EFF update

7 hours 14 minutes ago

Last week, Senators Ted Cruz and Ron Wyden introduced the Justice Against Weaponized Bureaucratic Overreach to Networked Expression, or JAWBONE Act. The bipartisan legislation creates a federal cause of action against government officials who coerce or attempt to coerce broadcasters, interactive computer services, or AI providers into taking actions against lawful, First-Amendment-protected speech, and establishes a transparency system for government communications with those intermediaries about user expression.

We thank the Senators for their leadership on this important issue. Jawboning occurs when the government pressures private companies to censor speech protected by the First Amendment, and it’s not always obvious to the public or to the victims what has actually happened. Deleting posts or cancelling accounts because a government official or agency demanded it or even made threats in making those demands—just like spying on people’s communications on behalf of the government—raises serious free speech concerns. Among other things, this bill would provide a new legal right to bring claims against the government in federal court, in addition to what the First Amendment provides.

At EFF, we’re continuing to fight back on behalf of those censored by government coercion. One recent example: we represent the creator of ICEBlock, an app that allows the public to report immigration enforcement activity in their communities. In June 2025, high-ranking federal officials began threatening to investigate and prosecute the creator of ICEBlock, Joshua Aaron. In October 2025, the U.S. Attorney General demanded Apple remove ICEBlock from the App Store, and the company complied. The government’s coercion violated Aaron’s First Amendment rights.

We’ve also filed a Freedom of Information Act lawsuit against the same government agencies that threatened Aaron and other services that provided forums to report ICE activity. The lawsuit seeks the disclosure of the government’s communications with Apple, Google, and Meta that forced the services to remove lawful speech.

When federal officials pressure private companies into censoring protected speech, it can violate the First Amendment. But, not every communication from a government agency to a platform is unconstitutionally coercive. Treating legitimate communication and information-sharing between the government and private actors as though it were always unconstitutional would chill the valuable, good-faith engagement that supports a healthier and safer internet and nation for all Americans. This is a complex issue, and one that is important for Congress and the courts to get right.

Finally, contrary to what many in Congress have been saying, social media platforms and other internet intermediaries have their own First Amendment rights to decide how they moderate users’ speech. They are not “state actors” and do not have an obligation under the First Amendment to allow all user speech on their platforms. EFF filed an amicus brief setting out our position in 2018, and we’ve said it in many cases since. The Supreme Court recognized again in the Netchoice cases that these services have a right to curate and edit their users’ speech, whether or not it aligns with the government’s position. And, it’s important to defend that First Amendment right so that governments cannot dictate how to edit a company’s site according to the government’s wishes and desires. To prevent jawboning by default, companies must be free to curate their platforms as they wish.

EFF applauds Senators Cruz and Wyden for taking this critical issue seriously, and we look forward to working with Congress on this bipartisan bill as it moves through the process. We hope it lands on the right balance to provide additional protections for everyday users around freedom of expression.

India McKinney

Court Records Should Be Free

7 hours 16 minutes ago

Court records belong to the public. Yet anyone seeking access to federal court filings through PACER, a government software system that stands for Public Access to Court Electronic Records, is usually required to pay hefty fees to search for and view documents. PACER’s fees have long acted as a barrier that makes it hard, especially for low income people, to see and understand the work produced by our own public servants.

That's why EFF joined a broad group of organizations supporting the Open Courts Act of 2026, legislation that would modernize the federal courts' electronic filing systems and eliminate PACER fees.

The bill would replace the aging PACER and CM/ECF systems with a modern, unified platform designed to improve public access, strengthen cybersecurity, and reduce long-term costs. Supporters note that PACER currently collects more than $150 million annually in fees from the public, despite court records being public documents.

The Open Courts Act would also make court records easier to find, access, and understand. The legislation builds on a similar proposal, also supported by EFF, that previously won bipartisan support in the Senate Judiciary Committee but did not become law before the end of the congressional session.

This is not a new issue for EFF. More than a decade ago, we criticized PACER's paywalls and the removal of some court records from online access, arguing that the public should not have to pay to read the law and the judicial decisions that shape it. The Open Courts Act would move U.S. courts a big step closer to that goal.

In addition to EFF, the bill is supported by Fix the Court, the group pushing this bill forward, as well as civil society groups, open government watchdogs, and media groups.

Public access to the courts is a cornerstone of democratic accountability. Let’s eliminate unnecessary barriers to court records, and bring the federal judiciary’s tech into the modern era.

Read the full letter supporting the Open Courts Act of 2026

Joe Mullin

Field Notes from a Year of OPSEC Training

7 hours 52 minutes ago

Late last year, as part of our annual “Year in Review” series, we summarized our efforts providing digital privacy and security advice to at-risk communities. OPSEC trainings (short for operational security, a catch-all term we use to describe any kind of workshop, advising session, assessment, or presentation about operational security for individuals and organization) are something we've long provided, but until recently, something we’ve never broadcasted.

This has become a critical aspect of our work over the years, keeping us grounded and in touch with the realities of tech-enabled violence as well as evolving resistance strategies used by movement workers. Hoping other security trainers and organizers copy our homework, here’s a more thorough breakdown.

NOT TRADITIONAL PENTESTING

To be clear, we're not a 'pentesting' company, which refers to the methodological process of testing a person or organization's security and privacy posture, nor an information security (infosec) firm that offers anything within scopes of traditional security assessments. Infosec companies almost always adhere to a cycle of: discovery/reconnaissance; > vulnerability scanning and testing; > exploitation of vulnerabilities found; > and a reportback of recommended mitigation strategies. Such full-spectrum audits can run the gamut of testing network security, physical security, organization posture against phishing or ransomware attacks, web app security, and more. For many organizations, the value of such engagements is immeasurable.

Such companies—although equipped with the technical sophistication to do full-spectrum digital security auditing and testing—often lack the critical points of view of human rights defenders and activists. Many human rights defenders and liberation movement workers are critically under-resourced and unable to meet the high costs of engagement with such infosec companies. But that’s not what we offer. Our trainings center the needs of people on the ground, and offer this work pro bono.

The cycle of engagement our work tends to take is similar to the lifecycle of pentesting outlined above, but with some key differences better suited to people-powered movements.

We begin with a period of discovery about the organization we’re engaging with, learning about their work, the issue space they’re working in, and the types of threats their peers have faced in the past. Relying on our knowledge of known threat actors (state-operated threats, non-state actors, surveillance mechanisms, and more), we conduct a thorough threat modeling and risk assessment exercise, surfacing critical pieces of information about what we ought to prioritize protecting and from what. Sometimes that’s enough for a group to get started on improving their security plans, and we send them on their way.

After receiving consent from the group to do so, we may perform some OSINT (open source intelligence) investigation and map out a sketch of their digital footprint. This often looks like some combination of discoverability through public records, data broker ecosystems, and breach databases, as well as risks they may incur through the services they rely on for their web presence. That latter part can be done with typical pentesting reconnaissance tools, as well as our own project Privacy Badger for mapping the trackers on their website, which pose them and their users some amount of risk. Working from this sketch of their digital footprint, opportunities to lessen the reach of their data exposure, or at least the more sensitive areas they ought to be aware of, become apparent.

For a more in-depth engagement, we take the information gathered from the guided threat modeling exercises, as well as the digital footprint we’ve developed for them, and we move on to training the participants on what they need to address their threats. Sometimes that looks like a deep dive on encryption and how it can be used to protect data backups and secure communications. Other times it looks like getting very knowledgeable and practiced on the various ways to stay safe from surveillance threats encountered at a protest. Often though, our engagement with those asking for advice on how to strengthen their OPSEC is as simple as presenting materials covered in our Surveillance Self-Defense (SSD) project, but with EFF staff to help apply those lessons to their context.

MOVEMENTS AND COMMUNITIES ADVISED

Requests for such training mostly arise organically, either via referral, from our participation in external media, or driven by an interest in SSD. Naturally, the demand for accessible OPSEC advice escalates along with the general sophistication and reach of surveillance technology. And as authoritarianism creeps and continues to threaten the movement workers fighting against it, there's a marked urgency for that demand.

