EFF to Grindr: This Pride Month, Put Safety and Privacy Over Profits

4 hours 52 minutes ago

This Pride month, we’re calling on the dating app Grindr to prioritize LGBTQ+ user safety by making privacy the default across its platform. That means no more sharing personal data with advertisers or training AI on private information without users’ opt-in consent.

Grindr is a dating app for the LGBTQ+ community, and for queer people, privacy violations can have life-altering consequences. Information that reveals someone’s sexual orientation, gender identity, or HIV status can be used by employers, governments, family members, scammers, or bad actors to inflict harassment, discrimination, arrest, or violence. For example, data from Grindr and other gay dating apps was sold by data brokers and used to 'out' (the act of disclosing someone's sexual orientation without permission) a gay priest in 2021.

Despite being the world's most popular gay dating app, Grindr has repeatedly mishandled users' sensitive data. Grindr has been caught sharing users' HIV status and precise location with advertisers without obtaining valid consent, resulting in reprimands and fines in several countries. Its former Chief Privacy Officer even sued, alleging the company fired him for raising concerns about Grindr prioritizing “profit over privacy.”

Grindr ended several of its most egregious data sharing practices after they were exposed. But more changes are needed if Grindr wants to earn back trust and prove its commitment to users’ privacy and safety. This Pride month, we’re calling on Grindr to make privacy the default and ensure the immediate implementation of two changes to better protect its users:

Opt Users Out of Behavioral Advertising by Default

Grindr currently allows users to opt out of behavioral advertising, but that protection is not enabled automatically (except in some unspecified regions). As we’ve long warned, behavioral advertising relies on the collection and sharing of personal data across a vast network of advertisers, intermediaries, and data brokers. Once information enters this ecosystem, users have little control over where it goes or how it is used: people’s most private and intimate information can be aggregated, sold, and combined with information from other sources to create detailed personal profiles.

By default, Grindr appears to share data with numerous advertising and tracking companies. Using TrackerControl, an app developed by privacy researcher Konrad Kollnig, we recorded Grindr contacting 20 third-party tracking domains during 15 minutes of app activity (see Grindr_TrackerControl_06-23-2026.csv for exported results). TrackerControl observed Grindr contacting Big Tech companies and ad-tech intermediaries, many of which have faced significant legal scrutiny for privacy violations. Several of these companies auction off ad space through a process called “real-time bidding,” which can expose user data to hundreds of additional companies and be exploited by data brokers.

The dangers of Grindr’s default settings exposing users’ personal data to this ecosystem are not hypothetical. Between approximately 2017 and 2020, a location data broker collected the precise movements of millions of Grindr users from digital advertising networks and made them available for sale. The commercially available data was allegedly so detailed that, in some cases, it could be used to infer romantic encounters between specific Grindr users.

Although Grindr has stated that it no longer shares precise location data or profile information with advertisers, it acknowledges sharing other personal data, including mobile advertising identifiers (MAIDs)—unique, persistent device IDs that allow advertising companies and data brokers to connect data about the same individual across different sources. MAIDs are not anonymous, and an entire industry exists to link them to more directly identifying information, like emails and phone numbers. According to Grindr’s privacy policy, companies receiving users’ MAIDs “are aware that such data is being transmitted from Grindr,” which could expose a user’s sexuality to the advertising and data broker ecosystem.

Opt Users Out of AI Training on Personal Data by Default

Grindr should stop training its AI models on users’ personal data without opt-in consent. 

Grindr has been investing heavily in AI features as its CEO strives to make Grindr an “AI-first business.” New AI features include a wingman chatbot, profile recommendations based on users’ inferred “type”, summaries of previous interactions with other users, and AI-generated insights about other profiles (like responsiveness, typical online hours, and engagement patterns). By default, Grindr uses its users’ personal data to train the AI models behind these features.

Grindr claims to never use sensitive health information for AI training and requires users to opt in to AI training on “special-category” data, which includes chat content and precise location. But Grindr automatically enrolls users in AI training on other private information, including profile photos, age, taps, and display names. Users must navigate several levels of Grindr settings to prevent these personal details from being used to train Grindr’s AI.

AI systems trained on personal data create new privacy risks, including the possibility that personal information may be retained, reproduced, or exposed in unexpected ways. For example, researchers have been able to extract training data from AI systems like ChatGPT.

Beyond AI training, Grindr enables AI-powered features by default and allows both “special-category” data and other personal information to be processed by those features. Even users without access to premium-subscription AI features could have their data automatically used to power those features for other users. “Behavior-based profile insights” (pictured below) could expose information that users would never choose to share publicly, like the types of people they interact with on Grindr, their typical online hours, and how often they initiate conversation with other users.

Image of the “Profile Insights” feature from a Grindr blogpost promoting its premium, AI-first subscription

Regardless of whether new AI features leak private information, users deserve meaningful control over how their personal data is used and by whom. Grindr notifies users that their personal information may be used to train AI and that they can opt out on a separate settings page, but this notice does not specify the type of data used (i.e. profile photos, taps) and it is unlikely that people carefully read or understand it. Closing the notice or clicking its only button (which is “Proceed”) maintains Grindr’s default of using personal information for AI training. To respect users’ autonomy, Grindr should require opt-in consent before training AI models on personal data.

Notice displayed in the Grindr app about the use of personal data for new AI features

Celebrate Pride by Demanding Better Privacy

Grindr must immediately stop prioritizing profits over users’ safety. The ability to opt out is not an acceptable substitute for opt-in consent, especially given the added risks of data sharing for LGBTQ+ users. Defaults matter—studies show that most people cannot or do not change the default settings of technologies they use.

If Grindr wants to back up its claim that it “takes user privacy very seriously,” it should make privacy the default across its platform, rather than something users need to go through complicated processes to opt in to. 

Lena Cohen

Hate “The Algorithm?” RSS Is One of the Tools You’ve Been Looking For

5 hours 3 minutes ago

Poke your head into just about any online social network—or any general conversations about internet culture—and you’ll likely find a boogieman: the algorithm. Since at least the moment Facebook introduced (and apologized for) its News Feed, “the algorithm” has been shorthand for the ways the tech giants control what we see and when we see it. In the age of enshittification, there is a push to reclaim our feeds and networks. Good news: there’s a tool that’s been around for decades that can help wrangle many of your feeds into something manageable: Really Simple Syndication, more commonly known as RSS.

What’s RSS and How Do I Use It?

RSS has been around since 1999, but its real publicity glow-up came from Google Reader, a newsreader service that Google offered between 2005 and 2013. Despite the alarm bells people rang at the time, the death of Google Reader wasn’t the death of RSS, and many replacements have come and gone over the years.

RSS may seem complicated, but it boils down to one general concept: when websites publish new content, like news articles, blog entries, webcomics, videos, or podcasts, that content gets added to an RSS feed, where your RSS reader (aka newsreader, feed reader, or aggregator) will show you that content in chronological order. If you’ve ever used a podcast player like Apple Podcasts or Spotify to follow different podcasts, you’ve used RSS. You can think of it like an internet-wide “follow” button, where you can track the contents of websites, users, and more.

People talk about RSS like it’s a power user’s secret trick to making the internet more usable, but the real secret is that it’s not that hard to set up and use. Here’s what you need to do:

  • Find an RSS reader: RSS readers come in many forms. Feedly, NewsBlur, and The Old Reader are web-based, but have their own apps (though they also support third-party apps). Others, like NetNewsWire, are app-based, and support either using a web-based RSS reader like Feedly, or a local file. Some live in browsers or web extensions. There’s an abundance of choice in RSS readers, and part of the fun is finding one that best accomplishes what you want to do. But don’t worry about finding the right RSS reader right away. One of the many magic tricks of RSS is that it is platform agnostic, and nearly every RSS reader, whether it's a website or an app, supports importing and exporting a list of the sites you subscribe to. This means you can change RSS readers in a couple of minutes. If you need some help finding an RSS reader, Wired, The Verge, and Privacy Guides all have useful roundups.
  • Collect your feeds: As for adding websites to your feeds, the process is straightforward. Most RSS readers are designed to help find the feed for a site for you, so you don’t need to go hunting down a special link. Just drop the URL of what you want to follow in your reader, and if an RSS feed exists, it should be able to find it. If not, some sites, including ours (and our current podcast, EFFector, as well as our last series, How to Fix the Internet), provide direct links to our RSS feeds.
  • Sort, filter, and build your feed: Adding a bunch of new feeds can be overwhelming, particularly for news sites. RSS readers typically include folders, which let you group similar feeds together and can be great for lifting up low-traffic updates you don’t want to miss. Your reader may also have different filters, like the option to block any article that contains “sponsored post.”

RSS Is the Best Way to Follow the News

It can be very difficult to follow the news, whether that means politics, tech policy, or your hobbies. Solutions like Google News or Apple News have tried to make this simpler, but many find that their algorithmic feeds are as often a source of frustration and annoyance as they are genuinely useful. And no matter how often you tap on news stories that matter to you from publications you respect, there may always be stories that refuse to bubble up.

RSS can make reading the news much easier, more reliable, and more private. The vast majority of news sites have RSS feeds you can subscribe to, and many, including CNN, The New York Times, BBC, Wired, Politico, and many others, offer RSS for specific sections or special feeds that include the full text of articles for subscribers, so you aren’t just pummeled with a firehose of news all day long (if a site doesn’t have separate feeds, the next section has a tip that tackles this problem). In many cases, you can read articles right in your RSS reader, never being forced to engage with wonky comments sections or poor design choices on websites.

Of course, the news isn’t just general news sites, it also includes hobbyist or more niche sites, local news offerings, and blogs. Most of these sorts of websites also offer RSS feeds, as do newsletter platforms like Substack or Ghost. 

RSS Offers One Way to Fix Some Social Feeds

Decentralized social media like Mastodon, Bluesky, and Threads use RSS for user feeds, so you can follow your friend’s posts on Bluesky or Mastodon without actually having an account on either. This can be especially helpful for news sources, too—where you likely wouldn’t want to subscribe to a feed of everything a national news organization publishes because that would include dozens if not hundreds of stories a day, you can instead subscribe to their social media posts, which often get you the most breaking or important news.

