outrage, California lawmakers are moving closer to exempting open-source operating systems from the sweeping age-bracketing regime mandated by last year’s Digital Age Assurance Act (AB 1043). Nonetheless, the current bill still jeopardizes internet users’ speech, privacy, and security.

While the open source exemption, if passed, would improve the law, the remaining amendments proposed by AB 1856 would require all web browsers and websites to request and collect users’ ages. This is an expansion of last year's AB 1043's age-bracketing system that compounds its constitutional harms to users’ speech, privacy, and security. As AB 1856 moves on to the Senate, EFF will continue fighting for amendments that reduce those harms.

AB 1856 Extends AB 1043’s Age-Gating Regime

Last year, California passed AB 1043, which requires all operating systems and app stores to create age-bracketing systems that segment users based on their ages. As we’ve written, that regime is a recipe for censorship: it creates unnecessary and unconstitutional barriers to accessing lawful online speech, threatens our right to anonymity, and pressures online services to collect troves of valuable and sensitive user data. On top of that, A.B. 1043’s wide-sweeping compliance burdens impose disproportionate harms on the open-source ecosystem that underpins much of the modern web. 

Given these flaws, lawmakers introduced AB 1856 this year as a supposed “clean-up” bill for AB 1043. But instead of sticking to fixing AB 1043’s unique and serious harms (like its impact on open-source operating systems), AB 1856 also expanded the regime even further—extending its age-bracketing requirements beyond operating systems and app stores to browsers and websites. 

EFF opposed AB 1856 on two grounds, which we explained in our opposition letter to the Assembly: 

  1. The harms that age-gating regimes pose to users’ speech, privacy, and anonymity; and
  2. The disproportionate harms that this particular regime imposes on open-source developers. 

Open Source Concerns Somewhat Alleviated By Amendment

On May 28th, AB 1856 passed the Assembly in a nearly unanimous vote (68-1). 

Before that vote, however, AB 1856 was amended to relieve the compliance burden on open-source operating systems. This is a meaningful improvement and a welcome relief for open-source developers, who have been loud and clear about how much of an existential threat A.B. 1043’s age-gating mandate would pose.

The new exception reads:

“Operating system provider” does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.

EFF understands this amendment to exempt open-source operating systems from the requirement to collect and transmit users’ age-bracket data. That is a definite win for open-source developers. The bill is narrower now than it was before, and lawmakers clearly responded to concerns raised by EFF and the broader open-source community. 

Some important questions still remain—for example, it is unclear how the law would apply when an open-source operating system is incorporated into a commercial product or service. And, given the structure of where the exemption is placed under the “operating system provider” definition, lawmakers could stand to clarify that the exemption applies to open-source operating systems and applications.

Nonetheless, that ambiguity aside, this amendment does substantially reduce the threat that AB 1043 could pose to many open-source developers. 

AB 1856 Still Expands the Problematic Age-Bracketing Regime

Don’t get us wrong—if this bill passes, we will be very happy that AB 1043 does not pose nearly the amount of harm to our friends behind open-source operating systems. But even after these amendments, EFF remains opposed to AB 1856 because it ultimately expands California’s sweeping age-bracketing framework far beyond the original scope of AB 1043. 

In AB 1856 and its amendments, the Assembly failed to address the core problem with AB 1043’s age-bracketing regime: mandated age-gating systems threaten users’ speech, privacy, anonymity, and security. 

Even though AB 1043 does not explicitly require companies to perform age verification, it nonetheless imposes a liability structure that strongly pressures companies to verify users’ ages anyway. In practice, that could lead to more ID checks, more biometric scanning, more invasive data collection and risk of breach, and more barriers to adults’ and young people’s lawful speech.

In fact, instead of narrowing AB 1043’s wide net, AB 1856 expanded it to add browser providers and website operators to the list of entities that must comply with its age-bracketing requirements. This dramatically broadens the scope of AB 1043 and pulls more services, developers, and users into an anonymity- and privacy-destroying data collection framework that has not yet been implemented or evaluated. The result would make it nearly impossible for regular internet users to avoid AB 1043’s age gates.