The types of communities and liberation movement workers that reach out run a wide array of experiences, but some commonalities stick out. Since the fall of Roe v. Wade, we've seen a huge uptick in abortion access activists like clinic escorts and information distribution networks reaching out. So too are providers of criminalized healthcare services, both abortion services and gender affirming care alike. The list goes on: advocates for transgender rights such as art collectives and archivists, sex worker rights activists, survivors of intimate partner violence, climate justice activists, legal defense groups focusing on immigrant justice and Black liberation. And many, many others, often stemming from experiences of distinct marginalization and state-powered violence.

We’re dressing the wounds the violence of surveillance inflicts.

TAXONOMY OF THREATS

When there's a cast of common threat actors that so often emerge during risk assessment (ideologically motivated harassers, lawmakers, cops, negligent leadership at large tech platforms, etc) there is a level of predictability about their capabilities. We use that information to make knowledgeable risk assessments for those we’re working with, determining the means that threat actors have to cause them harm, as well as the likelihood.

For community organizers and grassroots activists we most often see concerns around doxxing (and harassment driven by OSINT), social media monitoring, content suppression on tech platforms, and insider threats such as infiltration within trusted communication channels. Often this comes with a tension between publicity and privacy—needing to spread their message and further their cause, while recognizing that digital privacy has a profound impact on their personal safety. Some activists may instead hope to organize other more covert forms of direct action. They're more likely to be concerned about the types of street level surveillance that they may encounter.

Small organizations nonprofit and otherwise may share the concerns around doxxing, as well as traditional digital security concerns around their web presence. Website defacement and data exfiltration are particular concerns for organizations that don't have the resources to commit to IT security staff. And for those that do have meager budgets for such things, organizational compliance and ease-of-use regarding privacy and security technologies are a whole other concern. The question then becomes how to manage a system of distributed devices that are uncontrolled by the organization, but operationally necessary for each member of their community.

Generally speaking, the threats most commonly encountered in these spaces have to do with the opacity and unchecked reach of surveillance systems. With every single individual or group that we encounter in this type of work, threat modeling comes number one in terms of priority. There is no way to protect against every theoretical threat. Instead, we walk others through the process of identifying and then prioritizing known and perceived threats, based on their specific context and the type of work that they do, before moving on to recommended mitigation and resistance strategies.

STRATEGIES OF RESISTANCE

Developing a threat model without a course of action often does more to stoke privacy nihilism than remedy the risks communities face. The more we engage with at-risk communities and offer reasonable, accessible OPSEC advice, the greater our instinct develops for recognizing such strategies. At the core of these recommendations lie the backbones of privacy and security fundamentals, such as encryption, access controls, sophisticated backup plans, OSINT skills, and resistance to online tracking.

Over the years, we've found it easiest to begin with non-technical recommendations first. These strategies often mesh well with the community's extant organizing procedures, such as designating team roles and thought out contingency plans for specific risks. This may look like identifying those extant plans and tacking on responsibilities like data backups, code words for community vetting, and developing workarounds or contingency plans for if they lose access to specific technologies.

Eventually, though, the strategies must become more technical, like switching to more private and secure technology alternatives, developing a sophisticated and encrypted data backup plan, and having technical contingency plans in place for if/when they are deplatformed or their services interrupted. Developing patience and compassion when walking groups through unfamiliar technologies is an essential tool of this work. So too is the habit of checking ourselves, as privacy and security nerds, to know the difference between the most secure technologies and those which will actually be used by at-risk community members. Any step towards more thoughtful OPSEC is better than one too difficult to use. The last thing we want is a recommendation that results in people frustratedly giving up on doing anything at all. After all, the whole point of this is to empower movement workers, not inhibit them.

HOLISTIC MITIGATIONS

It is painfully obvious how many identified threats could be protected against if there were comprehensive data privacy legislation protecting all people. The lack of such is an existential threat to everyone. Bills that undermine peoples' right to privacy are never clear about what they're doing, and often come wrapped in some paternalistic guise of addressing some other harm elsewhere. They often use confusing, oblique language that preys on the public's interest to correct the course of other social harms. The reality is that when it’s clearly explained, every person online wants better privacy. And as we know, every individual's personal security and wellbeing are entwined with their access to privacy. The capacity with which a person can decide what to share online, rather than have sensitive information non-consensually taken from them by creepy surveillance technologies, is a matter of self-determination. And it's in all our best interests to fight for the right to self-determination.

WHAT WE GET BACK

An unexpected outcome of identifying so many common threat actors across such varied issue spaces is revealing potential avenues of collaboration and camaraderie. Some movements are already keen on this allyship, such as those focusing on various aspects of bodily autonomy and self-determination. Abortion access activists and trans liberation activists are often in concerted allyship. Other less obvious connections are legal defense groups that offer "know-your-rights" style educational materials and other issue-specific activists who have questions about the legal threats they're facing while fighting for their cause.

Recognizing the common threat actors across different issue spaces begins to highlight opportunities for collective action against those threats. As a digital rights organization, this is very much our wheelhouse, and precisely why our technologist team is self-described as one working toward the public interest. It’s also from this point of view that we continue to win. And why it’s critical for lawmakers to pay attention when we say particular pieces of bad legislation are harmful to public safety. And finally, why it is necessary for public interest technologists and digital rights activists to connect with other communities to learn about the specific technology risks they’re worried about. As Mariame Kaba says, “Nothing that we do that is worthwhile is done alone.” This very blog post is in an effort to provoke thought for digital security trainers, so that we as a community don’t work atomized and alone, reproducing the same work, exhausting ourselves and creating unnecessary redundancy.

We do what we can to keep up. And thankfully, we participate within an ecosystem of digital security providers that have a keen mind towards fighting for digital rights. We share resources, referrals, and expertise. Our Surveillance Self-Defense project is stress-tested by the experiences shared by the liberation movement workers we engage with and provide this work to. If you’re interested in becoming a digital security resource for your community, start with the SSD. If you’re a human rights defender with questions about how to stay safe, reach out. And if you’re not sure what else to do, you can always help us keep it going.

Daly Barnett

AI Regulation Should Be Rational, Not Retaliatory

8 hours 7 minutes ago

The Trump administration’s approach to AI safety, particularly the generative AI models that regularly grab headlines, has been haphazard at best. At worst, it’s unconstitutional. As EFF and our allies explained in an amicus brief, the Pentagon’s actions against one company, Anthropic, violate the First Amendment because they were motivated by the administration’s desire to punish an uncooperative company, not legitimate concerns about national security.

By and large, the Trump administration’s AI strategy has minimized regulation in the name of “winning” the global “race” to develop leading frontier models. It has pared back regulations intended to address even the most serious AI threats—like AI-enabled cyberattacks on government systems—to protect AI innovation.

Yet it has repeatedly singled out one AI company for arbitrary, heavy-handed rules and sanctions. For years, the federal government relied on Anthropic’s models for use in its classified systems. But after Anthropic resisted the government’s demands to use Anthropic’s models to autonomously kill people or spy on Americans, the government declared war on the “woke” company. It designated the company a “supply chain risk,” effectively banning agencies and government contractors from doing business with the company.

A court issued a preliminary injunction preventing these sanctions from taking effect, as EFF and other civil liberties organizations urged it to do in an amicus brief filed earlier this year. But absent judicial action, these sanctions would’ve cost the company hundreds of millions of dollars. Either way, it sent a clear signal that companies must adhere to the government’s wishes or face similar consequences.

As we explained in our brief filed today, these sanctions were clear retaliation for the company’s public refusal to allow the Pentagon to use its models to develop fully autonomous weapons and spy on Americans. This kind of retaliation is unconstitutional.

In a recent executive order, the Trump administration took its war on Anthropic even further, by imposing “export controls” that ban any foreign nationals from using Anthropic’s new Mythos and Fable models. To comply with this order, Anthropic shut down the models altogether.

These extreme measures were purportedly justified by security concerns. The administration said it feared that Anthropic’s Mythos-class models could be used to find and exploit existing vulnerabilities in software code—hardly a new feat for an LLM. Anthropic itself has contributed to public anxieties about its Mythos-class models, initially claiming that Mythos was too dangerous for public release and restricting access to a handful of partners. The company’s CEO called for a pause on AI development, citing fears that the technology was becoming too powerful.