Some legacy social media works with RSS, too, including YouTube, Reddit (though that is currently at risk), and Tumblr. But others, like Facebook, LinkedIn, and Instagram, wall off posts behind account requirements that seem to pop up if you simply look at an account page for too long, let alone come in from an RSS feed. These walled gardens prevent information from getting out there, which ranges from annoying, like when your favorite local brewery only posts their food truck schedule on Instagram, to dangerous, like when local public services only post to a Facebook page.

The internet is more than just Facebook. It’s more than Mastodon or Bluesky, too. It’s a decentralized smorgasbord of websites, tools, feeds, newsletters, social profiles, and more, and treating it as such will help us wrangle the information we want and trust. 

Other Surprising Places You’ll Find RSS Feeds

When in doubt, try copying and pasting the URL for a site into your RSS reader of choice; you might be surprised to find a feed that proves useful to you. Many places on the internet may offer RSS feeds without you even realizing it. For example, if you want to keep an eye on an artist’s prints that you like, but they don’t have Instagram where they usually post, you might be able to subscribe to their webstore, as some shopping platforms, like Big Cartel, create an RSS feed automatically. And for something even more tweakable, even Google Alerts can be turned into RSS feeds.

If you prefer to track policy over products, then you’ll be happy to know that government sites often support RSS, including most U.S. government sites, many of which break them into different sections like the U.S. Department of State’s various feeds. Many local governments or other public services, like fire departments, may offer the same. Some universities (and university newspapers) also offer RSS feeds.

And even if a website doesn’t have an RSS feed, there are workarounds from tools like RSSHub, RSS-Bridge, and RSS.app that require varying levels of technical expertise or a willingness to pay subscription fees.

RSS is one of the best examples we have of the open web, where we can design and customize how we experience the internet, not the other way around. RSS has come in and out of fashion, been declared dead, and has come back, every time. Open systems are the best way forward to a free, equitable internet, and the resilience and continued reinvention of RSS has shown just how creative the web community can be with open protocols.

Thorin Klosowski

Lawmakers Must Act Now to Prevent Armed Police Drones

5 hours 47 minutes ago

This is not science fiction. It’s not premature. If towns, cities, states, or the federal government want to act to rein in the emergence of armed police drones and robots, we have precious little time. In the absence of substantial regulation around when and how domestic law enforcement in the United States can deploy force using drones, the companies that market technology to law enforcement have been moving. It’s past time concerned people take notice. Cities should not procure weaponized drones or robots, and multi-purpose drones and robots should be restricted from causing harm.

This month, two disturbing developments raised concerns that we might be on the verge of a larger trend of drone militarization. The first is that the CEO of Skydio, one of the most prolific vendors of police drones in the United States, signaled that the company has a more permissive attitude toward arming their drones in some contexts than many people expected. When asked on a podcast about the public perception that the company had restrictions around letting the military arm their drones, CEO Adam Bry said, “This is an area where I’ve gotten some things wrong. We said some things previously that led folks externally and internally to believe that, for example, we would prevent the military from putting weapons on our drones […] It’s very easy to sit back in a Silicon Valley office and think that we’re very smart, that we know the technology, and the idea of using it for X, Y, or Z thing seems evil or bad, so we’re going to write a policy or ban people from doing it. I think that’s ultimately misguided.”

Simply put: he is signaling that Skydio will not implement restrictions on their customers’ use of their devices. 

Bry was specifically asked about the military arming drones, but the question reveals a disturbing truth: whether police arm drones domestically is currently based more on the internal ethical commitments of companies than on any laws created by elected officials. Combining Skydio’s huge number of police contracts, including supplying entire fleets for Drone as First Responders (DFR) programs, and the tendency of military technologies like surveillance aerostats to get redeployed on U.S. soil, creates a real recipe for the emergence of armed police drones.

The other piece on the chess board to keep our eye on is the introduction of weaponized drones as a tool of school safety. A company called Campus Guardian Angel will run pilot programs in schools in Georgia and Florida in Fall 2026 to introduce drones that are designed to swarm, distract, crash into, and even shoot irritants at potential school shooters. This comes just years after a large national backlash that got the large police tech company Axon to pause its development of drones armed with tasers as a solution to school shootings. 

Although it may be obvious to some people, it’s worth saying again: antagonizing an active shooter with a small drone is a dangerous idea. In chaotic situations, deploying physical harm via drone is likely to get bystanders or good Samaritans hurt by accident. It is also unproven that this technology will work to distract or deter an actual school shooter, especially when the demonstrations we see online revolve around crashing drones into stationary mannequins in pristine, controlled conditions. Another important question: What would happen if a potential shooter shoots at the small moving drone and endangers the people fleeing behind it? After all, in the demonstrations we’ve seen, it is unclear if these drones have the ability to see what is behind them. This is an unproven and potentially dangerous method of combating the very serious problem of gun violence in schools, and it’s one that helps to normalize armed drones as a solution to other policing problems as well.

These developments also mean it’s not enough to follow the lead of San Francisco, which in 2022 became the first city to change its policy regarding how robots could be used in order to ban police from using deadly force via robots. A robust and effective policy must include both drones and robots (not one or the other), and it has to explicitly prevent drones and robots from deploying any bodily harm — including deadly force and less-lethal measures like kinetic strikes, pepper spray, rubber bullets, or tasers. In addition, cities and states should not procure weaponized drones and robots.

Since 2021, EFF has been advocating against the use of armed robots or drones by law enforcement. This call has become more urgent as companies are moving in to take advantage of the lax regulatory landscape. We cannot continue to rely solely on the good will of companies that make their money selling technology to police departments to protect us from dangerous police technology. Lawmakers need to act now. 

Matthew Guariglia

We Can Still Stop California’s 3D Printer Surveillance Scheme

6 hours 4 minutes ago

Ignoring EFF’s warnings about the dangers and impossibility of implementing a new mandate for 3D print surveillance software, the California State Assembly has signed off on legislation to do just that. In the process, legislators amended the bill to make it even more confusing, while failing to address the risks to privacy, speech, and consumer rights. We must renew our call on legislators to drop this bill as it heads to the state senate, and protect the tools of creators in the state.

Take action

Tell CA Senators to stand with creators

What’s changed about the bill?

Since we first wrote about AB 2047, a bill targeting 3D printers for the rare, impractical, and already outlawed practice of manufacturing firearms without a license, it has picked up several amendments. Some are welcome changes, but most have only highlighted the technocratic absurdity of the proposed scheme. Our core concerns—that this mandate censors lawful speech, builds out corporate surveillance, and criminalizes open source experimentation—have not been remedied.

Removes criminalization of resale

Starting with one silver lining, the current bill includes a carveout for the private resale of devices. The original bill would have made it a criminal offense for an individual to resell 3D printers purchased before this mandated censorship and surveillance software. This is a clear win for the 3D-printing community, but it is unfortunately not enough.

Ineffective carveouts for open source

One of the most dangerous aspects of the bill is that it criminalizes individual users for common practices, like creating and using alternative open source programs with their 3D printer. New amendments provide a carveout for the use of an open source tool, but only if it includes compliant censorship software. The bill burdens open source developers with ambiguous and unrealistic standards for print blocking, and continues to create a chilling effect for open source users.

Removes any actual requirement to work

To reiterate—there is no world where the mandated technology actually works as intended. It will both block lawful use of 3D printers, and allow firearms to be printed by anyone determined to do so. There is no amendment that can change this reality.

Instead, the current bill simply drops the pretense that this mandate is expected to work. The performance standard of algorithms changed from “effectively prevent[ing] a technically skilled user from evading [the algorithm]” to “substantially reduce the likelihood of foreseeable circumvention attempts…” The bill will still require all prints to be surveilled, but instead of testing efficacy against a skilled user, it just plays whack-a-mole with the (literally) infinite number of circumventions that any user can employ. 

Further, the bill now leaves us with an unclear process that relies on non-governmental third parties to define standards, and now relies on manufacturers and resellers to self-police.

Hollywood gets a cut

The bill includes yet another carveout for commercial users, this time for the entertainment industry, which makes extensive use of 3D printers for props and costumes.

That’s fine for big studios, but it leaves out indie filmmakers, cosplayers, and many other small creators. 

This is simply a defensive edit to limit corporate opposition. There isn’t a clear division in 3D printing between consumer and commercial tools. These are general-purpose tools which might be picked up by a prop department of a big studio, or an artist getting ready for Comic Con. Indeed, consumer-level products are not only used by amateur artists and engineers developing their skills. Commercial 3D printers, like their traditional 2D equivalents, are frequently used in workplaces, as well as by professionals honing their skills or just trying to get some work done at home.

Commercial carveouts hand printer manufacturers the ability to sell a more expensive tier of printers, locking in and up-charging their commercial customers. Some of those customers will choose to buy general retail versions, but that carries its own price: increased risk of IP theft as all printed files are surveilled the same way they are for hobbyists. That means a real risk of businesses leaking any prototypes or new designs to not only the printer manufacturer, but potentially snooping governments and/or the general public through data breaches.

Demand your senator oppose AB 2047

This updated version of AB 2047 downgrades performance standards and removes oversight while still threatening privacy and choice for users of 3D printers. A printer surveillance system won’t work for its intended purpose, and will only harm law-abiding users.

Act now to demand your senators vote no on this ineffective and invasive bill.

Rory Mir

Primed for Malware: Stop Selling Compromised Android Devices

21 hours 30 minutes ago

Time and time again, researchers have found numerous compromised Android devices for sale at large online retailers like Amazon. When these devices get individually reported, we have seen some noted efforts to take them down. But this is a systemic problem and Amazon and other major online retailers must make a corresponding systemic and intentional effort to stop these devices from entering people’s homes and ultimately their networks.