The Fight Moves to the Senate

On those grounds, EFF will continue to oppose AB 1856. Though it has passed the Assembly, the fight is not over. As the bill moves through the Senate, we’ll continue to push for amendments that actually “clean up” and narrow the scope of AB 1043, and offer more protection to users from the harms of age-gating systems.

Molly Buckley

Age Verification is a Privacy Nightmare

1 week 6 days ago

In the rush to block young people from certain parts of the internet, lawmakers are creating a privacy and security nightmare for everyone. This scenario is already playing out globally. Help us stop it and keep the web open and accessible for all.


Even with the best intentions, every online age verification scheme has the same result: users are forced to reveal sensitive personal information to third parties simply to access the web. Once that valuable data is centralized, it becomes an immediate target for leaks, hacks, and misuse. This isn’t hypothetical: it has already happened several times.

By age gating the web, we serve up a honeypot of private info ripe for bad actors. But you can help us stop this when you join EFF.

Support digital rights in EFF's new Claw Back member t-shirt and Privacy Badger Crewneck.

Thanks to our members, EFF is on the front lines fighting against online age gating and identity verification online. We’re working with lawmakers to pass better policies, educating the public, and fighting the wildfire of age verification proposals around the world. Now all we need is you.

🐝 No, It’s Not a Bug

We all want young people to be safe online, but we don’t need to trade everyone's digital rights to achieve it. These new restrictive mandates are used to justify government-led censorship and expanded surveillance. That's no accident.

Whether you trust today’s lawmakers or not, handing anyone keys to new forms of censorship and surveillance is a serious risk. Because history shows us that these powers are always abused. It’s time to demand better.


____________________

EFF is a member-supported U.S. 501(c)(3) organization. We've received top ratings from the nonprofit watchdog Charity Navigator since 2013! Your donation is tax-deductible as allowed by law.

Rindala Alajaji

More License Plate Reader Mission Creep: School Residency Verification, Background Checks, and Noise Complaints

2 weeks 1 day ago

An EFF analysis of millions of searches of Flock Safety automated license plate reader (ALPR) data by police has uncovered a troubling pattern: in the absence of a warrant requirement to search ALPR databases, law enforcement agencies have moved beyond specific investigations to use these surveillance networks for virtually any whim.

Our findings suggest that the absence of a warrant requirement has fostered a culture of unrestricted access to sensitive location data, allowing agencies to leverage that data beyond the scope of specific criminal investigations.

As a refresher: Law enforcement agencies lease or purchase camera systems from Flock Safety and then mount them by the side of the road and at intersections to document every vehicle that passes, including the plate, make, model, color and distinguishing characteristics, along with the date, time and location of where it was seen. 

Law enforcement's talking points—often scripted by the company itself—trumpet their role in solving high-stakes crimes. But the data reveals a different story. What they're not saying is that ALPRs are also frequently used for extremely low-level investigations, such as verifying whether a student lives within a particular school zone. In some cases, police have even used this tech to conduct employment background checks and investigations into loud music complaints. Recently, a motorcyclist was even targeted for simply holding a cell phone while riding.

The reach of this ALPR surveillance is amplified by the nature of the indiscriminate sharing these technologies encourage. Most agencies choose to share broadly, often as part of a nationwide pool, making it common for a single city's system to be searched hundreds of thousands of times each month. By analyzing these "network audit logs," privacy advocates and journalists have uncovered evidence of the technology being used to surveil protesters, abortion-seekers, immigrants, and even ethnic Roma populations.

While these high-profile abuses are shocking, the more mundane uses are also problematic, signaling a massive, unchecked mission creep that has turned an alleged “crime-fighting” tool into a universal tracker of everyone’s movements. 