But regulators should be cutting through the hype, not feeding it. Even if Mythos’s capabilities were a modest improvement over existing technology, others are already closing the gap. In other words, nothing about Mythos is so uniquely dangerous that it warrants exceptional export controls to protect the public. Yet other LLMs with similar offensive cybersecurity capabilities are not subject to export controls. Instead, the government has embraced a voluntary system in which companies are encouraged to submit models to the government for cybersecurity testing 30 days before releasing them to the public.

AI policy should be reasonably responsive to real-world risk, grounded in the realities of the technology, and no more burdensome than necessary to protect the public. But the government’s haphazard decision to impose export controls on Mythos-class models, while subjecting other AI models to nothing more than a voluntary, light-touch framework, meets none of these criteria. As leading cybersecurity experts and executives recently explained in an open letter, these sanctions prevent developers and security teams from using the best models to find and fix vulnerabilities before adversaries, armed with nearly as capable AI, can exploit them.

Decades Later, Code Is Still Speech

More importantly, export controls on important software tools like LLMs can undermine the free flow of digital communications and technologies that activists, innovators, and ordinary users desperately need. Freedom of expression requires access to these tools. Depriving the public of the best AI threatens our rights without making us any safer.

EFF has long opposed government efforts to restrict the publication of non-classified software to the general public. In the 1990s, EFF challenged export controls on encryption software, helping establish the principle that “code is speech,” protected by the First Amendment. Courts recognized that software is not just a functional tool—it’s a means of ideas, knowledge, and technical know-how. And they recognized that the government was overreaching in trying to restrict private developers from sharing their improvements in computer security with the public.

While AI models raise new questions, efforts to restrict access to them implicate the same constitutional and speech concerns as older efforts to restrict encryption. Export controls are uniquely susceptible to abuse. And they are especially suspect when they are unilaterally imposed without clear and fair standards.

Whether these export controls were another attempt to punish Anthropic or simply a misguided security measure, the public loses. The real cybersecurity risks of advanced AI may ultimately justify limited regulations to protect the public from legitimate threats. But whether the government ultimately chooses to heavily regulate the technology or hold off to promote innovation, its rules must be rational and evenhanded.

Read EFF's Amicus Brief in Anthropic v. Department of War

Tori Noble

The Free and Open Web Is Under Attack at the IETF

1 day 5 hours ago

The ability to access publicly available information using automated tools is a central value and benefit of a free and open internet. Automated access—often called crawling or scraping—powers important, useful tools for locating, preserving, and analyzing online information. For example, crawling and scraping helps journalists, researchers, and watchdog organizations report the news, find security flaws, and investigate discrimination. Crawling the web allows non-profits like the Internet Archive to preserve historical copies of websites. Tools for automated comparison shopping allow consumers to find the best deals on items they want to buy. And so on.

Yet the open internet access is increasingly under threat from publishers and Big Tech companies alike. Fearing lost advertising and licensing revenues, website operators increasingly claim that they need to lock down their sites from bots that crawl public web content to train or operate AI models. Some companies are even trying to embed their business models into internet standards by changing Internet Engineering Task Force (IETF) technical standards that shape much of the internet.

Many of their economic anxieties are understandable. AI bots can strain websites’ infrastructure, in some cases, degrading site performance or taking them offline altogether. Upgrading systems costs money that some sites may not have. And AI is likely to disrupt the business models many publishers adopted in response to the rise of the internet, if users rely on AI overviews instead of visiting source websites.

However reasonable these fears may be, the answer is not to change the IETF standards from neutral protocols that encourage openness to restrictive requirements designed to monetize internet access.

The worst of these proposed standards would give websites far greater ability to automatically block legitimate, lawful scraping and crawling. For example, the AI Preferences working group is working on proposals to give publishers a way to express “preference signals” against crawling web data for AI-related purposes, including to train models, generate outputs, and help users search the web. These preference signals would be expressed through robots.txt and could potentially become legally binding in some jurisdictions.

Another working group, called Web Bot Auth, is pursuing efforts to protect sites from overly-aggressive bots that strain website resources—a positive goal that could meaningfully improve the internet in the AI era. But Web Bot Auth is simultaneously pursuing a much more dangerous path as well: standards changes that would enable sites to cryptographically identify bots so that they can more easily block anyone they wish—not just “bad” actors, but competitors, dissidents, or anyone who hasn’t paid for the right to access sites using automated tools. If sites restrict crawling to a preapproved list of cryptographically authenticated bots, they could require licensing payments from those wishing to crawl their sites. This would close off the open web to researchers, archivists, and startups without the ability to pay for automated access.

Websites may have legitimate reasons to worry about AI’s impacts on their traffic and advertising revenue, but those reasons must be weighed against the benefits of the open web. These proposals would effectively give website operators veto power over a wide range of important uses—from the investigations and archival works described above to accessibility tools for people with disabilities, to research efforts aimed at holding governments accountable.

That is why we are fighting back against these threats to open access. EFF and our allies in the open internet community have successfully resisted some of the most dangerous IETF proposals thus far—and won’t stop working to protect the open web from efforts to manipulate internet standards to undermine the right to freely access the internet in any legal way, including with automated tools.

Tori Noble

The NO FAKES Act Could Silence Satire, Commentary, And News

1 day 6 hours ago

The NO FAKES Act is supposed to target harmful AI-generated impersonations. But in reality, it will make it easier to suppress commentary, satire, and other lawful speech. That's why EFF has signed a letter urging the Senate Judiciary Committee not to advance the bill in its current form.

In the letter, EFF joins a coalition of civil society groups in pointing out that the bill would import many of the worst features of the DMCA notice-and-takedown system into an even broader range of online expression. Faced with a “heckler’s veto” over legal speech, platforms will have incentives to remove content first and ask questions later.

The bill offers no protection for a platform’s judgment about an often difficult question—whether a particular piece of content is satire, parody, commentary, or news. Any platform that guesses wrong faces penalties of up to $750,000 per work.

NO FAKES could also undermine the rights of the people it is supposed to protect. The new federal “likeness” right could be licensed or transferred to others, so individuals will lose control over the use of their own face and voice. That’s not theoretical—workers in the entertainment industry are routinely asked to sign broad contracts about the future use of their likenesses.

As the letter notes:

A background actor who signs a release on set or an ordinary person who clicks through a platform's terms of service could end up with the right to their own face and voice in someone else's hands, for years, with federal enforcement behind it.

EFF and the other signatories urge Congress to examine existing legal remedies and pursue narrowly tailored solutions to genuine harms. The last thing we need is a sweeping new intellectual property right that threatens free expression.

In addition to EFF, the letter is signed by the Center for Democracy & Technology, the American Civil Liberties Union, Fight for the Future, Foundation for Individual Rights and Expression, the Organization for Transformative Works, Public Knowledge, the R Street Institute, The Future of Free Speech, and the Woodhull Freedom Foundation. Read the full letter here.

Joe Mullin

Onward, Friends

2 days 7 hours ago

After 26 years, today is my last day at EFF. It's been a terrific and wild ride — the organization has grown from a tiny band of fighty people trying to plant a flag for freedom and justice in the coming digital world into a large, established band of fighty people doing, well, much the same. The world around us has changed enormously. Our core values haven't budged.

I'm proud of what we've achieved: freeing encryption, defending coders, pushing to rein in government and corporate surveillance and ensure the right to have a private conversation online, standing up for free speech and anonymous speech, fighting for network neutrality and safe voting machines, busting stupid patents, and making sure copyright didn't become the one law that rules the internet. That's only the start. We've stopped more bad legislative, regulatory, and legal ideas than I can count, built tools that millions rely on to protect their privacy, and helped encrypt the web. I've long said EFF is the plumber of the internet — finding the clogs and barriers that prevent technology from serving freedom, justice, and innovation for everyone.

In addition to presenting cases in courts across the land, testifying in Congress and in California, in the European Parliament and at the United Nations, I went onto the internet with Stephen Colbert and engaged in a healthy disagreement with Jon Stewart. I wrote a lot of it down in a book, hoping to recruit others to the cause. The work has been hard and often frustrating at times. But looking back, the fun parts are what I remember most.