As a refresher: Last year, Google wrote that one major campaign, deemed BADBOX, affected 10 million uncertified devices that were running Android’s open-source software (Android Open Source Project or AOSP). These devices span from TVs and streaming devices to digital picture frames. Even now, someone can go on Amazon and Walmart and buy one of these devices. Not all of them come from Amazon and Walmart, but it’s fair to assume since they have the lion’s share of the market.

Most well-known Android-based devices don’t come with just “stock Android.” The operating system is usually Android plus additional features that the manufacturer wanted. These custom versions of Android often come with pre-installed applications that range from useful to innocuous bloatware to actual malware. Many Android OEMs (original equipment manufacturers) pre-install apps that may not be visibly represented by an icon in your list of installed apps. This obscurity makes it particularly hard for users to identify any potential threats.

Since the initial BADBOX analysis, there have been more reports of large campaigns and clusters of different devices participating in malicious activities that utilize people’s home networks to engage in illegal activity. Task forces in the private sector have made an effort to take down these existing Command and Control structures, but these actors may pivot and evolve to flood the market with more devices. 

Online retailers can stop this cycle. A multi-billion dollar company like Amazon should offer more resources, like their anti-fraud efforts, given that these products may have facilitated conditions for large-scale attacks and illegal activity. It would also be helpful if they communicated malware-related takedowns in a more visible way to consumers who are seeking very similar devices with shared characteristics.

Identifying these devices can be tricky, but it’s not impossible because they tend to follow a pattern. For example, the FBI warned consumers this year to avoid TV streaming devices that claim to provide free sports, TV shows, and movies, a common tactic used by the makers of these malware-filled Android devices that leverages people’s exhaustion from spending money on countless streaming services. We detailed what sorts of indicators to look for on a device you’ve purchased.

But it’s not just the storefronts. There are other parts of this ecosystem that need to improve too, like increased engagement in firmware transparency and the actual manufacturers of the devices themselves being held accountable for these malware-laced products.

On Prime Day, we urge retailers like Amazon to better empower users with information they need to make safe and smart decisions.

Alexis Hancock

EFF, TEDIC and CEJIL Challenge Secrecy in the Use of Face Recognition in Paraguay

23 hours 54 minutes ago

Seeking transparency and accountability in Paraguay’s use of facial recognition, EFF, the Association of Technology, Education, Development, Research, Communication (TEDIC), and the Centre for Justice and International Law (CEJIL) filed a complaint with the Inter-American Commission on Human Rights against the state for arbitrarily denying access to information about its implementation and use of the technology as a tool for mass surveillance that erodes people’s privacy rights. 

The case involves the Ministry of the Interior and National Police’s installation in 2019 of surveillance cameras with facial recognition technology in Asunción. Maricarmen Sequera, a lawyer and executive director of TEDIC, filed an information request with the ministry seeking details and protocols about the implementation and use of facial recognition systems and the personal data processing involved. 

The request sought information about, among other things, whether the state had conducted human rights or data protection impact assessments, as well as if it had developed measures and protocols for avoiding abuses, illicit uses of personal data, and other risks in the deployment of the facial recognition system.

The state denied most of the information requested, arguing that implementation details, protocols, and the processing of individuals' personal data were confidential security information. TEDIC contested the secrecy in courts, but the analyses lagged and ultimately sustained the denial of information. 

The petition filed last Friday (19) cites Inter-American standards upholding the public’s right to access information, particularly in relation to national security, that the Paraguayan authorities disregarded in denying TEDIC’s information request. The petition also argues that the refusal of information violated privacy and the right to informational self-determination.

The petition asks the Commission to recognize a violation of those rights and require the state to deliver the information requested. Further, the petition seeks an order compelling the state to adopt mandatory permanent mechanisms of active transparency regarding the acquisition, contracting, implementation, financing, functioning, and use of surveillance technologies by public bodies, especially those that incorporate processing of biometric data or artificial intelligence systems. 

It also asks the Commission to order the state to adopt mandatory procedures for human rights impact assessments prior to acquiring and using surveillance technologies, particularly those that collect biometric data or use artificial intelligence.

The state’s lack of transparency in this case is not an isolated incident, either in Paraguay or in Latin America, where opacity in matters of security and surveillance is the unsettling rule. The situation gets worse with the increasing normalization of intrusive surveillance technologies by states in the region.

The Special Rapporteur for Freedom of Expression of the Inter-American Commission emphasized that states should disclose surveillance capabilities and contracts, and acknowledge state use of surveillance technologies at a meaningful level of detail, to facilitate essential public debate on the necessary limitations of surveillance in democratic societies and ensure compliance with international human rights law.

We hope that the Inter-American Commission upholds the robust safeguards in the Inter-American System and advances access to information and privacy rights in a case that can set a crucial precedent for the region.

Karen Gullo

Four Years After Dobbs, Anti-Abortion Lawmakers Keep Coming for Online Speech

1 day ago

This week marks four years since Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade’s constitutional protections for people seeking abortion care. Anniversaries are a moment to take stock, and over the last four years, EFF has seen firsthand how digital rights and reproductive rights have become increasingly intertwined. One major way this has happened: the fight over abortion has also become a fight over online speech and government censorship as a steady stream of proposed laws, cease-and-desist letters, lawsuits, and government investigations have targeted the websites and online resources that help people find and learn about reproductive healthcare.

This is an effort by anti-abortion government officials to mold the information ecosystem, restrict what people can read, and cut off the ways people communicate with one another. We’ve watched this build for years, and the encouraging news is that many of these efforts have failed. The worrying news is that they keep coming. And if they’re allowed to succeed, this could have repercussions for freedom of expression online beyond reproductive rights.

Targeting Sites That Just Share Information

The clearest tell that this is also a war on speech is that officials have aimed their efforts not just at abortion providers or the entities that prescribe and sell medication abortion, but also at websites that do nothing more than tell people what their options are, how to find a doctor, and where abortion remains legal.

Cease-and-Desists & Takedown Demands

State attorneys general have been hitting these online information hubs with cease-and-desist letters and takedown demands. Just this month, for example, Alabama Attorney General Steve Marshall sent cease-and-desist letters to multiple groups with abortion-related websites, including Plan C, a public health campaign that provides educational resources and research on abortion access. Plan C doesn’t sell or ship abortion pills. It simply provides information. Marshall’s office nonetheless claimed Plan C’s website “facilitates, aids, and abets” illegal abortion. The Arkansas attorney general similarly sent out cease-and-desists to several organizations regarding their websites, including Mayday Health, which, like Plan C, provides only information and does not directly prescribe or mail pills.

In another example from earlier this year, North Dakota Attorney General Drew Wrigley threatened legal action and ordered the Prairie Abortion Fund to scrub information off of its website, not because the fund sold pills, but because its site linked to several outside informational resources. The Attorney General primarily focused on the fund’s link to Plan C, meaning the biggest alleged issue was a link to a website that links to other websites where pills can be accessed.

What’s especially concerning is that the state doesn’t have to win, or even file, a lawsuit to get what it wants. Especially for smaller organizations and funds, a letter threatening legal action can be enough to chill their speech, causing them to remove important content and go quiet.

Censorship Mandates

Legislators in multiple states have also attempted to make it illegal to share resources on how to obtain an abortion, including on purely informational websites with a national or global audience. South Dakota recently passed a law making it a felony to “advertise” anything “described in a manner calculated to lead another to use or apply it for producing an abortion.” Language this broad can easily apply to websites that simply engage in First Amendment-protected advocacy or provide educational resources. Mayday Health, which operates one such website, has since sued the state in federal court to block the law. The lawsuit argues the law could reach something as small as wearing a sweatshirt that carries Mayday’s web address.

Other state legislatures have made similar efforts. Last year, for example, Texas introduced a bill that would have made it illegal to “provide information” on how to obtain an abortion-inducing drug. If you exchanged emails, had an online chat, or created a website that shared information about legal abortion services in other states, you could have violated this bill. Luckily this particular bill did not pass, but Texas has attempted to pass similar laws for several years now.

Dressing Censorship Up as Consumer Protection

A major way anti-abortion officials are targeting online speech is by weaponizing consumer protection and deceptive advertising laws, claiming that providing information about abortion violates them. This tactic is a threat to free speech rights. The First Amendment protects publishing truthful information on a public issue, and the Supreme Court has expressly said that includes providing information about legal abortion in a state where it is illegal.

Yet states like South Dakota have continued to use deceptive advertising claims to go after abortion speech. Last year, South Dakota sent a cease-and-desist and then filed a lawsuit against Mayday Health for running ads that simply read: “Pregnant? Don’t want to be?” with a link to Mayday’s website. The state claimed the ads were “deceptive.” Mayday then counter-sued in federal court, challenging South Dakota’s actions under the First Amendment. Though the federal judge ultimately declined to step in while the parallel state case was pending, she made a point of saying she believed Mayday’s website constitutes “speech subject to protection under the First Amendment.”

Other states have attempted to run the same play. Missouri sued Planned Parenthood in 2025 under its consumer-protection statute, calling a webpage that says abortion pills are safe an “unfair and deceptive” trade practice. Florida went even further, invoking its RICO law—a law typically used for organized crime—over the same kind of statement. Florida leaned heavily on a single study funded by an anti-abortion think tank, even as major medical organizations and decades of research put the serious-complication rate below half a percent. States should not be able to cherry-pick studies in order to erase online speech.

Going After Intermediaries & Erasing Whole Websites

Some officials aren’t content to restrict only certain abortion-related content—they want the websites gone entirely.

Take, for example, the cease-and-desist letters sent by the Arkansas attorney general last year. Letters were sent directly to internet intermediaries (entities that facilitate use of the internet, such as internet service providers, web-hosting providers, or things like search engines and social media platforms). The letters demanded that both a domain registry company and a web host stop supporting a site that discusses abortion drugs. But as we know, if we cut off the host or the domain, the speech disappears for everyone—not just for people in Arkansas.

Likewise, Texas’s 2025 bill would have required intermediaries to take down abortion-related content. It’s worth remembering that the imposition of civil and criminal liability on intermediaries also conflicts with a federal law that protects online intermediaries’ ability to host user-generated speech, 47 U.S.C. § 230 (“Section 230”), including speech about abortion medication.