Residency Checks

School systems in the U.S. conduct "residency verification" investigations of students' parents or guardians to ensure enrolled children live in the district. To carry out these checks, some school districts have enlisted law enforcement officers for help, leveraging ALPR databases to track the comings and goings of families across the region.

Buford City Schools in Georgia, which serves only about 6,000 students, illustrates the scale of this prying. Between January 2025 and March 2026, school police ran more than 375 searches where officers listed school residency verification, or simply "RV," as the reason for the search. That accounts for more than half of all ALPR searches in that period, and in those three months of 2026, three-quarters of all searches were related to residency verification. 

School officials stand by the searches. "[B]ecause Buford City Schools is a highly sought-after district, we experience ongoing challenges with residency fraud," a spokesperson told Appen Media, which shared the email with EFF. "Flock Safety is one of the tools we use to verify residency and protect the integrity of the Buford City School System for families who live within the district."

A search of ALPR data will show a lot more than whether a family lives within the right zone. In these Buford cases, officers ran some searches across more than 5,800 different networks nationwide. Every time a plate is searched, it can reveal personal information about a family: when they go to the doctor, when they go to worship, when they go out at night, and where they travel on vacation. None of that is the school district's business, and these searches are a huge invasion of privacy. 

While Buford was by far the most prolific, it wasn't the only agency to run school residency checks. For example, Delhi Township Police Department (DTPD) in Ohio ran 35 searches related to students in five schools in a three-month period during spring 2025, and similarly stood by the practice, citing a warning given to parents that submitting a false statement of residency may be a felony.

After EFF sent an inquiry to DTPD, the agency conducted a brief investigation and found that "these searches were not done to verify residency upon submission, but to investigate cases where it was believed the form was filled out with false information." DTPD did not say what kind of evidence was required to establish suspicion before an ALPR query, nor did it offer information on how many of these investigations turned out to be justified. 

However, the official told EFF: "in response to your inquiry, the department will be implementing a change to how these queries are documented in the Flock system and internally, to increase accountability and help avoid any confusion moving forward."

Other agencies that ran school residency searches include Cortland Police Department in Ohio and Lincoln Police Department in Alabama. Several agencies also ran searches with "residency," "residency investigation" or "residency verification" as the reason, but that could refer to a number of public services. These agencies include Ridgeland Police Department in Mississippi, Fairfield County Sheriff's Office in South Carolina, Manteno Police Department in Illinois, Illinois Department of Natural Resources, and Mora County Sheriff's Office in New Mexico. 

Background Checks

Few people would imagine that applying for a government job would open you up to an ALPR search. Yet, several law enforcement agencies ran searches through the Flock network related to employment. 

For example:

  • Jefferson County Sheriff's Office in Missouri ran six searches across 2,853 networks, documenting "employment" in the reason field.
  • Little Elm Police Department in Texas ran 10 searches across 6,306 networks, documenting "EMPLOYMENT" in the reason field.
  • Ridgeland Police Department in Mississippi ran two searches across more than 6,000 networks documenting "employment background inv" in the reason field.
  • Texas City Police Department, Texas ran three searches across 728 networks, documenting "pre employment background" in the reason field. 
  • Zion Police Department in Illinois ran a search across 585 networks documenting "Employee Background" in the reason field.

Davidson Police Department in North Carolina logged a search listed as "Employment Background," but in response to an inquiry from EFF, the chief described this as "poor choice of words by our investigator." He further stated that the agency does not use ALPRs as part of employment background checks, but in this case, the agency shared that a potential violation of a protective order came to light during a background check, hence the reference to it in the search log.

In addition to the agencies mentioned, several agencies ran searches that simply referred to "background check" or "background checks," which could be related to employment or perhaps some other issue, such as a concealed weapons permit, for example. These include Avon Police Department in Indiana, Rockford Police Department in Illinois, San Bernardino County Sheriff's Office in California, and Seaford Police Department in Delaware.