None of it would have been possible without EFF’s stalwart members. More than 30,000 people, some with big wallets and some with small ones, give us what we need to stand up to bullies and fight for the long haul. EFF has always served as a beacon for people who know that for technology to support freedom, justice, and innovation for all the people of the world, we need a dedicated band of folks working overtime on behalf of users, innovators, and creators.

There's still plenty left to do. We haven't killed the third-party doctrine, tamed the surveillance business model, or gotten metadata the constitutional protection it deserves. Stupid patents persist as does the overreach of DMCA section 1201 and the Computer Fraud and Abuse Act. The government is now the largest purchaser of data from shady brokers, communities everywhere are fighting license plate readers and other street-level surveillance, and we haven't reined in NSA and FBI spying nearly enough. Meanwhile, the rise of AI is supercharging problems we've fought against for years.

But I'm proud of what we've built together. I'm grateful to every EFFer — past, present, and future — who threw in with us when the odds were long and the pay was much better elsewhere. I'm grateful to the EFF Board and especially to my mentors and friends Pam Samuelson and Shari Steele, along with my longtime partner in justice, Lee Tien, who has been working with me since the Bernstein case. Fighting for justice is easier when you have a posse: coworkers, co-counsel, coalitions, interns, volunteers, and the heroic clients who trusted us to steward their cases in ways that bent the law toward everyone's benefit. Twenty-six years later, EFF is part of a global diaspora of organizations defending internet freedom — and I'm proud of that too.

I'm stepping down because good leaders should make way for new ones, and the time feels right. EFF is strong and full of fight. My successor Nicole Ozer — a longtime friend and collaborator — is exactly the right person for this moment. She understands EFF's role and values at a deep level and will protect them while helping the organization rise to meet what's coming.

As for me, I'm not going far. After a few months off to reflect and walk dogs, I plan to get back into the fight for justice — likely heading back into the courtroom. And I'll be watching, cheering, donating, and wearing the merch from EFF, just like the rest of you.

Cindy Cohn

EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance

3 days 3 hours ago

LGBTQ+ communities are facing an escalating wave of censorship and targeted surveillance, but we can push back through mutual solidarity. Join us live to learn how safer virtual spaces get built, how platform policies and government pressure are reshaping the digital landscape, and what platform accountability actually looks like. Our panel will share ideas for direct action and concrete strategies you can bring back to your community. Whether you’re an activist, an ally, or just paying attention, this conversation is for you. Join the livestream online followed by live Q&A.

EFFecting Change Livestream Series:
LGBTQ+ Solidarity Against the Tide of Surveillance
Wednesday, June 17th
9:00 am - 10:00 am Pacific - Check Local Time
Livestream followed by Q&A

This event is LIVE and FREE!

About the Speakers

Paige Collings
As a lawyer, digital policy activist and community organizer, Paige works to dismantle systems of oppression and advance collective liberation. Her work focuses on highlighting how state surveillance and corporate restrictions stifle marginalized communities and perpetuate historic injustices and harm. She has worked with activists across the globe to facilitate systemic change by speaking truth to power and creating spaces for alternative imaginations; and her writing on digital justice has been featured in Wired, Politico, Teen Vogue, the Daily Beast and more.

Jillian C. York
Jillian is EFF's Director for International Freedom of Expression, based in London. Her work examines state and corporate censorship and its impact on culture and human rights, with a focus on historically marginalized communities. At EFF, she organizes coalitions, writes about and researches topics related to freedom of expression, leads the Speaking Freely interview series, and contributes to various other areas of the organization's work. Jillian is the author of Silicon Values: The Future of Free Speech Under Surveillance Capitalism (Verso, 2021), a contributor to several academic volumes, and has written for MIT Technology Review, The Guardian, and WIRED, among others. She is also a visiting professor at the College of Europe Natolin in Warsaw, and a regular speaker at global events.

Soatok Dreamseeker
Soatok Dreamseeker is a gay furry security engineer. He blogs about applied cryptography on his blog, Dhole Moments, and is developing key transparency to enable end-to-end encryption on the Fediverse. His puns are 100% whole groan.

Luísa Franco Machado
Luísa Franco Machado is an award-winning international expert in digital rights and data justice. She has also been a technical advisor in data governance and AI ethics for governments, NGOs, and international organizations worldwide, including the UN, OECD.AI, GIZ, and others. Luísa has carried on policy research at the London School of Economics and Political Science (LSE) and Sciences Po Paris on the intersection between technology and socio-economic development. In 2022, the United Nations recognized them as a global Young Leader for the Sustainable Development Goals (SDGs) among more than 6,500 advocates. In 2025 she was featured in Apolitical's Government AI 100 list as a rising star.

Melissa Srago

Victory! 702 has Expired!

6 days 3 hours ago

Section 702 of the Foreign Intelligence Surveillance Act lets US intelligence agencies collect communications from foreigners abroad without a warrant, and routinely sweeps in Americans’ emails, messages, and calls in the process.

The authority for this program is set to expire Friday, June 12th, 2026, at midnight. As we wrote earlier this week, Congress has been kicking the ball down the road for months now—temporarily postponing the expiration of the mass surveillance authority Section 702 of FISA in hopes that some consensus on a longer reauthorization could be reached.

EFF has said for decades, every time this program is up for renewal: Section 702 should require a warrant before the Federal Bureau of Investigation can look at digital communications collected from Americans. If not, we should let the whole thing expire. And this time, it has, at least for a little while.

Ironically, we have Bill Pulte to thank for this (probably temporary) reprieve. Earlier this month, Trump on Tuesday named Pulte – currently director of the Federal Housing Finance Agency (FHFA) and chairman of Fannie Mae and Freddie Mac – to replace current DNI Tulsi Gabbard, who announced her resignation last month. As has been widely reported, Pulte lacks any intelligence, military, or congressional experience. Senate Democrats responded by refusing to move forward with their version of a bill to reauthorize Section 702. Similarly, the House refused to approve even a short-term renewal of the program.

However, the potential for abuse of this program is not limited to one individual or one administration. And if Congress is this concerned about one particular individual having access to Americans’ most sensitive information, the responsible thing to do is to put more transparency, accountability, and oversight into the structure of this program.

Members on both sides of the aisle understand this. As we have seen several times this year already, the appetite for reform is stronger than ever. We hope to continue to see strong bipartisan opposition in Congress to renewing Section 702 without a warrant requirement for backdoor searches. Until then, the authority for this program should remain expired.

India McKinney

Yes to California's Bill to Ban Surveillance Pricing

1 week ago

Corporations harvest and monetize ever-growing amounts of our personal data, such as our browsing history and physical location. One bitter fruit of this poisonous tree is known as “surveillance pricing”: corporations offer the same product to two different people at two different prices, based on scrutiny of these people’s respective personal data.

Surveillance pricing is bad for privacy, equity, and price transparency. So EFF supports a California bill, S.B. 2564, which would ban this creepy practice.

How Surveillance Pricing Works

In 2025, the Federal Trade Commission (FTC) published a report about the practices of six companies that provide surveillance pricing services to hundreds of other companies, including grocery stores and apparel retailers. The report found that surveillance pricing draws upon customers’ browsing history, physical location, and shopping transaction history. Customers’ data can come from the vendor itself, from its surveillance pricing service provider, or from third-party data brokers. Customers are sorted into groups based on their personal data, as is done for targeted ads. As a result of surveillance pricing, a business might offer two customers different prices for the same product, based for example on whether they are a new parent, or whether they live near a business’s competitor.

As former FTC Chair Lina Khan explained:

Initial staff findings show that retailers frequently use people’s personal information to set targeted, tailored prices for goods and services – from a person’s location and demographics, down to their mouse movements on a webpage.

Unfortunately, the current FTC chair closed the FTC’s portal for public comments regarding surveillance pricing. Fortunately, the California Attorney General has initiated its own investigation of this practice.

Researchers have identified many examples of surveillance pricing:

The Princeton Review offered people who lived in some zip codes a higher price for test prep services, compared to people in other zip codes. As a result, Asians were twice as likely as non-Asians to be offered a higher price.
In a year-long study of tens of millions of rides in Chicago, Uber and Lyft offered a higher price for trips that ended in neighborhoods with high non-white populations.
Tindr offered older people (aged 30 to 49) higher prices for Tindr Plus, compared to younger people (aged 18-29).
Orbitz offered people who used Apple computers a higher price for hotel rooms, compared to people who used other types of computers.
Hotel booking sites offered people from San Francisco a higher price for hotel rooms, compared to people from other cities.
Target offered a higher price to people physically located at the store, compared to people located elsewhere.
Staples offered a higher price to customers who lived further from the company’s competitors, compared to customers who lived closer.