The push has gone federal, too. In March 2026, Senator Bill Cassidy and colleagues on the Senate Health, Education, Labor and Pensions Committee pressed the FDA to use every tool it has against online sellers, including leaning on the domain registrars that keep these sites online.

Why This Should Worry Everyone

It’s tempting to see this as limited to the fight over reproductive rights. That would be a mistake. For people seeking care, the immediate harm is obvious: the internet is often the only place to find accurate, potentially life-saving information, and every letter, lawsuit, and takedown threat makes that information harder to find and riskier to share.

But the damage doesn’t stop there. We’re witnessing a live experiment in how to use consumer-protection laws, criminal statutes, and pressure on intermediaries to suppress a disfavored viewpoint, pull information offline, and make websites disappear. To think these tactics can only be used against abortion speech would be naïve. 

We hope courts and legislatures will continue to protect free speech online. But the continued drumbeat of threatening letters, lawsuits, and investigations is its own kind of harm. Here at EFF, we’ll keep defending the right to share and read information online—about abortion, and about everything else.

Lisa Femia

The FCC’s Spam Call Proposal Is Just a Data Collection Scheme

1 day 3 hours ago

The Federal Communications Commission wants to require telecommunications providers to collect vast amounts of personal information from every person who wants a phone number in the name of combatting scam and spam calls. This plan will fail to combat the deluge of unwanted calls people in the United States receive every day while giving untrustworthy companies a gold mine of information that would harm everyday consumers’ privacy, access to communications, and ability to speak freely.

The requirement to provide ID and an address would completely cut off the ability to have an anonymous phone line, which would mean many people in the most precarious situations imaginable (domestic violence and human trafficking survivors, unhoused people, and children without stable homes) would not be able to gain access to a crucial lifeline. EFF, along with ACLU, has submitted comments advising the FCC to abandon this proposal entirely.

This Rule Will Not Decrease Spam Calls 

Requiring phone providers to collect consumers’ information will not appreciably decrease or eliminate unwanted calls. The FCC knows this because it confesses in its own rulemaking that “the most effective way to prevent unwanted calls from reaching American consumers is by ensuring they never enter the network.” Further, the Federal Trade Commission found that “a significant proportion, if not the majority, of unwanted robocalls originate from overseas.” Collecting the personal information of everyone who wants to make a phone call will not put a dent in fraudulent calls. 

What will address unwanted calls is the FCC’s STIR/SHAKEN technical standards, which already exist. While STIR/SHAKEN is not perfect, it is actually a technical solution to the problem of spam calls. And where fewer than 50% of American telecommunication providers have fully implemented the protocol, the FCC should put its energy toward 100% compliance to reduce the scale of unwanted calls, instead of collecting consumers’ private information.

The FCC gives away the true reason for this proposal in their own comments: this is a move to shut down the very existence of anonymous phones, aka burner phones. FCC says in their comments: 

“Enhanced KYC information can assist law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information. The KYC information gathered and verified would help ensure that law enforcement gets accurate information in response to subpoenas when investigating crimes. For example, can enhanced KYC rules assist law enforcement in investigating organized criminal groups that use the network to facilitate illegal activities? Can they be used to deter or detect trafficking operations that use communication networks to buy and sell illicit goods?”

Anonymous phones are not just used by people to break the law; they are also used by activists who wish to remain anonymous, privacy-conscious consumers, people escaping domestic violence, people escaping human trafficking, journalists who need to reach out to confidential sources, and other people in desperate situations. Anonymous phone lines are a lifeline to many, one which this proposal would cut off without any alternative.

Mass Data Collection Makes Us All Less Safe

Mass data collection of individuals does not address unwanted calls, but it does make us all less safe online. The telecommunications industry has proven time and again that they’re poor stewards of personal information. They’ve been at the center of several large-scale data breaches in recent years and their data practices leave much to be desired.

In 2024, AT&T disclosed two large data breaches: one in which 7.6 million existing account holders and more than 65 million former customers had their information leaked onto the dark web, and another in which more than 100 million customer account call and text logs were downloaded. Another large provider, Comcast, suffered a data breach in 2023 in which nearly 36 million account holders’ information was stolen, including the last four digits of their Social Security numbers and dates of birth.

In 2024, the nation’s CALEA infrastructure, which law enforcement uses to tap and trace calls, was breached in the Salt Typhoon attacks. Experts maintain that U.S. communications networks remain vulnerable, and even this administration acknowledges these attacks as an ongoing threat. 

If telecoms can’t even protect the most sensitive communications infrastructure in the nation, how can we expect that they will protect our identities?

In addition to their poor cybersecurity practices, these providers themselves abuse the information in their possession. In Scott v. AT&T, AT&T, among others, made consumer information available to hundreds of third parties without the consumer’s express consent. Though the case was dismissed because AT&T forces its consumers to sign arbitration agreements, it shows the complete lack of care for their consumers' privacy.

A Lack of Anonymity Silences People 

Mass data collection of individuals just to have a phone number will also harm and silence people. Anonymity in calls provides people the safety they may require to organize themselves, speak freely, and seek services. Anonymous phone calls give people the courage to participate in politics, organize themselves, reach out to a suicide or sexual-assault hotline, an addiction-recovery sponsor, seek medical care, seek escape from a violent and coercive situation, and do much more. Without this anonymity, people may otherwise not do any of these things. 

It will prevent many from obtaining phone numbers at all. 

Not everyone has all the information the FCC wants to require. The FCC wants people’s physical addresses, defined so narrowly that it’s essentially a home address. Not everyone has a stable home address, so those individuals would not be able to get phone service.

The FCC suggests that a government-issued identification should be required for any phone service. About 15 million adult U.S. citizens do not have a driver’s license, while about 2.6 million do not have any form of government-issued photo ID. Others don’t have access to their identifying documents; they may be controlled by an abusive spouse or parent, human trafficker, cult, or someone else from whom a secondary phone line could help a person escape. Estimates show another 21 million adult U.S. citizens do not have a non-expired driver’s license, and over 34.5 million adult citizens have neither a driver’s license nor a state ID card with their current name or address.

These numbers do not include non-U.S. citizens who do not have current government-issued identification, including undocumented immigrants who cannot obtain a state ID or driver’s license. Black Americans and Hispanic Americans are disproportionately less likely to have current driver’s licenses, and Americans with disabilities and Americans with lower annual incomes are also less likely to have current driver’s licenses.

The FCC’s proposal will not decrease the number of unwanted calls. All it will do is set up a data collection regime that harms everyday, law-abiding Americans. This proposal makes us less secure online, strips away our right to anonymous speech in calls, and actively disconnects those Americans who are already at the margins. EFF recommends the FCC discard this proposal in its entirety.

Reply comments can still be filed until July 26th. Express comments, which are appropriate for most individuals, can be filed on the FCC website. See the suggested language below to help you get started.

Chao Liu

Are Your Local Police Using Flock Safety ALPRs to Scan for Immigrants?

1 day 5 hours ago

When a car passes an automated license plate reader (ALPR), its plate is captured and instantly compared against a list of vehicles that police are actively looking for or that police have identified for real-time surveillance. These are called “hotlists,” and EFF has learned that one used by agencies across the country targets immigrants on behalf of Immigration and Customs Enforcement (ICE). 

Agencies using Flock Safety ALPR systems commonly allow the plates their cameras collect to be compared against the FBI's National Crime Information Center (NCIC) hotlists. These hotlists are broken into "topics," such as "Gang or Suspected Terrorist," "Stolen Vehicle," and "Missing Person." 

Flock Safety told EFF via email: "Local agencies add/remove license plates from the NCIC list. The FBI curates the NCIC list, and pushes it out to local agencies. Once the list leaves the FBI, they do not see any agency alerts. They only see when a local agency adds or removes plates from the list."

But one list is different: The "Immigration Violator" hotlist is populated exclusively by ICE, and ICE is the only agency authorized to enter or maintain records in this system, according to the NCIC operator manual. It includes license plates associated with administrative warrants, which are issued by ICE agents without judicial review. The manual further describes the data:

The Immigration Violator File contains records on criminal aliens who have been deported for drug trafficking, firearms trafficking, or serious violent crimes and on foreign-born individuals who have violated some section of the Immigration and Nationality Act.

And: 

If the ICE has reasonable grounds to believe that the subject may be operating a particular vehicle or a vehicle bearing a particular license plate, the vehicle and/or license data may be included in the record.

Buried in the Flock Safety administrative interface, there is a drop-down menu where agencies select which NCIC topics to subscribe to. If Immigration Violator is selected, the local agency will receive an alert that a vehicle ICE is looking for has been sighted. According to Flock Safety, ICE itself does not get an alert, although the local agency may contact ICE to let them know. Many agencies also participate in or collaborate with immigration enforcement (through, for example, 287(g) agreements) and may take steps to stop a vehicle based on one of these alerts.

In many places, using ALPRs for immigration enforcement is against city or state law–or at minimum, against agency policy. But using this hotlist is immigration enforcement. 

For example, Sparks Police Department's ALPR transparency portal lists immigration enforcement among the "prohibited uses." Yet, records show Sparks utilizes ICE's Immigration Violator hotlist.

Many agencies publicly acknowledge using NCIC hotlists, but don't publish which ones. So, EFF filed public records requests with agencies around the country to figure out how to identify, at least, which agencies may be using the Immigration Violator hotlist. Here are links to the documents from the 13 agencies that have responded so far.

Agencies with the Immigration Violators Hotlist Enabled

Agencies Using NCIC Hotlists, But Immigration Violators Is Disabled

Knowing whether your agency has this box checked isn't just useful information—it's the kind of evidence that can change how officials vote when a contract comes up for renewal. So, how can you find out if your local agency is using the Immigration Violator list? It takes some digging, and you may not be successful. But here's what has worked for us in some instances. 

STEP 1: Conduct background research. 

The first questions you want to try to answer are: 

  • Does your local agency use Flock Safety ALPRs, and if so, 
  • Are they using NCIC hotlists? 