Noise Complaints

Many people have probably been irritated at some point or another by a car blasting a deep bassline or even the infamous "whistle tip." Some may have even called the cops to complain about a neighbor’s house party. But that's a far cry from the types of serious crimes that Flock and its customers have claimed that the ALPR systems would be used to solve. 

Yet, EFF identified 26 agencies where officers felt it was appropriate to pry into a driver's life because of a noise complaint, ranging from house parties to loud exhausts to just "music": 

Some of these agencies searched upwards of 6,500 networks’ cameras—the equivalent of launching a nationwide goose chase over a booming subwoofer or a busted muffler. 

When Mission Creep Is Just Plain Creepy

An observant reader of this report may have noticed that Ridgeland Police Department in Mississippi ran searches in all three of the categories we reported above.

However, after the city first installed the Flock Safety cameras, the then-police chief told the press that the technology helps solve cases that range from "theft to crimes of violence"—without disclosing that the range would extend much further.

When police and salespeople trot out cherry-picked cases to argue that a mass surveillance technology is an "important" tool, they obfuscate that it's a convenient shortcut around due process. For serious crimes, police can already go through the standard legal process: making the case to a judge on why they should get a search warrant for location data, whether it's from cell phones or service providers. But police treat ALPR databases as if no such threshold exists, giving them free rein to track a person’s movements without a sliver of judicial oversight.


"This is the same as if I put a police officer on the side of the road with a pen and a notepad and he writes down every license plate number that drives by," the former chief said, repeating a commonly circulated talking point.

That rhetoric may sound reasonable if we were just talking about a single camera on a street corner, but Ridgeland now operates more than 50 cameras—the equivalent of one for every 500 residents—and maintains access to tens of thousands more. 

If the chief had stood in front of the city’s aldermen and asked for permission to search more than 20,000 cameras so his officers could investigate the high crime of "music," it’s quite unlikely that they would have been nodding their heads along. 

Ridgeland Police Department did not respond to EFF’s requests for comment.

Dave Maass

🔒 A Win for Encrypted Messaging | EFFector 38.10

3 weeks ago

When it comes to keeping our texts, chats, and other digital messages safe from prying eyes, we have a powerful tool: end-to-end encryption. Used correctly, end-to-end encryption turns our conversations online into secret messages that can only be decoded by their intended recipients. In our latest EFFector newsletter, we're covering new developments in this tool, and how you can use it to prevent tech companies, governments, and other eavesdroppers from listening in.


For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This latest issue covers the shaky science backing social media bans, Canada's surveillance nightmare bill, and a victory for keeping private messages private.

Prefer to listen in? EFFector is now available on all major podcast platforms. This time, we're chatting with EFF Senior Security and Privacy Activist Thorin Klosowski on an important step forward for encrypted messaging—as well as a notable disappointment. You can find the episode and subscribe on your podcast platform of choice:


Want to protect your private conversations? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight for privacy and free speech online when you support EFF today!

Christian Romero

Microsoft Took a Step Toward Human Rights Accountability. Google and Amazon (and Others) Should Pay Attention!

3 weeks 1 day ago

For years, civil society organizations, workers, journalists, and human rights experts have warned that major technology companies risk enabling grave human rights abuses when they provide cloud computing, AI, and surveillance infrastructure to governments implicated in violations of international and humanitarian law. While many companies pay lip service to evaluating customers and contracts for human rights implications (lip service Exhibit A: Palantir!), too often those processes fail to provide any meaningful accountability when their standards are not met or are simply ignored. But recent developments at Microsoft suggest that accountability for failing to uphold the human rights standards that a company itself sets, even if incomplete, is possible. 

According to recent reporting, Microsoft’s Israel chief has departed amid an escalating ethical controversy surrounding the company’s business relationships with the Israeli Ministry of Defense. The move follows months of scrutiny, internal dissent, and sustained pressure from inside the organization along with press and civil society, especially after a report by The Guardian revealed that Microsoft technologies were used in systems connected to mass surveillance and military targeting operations in Gaza in ways that appeared to violate Microsoft’s own standards. This did not happen overnight.