Why EFF Hates Surveillance Pricing

This practice is harmful in many ways. First, surveillance pricing invades our privacy. Vendors offer us a price only after scrutinizing our personal data about what we’ve clicked online and where we’ve travelled offline. Moreover, surveillance pricing incentivizes all businesses to harvest as much of our personal data as possible. Some businesses will use it for their own surveillance pricing. Other businesses, which might not themselves use it this way, will sell it to data brokers, which in turn will sell it to others for use in surveillance pricing.

Second, surveillance pricing can disparately burden people of color and other vulnerable groups. For example, as described above, surveillance pricing led to Asian people paying more for test prep services, older people paying more for dating services, and people living in non-white neighborhoods paying more for a ride home.

Third, surveillance pricing is opaque. Many people don’t even know when they’ve been subjected to it. Those that do often cannot determine the unknown reasons for the price they’re offered. As a result, consumer advocates will be less able to publish meaningful price comparisons to help consumers make choices. And regulators will be less able to identify unlawful pricing practices.

Thus, EFF and many other groups object to surveillance pricing.

Its defenders sometimes argue that surveillance pricing benefits consumers because it can lead to lower prices. But while some consumers some of the time might get lower prices because of surveillance of their personal data, other consumers will get higher prices, as shown by the examples above. Some recent studies indicate there will be losers and winners based on factors like whether a consumer is willing or able to switch products. Who loses or wins also will turn on the accuracy of the underlying data – yet surveillance pricing is often based on false information.

In any event, both losers and winners of this price discrimination are harmed by surveillance. Privacy is a human right, not a property to be bought and sold on a market. For this reason, EFF has long opposed pay-for-privacy schemes, in which a company charges a higher price to a customer who refuses to submit to processing of their personal data. Thus, even if surveillance pricing sometimes leads to lower prices (and again, it often will not), we oppose it as just another way that corporations try to make customers pay for their privacy.

What the California Bill Would Do

The key term of California’s S.B. 2564 is short and sweet: “a retailer shall not engage in surveillance pricing.”

The banned practice is defined as: “[i] a customized price for a good for a specific consumer or group of consumers, [ii] based, in whole or in part, on personally identifiable information collected through electronic surveillance,” including if that information is “acquired from a third party.” In other words, “surveillance pricing” is a customized price based on personal information.

The bill has two enforcement methods. First, state and local government may bring enforcement actions, and seek all manner of remedies including monetary penalties. Second, individual consumers may bring their own enforcements lawsuits, and seek the remedies of an injunction and attorney fees. We are pleased the bill provides this private right of action, which is the most important method of enforcement (we’d be even more pleased if the private remedies included liquidated damages).

The bill has three exemptions where surveillance pricing is allowed:

First, for price differences “based solely on costs associated with providing the good to different consumers.”
Second, for a discount offered to a consumer who is taking steps to terminate a service.
Third, for a discount, conspicuously posted on a retailer’s website, that is uniformly available based on (1) criteria anyone can meet, such as signing up for a mailing list, (2) membership in a broadly defined group, such as seniors, or (3) participation in a loyalty program.

The bill’s author is California Assembly Member Chris Ward. Its co-sponsors are Consumer Reports and TechEquity. Its supporters include Consumer Federation, EPIC, Kapor Center Advocacy, Oakland Privacy, Privacy Rights Clearinghouse, labor unions, and other groups. The bill has advanced through the California Assembly and has arrived for consideration in the California Senate.

Why EFF Supports the California Bill

Surveillance pricing is just one part of a much larger problem: corporations maximizing their profits by invading our privacy. The all-too-common business model is to systematically harvest, collate, and store as much of our personal data as possible, and then monetize it through use and sale.

EFF’s general approach to this problem is a strong regulatory framework that we call “privacy first.” For example, laws should require businesses to “minimize” their data processing, meaning they must not collect, store, use, or disclose our data unless doing so is strictly necessary to give us what we asked for. Likewise, laws should require businesses to get our voluntary and informed opt-in consent before processing our data, buttressed by legal bans on coercive pay-for-privacy schemes and manipulative “dark patterns.”

A.B. 2564 is just a specific application of the minimization rule. Nobody who uses a web browser or a mobile app expects that, as a result, their clicks and footsteps will be funneled into personal dossiers, and later used by downstream businesses to offer a higher or lower price.

A.B. 2564 is also a specific application of the “no pay-for-privacy” rule. At its best, surveillance pricing is a corporate offer of a lower price in exchange for a consumer’s submission to surveillance of their personal data. This scheme encourages all people to surrender their privacy in exchange for a lower price. This is especially coercive for people with lower incomes, and thus carries the risk of creating a society of privacy “haves” and “have nots.” And swept into this supposed “bargain” is the potential for higher surveillance-based prices based on false information or erroneous inferences.

Surveillance pricing is very similar to online behavioral advertising, a business practice that EFF urges governments to ban. Both practices incentivize all businesses to collect as much of our personal data as possible, in order to later monetize it. Both practices lead some businesses to collate and store our data into dossiers about us for later use. Both practices use these surveillance-based dossiers to manipulate and limit our economic choices, by altering the advertisements and prices we see online. In the words of the FTC report discussed above: “Existing and common techniques used for targeted advertising can also be used for other forms of targeting prices.”

Absent a specific ban on surveillance pricing, as in A.B. 2564, it would be very difficult to protect the public from the many harms it causes. Corporate price-setting is increasingly opaque, making it difficult for consumers and regulators to determine whether a particular company set a particular price for a particular consumer based on their data, and if so, the particular data that it used. As a result, it would be very difficult in this context to enforce general laws requiring minimization or consent. Moreover, many such laws exempt how a business processes the data it directly collected from its own customers; for example, the California Consumer Privacy Act’s limits on “cross-context behavioral advertising” do not apply to how a business uses personal data it collected on its own website. Yet many practitioners of surveillance pricing (like Tindr) rely on such data.

Finally, there is little to no risk that A.B. 2564 will have unintended consequences that hurt internet users’ speech or technological innovation. The bill does not address any particular type of technology. It does not limit any collection, retention, or disclosure of personal data. It limits only one very narrow and easily defined use of data: use to set a customized price. And it has three broad exemptions.

In sum, EFF is proud to join with other groups in support of California’s A.B. 2564. You can read our support letter here.

Adam Schwartz

‘News’ Site Keeps Hallucinating EFF Staffers

1 week ago

What do EFF staffers Sarah Chen, Javier Morales, Caitlin Chin, Emma Rodriguez, and Mikko Kopponen have in common?

For one thing, they don’t exist.

For another, all have been quoted as EFF experts in articles published in the past two months on a site called News-USA Today, which describes itself as “an independent news publisher focused on clear, accurate, and useful journalism.”

Uh…

(Please don’t confuse this site with USA Today, in which real EFF experts are accurately quoted on a regular basis.)

News-USA Today is hardly the only slagheap that’s hallucinating or fabricating EFF personnel and quotes; as we wrote last September, media companies large and small are using AI to generate news content because it’s cheaper than paying for journalists’ salaries, but that savings can come at the cost of the outlets’ reputations— assuming they care about reputation at all.

But this many fake EFF sources in two months? That’s making a play for the championship title of bogus news content.

News-USA Today’s site proclaims, “Our goal is simple: give readers the facts and the context they need to make informed decisions.” It then defines its mission:

“Deliver timely, factual reporting grounded in verifiable sources and public documents.”
“Make complex topics understandable without losing nuance or accuracy.”
“Serve the public interest by surfacing stories that affect lives, institutions, and communities.”
“Maintain a clear separation between news, analysis, opinion, and sponsored content.”

Attempts to reach contacts listed on the site went unanswered. In fact, after we reached out to them, they published a story on June 9 with quotes from Electronic Frontier Foundation Executive Director Jared Cohen — who also doesn’t exist.