To answer the first question, here are two sites to try: 

  • AtlasofSurveillance.org - This is an EFF project to catalog the technologies law enforcement agencies use. You can search for your agency to see if they use ALPR.

  • EyesonFlock.com  - This site includes an index of every agency that maintains a Flock Safety "Transparency Portal." These portals often disclose what hotlists an agency uses. You'll want to look for your agency, then click the outbound link to their transparency portal, if they have one. 

Once you're on the transparency portal, you'll want to look for two things. 

  • Is "immigration enforcement" a prohibited use? If it is, you might find that the agency is violating its own policies. 

  • Does the agency list "NCIC" as one of its hot lists? 

Not all agencies disclose this information, so even if you don't find anything, you can move on to these next steps. 

STEP 2: File a public records request. 

Every state has a law that allows the public to request information from the government. This can often be done by emailing the police department or sheriff’s office, or by using the agency's online public records portal. You can usually find these emails or portals quickly online by searching for the agency's website and contact information. You can also subscribe to a service like MuckRock, which is how we filed these requests.

We have developed language to request the hotlist topics. It doesn't always work, due to differences in how agencies interpret public records laws, but it is still worth a shot. 

Note: This is template language. A Google doc version is available here (Google's Privacy Policy applies). 

To Whom It May Concern:

Pursuant to the [INSERT LOCAL PUBLIC RECORDS LAW - FIND THAT HERE], I hereby request the following information:

- The NCIC topics that the agency has selected.

Within the Flock Safety ALPR administrative controls for hotlists, there is an NCIC drop-down menu to allow an agency to choose which NCIC "Topics" it will alert on. For example, "Gang or Suspected Terrorist" or "Missing Person." 

You may provide this as a print out or a screen grab, or simply copy-paste the selected items. If you'd prefer to do a full CSV export, that is also acceptable but may take more effort.

I leave the format at your discretion, but I would prefer to use as little of your agency's resources as possible for this request. You can see an example here: https://www.documentcloud.org/documents/28277589-20260414084201725/

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. Please do not hesitate to contact me with any questions at [CONTACT DETAILS].

Sincerely,

[Your Name]

STEP 3: Wait for a response.

Depending on the agency and the state law, it may take anywhere from days to weeks to receive a response. 

If the agency provides the records, they might look something like this: 

If "Immigration Violator" is checked, then yes–police are scanning vehicles for immigration enforcement. 

You can then put this information to work, sharing it with local reporters or bringing it directly to city officials who have the authority to modify, restrict, or cancel your agency's Flock contract. This is especially important if the agency has the box checked but also claims ALPR data is not used for immigration enforcement. Government officials like easy fixes, and "uncheck the box" is about as easy as it gets. But remember: If that's where it stops, the infrastructure for immigration surveillance stays fully intact, and the system is one policy, personnel change, or error away from being switched back on.

In many cases, you will not receive records. The agency may claim it's protected under legal exemptions or that it is not actually a public record under state law. For example, we received rejections from the Abington Police Department in Massachusetts and the Akron Police Department in Ohio.

If that happens, push back politely. You can explain that many other agencies across the country have produced this information and that it would greatly help inform the public. You can try contacting the police department's public information officer. Another option is alerting local press that the agency is refusing to disclose basic information about a public surveillance system, shutting residents out of decisions about how that system is being used. If you have the resources and time, you may also consider litigating a denial or lack of response.

You can also email your city council or board of supervisors member. Explain why this matters: The law enforcement agency may be facilitating immigration enforcement in secret, potentially in violation of its own policies. Ask them to use their oversight authority to demand answers from the agency, including pressing the vendor directly. Elected officials hold real leverage here: In most cities, either the council or the city manager controls the contract, and both are accountable to the public. If your agency's contract is up for renewal—or if a new pilot program is on the horizon—this is exactly the kind of information that should be part of that public debate before officials sign anything.

While we have filed dozens of these requests, we need locals to help gather even more. Drop us a line with the records you receive (or don't) at aos@eff.org.

Dave Maass

The KIDS Act Would Require Age Checks To Get Online

1 day 14 hours ago

Within the next week, Congress is preparing to vote on the KIDS Act, a sprawling package of legislation that seeks to control Americans’ web browsing and private messaging. The package includes a revised version of the Kids Online Safety Act, or KOSA, combined with a collection of other internet bills, study bills, reporting requirements, and new regulations. Instead of debating any of these proposals on their merits, lawmakers are attempting to move them all at once under an ultra-expedited process. 

The package of cobbled-together bills is a mess, with different age-gating schemes for different services, using different standards. It’s a lot of complexity, and a lot of legal risk. Faced with that, many companies will conclude that the safest option is restrictive age-checking practices across their entire platforms.

Buried inside the KIDS Act are provisions that will push online services to verify all users’ ages, require government-directed moderation policies for online speech, and even create new rules about private and encrypted communications. While supporters continue to claim this bill protects minors online, its requirements come at the expense of privacy, free expression, and the ability of people of all ages to use the internet without revealing sensitive data. 

Take action

Tell Congress to reject this age-gating bill

The KIDS Act Pressures Platforms to Check Everyone's Age

Supporters of KOSA have said the bill doesn’t require age verification. And technically, the KOSA section of the bill does say that KOSA shouldn’t be read to require age verification. 

But if you read the rest of the bill, that disclaimer starts to look hollow. 

Throughout the KOSA section of the legislation, special protections, controls, messaging settings, and parental tools are required whenever a website or app “knows or should have known” a user is a child (defined in the bill as anyone under 13) or a teen (defined as anyone between 13 and 16 years old). 

The problem is a website operator doesn’t need actual knowledge that a user is a minor to get in legal trouble. It applies when a platform “knows or should have known” a user’s age—a low, negligence-style standard of knowledge. If an online service gets it wrong, it’s going to be up to courts and regulators to decide, after the fact, if an online service “should” have known a user was 16. 

To try to avoid liability, services will have to determine which users are teenagers and which are not. Most won’t be able to simply trust their users. They’ll have to collect more information about age, before any lawsuit or government action arises. Some companies may respond by requesting driver's licenses or passports. Others will rely on age-estimation systems that attempt to guess users' ages by looking at existing activity or doing facial scans. Existing estimation systems make mistakes when estimating children’s ages, which is a big problem when that is the population KOSA is trying to protect. And the systems fail more frequently for people of color, people with disabilities, and trans and nonbinary people.

The bill’s authors seem to know this is a problem. On the one hand, the new KOSA section says age verification is not required. On the other, it repeatedly imposes obligations that depend on knowing whether a user is under 17. But a disclaimer doesn’t magically eliminate legal risk, especially for smaller services and startups that can’t afford to defend lawsuits or fight regulators.  

The "KIDS Act" Is an Age Surveillance Bill

KOSA is not the only part of this package that creates age-verification pressure. The SAFE BOTS Act, like KOSA, goes back to the standard that if a service “knows or should have known” that a user is a minor, it can’t offer certain chatbot features.

The SCREEN Act requires services that host sexually explicit content to determine whether users are “more likely than not” under the relevant age limit, before allowing access to certain content. 

The consequences of this liability will not be limited to minors. If websites and apps are expected to reliably identify teenagers, adults will be asked to prove they are adults. The result is a less private internet for everyone.

The KIDS Act Pressures Platforms To Police Lawful Speech 

The new version of KOSA removes the bill’s infamous "duty of care" provision, a significant change. The revised KOSA requires covered platforms to "establish, implement, maintain, and enforce" policies and procedures addressing several categories of content and conduct. 

Some categories, such as true threats and sexual exploitation, involve unlawful activity. Others are much broader. The bill specifically requires policies addressing the "sale or use" of narcotic drugs, tobacco products, cannabis products, gambling, and alcohol. It also restricts discussions around financial fraud.

Sounds straightforward enough. Then you remember how people actually talk—online and off. Can teens discuss addiction and recovery? Can a 15-year-old post that she’s worried she has a friend who is drinking too much? Can they seek advice about a parent’s gambling problem, or get help if they or a family member have been scammed? Can they participate in harm-reduction communities or discuss substance abuse treatment? All of these young people would be engaging in lawful speech when discussing topics covered by KOSA’s enumerated harms. 

The bill does not directly ban those conversations. But it places platforms under huge pressure to create and enforce moderation policies around broad categories of lawful speech. Faced with legal risk, many services will inevitably choose to remove that speech or restrict those discussions to spaces where they know only adults can participate. We’ve seen this movie before. When legal risk goes up, platforms will take down more speech. 

The KIDS Act Regulates Private Messages, Too 

Several provisions of the bill create new rules around direct messages, disappearing or “ephemeral” messages, and AI chat services. 

The bill includes language stating that certain KOSA requirements should not be construed to override strong encryption. But the protection is incomplete. The carve-out applies to certain features and messaging controls, but doesn’t apply to KOSA’s separate requirement that platforms "address" a list of harms to minors. 

The KIDS Act never answers an obvious question: how exactly is a platform supposed to address those activities if they’re inside encrypted communications that it can’t read? That will create pressure for providers to weaken private communications or limit features on encrypted private services. 

That approach is especially troubling when it comes to ephemeral messaging. Disappearing messages are not a “loophole” or a dangerous design trick. They are a useful privacy feature that allows online conversations to function more like ordinary real-world conversations, which are not preserved forever in a permanent database.

Like many other parts of the KIDS Act, these private messaging provisions also depend on websites and apps knowing who is a minor and who is not. The result is more age checks, more restrictions, and less privacy online.

Take action

Tell Congress: no online age checkpoints

Joe Mullin

🦅 Domestic Spying Takes an L | EFFector 38.12

2 days 4 hours ago

Sold to the public as a foreign surveillance tool, Section 702 is the law that has let intelligence agencies spy on millions of Americans’ private conversations without a warrant. Despite years of revelations about this law's misuse, Congress has repeatedly reauthorized Section 702 without meaningful reform. Until this month, that is, when it finally lapsed in a major victory for privacy. In our latest EFFector newsletter, we're covering the expiration of Section 702 and what happens next.