In September 2025, Microsoft reportedly suspended certain services after initial investigations raised serious concerns about how its cloud and AI infrastructure may have been used. That alone distinguished Microsoft from many of its peers. Rather than simply dismissing mounting concerns or hiding behind vague claims of neutrality, Microsoft appeared to recognize that providing technology in conflict settings creates real human rights responsibilities. Now, after additional investigation and continued public scrutiny, it appears the company has taken another step, one that should send a strong signal to others that violating Microsoft’s human rights commitments could cost you your job. This is important. 

There is still much more Microsoft should do, of course. The company has yet to fully disclose the scope of its findings, explain exactly which services were suspended, or clarify what safeguards remain in place to prevent its technologies from contributing to human rights abuses in the future. We shouldn’t have to infer the connection between this employment action and the company’s investigation. 

Just prior to reports that Microsoft had fired its Israel Country General Manager, EFF joined Access Now, Amnesty International, Fight for the Future, and 7amleh in a joint May 7, 2026 letter to Microsoft leadership calling on the company to publicly release the findings of its investigation, suspend business relationships tied to serious human rights abuses, and implement meaningful safeguards to prevent its technologies from contributing to further harm. The letter detailed allegations regarding Microsoft’s reported provision of Azure cloud and AI services to Israeli military and intelligence units involved in surveillance and targeting operations, while also pressing the company to take concrete human rights due diligence measures going forward. Those demands remain urgent, even as Microsoft appears to be taking some of the steps we urged.

But even as we push for more, it is important to recognize when a company takes steps in the right direction. Because this is what it means to put human rights commitments into practice. It means acknowledging that human rights policies are not just branding exercises or transparency reports. It means accepting that companies providing cloud infrastructure and AI services have responsibilities when credible evidence emerges that their technologies may be enabling violations of international law. And it means taking concrete action when those risks become known.

The allegations facing Microsoft are serious. Human rights organizations and investigative reporting have documented claims that Microsoft Azure services were used by Israeli military and intelligence units to process large-scale surveillance data, support AI-assisted targeting systems, and sustain military cloud infrastructure during the war in Gaza. The concerns raised extend beyond ordinary business risk; they implicate potential complicity in violations of international humanitarian and human rights law.

Faced with these allegations, Microsoft could have chosen the path many tech companies take: deny everything, attack critics, suppress worker dissent, and continue business as usual. Instead, the company appears to have begun responding to the evidence.

Technology companies are not powerless bystanders. Cloud providers and AI companies make choices every day about who gets access to their infrastructure, under what conditions, and with what oversight. When companies claim to uphold human rights principles, those commitments should have operational consequences. Too many companies, in both international and domestic policing contexts, provide technology to institutions that violate people’s human rights and civil liberties, then fall back on the claim that they are merely providing a service that their customers can use how they see fit. This is an ethical failing that falls short of most companies’ publicly expressed commitments. Microsoft’s recent actions suggest that sustained public pressure, worker organizing, investigative journalism, and civil society advocacy can force even the world’s largest technology companies to respond.

Google and Amazon should especially see this as a clear example to follow. Both companies also provide services to the Israeli Ministry of Defense and have faced years of criticism over those contracts and services, including from EFF. Yet neither has demonstrated the level of responsiveness or accountability that Microsoft has shown. If Microsoft can suspend services, investigate allegations, and make leadership changes amid mounting evidence and ethical concerns, then other cloud giants can no longer pretend that meaningful action is impossible.

The technology industry has spent years insisting that ethics and human rights matter. The real test has always been whether those principles survive when profits, government contracts, and geopolitical pressure are on the line. Microsoft’s recent steps are not the end of that story, but they may mark the beginning of what real accountability can look like.

We’re looking at you, Amazon and Google. If Microsoft can do it, why can’t you?

Betty Gedlu
EFF's Deeplinks Blog: Noteworthy news from around the internet