As we noted last year, EFF is all about having our words spread far and wide. Per our copyright policy, any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution 4.0 International License (CC-BY), unless otherwise noted.

However, we don't want disreputable sites making up words (or false identities!) for us, whether or not they’re using AI. False quotations that misstate our positions damage the trust that the public and reputable media outlets have in us.

The best thing a news consumer can do is invest a little time and energy to learn how to discern the real from the fake. It’s unfortunate that it's the public’s burden to put in this much effort, but while we're adjusting to new tools and a new normal, a little effort now can go a long way.

As we’ve noted before in the context of election misinformation, the nonprofit journalism organization ProPublica has published a handy guide about how to tell if what you’re reading is accurate or “fake news,” as has FactCheck.org.

Josh Richman

LGBT Q&A: We’re Back With Season 2!

1 week ago

Last June during Pride, we launched a new initiative—LGBT Q&A—where we answered your most pressing queer-related digital rights questions on EFF’s Instagram and TikTok accounts. No question was too big or too small! You asked us things like what pictures to use on dating apps; how to remove your name from internet searches; why homophobic content doesn't get removed after you report it; and how to stay safe at Pride marches.

And this year, we’re doing it all again.

Both online and offline, LGBTQ+ individuals and the fight for queer liberation are under threat; and the need for guidance and protection from prying eyes and oppressive structures is increasingly pertinent. This is particularly true for those of us who face consequences when intimate details around gender or sexual identities are revealed without consent.

But we know that it can feel overwhelming to even start thinking about how you can protect yourself online in the face of these issues. That's why this Pride, we’re answering all your digital rights questions.

How to submit your questions?

If you would like to remain anonymous and away from social platforms, you can submit questions via this secure link.
Head to EFF’s Reddit or the r/LGBTQ subreddit and submit your questions underneath the posts.
Your questions can also be submitted under the linked posts on EFF’s Instagram and TikTok, as well as on our stories where you can submit questions directly.
If you prefer Mastodon and Bluesky, comment your questions under the linked posts.

As always, we will not engage with comments that discriminate against marginalized groups, including the LGBTQ+ community.

We’re here to help build an online space where you get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private. Join us to make the internet private, safe, and full of pride.

Paige Collings

Congress Just Rushed Through a Disastrous Copyright Office Overhaul

1 week 1 day ago

In a voice vote earlier this week, the House of Representatives passed H.R. 6028, the “Legislative Branch Agencies Clarification Act.” The legislation is presented as a technical reorganization of some government agencies, but it’s much more than that.

H.R. 6028 would fundamentally change the U.S. Copyright Office, and not in a good way. The bill removes the Library of Congress’ current supervisory role over the Copyright Office, transfers several powers directly to the Register of Copyrights, and makes the Register a presidential appointee, confirmed by the Senate.

These changes would make an office that’s already hugely influential in copyright and tech policy much more political. EFF first explained why that’s a terrible idea when it came up nearly a decade ago. This bill, like the older one, weakens the few public-interest checks and balances that do exist. We hope the Senate promptly rejects this bill.

The Copyright Office Doesn’t Need More Politics—Or More Power

The Copyright Office's main responsibilities are administrative and advisory. It registers copyrights, maintains records, grows the Library of Congress’s collections, and provides expertise to Congress on copyright law. But over the past two decades, the Office has also become increasingly influential in copyright policy debates that affect free expression, libraries, educators, competition—and everyday internet users. Unfortunately, it has not been a neutral advocate. The office’s recent report on the role of AI severely bungled the issue of fair use, prioritizing private licensing market “solutions” over user rights.

Going further back, the Copyright Office supported one of the most infamous anti-internet proposals of all time—the Stop Online Piracy Act (SOPA), a disastrous internet censorship proposal that sparked one of the largest online protests in history. The Office has repeatedly advanced positions that favored large entertainment-industry interests over the public interest.

The Office also plays a major role in the Digital Millennium Copyright Act (DMCA) Section 1201 rulemaking process, which determines when the public may lawfully bypass digital locks for activities such as security research, repair, preservation, or accessibility. EFF has used this process repeatedly to mitigate some of the worst harms of the DMCA. H.R. 6028 would move rulemaking authority over 1201 from the Librarian of Congress to the Register of Copyrights, further consolidating power within the Copyright Office itself.

The bill also makes the Register of Copyrights a presidential appointee confirmed by the Senate. Each administration will be pressured to pick nominees aligned with their own policy preferences, and the powerful copyright owning industries will invest even more heavily in lobbying to get their way, and influence the selection. This position should be focused on administrative ability and actual expertise, not lobbying and politics.

The Copyright Office Should Stay Connected To The Library of Congress

H.R. 6028 would do more than change who appoints the Register of Copyrights. It would sever the Copyright Office from Library of Congress supervision and transfer many Librarian powers directly to the Register.

The supervisory relationship exists for good reason, as the nation’s libraries have pointed out for years. The Library, while far from perfect, at least has the mission of preserving and providing access to knowledge. That should be an important public-interest counterweight in copyright debates. Congress has not explained how weakening the ties between the Library and the Copyright Office would serve the public better, or even seriously inquired about it.

This Bill Was Rushed Through

Back in March, EFF joined Public Knowledge, the Center for Democracy and Technology, library organizations and tech groups, urging Congress not to fast-track this legislation. We told them changes to the Copyright Office will have major consequences for the “speech rights, educational opportunities, and creative freedoms of all Americans.”

Yet Congress moved forward without any hearings on the bill, and without meaningful examination. H.R. 6028 creates a years-long separation of the Copyright Office from the Library of Congress, transfers significant legal authority, and restructures the appointment process for the nation’s top copyright official. Changes like that deserve hearings, debate, and public scrutiny. H.R. 6028 got none of that.

The Senate Should Stop This Bill

Copyright law exists to serve the public and “promote the progress” of science and learning. The institutions that administer copyright law should do the same.

H.R. 6028 would move the Copyright Office further away from that goal. Congress should be strengthening public-interest oversight of copyright policymaking, not looking for ways to concentrate more authority in a single presidentially appointed official.

The Senate should reject H.R. 6028. The Copyright Office should serve the public—not presidential administrations, and not industry lobbyists.

Joe Mullin

The 702 Ultimatum: Warrant Requirement or Bust

1 week 1 day ago

For months now, Congress has been kicking the ball down the road—temporarily postponing the expiration of the mass surveillance authority Section 702 of FISA in hopes that some consensus could be reached. Now, with the deadline looming, the stakes have never been higher. Nearly every time the statute has come up for renewal, the people demanding privacy and civil liberties have had to compromise, but with current negotiations seemingly at an impasse, it’s time for surveillance maximalist lawmakers to come to the table.

We say to the Intelligence Community crowd: Section 702 should require a warrant before the Federal Bureau of Investigation can look at digital communications collected from Americans. If not, we should let the whole thing expire.

This is a serious proposition. The intelligence community can keep a useful national security surveillance tool if and only if they make FBI agents get a warrant signed by a judge before they sift through and read out private communications. A warrant requirement is not the only demand EFF has been making for changing Section 702, but it is the most important reform and it should happen before there is any more reauthorization of the policy.

For too long, the FBI has been able to piggyback on a major national security tool as an unconstitutional backdoor way of reading Americans’ communications. 702 collects communications going to, from, or between people in other countries—including when they are contacted by people in the United States. Mass surveillance is just that—mass. It’s lacking any of the individualized suspicion that our legal system is based on.

TELL congress: 702 Needs Reform

So, what’s been happening?

On one side are surveillance hawks and intelligence community-devotees who think the mass surveillance of Americans is an acceptable, even valuable, product of this authority. This bipartisan coalition of privacy deniers think that 702 should be extended without any change, and they seem to be willing to let the authority expire rather than compromise with the lawmakers and public that are demanding common-sense reforms. They’ve been given a number of chances to pass bills that would implement some key incremental reforms, but those opportunities have not moved the needle.