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This issue covers a disastrous plan to overhaul the U.S. Copyright Office, why the UK's social media ban will cause more harm than it prevents, and a new Senate bill taking aim at government pressure to silence lawful speech online.

Prefer to listen in? EFFector is now available on all major podcast platforms. This time, we're chatting with EFF Senior Policy Analyst Matthew Guariglia on what the expiration of Section 702 means for warrantless domestic spying. You can find the episode and subscribe on your podcast platform of choice.

Want to protect your private conversations? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight for privacy and free speech online when you support EFF today!

Christian Romero

The UK’s New Under-16 Social Media Ban Will Cause More Harm Than It Prevents

1 week ago

This week, politicians in the UK pushed forward with plans to eviscerate privacy and free speech on the internet by announcing a ban on social media for users under 16 that is set to take effect in Spring 2027. 

The UK government continues to falsely characterize this policy as a necessary response to growing concerns about online harms for young people. In reality, much like the Online Safety Act, it will cause more harm than it will prevent. 

Users of all ages are burdened with proving their age before accessing content, with social media platforms such as Snapchat, TikTok, YouTube, Instagram, Facebook, and X included in the ban. There remains no reliable, privacy-preserving method of verifying the age of every internet user and methods vary from one platform to the next.

Young people will not simply be protected from being contacted by adults or endlessly scrolling—they’ll also lose access to educational videos on YouTube and local events on Facebook, and potentially be cut off from distant friends and family. 

Public policy must be effective, proportionate and respectful of fundamental rights. Young people deserve better than a policy built on panic, and all internet users deserve a safe and free internet. A social media ban generates headlines, but it will not solve the problem. 

A Brief History of Age-Gating in the UK

Age restriction proposals in the UK date back to a decade ago, when the proposed Digital Economy Bill was put forth to (among other things) restrict young people from accessing pornographic websites. While the Digital Economy Act of 2017 passed without age-based restrictions, it laid the groundwork for later age verification measures.

Over the next few years, age checks for porn websites were announced then delayed several times. But it wasn’t until a consultation under the 2016-2019 May government and the 2020 publication of the Online Harms Whitepaper that age verification became a broader idea.

In 2023, the UK passed the controversial Online Safety Act, establishing powers that could weaken privacy protections and freedom of expression for internet users worldwide. In July 2025, the government implemented age assurance measures on sites hosting “harmful” content. 

And despite politicians affirming repeatedly that the Online Safety Act would solve all of the problems with online safety, this year they decided it in fact did not go far enough. American social psychologist and The Anxious Generation author Jonathan Haidt—who has called for age-related social media bans around the world, despite significant scientific doubt about his research—met with the UK Health Secretary in February to push for the ban.

In March, politicians introduced plans for a social media ban into the Children’s Wellbeing and Schools Bill to “prevent children under the age of 16 from becoming or being users” of “all regulated user-to-user services,” to be implemented by “highly-effective age assurance measures”—effectively banning under-16s from social media. 

When this proposal came before the House of Commons, MPs defeated it and proposed their own amendment: enabling the Secretary of State to introduce provisions “requiring providers of specified internet services” to prevent access by children, under age 18 rather than 16, to specified internet services or to specified features; and to restrict access by children to specified internet services which ministers provide. 

But the social media ban does not stop there. The provision also requires internet service providers to limit the time kids spend online, and has rules about who can contact them online. These extreme rules will take decisions about using technology away from families and put them in the hands of government regulators. 

The history of this proposal shows that the UK government has repeatedly returned to the same flawed idea: restricting access to online services by requiring age checks for everyone. But the fundamental problems have not changed. There is still no widely available way to verify age online without compromising privacy—but even if there were, broad restrictions on social media will inevitably limit access to lawful speech, valuable online communities, and arts and culture.

Paige Collings

EFF Joins 60+ Groups Urging the UK to Halt Face Estimation at the Border

1 week ago

This week, EFF joined Foxglove, Human Rights Watch, and 60 other organizations in writing to the UK’s Minister of State for Border Security and Asylum, Alex Norris, raising serious concern about the Home Office’s decision to deploy Facial Age Estimation (FAE) to assess asylum-seeking children from 2027. 

The letter points to four key concerns:

Discrimination 

As with most face estimation and recognition tools, there is ongoing bias in the deployment of these technologies. With FAE, many have highlighted its baked-in failures and discrimination, particularly in relation to women and people of color. Evidence shows that FAE is most accurate for estimating the ages of Eastern European men, but even then it consistently produces errors. The Home Office itself noted “that FAE performance can vary depending on ethnicity” and skin tone. 

Inaccuracy

The Home Office has admitted that FAE systems are imprecise for analyzing 16- to 18-year-olds, with even the “top systems” having an “error margin of around 2.5 years here.” This is exactly the age range for which the Home Office has chosen to deploy this technology. And this error margin will be widened yet further because children seeking asylum often suffer from trauma-induced aging. 

Lawfulness of Use of Children’s Data

Major concerns exist around the lawful basis on which the Home Office, or its chosen third-party FAE vendors, could have sought consent to collect and process photographs or data from asylum-seeking children to train this system. Further, there is no clarity on the images and/or data that this technology has been trained on. 

Lack of Necessary Disclosure 

The Home Office claims “extensive testing has already been carried out across diverse groups, including different ethnicities, genders and age ranges, indicating promising performance and accuracy.” But these purported “promising” results have not been published, nor have any Equality or Data Protection Impact Assessments. 

The letter continues by requesting clarification on several key questions regarding these concerns. EFF and partners have provided the UK government 21 days for a response, and we urge the Home Office to take on this uphill task in good faith and release the information.

You can read the letter in full here

Paige Collings

Canada Is Forging Ahead with Its Dangerous Surveillance Bill

1 week ago

With no serious debate, including on proposed amendments, Canada is blazing full speed ahead with Bill C-22, which would threaten encryption and increase surveillance. Also known as the Lawful Access Bill, Bill C-22 is currently moving forward quickly to a vote despite the many, many criticisms civil liberty groups and the tech industry have hurled at it.

As we’ve discussed before, Bill C-22 is dangerous on multiple levels. It pushes for requirements for metadata retention, expands information sharing with foreign governments, and establishes a mechanism that allows Canada’s Ministry of Public Safety to demand that companies create backdoors, effectively breaking encryption. That mechanism was a key facet of Part 2 in Bill C-22, and the government prevented it from being independently debated.

In a deep analysis of the bill, Citizen Lab and the Canadian Civil Liberties Association detail every one of the flaws of this proposal, concluding that most elements are unsalvageable. 

A wide range of tech companies agree. Signal, Apple, Google, and several VPN providers oppose the bill, and some have said they’d likely be forced to either cut Canadians off from certain features or shut down services in Canada altogether.

The Canadian government wants this dangerous, complicated, overreaching bill passed before June 19. Bill C-22 is riddled with privacy problems that affect millions of people. It should be debated and studied fully, not jammed through on an arbitrary deadline. 

OpenMedia is offering a tool for Canadians to contact their elected representatives about the bill. Actions taken on OpenMedia's website are governed by OpenMedia's privacy policy, not EFF's.

Thorin Klosowski

EFF Thanks SerpApi For Helping Us Protect Free Speech Online

1 week ago

EFF is grateful for SerpApi’s generous support, helping us fight for your rights to speak and access information online. SerpApi has been giving to EFF every year since 2018, and alongside our 32,000 individual donors, their gift is critical to keeping up the fight.

Whether in the courts, halls of power, or broader policy debates, we appreciate the work this support has made possible over the years. Some examples:

  • We sued the U.S. Department of Homeland Security and Department of State to stop an unconstitutional social media surveillance program to identify and punish individuals who express viewpoints the government disagrees with.
  • We helped develop the Santa Clara Principles, a framework to rein in overbroad content moderation so that all users are treated fairly and offered consistent tools for recourse if their speech is censored by tech companies.
  • In the whitepaper Unfiltered: How YouTube’s Content ID Discourages Fair Use and Dictates What We See Online, we pushed back on YouTube for silencing individual creators in the interest of protecting a small number of giant copyright holders.
  • We stood with whistleblowers and dissidents persecuted for their online speech.
  • We continued the fight to protect Section 230.

We live in an era when lawful speech and the right to access information are being targeted by Big Tech and governments around the world that are hostile to dissent. Free speech online is core to EFF’s mission, and SerpApi’s support will help us continue the fight to protect everyone’s right to free expression.

Tierney Hamilton

Call for Submissions: Digital Pride

1 week 1 day ago

This Pride season, join EFF and the Queer Arts Collective in building a creative space at the intersection of digital justice and artistic expression. 

We’re looking for fresh, untold, historically censored takes on digital liberation. 

Whether it’s pointing the lens towards an issue you feel is underrepresented in digital justice efforts; sharing personal accounts of joy, pleasure, or sorrow under surveillance; painting your widest imagination for our communities using technology for good instead of carcerality and doom—we want to see it and we want it to expand our own understanding of what’s important and beautiful. 

We’re going to be curating between five and nine art pieces across writing (fiction, nonfiction, poetry) and visual arts (photography, drawing, painting). We welcome fluidity in medium and genre, and cross-genre works of all kinds, such as graphic storytelling and collaborations. 

We are looking for works that convey the importance of digital liberation and ways of achieving it, particularly from under-represented perspectives. Pieces will be selected based on interpretation of the theme, emotional resonance (does it surprise, move, frighten, delight?), and overall curatorial cohesion for each issue. 

Submissions that adhere to the following length guidelines are preferred: 

(NON)FICTION - max 1500 words
POETRY - max 2 poems 
VISUAL ARTS - max 1 artwork, which can be a serialized collection. 

Please submit to paige+pride@eff.org by June 30, 2026, including your piece as an attachment and a short bio in the body of the email, alongside anything else we should know about your submission. You can expect to hear back from us around July 31, and we aim to have the first issue published in September. If we select your submission for publication on both EFF and Queer Arts Collective websites, we will compensate you between $25 - $50, depending on the number of pieces published. 

There is no fee for entry. Please only submit one piece or a contained series for this call, and wait for us to get back to you before submitting again. If you plan to submit both individually and as part of a collective, one submission in each of these categories applies. 

Your submission must be your original work and you must have the legal right to authorize us to publish it, but it need not be created specifically for this project; you may submit a work you have published previously. Please disclose any use of AI in a note in your application—this will not disqualify your entry, though we value transparency of labor exchange. 

As attempting to witness art is a highly subjective endeavor, please don't consider not being selected as anything other than circumstantial. We are looking to foster a community of artists working for digital justice, and would love to see more from you in the future. 

You will retain all legal rights to your work, but agree to provide EFF and Queer Arts Collective with a non-exclusive and non-time-limited license to publish your work on their websites and other promotional materials, such as in zines. 

Meet the Judges

Kit Walsh is an EFF attorney who works to protect the rights of activists, journalists, researchers, and dissenters in order to build a better world. She is also a Nebula-award-winning author and is best known for her tabletop roleplaying game Thirsty Sword Lesbians.

Paige Collings is an EFF activist working to dismantle systems of oppression and advance collective liberation. Her work focuses on highlighting how state surveillance and corporate restrictions stifle marginalized communities and perpetuate historic injustices and harm. She works with activists across the globe to facilitate systemic change by speaking truth to power and creating spaces for alternative imaginations.

The Queer Arts Collective is an NYC-based collective run by queer and racialized artist-activists, looking to make space for art that is deliberately disruptive of structural hierarchies that power the status quo.

Paige Collings

A New Bill Takes Aim at Government Pressure to Silence Lawful Online Speech

1 week 1 day ago

Last week, Senators Ted Cruz and Ron Wyden introduced the Justice Against Weaponized Bureaucratic Overreach to Networked Expression, or JAWBONE Act. The bipartisan legislation creates a federal cause of action against government officials who coerce or attempt to coerce broadcasters, interactive computer services, or AI providers into taking actions against lawful, First-Amendment-protected speech, and establishes a transparency system for government communications with those intermediaries about user expression.

We thank the Senators for their leadership on this important issue. Jawboning occurs when the government pressures private companies to censor speech protected by the First Amendment, and it’s not always obvious to the public or to the victims what has actually happened. Deleting posts or cancelling accounts because a government official or agency demanded it or even made threats in making those demands—just like spying on people’s communications on behalf of the government—raises serious free speech concerns. Among other things, this bill would provide a new legal right to bring claims against the government in federal court, in addition to what the First Amendment provides.

At EFF, we’re continuing to fight back on behalf of those censored by government coercion. One recent example: we represent the creator of ICEBlock, an app that allows the public to report immigration enforcement activity in their communities. In June 2025, high-ranking federal officials began threatening to investigate and prosecute the creator of ICEBlock, Joshua Aaron. In October 2025, the U.S. Attorney General demanded Apple remove ICEBlock from the App Store, and the company complied. The government’s coercion violated Aaron’s First Amendment rights.

We’ve also filed a Freedom of Information Act lawsuit against the same government agencies that threatened Aaron and other services that provided forums to report ICE activity. The lawsuit seeks the disclosure of the government’s communications with Apple, Google, and Meta that forced the services to remove lawful speech.

When federal officials pressure private companies into censoring protected speech, it can violate the First Amendment. But not every communication from a government agency to a platform is unconstitutionally coercive. Treating legitimate communication and information-sharing between the government and private actors as though it were always unconstitutional would chill the valuable, good-faith engagement that supports a healthier and safer internet and nation for all Americans. This is a complex issue, and one that is important for Congress and the courts to get right. 

Finally, contrary to what many in Congress have been saying, social media platforms and other internet intermediaries have their own First Amendment rights to decide how they moderate users’ speech. They are not “state actors” and do not have an obligation under the First Amendment to allow all user speech on their platforms. EFF filed an amicus brief setting out our position in 2018, and we’ve said it in many cases since. The Supreme Court recognized again in the NetChoice cases that these services have a right to curate and edit their users’ speech, whether or not it aligns with the government’s position. And it’s important to defend that First Amendment right so that governments cannot dictate how to edit a company’s site according to the government’s wishes and desires. To prevent jawboning by default, companies must be free to curate their platforms as they wish.

EFF applauds Senators Cruz and Wyden for taking this critical issue seriously, and we look forward to working with Congress on this bipartisan bill as it moves through the process. We hope it lands on the right balance to provide additional protections for everyday users around freedom of expression. 

India McKinney

Court Records Should Be Free

1 week 1 day ago

Court records belong to the public. Yet anyone seeking access to federal court filings through PACER, a government software system that stands for Public Access to Court Electronic Records, is usually required to pay hefty fees to search for and view documents. PACER’s fees have long acted as a barrier that makes it hard, especially for low income people, to see and understand the work produced by our own public servants. 

That's why EFF joined a broad group of organizations supporting the Open Courts Act of 2026, legislation that would modernize the federal courts' electronic filing systems and eliminate PACER fees. 

The bill would replace the aging PACER and CM/ECF systems with a modern, unified platform designed to improve public access, strengthen cybersecurity, and reduce long-term costs. Supporters note that PACER currently collects more than $150 million annually in fees from the public, despite court records being public documents.

The Open Courts Act would also make court records easier to find, access, and understand. The legislation builds on a similar proposal, also supported by EFF, that previously won bipartisan support in the Senate Judiciary Committee but did not become law before the end of the congressional session.

This is not a new issue for EFF. More than a decade ago, we criticized PACER's paywalls and the removal of some court records from online access, arguing that the public should not have to pay to read the law and the judicial decisions that shape it. The Open Courts Act would move U.S. courts a big step closer to that goal. 

In addition to EFF, the bill is supported by Fix the Court, the group pushing this bill forward; the Free Law Project, which maintains RECAP, software that has created a large archive of legal opinions and other court records; as well as civil society groups, open government watchdogs, and media groups. 

Public access to the courts is a cornerstone of democratic accountability. Let’s eliminate unnecessary barriers to court records, and bring the federal judiciary’s tech into the modern era. 

  • Read the full letter supporting the Open Courts Act of 2026

Joe Mullin

Field Notes from a Year of OPSEC Training

1 week 1 day ago

Late last year, as part of our annual “Year in Review” series, we summarized our efforts providing digital privacy and security advice to at-risk communities. OPSEC trainings (short for operational security, a catch-all term we use to describe any kind of workshop, advising session, assessment, or presentation about operational security for individuals and organizations) are something we've long provided, but until recently, something we’ve never broadcasted.

This has become a critical aspect of our work over the years, keeping us grounded and in touch with the realities of tech-enabled violence as well as evolving resistance strategies used by movement workers. Hoping other security trainers and organizers copy our homework, here’s a more thorough breakdown.

NOT TRADITIONAL PENTESTING

To be clear, we're not a 'pentesting' company (pentesting being the methodological process of testing a person or organization's security and privacy posture), nor an information security (infosec) firm that offers anything within the scope of traditional security assessments. Infosec companies almost always adhere to a cycle of discovery/reconnaissance, then vulnerability scanning and testing, then exploitation of the vulnerabilities found, and finally a reportback of recommended mitigation strategies. Such full-spectrum audits can run the gamut of testing network security, physical security, organization posture against phishing or ransomware attacks, web app security, and more. For many organizations, the value of such engagements is immeasurable.

Such companies—although equipped with the technical sophistication to do full-spectrum digital security auditing and testing—often lack the critical points of view of human rights defenders and activists. Many human rights defenders and liberation movement workers are critically under-resourced and unable to meet the high costs of engagement with such infosec companies.  But that’s not what we offer. Our trainings center the needs of people on the ground, and offer this work pro bono. 

The cycle of engagement our work tends to take is similar to the lifecycle of pentesting outlined above, but with some key differences better suited to people-powered movements. 

We begin with a period of discovery about the organization we’re engaging with, learning about their work, the issue space they’re working in, and the types of threats their peers have faced in the past. Relying on our knowledge of known threat actors (state-operated threats, non-state actors, surveillance mechanisms, and more), we conduct a thorough threat modeling and risk assessment exercise, surfacing critical pieces of information about what we ought to prioritize protecting and from what. Sometimes that’s enough for a group to get started on improving their security plans, and we send them on their way.

After receiving consent from the group to do so, we may perform some OSINT (open source intelligence) investigation and map out a sketch of their digital footprint. This often looks like some combination of discoverability through public records, data broker ecosystems, and breach databases, as well as risks they may incur through the services they rely on for their web presence. That latter part can be done with typical pentesting reconnaissance tools, as well as our own project Privacy Badger for mapping the trackers on their website, which pose some amount of risk to them and their users. Working from this sketch of their digital footprint, opportunities to lessen the reach of their data exposure, or at least the more sensitive areas they ought to be aware of, become apparent.

For a more in-depth engagement, we take the information gathered from the guided threat modeling exercises, as well as the digital footprint we’ve developed for them, and we move on to training the participants on what they need to address their threats. Sometimes that looks like a deep dive on encryption and how it can be used to protect data backups and secure communications. Other times it looks like getting very knowledgeable and practiced on the various ways to stay safe from surveillance threats encountered at a protest. Often though, our engagement with those asking for advice on how to strengthen their OPSEC is as simple as presenting materials covered in our Surveillance Self-Defense (SSD) project, but with EFF staff to help apply those lessons to their context.

MOVEMENTS AND COMMUNITIES ADVISED

Requests for such training mostly arise organically, either via referral, from our participation in external media, or driven by an interest in SSD. Naturally, the demand for accessible OPSEC advice escalates along with the general sophistication and reach of surveillance technology. And as authoritarianism creeps and continues to threaten the movement workers fighting against it, there's a marked urgency for that demand.

The types of communities and liberation movement workers that reach out run a wide array of experiences, but some commonalities stick out. Since the fall of Roe v. Wade, we've seen a huge uptick in abortion access activists like clinic escorts and information distribution networks reaching out. So too are providers of criminalized healthcare services, both abortion services and gender affirming care alike. The list goes on: advocates for transgender rights such as art collectives and archivists, sex worker rights activists, survivors of intimate partner violence, climate justice activists, legal defense groups focusing on immigrant justice and Black liberation. And many, many others, often stemming from experiences of distinct marginalization and state-powered violence.