On the other side of the debate is a bipartisan coalition of people who understand that this authority can no longer operate as is. Section 702 is rife with problems, loopholes, and compliance issues that need fixing. The National Security Agency collects full conversations being conducted by and with overseas targets—including conversations by and with Americans in the U.S.—and stores them in massive databases. The NSA then allows other agencies, specifically the FBI, to access untold amounts of that information. In turn, the FBI takes a “finders keepers” approach to this data: they reason that since it's already collected under one law, it’s OK for them to see it. If the FBI wanted to get that data on their own, it would require them to get a warrant signed by a judge certifying that there is probable cause. Instead, under current practice, the FBI can query and even read the U.S. side of that communication without a warrant. What’s more, victims of this surveillance won’t know and have very few ways of finding out that their communications have been surveilled.

Complicating this matter more is that the Trump administration has announced Bill Pulte as the new Director of National Intelligence, whose job it will be to oversee and direct U.S. intelligence agencies. This is particularly concerning because of Pulte’s history of using private information held by the government as a political weapon. In his FHFA role, he has accused several of the President’s political foes and targets—including New York State Attorney General Letitia James, U.S. Sen. Adam Schiff, D-Calif., and Federal Reserve governor Lisa Cook—of mortgage fraud based on private data held by his agency. Because of his looming appointment, many Democrats have vowed not to reauthorize Section 702 unless he is removed from the position. They shouldn’t stop there—they should use that leverage to demand a warrant requirement. The integrity of the people in charge of a program should not be the only thing that stands between Americans and violations of their civil liberties.

What happens if 702 expires?

As the New York Times reports, “The law, however, has a built-in safety net for a temporary lapse that allows the surveillance program to endure until annual certifications issued by the nation’s intelligence court expire, though such a scenario could invite legal challenges. The court recertified the program in March, meaning the N.S.A. could continue to operate the program through March 2027 even if the statute were to expire.”

If Section 702 does stay expired past March 2027, the United States government will likely revert to using other programs and authorities to justify the surveillance of overseas national security targets, namely 12333, a shadowy executive order from the 1980s that gives the U.S. government nearly unlimited power to spy on people overseas. Even if this does come to pass, standing our ground on warrant requirements and allowing Section 702 to expire is important for several reasons. First, just because the government continues surveillance under a different authority does not mean it is legally justified in doing so—this was the lesson of the post 9/11 Presidential Surveillance Program, which was only retroactively immunized by Congress. Second, seeing how the government responds to the end of Section 702 might give us opportunities to push for transparency in other parts of information collection and better understand how the inner workings of the intelligence apparatus pivot and adapt as new legal authorities take precedence.

Where do we go from here?

Every few years, for almost two decades now, we’ve been fighting to reform Section 702 so that it will no longer enable the warrantless mass surveillance of Americans. A bipartisan coalition in Congress supports this goal, but the White House and Congressional leadership won’t listen. It’s past time we make at least one serious reform to a mass surveillance law that has been abused for decades. Tell your elected official: Put a warrant requirement in Section 702 or let it expire.

TELL congress: 702 Needs Reform

Matthew Guariglia

Enshittification Merch That Actually Fights Enshittification

1 week 1 day ago

Enshittification isn't just a sweary word to describe the accelerating decay of the online platforms, apps, and services that we rely on.

It's a framework for understanding the structural incentives that make tech companies enemies of their own users over time—the surveillance business model, the erosion of privacy, the monopoly power that eliminates alternatives, the regulatory capture that prevents accountability.

SUPPORT EFF

GET LimITED EDITION MERCH + FIGHT ENSHITTIFICATION

These are some of EFF's core fights and have been for over 35 years. EFF sues. EFF advocates. EFF codes. And EFF wins. EFF is the most profound and powerful disenshittifying force on the planet Earth, and I’ve been proud to fight alongside them for nearly 25 of those years.

One of the lessons you learn in battles with very long timelines against very powerful actors is that these battles are deeply serious, and because of that they must also be fun. “Enshittification” took off as a shorthand in part because of the minor license to vulgarity it confers. It's slightly crass for a reason: getting people to engage with the abstract issues of tech policy can be hard at the best of times. No one knows this better than my colleagues at EFF, who consistently surprise me with their ability to make complex, technical concepts concrete, memorable, and sometimes even joyful.

Words matter, but so do visuals. For the cover of the U.S. edition of my book, Enshittification, designer Devin Washburn of No Ideas studio created an iconic variation of the "pile of poo" emoji, with angry eyebrows and a grawlix-scrawled censor bar over its mouth. It instantly became the symbol of enshittification I’d been looking for.

I liked it so much I ordered a couple hundred enamel pins and a couple thousand vinyl stickers and handed them out to people I met on my 33-city book tour. Even when giving them away, I was inundated with requests to buy more of them.

I've since bought out Devin's rights to the image and released it under a Creative Commons Attribution 4.0 license—free for anyone to use, remix, or build on, including commercially, with attribution. The high-resolution files are on Wikimedia Commons, Flickr, and the Internet Archive (including a PSD with an ink-density adjustment layer). It belongs to the commons now.

But I made sure EFF had first crack at the design for their “official merch,” and they've done right by it. There are two items available now in the EFF shop, and all proceeds go directly to EFF's work defending digital rights. I’ve spent years admiring EFF’s merch and consistent, creative visual identity, so it fills me with pride to see this more-than-a-mere-poop-emoji in their shop.

A recognizable visual shorthand is a genuine organizing tool. When someone sees the enshittification emoji, they know what the conversation is about. When you wear the pin or slap the sticker on your laptop, you're signaling that you understand what's happening to the internet, and that you know we can do better.

You can get a $5 sticker:

Or a $10 pin:

Because the design is CC-licensed, you don't have to buy one. You can make your own merch, your own swag, your own illustrations. I made a lawn flag for my front garden.

But if you do want to buy a sticker or pin, you can do so while supporting the most profound and powerful disenshittifying force on the planet Earth—the Electronic Frontier Foundation.

SUPPORT EFF

GET LimITED EDITION MERCH + FIGHT ENSHITTIFICATION

Cory Doctorow

🔊 Mass Surveillance for… Loud Music? | EFFector 38.11

1 week 1 day ago

Across the country, surveillance companies have spun a vast web of tens of thousands of license plate cameras. The people selling this tech want you to believe that it's for your safety, but how are authorities really using automated license plate readers (ALPR)? In this week's EFFector newsletter, we're looking at how these powerful surveillance networks have become universal people-trackers used for noise complaints and other low-level investigations.

JOIN OUR NEWSLETTER

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This week's issue covers a victory for facial privacy, EFF's testimony to Congress about AI and surveillance, and troubling new examples of ALPR mission creep.

Prefer to listen in? EFFector is now available on all major podcast platforms. This week, we're chatting with EFF Associate Director of State Affairs Rindala Alajaji about what she uncovered about police use of ALPR. And don't miss the EFFector news quiz. You can find the episode and subscribe on your podcast platform of choice:

%3Ciframe%20height%3D%22200px%22%20width%3D%22100%25%22%20frameborder%3D%22no%22%20scrolling%3D%22no%22%20seamless%3D%22%22%20src%3D%22https%3A%2F%2Fplayer.simplecast.com%2F733a5637-dec4-4949-8c0f-976a5222c48a%3Fdark%3Dfalse%22%20allow%3D%22autoplay%22%3E%3C%2Fiframe%3E Privacy info. This embed will serve content from simplecast.com

Want to stay in the fight for privacy and free speech online? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight against online surveillance when you support EFF today!

Hudson Hongo

How and Why to Fight Back Against Social Media Bans

1 week 2 days ago

Several U.S. states are pushing to ban young people from social media entirely. This marks the latest wave of censorship bills masquerading as “children’s online safety” measures, with states like Massachusetts, Idaho, Minnesota, North Carolina, South Carolina, Illinois, and EFF’s home state of California leading the charge.

Just a few years ago, lawmakers supporting age-gating laws insisted their efforts were narrowly targeted at limiting young people’s access to adult content. At the time, we warned that they would not stop there: once the government established the authority and built the infrastructure to collect and “verify” massive troves of user data, it would inevitably sweep broader and broader categories of lawful speech into this mass surveillance and censorship system.

Unfortunately, our predictions came true. As legislators across the country advance proposals that would block all young people from accessing the “modern public square,” the Overton window has shifted dramatically towards mass censorship—and the speed of this shift should concern all of us.

This primer breaks down this dangerous wave of social media bans: how they work (and why they don’t), who they harm, and how we can fight back.