We’re dressing the wounds the violence of surveillance inflicts.

TAXONOMY OF THREATS

When there's a cast of common threat actors that so often emerge during risk assessment (ideologically motivated harassers, lawmakers, cops, negligent leadership at large tech platforms, etc.), there is a level of predictability about their capabilities. We use that information to make knowledgeable risk assessments for those we’re working with, determining the means that threat actors have to cause them harm, as well as the likelihood.

For community organizers and grassroots activists we most often see concerns around doxxing (and harassment driven by OSINT), social media monitoring, content suppression on tech platforms, and insider threats such as infiltration within trusted communication channels. Often this comes with a tension between publicity and privacy—needing to spread their message and further their cause, while recognizing that digital privacy has a profound impact on their personal safety. Some activists may instead hope to organize other more covert forms of direct action. They're more likely to be concerned about the types of street level surveillance that they may encounter.

Small organizations, nonprofit and otherwise, may share the concerns around doxxing, as well as traditional digital security concerns around their web presence. Website defacement and data exfiltration are particular concerns for organizations that don't have the resources to commit to IT security staff. And for those that do have meager budgets for such things, organizational compliance and ease-of-use regarding privacy and security technologies are a whole other concern. The question then becomes how to manage a system of distributed devices that are uncontrolled by the organization, but operationally necessary for each member of their community. 

Generally speaking, the threats most commonly encountered in these spaces have to do with the opacity and unchecked reach of surveillance systems. With every single individual or group that we encounter in this type of work, threat modeling comes number one in terms of priority. There is no way to protect against every theoretical threat. Instead, we walk others through the process of identifying and then prioritizing known and perceived threats, based on their specific context and the type of work that they do, before moving on to recommended mitigation and resistance strategies. 

STRATEGIES OF RESISTANCE

Developing a threat model without a course of action often does more to stoke privacy nihilism than remedy the risks communities face. The more we engage with at-risk communities and offer reasonable, accessible OPSEC advice, the stronger our instinct for recognizing such strategies becomes. At the core of these recommendations lie the backbones of privacy and security fundamentals, such as encryption, access controls, sophisticated backup plans, OSINT skills, and resistance to online tracking.

Over the years, we've found it easiest to begin with non-technical recommendations. These strategies often mesh well with the community's extant organizing procedures, such as designating team roles and thought-out contingency plans for specific risks. This may look like identifying those extant plans and tacking on responsibilities like data backups, code words for community vetting, and developing workarounds or contingency plans in case they lose access to specific technologies.

Eventually, though, the strategies must become more technical, like switching to more private and secure technology alternatives, developing a sophisticated and encrypted data backup plan, and having technical contingency plans in place for if/when they are deplatformed or their services interrupted. Developing patience and compassion when walking groups through unfamiliar technologies is an essential tool of this work. So too is the habit of checking ourselves, as privacy and security nerds, to know the difference between the most secure technologies and those which will actually be used by at-risk community members. Any step towards more thoughtful OPSEC is better than one too difficult to use. The last thing we want is a recommendation that results in people frustratedly giving up on doing anything at all. After all, the whole point of this is to empower movement workers, not inhibit them.

HOLISTIC MITIGATIONS

It is painfully obvious how many identified threats could be protected against if there were comprehensive data privacy legislation protecting all people. The lack of such is an existential threat to everyone. Bills that undermine people's right to privacy are never clear about what they're doing, and often come wrapped in some paternalistic guise of addressing some other harm elsewhere. They often use confusing, oblique language that preys on the public's interest to correct the course of other social harms. The reality is that when it’s clearly explained, every person online wants better privacy. And as we know, every individual's personal security and wellbeing are entwined with their access to privacy. The capacity with which a person can decide what to share online, rather than have sensitive information non-consensually taken from them by creepy surveillance technologies, is a matter of self-determination. And it's in all our best interests to fight for the right to self-determination.

WHAT WE GET BACK

An unexpected outcome of identifying so many common threat actors across such varied issue spaces is revealing potential avenues of collaboration and camaraderie. Some movements are already keen on this allyship, such as those focusing on various aspects of bodily autonomy and self-determination. Abortion access activists and trans liberation activists are often in concerted allyship. Other less obvious connections are legal defense groups that offer "know-your-rights" style educational materials and other issue-specific activists who have questions about the legal threats they're facing while fighting for their cause. 

Recognizing the common threat actors across different issue spaces begins to highlight opportunities for collective action against those threats. As a digital rights organization, this is very much our wheelhouse, and precisely why our technologist team is self-described as one working toward the public interest. It’s also from this point of view that we continue to win. And why it’s critical for lawmakers to pay attention when we say particular pieces of bad legislation are harmful to public safety. And finally, why it is necessary for public interest technologists and digital rights activists to connect with other communities to learn about the specific technology risks they’re worried about. As Mariame Kaba says, “Nothing that we do that is worthwhile is done alone.” This very blog post is an effort to provoke thought for digital security trainers, so that we as a community don’t work atomized and alone, reproducing the same work, exhausting ourselves and creating unnecessary redundancy.

We do what we can to keep up. And thankfully, we participate within an ecosystem of digital security providers that have a keen mind towards fighting for digital rights. We share resources, referrals, and expertise. Our Surveillance Self-Defense project is stress-tested by the experiences shared by the liberation movement workers we engage with and provide this work to. If you’re interested in becoming a digital security resource for your community, start with the SSD. If you’re a human rights defender with questions about how to stay safe, reach out. And if you’re not sure what else to do, you can always help us keep it going.

Daly Barnett

AI Regulation Should Be Rational, Not Retaliatory

1 week 1 day ago

The Trump administration’s approach to AI safety, particularly the generative AI models that regularly grab headlines, has been haphazard at best. At worst, it’s unconstitutional. As EFF and our allies explained in an amicus brief, the Pentagon’s actions against one company, Anthropic, violate the First Amendment because they were motivated by the administration’s desire to punish an uncooperative company, not legitimate concerns about national security.

By and large, the Trump administration’s AI strategy has minimized regulation in the name of “winning” the global “race” to develop leading frontier models. It has pared back regulations intended to address even the most serious AI threats—like AI-enabled cyberattacks on government systems—to protect AI innovation.

Yet it has repeatedly singled out one AI company for arbitrary, heavy-handed rules and sanctions. For years, the federal government relied on Anthropic’s models for use in its classified systems. But after Anthropic resisted the government’s demands to use Anthropic’s models to autonomously kill people or spy on Americans, the government declared war on the “woke” company. It designated the company a “supply chain risk,” effectively banning agencies and government contractors from doing business with the company.

A court issued a preliminary injunction preventing these sanctions from taking effect, as EFF and other civil liberties organizations urged it to do in an amicus brief filed earlier this year. But absent judicial action, these sanctions would’ve cost the company hundreds of millions of dollars. Either way, it sent a clear signal that companies must adhere to the government’s wishes or face similar consequences.

As we explained in our brief filed today, these sanctions were clear retaliation for the company’s public refusal to allow the Pentagon to use its models to develop fully autonomous weapons and spy on Americans. This kind of retaliation is unconstitutional.

In a recent executive order, the Trump administration took its war on Anthropic even further, by imposing “export controls” that ban any foreign nationals from using Anthropic’s new Mythos and Fable models. To comply with this order, Anthropic shut down the models altogether.

These extreme measures were purportedly justified by security concerns. The administration said it feared that Anthropic’s Mythos-class models could be used to find and exploit existing vulnerabilities in software code—hardly a new feat for an LLM. Anthropic itself has contributed to public anxieties about its Mythos-class models, initially claiming that Mythos was too dangerous for public release and restricting access to a handful of partners. The company’s CEO called for a pause on AI development, citing fears that the technology was becoming too powerful.

But regulators should be cutting through the hype, not feeding it. Even if Mythos’s capabilities were a modest improvement over existing technology, others are already closing the gap. In other words, nothing about Mythos is so uniquely dangerous that it warrants exceptional export controls to protect the public. Yet other LLMs with similar offensive cybersecurity capabilities are not subject to export controls. Instead, the government has embraced a voluntary system in which companies are encouraged to submit models to the government for cybersecurity testing 30 days before releasing them to the public.

AI policy should be reasonably responsive to real-world risk, grounded in the realities of the technology, and no more burdensome than necessary to protect the public. But the government’s haphazard decision to impose export controls on Mythos-class models, while subjecting other AI models to nothing more than a voluntary, light-touch framework, meets none of these criteria. As leading cybersecurity experts and executives recently explained in an open letter, these sanctions prevent developers and security teams from using the best models to find and fix vulnerabilities before adversaries, armed with nearly as capable AI, can exploit them.

Decades Later, Code Is Still Speech

More importantly, export controls on important software tools like LLMs can undermine the free flow of digital communications and technologies that activists, innovators, and ordinary users desperately need. Freedom of expression requires access to these tools. Depriving the public of the best AI threatens our rights without making us any safer.

EFF has long opposed government efforts to restrict the publication of non-classified software to the general public. In the 1990s, EFF challenged export controls on encryption software, helping establish the principle that “code is speech,” protected by the First Amendment. Courts recognized that software is not just a functional tool—it’s a means of expressing ideas, knowledge, and technical know-how. And they recognized that the government was overreaching in trying to restrict private developers from sharing their improvements in computer security with the public.

While AI models raise new questions, efforts to restrict access to them implicate the same constitutional and speech concerns as older efforts to restrict encryption. Export controls are uniquely susceptible to abuse. And they are especially suspect when they are unilaterally imposed without clear and fair standards.

Whether these export controls were another attempt to punish Anthropic or simply a misguided security measure, the public loses. The real cybersecurity risks of advanced AI may ultimately justify limited regulations to protect the public from legitimate threats. But whether the government ultimately chooses to heavily regulate the technology or hold off to promote innovation, its rules must be rational and evenhanded. 

Tori Noble