How to Spot a Social Media Ban

The details of these bills vary from state to state. Some (like California’s AB 1709) are a flat-out social media ban for all young people under a certain age, while other states (like South Carolina and Minnesota) allow access to young users who hand over even more data to show verifiable parental consent. Many bills regulate certain social media features, too, including by setting default privacy settings, time limits, or notification preferences for all accounts that fail the age-gate.

As for the age-gating mechanism itself, most proposals fall into two broad categories: age verification bills and behavioral age estimation bills.

Age Verification Bills require online services to collect highly sensitive data, including government ID and biometric information, from all users before either restricting or allowing them access.

For example, take California’s social media ban (AB 1709). Starting in January 2027, operating systems will be required to collect enough information from users to sort them into age groups, or “brackets.” Under AB 1709, social media apps would then use that age bracket information to completely block anyone under 16, while supposedly letting everyone else through. By contrast, Florida’s law (HB 3) takes a more aggressive route by forcing platforms to verify users' identities directly, usually by contracting with private third-party companies to perform verification services.

Behavioral Age Estimation Bills, on the other hand, are a more recent innovation of states like Minnesota (HF 1438) and South Carolina (H 4591). These bills require platforms to estimate the ages of users based largely on data that they already collect, including self-attested age, behavioral information, and account history and activity. In practice, these bills enable tech companies to use algorithms and/or AI to analyze our online behavior and estimate age based on that.

Proponents of behavioral age estimation bills claim that their proposals avoid the massive security risks that come with mandatory age verification bills. However, much of the data that social media platforms collect from us “in the ordinary course of operation” is collected in order to serve us targeted behavioral ads. If we force platforms to use this imperfect data to make more important judgments about who can access their services, we risk entrenching those insidious data collection practices. Surely we don’t want to give social media companies more reasons to justify and sustain their reliance on this exploitative business model.

If you want to dig into the nuance here, our terminology guide sheds more light on the technical differences between age verification and age estimation bills.

Overall, it’s a lose-lose scenario: either platforms collect new forms of our most sensitive and immutable data, or they unleash their AI and algorithms on our existing behavioral data to make creepy guesses about who we are and what we deserve to see. No matter which age-gating method your state chooses to execute its social media ban, there will be lots of error at the margins—and lots of users who will be blocked or chilled from access to lawful online speech.

Why Social Media Bans Are So Dangerous

Social media bans are unconstitutional, discriminatory, and deeply misguided. They reinforce existing structures of oppression, and they are broadly unsupported by young people, whose voices are conspicuously absent from this conversation. They undermine parental decision-making and replace tailored family-level solutions with a one-size-fits-all band-aid. And, in the places we have seen social media bans go into effect, early reports show that they don't even work.

For example, in Australia, where a social media ban has been in effect since late 2025, a majority of young people can still access social media, those who can’t have lost their access to the news, and crisis helplines are reporting skyrocketing numbers of calls from youth left stranded without online community or resources.

We could go on and on about all of the inherent harms here, but we’ll try to keep this short as we walk through some of the major issues.

1. Security Risks and Privacy Harms

In order to ban some users, social media platforms first must confirm the ages of all users, regardless of age. Bans thus incentivize companies to force users of all ages to hand over government IDs, face scans, and other sensitive information. When parental consent is required, companies must collect even more verification data and often create explicit links between child and parent accounts—further destroying users’ anonymity.

Both of these databases create massive data "honeypots" that invite identity theft and permanent surveillance. We’ve already seen repeated data breaches involving age- and identity-verification services. Yet these laws would force both adults and the youth they claim to protect to feed their most sensitive data into this growing surveillance ecosystem.

If we don’t trust tech companies with our private information now, we shouldn't pass laws that force us to give them even more of it.

2. Disproportionate Harm to Vulnerable Communities

Age-verification technology is deeply flawed and prone to discrimination. These systems frequently misidentify or lock out people of color, people with disabilities, and trans or gender-nonconforming individuals whose IDs may not match their appearance.

Where these bills require parental consent, they impose disproportionate access barriers on low-income, non-traditional, and immigrant families. These sorts of families are more likely to share a single family device or have strong reasons to not want the government to track family associations and ID documents.

Beyond the technical failures, these bans cut off a vital lifeline. For LGBTQ+ youth, foster kids, and those stuck in unsupportive home environments, social media is often the only place to find community, explore their identity, or access life-saving resources. Forcibly removing young people isolates those who need connection the most, while creating massive new barriers for adults.

You can read a breakdown of the diverse groups vulnerable to these laws here.

3. Based on Shoddy Science

The current legislative push to ban young people from social media relies heavily on the idea that the "great rewiring" of the adolescent brain is a proven fact. This simply isn’t true.

Social science indicates that moderate internet use is a net positive for teens’ development, and negative outcomes are usually due to either lack of access or excessive use. For LGBTQ+ and marginalized youth in particular, social media offers an essential space to access support they might lack offline. By forcing youth into digital isolation, these bans cut off vital access to political news, community, and health resources. They also completely ignore the calls of young people themselves who favor digital literacy and education over restrictive government control.

Instead of cutting off these lifelines, we should support measures that arm all youth (and the adults in their lives) with the knowledge they need to navigate online spaces safely.

4. Reckless Free Speech Violations for Users of All Ages

No matter your age, the First Amendment protects your right to speak and access information.

Blanket social media bans immensely and unconstitutionally chill all users’ exercise of this right. They cut off young people’s access to lawful speech, or ruin their privacy in the home by mandating parental consent and sometimes even parental access to their account activities and settings. They force all users (adults and young people alike) to hand private information over to tech companies before speaking or accessing information on social media platforms, imposing annoying obstacles on lawful online expression and wrongfully blocking some adults outright.

Critically, these bans destroy our right to online anonymity—a cornerstone of our right to free expression that protects whistleblowers, journalists, activists, immigrants, and everyone who has ever used a private browser or account to ask the internet an embarrassing question.

How to Fight Back

Social media bans weaponize parents’ concerns about children’s safety to justify unprecedented levels of surveillance and censorship. In the process, these laws deny young people their rights, threaten online anonymity for everyone, expose our sensitive personal data to breach and abuse, and replace parental decision-making with state authority. This is a battle over the future of the open, private, and free internet, and we must act now to protect it.

Here’s how you can help us fight back: Talk to your community (including young people!) about what’s at stake. If you’re a parent, lean on open conversations and platforms’ existing tools to tailor your child’s experiences instead of handing that power over to the government. And no matter where you live, contact your government representatives and tell them clearly that social media bans are not the answer to kids’ online safety.

Molly Buckley

Tell Congress: Just Say No to NO FAKES

1 week 2 days ago

The Senate Judiciary Committee is set to consider and vote on the Nurture Originals, Foster Art, and Keep Entertainment Safe Act (NO FAKES). Instead of targeting the real privacy harms posed by AI-generated replicas, this law would create another layer of internet censorship on top of the already existing legal and voluntary takedown systems. Congress should reject NO FAKES.

As currently written, NO FAKES proposes to tackle the problems of misleading AI-generated replicas by creating a broad property right in someone's look, voice, and general style. However, there are all kinds of First Amendment-protected expression that would be swept under the NO FAKES regime—think about parody, news, criticism.

NO FAKES also does a laughable job of protecting artists from use of their image in misleading ways. It doesn’t create a privacy right, but rather a property right that can easily be signed away—as major studios and record labels are almost certain to require in their contracts with artists. As a result, NO FAKES actually creates a new avenue for the exploitation of artists by companies instead of protection from misleading replicas.

The bill also makes it trivially easy for protected speech to be censored. It is a supercharged version of the already flawed copyright takedown regime. It would essentially require platforms to institute filters that don't just look for exact matches of copyrighted material, as current filters do, but anything that might be a digital replica. Even though the latest version of this bill adds some forms of redress for bad faith takedowns, those provisions lack the teeth required to deter a malicious actor.

NO FAKES targets speech, tools, and innovation instead of focusing on the real concern posed by these replicas: privacy. This bill was a bad idea when it was introduced, and got even worse when it was amended last year. Tell Congress to just say no to NO FAKES.

Katharine Trendacosta

VICTORY: Meta Strips Facial Recognition Code From Smart Glasses App After Public Outcry