Primed for Malware: Stop Selling Compromised Android Devices

18 hours 35 minutes ago

Time and time again, researchers have found numerous compromised Android devices for sale at large online retailers like Amazon. When these devices get individually reported, we have seen some noted efforts to take them down. But this is a systemic problem and Amazon and other major online retailers must make a corresponding systemic and intentional effort to stop these devices from entering people’s homes and ultimately their networks.

As a refresher: Last year, Google wrote that one major campaign, dubbed BADBOX, affected 10 million uncertified devices running Android’s open-source software (the Android Open Source Project, or AOSP). These devices range from TVs and streaming devices to digital picture frames. Even now, someone can go on Amazon or Walmart and buy one of these devices. Not all of them are sold through Amazon and Walmart, but since those two hold the lion’s share of the market, it’s fair to assume that many are.

Most well-known Android-based devices don’t ship with just “stock Android.” The operating system is usually Android plus whatever additional features the manufacturer wanted. These custom builds often come with pre-installed applications that range from useful, to innocuous bloatware, to actual malware. Many Android OEMs (original equipment manufacturers) pre-install apps that are not represented by an icon in your list of installed apps. That obscurity makes it particularly hard for users to identify potential threats.
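A concrete way to surface those icon-less packages, as an added example that is not part of the EFF post: the Go program below cross-checks two adb listings, the installed packages (`adb shell pm list packages -f`) and the activities that answer the launcher intent (`adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`), and reports every package with no launcher entry, flagging those whose APK lives on an OEM partition (/system, /product, /vendor and so on). The two listings embedded here are constructed samples, and the line formats the parser expects are assumptions about those commands’ usual output, so check them against your own device before trusting the result.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of `adb shell pm list packages -f` output
// (format assumed: "package:<apk path>=<package name>").
const samplePackages = `package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~Qx9==/com.example.streamer-1/base.apk=com.example.streamer
package:/system/app/Updater/Updater.apk=com.vendor.sysupdate
package:/product/app/Gallery/Gallery.apk=com.vendor.gallery
package:/vendor/app/Helper/Helper.apk=com.vendor.helper`

// Constructed sample of `adb shell cmd package query-activities --brief -a
// android.intent.action.MAIN -c android.intent.category.LAUNCHER` output
// (format assumed: one "<package>/<activity>" component per line after a header).
const sampleLaunchers = `3 activities found:
  com.android.settings/.Settings
  com.example.streamer/.MainActivity
  com.vendor.gallery/com.vendor.gallery.MainActivity`

// Pkg is one installed package and where its APK lives.
type Pkg struct {
	Name      string
	Path      string
	Preloaded bool // APK lives on a read-only OEM partition rather than /data/app
}

// preloadPrefixes are partitions an OEM ships apps on; user installs land in /data/app.
var preloadPrefixes = []string{"/system/", "/system_ext/", "/product/", "/vendor/", "/odm/", "/apex/"}

// componentRE matches a "<package>/<activity>" component line and captures the package.
var componentRE = regexp.MustCompile(`^([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+$`)

// parsePackages turns `pm list packages -f` output into a name -> Pkg map.
func parsePackages(out string) map[string]Pkg {
	pkgs := map[string]Pkg{}
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "package:") {
			continue
		}
		line = strings.TrimPrefix(line, "package:")
		// Split on the LAST '=': /data/app paths contain base64 segments that can end in '='.
		i := strings.LastIndex(line, "=")
		if i < 0 {
			continue
		}
		path, name := line[:i], line[i+1:]
		p := Pkg{Name: name, Path: path}
		for _, pre := range preloadPrefixes {
			if strings.HasPrefix(path, pre) {
				p.Preloaded = true
				break
			}
		}
		pkgs[name] = p
	}
	return pkgs
}

// parseLauncherPackages collects the package part of every component line.
func parseLauncherPackages(out string) map[string]bool {
	seen := map[string]bool{}
	for _, line := range strings.Split(out, "\n") {
		if m := componentRE.FindStringSubmatch(strings.TrimSpace(line)); m != nil {
			seen[m[1]] = true
		}
	}
	return seen
}

// HiddenPackages returns installed packages that expose no launcher activity,
// i.e. nothing the user can see or tap in the app drawer, sorted by name.
func HiddenPackages(pkgOut, launcherOut string) []Pkg {
	launchers := parseLauncherPackages(launcherOut)
	var hidden []Pkg
	for name, p := range parsePackages(pkgOut) {
		if !launchers[name] {
			hidden = append(hidden, p)
		}
	}
	sort.Slice(hidden, func(i, j int) bool { return hidden[i].Name < hidden[j].Name })
	return hidden
}

func main() {
	for _, p := range HiddenPackages(samplePackages, sampleLaunchers) {
		tag := "user-installed"
		if p.Preloaded {
			tag = "PRELOADED"
		}
		fmt.Printf("%-26s %-14s %s\n", p.Name, tag, p.Path)
	}
}
```

On a real device, capture the two adb outputs to files and feed them to HiddenPackages in place of the constants. Many legitimate framework components (content providers, background services) also have no launcher activity, so treat the output as a review list rather than a verdict: look up unfamiliar preloaded names, and keep in mind that a package on a system partition can usually only be disabled, not uninstalled, without root, which is what makes manufacturer-installed malware so persistent.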

Since the initial BADBOX analysis, there have been more reports of large campaigns and clusters of different devices participating in malicious activities that utilize people’s home networks to engage in illegal activity. Task forces in the private sector have made an effort to take down these existing Command and Control structures, but these actors may pivot and evolve to flood the market with more devices. 

Online retailers can stop this cycle. A multi-billion dollar company like Amazon should devote resources to this problem comparable to its anti-fraud efforts, given that these products may have facilitated conditions for large-scale attacks and illegal activity. It would also help if retailers communicated malware-related takedowns more visibly to consumers who are shopping for very similar devices with shared characteristics.

Identifying these devices can be tricky, but it’s not impossible, because they tend to follow a pattern. For example, the FBI warned consumers this year to avoid TV streaming devices that claim to provide free sports, TV shows, and movies, a common tactic of the makers of these malware-filled Android devices that preys on people’s exhaustion with paying for countless streaming services. We detailed what sorts of indicators to look for on a device you’ve purchased.

But it’s not just the storefronts. Other parts of this ecosystem need to improve too, including greater engagement in firmware transparency and holding the manufacturers of the devices themselves accountable for these malware-laced products.

On Prime Day, we urge retailers like Amazon to better empower users with information they need to make safe and smart decisions.

Alexis Hancock

EFF, TEDIC and CEJIL Challenge Secrecy in the Use of Face Recognition in Paraguay

20 hours 58 minutes ago

Seeking transparency and accountability in Paraguay’s use of facial recognition, EFF, the Association of Technology, Education, Development, Research, Communication (TEDIC), and the Centre for Justice and International Law (CEJIL) filed a complaint with the Inter-American Commission on Human Rights against the state for arbitrarily denying access to information about its implementation and use of the technology as a tool for mass surveillance that erodes people’s privacy rights. 

The case involves the Ministry of the Interior and National Police’s installation in 2019 of surveillance cameras with facial recognition technology in Asunción. Maricarmen Sequera, a lawyer and executive director of TEDIC, filed an information request with the ministry seeking details and protocols about the implementation and use of facial recognition systems and the personal data processing involved. 

The request sought information about, among other things, whether the state had conducted human rights or data protection impact assessments, as well as if it had developed measures and protocols for avoiding abuses, illicit uses of personal data, and other risks in the deployment of the facial recognition system.

The state denied most of the information requested, arguing that implementation details, protocols, and the processing of individuals' personal data were confidential security information. TEDIC challenged the secrecy in court, but the proceedings dragged on and ultimately upheld the denial of information. 

The petition filed last Friday (the 19th) cites Inter-American standards upholding the public’s right to access information, particularly in relation to national security, that the Paraguayan authorities disregarded in denying TEDIC’s information request. The petition also argues that the refusal of information violated privacy and the right to informational self-determination.

The petition asks the Commission to recognize a violation of those rights and require the state to deliver the information requested. Further, the petition seeks an order compelling the state to adopt mandatory permanent mechanisms of active transparency regarding the acquisition, contracting, implementation, financing, functioning, and use of surveillance technologies by public bodies, especially those that incorporate processing of biometric data or artificial intelligence systems. 

It also asks the Commission to order the state to adopt mandatory procedures for human rights impact assessments prior to acquiring and using surveillance technologies, particularly those that collect biometric data or use artificial intelligence.

The state’s lack of transparency in this case is not an isolated incident, both in Paraguay and in Latin America, where opacity in matters of security and surveillance is the unsettling rule. The situation gets worse with the increasing normalization of intrusive surveillance technologies by states in the region.

The Special Rapporteur for Freedom of Expression of the Inter-American Commission emphasized that states should disclose surveillance capabilities and contracts, and acknowledge state use of surveillance technologies at a meaningful level of detail, to facilitate essential public debate on the necessary limitations of surveillance in democratic societies and ensure compliance with international human rights law.

We hope that the Inter-American Commission upholds the robust safeguards in the Inter-American System and advances access to information and privacy rights in a case that can set a crucial precedent for the region.

Karen Gullo

Four Years After Dobbs, Anti-Abortion Lawmakers Keep Coming for Online Speech

21 hours 25 minutes ago

This week marks four years since Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade’s constitutional protections for people seeking abortion care. Anniversaries are a moment to take stock, and over the last four years, EFF has seen firsthand how digital rights and reproductive rights have become increasingly intertwined. One major way this has happened: the fight over abortion has also become a fight over online speech and government censorship as a steady stream of proposed laws, cease-and-desist letters, lawsuits, and government investigations have targeted the websites and online resources that help people find and learn about reproductive healthcare.

This is an effort by anti-abortion government officials to mold the information ecosystem, restrict what people can read, and cut off the ways people communicate with one another. We’ve watched this build for years, and the encouraging news is that many of these efforts have failed. The worrying news is that they keep coming. And if they’re allowed to succeed, this could have repercussions for freedom of expression online beyond reproductive rights.

Targeting Sites That Just Share Information

The clearest tell that this is also a war on speech is that officials have aimed their efforts not just at abortion providers or the entities that prescribe and sell medication abortion, but also at websites that do nothing more than tell people what their options are, how to find a doctor, and where abortion remains legal.

Cease-and-Desists & Takedown Demands

State attorneys general have been hitting these online information hubs with cease-and-desist letters and takedown demands. Just this month, for example, Alabama Attorney General Steve Marshall sent cease-and-desist letters to multiple groups with abortion-related websites, including Plan C, a public health campaign that provides educational resources and research on abortion access. Plan C doesn’t sell or ship abortion pills. It simply provides information. Marshall’s office nonetheless claimed Plan C’s website “facilitates, aids, and abets” illegal abortion. The Arkansas attorney general similarly sent out cease-and-desists to several organizations regarding their websites, including Mayday Health, which, like Plan C, provides only information and does not directly prescribe or mail pills.

In another example from earlier this year, North Dakota Attorney General Drew Wrigley threatened legal action and ordered the Prairie Abortion Fund to scrub information off of its website, not because the fund sold pills, but because its site linked to several outside informational resources. The Attorney General primarily focused on the fund’s link to Plan C, meaning the biggest alleged issue was a link to a website that links to other websites where pills can be accessed.

What’s especially concerning is that the state doesn’t have to win, or even file, a lawsuit to get what it wants. Especially for smaller organizations and funds, a letter threatening legal action can be enough to chill their speech, causing them to remove important content and go quiet.

Censorship Mandates

Legislators in multiple states have also attempted to make it illegal to share resources on how to obtain an abortion, including on purely informational websites with a national or global audience. South Dakota recently passed a law making it a felony to “advertise” anything “described in a manner calculated to lead another to use or apply it for producing an abortion.” Language this broad can easily apply to websites that simply engage in First Amendment-protected advocacy or provide educational resources. Mayday Health, which operates one such website, has since sued the state in federal court to block the law. The lawsuit argues the law could reach something as small as wearing a sweatshirt that carries Mayday’s web address.

Other state legislatures have made similar efforts. Last year, for example, Texas introduced a bill that would have made it illegal to “provide information” on how to obtain an abortion-inducing drug. If you exchanged emails, had an online chat, or created a website that shared information about legal abortion services in other states, you could have violated this bill. Luckily this particular bill did not pass, but Texas has attempted to pass similar laws for several years now.

Dressing Censorship Up as Consumer Protection

A major way anti-abortion officials are targeting online speech is by weaponizing consumer protection and deceptive advertising laws, claiming that providing information about abortion violates them. This tactic is a threat to free speech rights. The First Amendment protects publishing truthful information on a public issue, and the Supreme Court has expressly said that includes providing information about legal abortion in a state where it is illegal.

Yet states like South Dakota have continued to use deceptive advertising claims to go after abortion speech. Last year, South Dakota sent a cease-and-desist and then filed a lawsuit against Mayday Health for running ads that simply read: “Pregnant? Don’t want to be?” with a link to Mayday’s website. The state claimed the ads were “deceptive.” Mayday then counter-sued in federal court, challenging South Dakota’s actions under the First Amendment. Though the federal judge ultimately declined to step in while the parallel state case was pending, she made a point of saying she believed Mayday’s website constitutes “speech subject to protection under the First Amendment.”

Other states have attempted to run the same play. Missouri sued Planned Parenthood in 2025 under its consumer-protection statute, calling a webpage that says abortion pills are safe an “unfair and deceptive” trade practice. Florida went even further, invoking its RICO law—a law typically used for organized crime—over the same kind of statement. Florida leaned heavily on a single study funded by an anti-abortion think tank, even as major medical organizations and decades of research put the serious-complication rate below half a percent. States should not be able to cherry-pick studies in order to erase online speech.

Going After Intermediaries & Erasing Whole Websites

Some officials aren’t content to restrict only certain abortion-related content—they want the websites gone entirely.

Take, for example, the cease-and-desist letters sent by the Arkansas attorney general last year. Letters were sent directly to internet intermediaries (entities that facilitate use of the internet, such as internet service providers, web-hosting providers, or things like search engines and social media platforms). The letters demanded that both a domain registry company and a web host stop supporting a site that discusses abortion drugs. But as we know, if we cut off the host or the domain, the speech disappears for everyone—not just for people in Arkansas.

Likewise, Texas’s 2025 bill would have required intermediaries to take down abortion-related content. It’s worth remembering that the imposition of civil and criminal liability on intermediaries also conflicts with a federal law that protects online intermediaries’ ability to host user-generated speech, 47 U.S.C. § 230 (“Section 230”), including speech about abortion medication.

The push has gone federal, too. In March 2026, Senator Bill Cassidy and colleagues on the Senate Health, Education, Labor and Pensions Committee pressed the FDA to use every tool it has against online sellers, including leaning on the domain registrars that keep these sites online.

Why This Should Worry Everyone

It’s tempting to see this as limited to the fight over reproductive rights. That would be a mistake. For people seeking care, the immediate harm is obvious: the internet is often the only place to find accurate, potentially life-saving information, and every letter, lawsuit, and takedown threat makes that information harder to find and riskier to share.

But the damage doesn’t stop there. We’re witnessing a live experiment in how to use consumer-protection laws, criminal statutes, and pressure on intermediaries to suppress a disfavored viewpoint, pull information offline, and make websites disappear. To think these tactics can only be used against abortion speech would be naïve. 

We hope courts and legislatures will continue to protect free speech online. But the continued drumbeat of threatening letters, lawsuits, and investigations is its own kind of harm. Here at EFF, we’ll keep defending the right to share and read information online—about abortion, and about everything else.

Lisa Femia

The FCC’s Spam Call Proposal Is Just a Data Collection Scheme

1 day ago

The Federal Communications Commission wants to require telecommunications providers to collect vast amounts of personal information from every person who wants a phone number, in the name of combatting scam and spam calls. This plan will fail to stem the deluge of unwanted calls people in the United States receive every day, while giving untrustworthy companies a gold mine of information that would harm everyday consumers’ privacy, access to communications, and ability to speak freely. 

The requirement to provide ID and an address would completely cut off the ability to have an anonymous phone line, which would mean that many people in the most precarious situations imaginable (domestic violence and human trafficking survivors, unhoused people, and children without stable homes) would not be able to gain access to a crucial lifeline. EFF, along with the ACLU, has submitted comments advising the FCC to abandon this proposal entirely.

This Rule Will Not Decrease Spam Calls 

Requiring phone providers to collect consumers’ information will not appreciably decrease or eliminate unwanted calls. The FCC knows this because it confesses in its own rulemaking that “the most effective way to prevent unwanted calls from reaching American consumers is by ensuring they never enter the network.” Further, the Federal Trade Commission found that “a significant proportion, if not the majority, of unwanted robocalls originate from overseas.” Collecting the personal information of everyone who wants to make a phone call will not put a dent in fraudulent calls. 

What will address unwanted calls is the FCC’s STIR/SHAKEN technical standards, which already exist. While STIR/SHAKEN is not perfect, it is an actual technical solution to the problem of spam calls. And given that less than 50% of American telecommunications providers have fully implemented the protocol, the FCC should put its energy toward 100% compliance to reduce the scale of unwanted calls, instead of collecting consumers’ private information. 
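To show what STIR/SHAKEN actually provides, here is an added example, not code from EFF or from any carrier: a Go program that builds and verifies a SHAKEN PASSporT (RFC 8225 with the RFC 8588 "shaken" extension) using only the standard library. The originating carrier signs the calling number, called number, attestation level and timestamp with ES256; the terminating carrier recomputes the signature over the exact transmitted bytes. The carrier key is generated on the fly and the `x5u` certificate URL is a placeholder; a real verifier would fetch the carrier certificate from that URL and validate its chain to an STI-CA root, a step this example stands in for by passing the public key directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Passport holds the SHAKEN claims (RFC 8225 PASSporT with the RFC 8588 "shaken" extension).
type Passport struct {
	Attest string   // "A" full, "B" partial, "C" gateway attestation
	Orig   string   // calling number, E.164 digits
	Dest   []string // called numbers
	IAT    int64    // issued-at, Unix seconds
	OrigID string   // opaque originating identifier (a UUID in practice)
}

var b64 = base64.RawURLEncoding

// NewCarrierKey stands in for the STI-CA-issued signing key a carrier would hold.
func NewCarrierKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signingInput builds the base64url header and claims. encoding/json writes map keys in
// lexicographic order with no whitespace, the deterministic form RFC 8225 requires.
func signingInput(p Passport, x5u string) (string, error) {
	header := map[string]any{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
	claims := map[string]any{"attest": p.Attest, "dest": map[string]any{"tn": p.Dest},
		"iat": p.IAT, "orig": map[string]any{"tn": p.Orig}, "origid": p.OrigID}
	h, err := json.Marshal(header)
	if err != nil { return "", err }
	c, err := json.Marshal(claims)
	if err != nil { return "", err }
	return b64.EncodeToString(h) + "." + b64.EncodeToString(c), nil
}

// SignPassport is the originating carrier's step: ES256 over the signing input, with the
// signature in JWS raw 64-byte r||s form (not DER). The token goes in the SIP Identity header.
func SignPassport(p Passport, x5u string, key *ecdsa.PrivateKey) (string, error) {
	in, err := signingInput(p, x5u)
	if err != nil { return "", err }
	digest := sha256.Sum256([]byte(in))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // P-256 scalars always fit in 32 bytes
	s.FillBytes(sig[32:])
	return in + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating carrier's step: header sanity, signature over the exact
// transmitted bytes, and freshness of iat (RFC 8224 suggests a 60 s window).
func VerifyPassport(token string, pub *ecdsa.PublicKey, now, maxSkew int64) (Passport, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return Passport{}, errors.New("malformed token") }
	hb, err1 := b64.DecodeString(parts[0])
	cb, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return Passport{}, errors.New("bad base64url segment or signature length")
	}
	var hdr struct{ Alg, Ppt, Typ, X5u string } // encoding/json matches names case-insensitively
	if err := json.Unmarshal(hb, &hdr); err != nil { return Passport{}, err }
	if hdr.Alg != "ES256" || hdr.Ppt != "shaken" || hdr.Typ != "passport" || hdr.X5u == "" {
		return Passport{}, errors.New("unexpected header")
	}
	// Hash what was actually sent, not a re-serialization, so any edit breaks the signature.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return Passport{}, errors.New("signature does not verify") }
	var c struct{ Attest string; Dest struct{ TN []string }; IAT int64; Orig struct{ TN string }; OrigID string }
	if err := json.Unmarshal(cb, &c); err != nil { return Passport{}, err }
	if d := now - c.IAT; d > maxSkew || d < -maxSkew { return Passport{}, errors.New("stale or future-dated passport") }
	return Passport{Attest: c.Attest, Orig: c.Orig.TN, Dest: c.Dest.TN, IAT: c.IAT, OrigID: c.OrigID}, nil
}

// SpoofOrig models a spoofer who can edit SIP headers but holds no carrier key:
// the claims are rewritten while the old signature is kept.
func SpoofOrig(token, newOrig string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed token") }
	cb, err := b64.DecodeString(parts[1])
	if err != nil { return "", err }
	var claims map[string]any
	if err := json.Unmarshal(cb, &claims); err != nil { return "", err }
	claims["orig"] = map[string]any{"tn": newOrig}
	out, _ := json.Marshal(claims)
	return parts[0] + "." + b64.EncodeToString(out) + "." + parts[2], nil
}

func main() {
	key, _ := NewCarrierKey()
	p := Passport{Attest: "A", Orig: "12155551212", Dest: []string{"12155551213"}, IAT: 1443208345, OrigID: "de305d54-75b4-431b-adb2-eb6b9e546014"}
	tok, _ := SignPassport(p, "https://cert.example.net/shaken.pem", key) // placeholder x5u URL
	got, err := VerifyPassport(tok, &key.PublicKey, p.IAT+5, 60)
	fmt.Println("genuine:", got.Orig, got.Attest, err)
	spoofed, _ := SpoofOrig(tok, "12025550100")
	_, err = VerifyPassport(spoofed, &key.PublicKey, p.IAT+5, 60)
	fmt.Println("spoofed:", err)
}
```

The spoof path is the point: anyone can put a fake caller ID in a SIP From header, but without the carrier's private key the rewritten claims no longer match the signature. What the protocol cannot do, and why it is "not perfect", is stop a negligent or complicit carrier from signing bad calls with a full "A" attestation, or authenticate calls that cross a non-IP segment that strips or never adds the Identity header. Both come down to carrier-side compliance, which is the enforcement gap the FCC should be closing.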

The FCC gives away the true reason for this proposal in its own comments: this is a move to shut down the very existence of anonymous phones, aka burner phones. The FCC says in its comments: 

“Enhanced KYC information can assist law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information. The KYC information gathered and verified would help ensure that law enforcement gets accurate information in response to subpoenas when investigating crimes. For example, can enhanced KYC rules assist law enforcement in investigating organized criminal groups that use the network to facilitate illegal activities? Can they be used to deter or detect trafficking operations that use communication networks to buy and sell illicit goods?”

Anonymous phones are not just used by people to break the law, they are also used by activists who wish to remain anonymous, privacy conscious consumers, people escaping domestic violence, people escaping human trafficking, journalists who need to reach out to confidential sources, and other people in desperate situations. Anonymous phone lines are a lifeline to many, one which this proposal would cut off without any alternative. 

Mass Data Collection Makes Us All Less Safe

Mass data collection of individuals does not address unwanted calls, but it does make us all less safe online. The telecommunications industry has proven time and again that it is a poor steward of personal information. It has been at the center of several large-scale data breaches in recent years, and its data practices leave much to be desired.

In 2024, AT&T disclosed two large data breaches: one in which 7.6 million existing account holders and more than 65 million former customers had their information leaked onto the dark web, and another in which call and text logs for more than 100 million customer accounts were downloaded. Another large provider, Comcast, suffered a data breach in 2023 in which nearly 36 million account holders’ information was stolen, including the last four digits of their Social Security Numbers and their dates of birth. 

In 2024, the nation’s CALEA infrastructure, which law enforcement uses to tap and trace calls, was breached in the Salt Typhoon attacks. Experts maintain that U.S. communications networks remain vulnerable, and even this administration acknowledges these attacks as an ongoing threat. 

If telecoms can’t even protect the most sensitive communications infrastructure in the nation how can we expect that they will protect our identities?

In addition to their poor cybersecurity practice, these providers themselves abuse the information in their possession. In Scott v AT&T, AT&T, among others, made consumer information available to hundreds of third parties without the consumer’s express consent. Though the case was dismissed because AT&T forces its consumers to sign arbitration agreements, it shows the complete lack of care for their consumers' privacy. 

A Lack of Anonymity Silences People 

Mass data collection of individuals just to have a phone number will also harm and silence people. Anonymity in calls provides people the safety they may require to organize themselves, speak freely, and seek services. Anonymous phone calls give people the courage to participate in politics, organize themselves, reach out to a suicide or sexual-assault hotline, an addiction-recovery sponsor, seek medical care, seek escape from a violent and coercive situation, and do much more. Without this anonymity, people may otherwise not do any of these things. 

It will prevent many from obtaining phone numbers at all. 

Not everyone has all the information the FCC wants to require. The FCC wants people’s physical addresses, defined so narrowly that it is essentially a home address. Not everyone has a stable home address, so those individuals would not be able to get phone service. 

The FCC suggests that government-issued identification should be required for any phone service. About 15 million adult U.S. citizens do not have a driver’s license, and about 2.6 million do not have any form of government-issued photo ID. Others don’t have access to their identifying documents, which may be controlled by an abusive spouse or parent, a human trafficker, a cult, or someone else from whom a secondary phone line could help a person escape. Estimates show another 21 million adult U.S. citizens do not have a non-expired driver’s license, and over 34.5 million adult citizens have neither a driver’s license nor a state ID card with their current name or address. 

These numbers do not include non-U.S. citizens without current government-issued identification, including undocumented immigrants who cannot obtain a state ID or driver’s license. Black Americans and Hispanic Americans are disproportionately less likely to have current driver’s licenses, and Americans with disabilities and Americans with lower annual incomes are also less likely to have them. 

The FCC’s proposal will not decrease the amount of unwanted calls. All it will do is set up a data collection regime that harms everyday, law abiding Americans. This proposal makes us less secure online, strips away our right to anonymous speech in calls, and actively disconnects those Americans who are already at the margins. EFF recommends the FCC discard this proposal in its entirety. 

Reply comments can still be filed until July 26th. Express comments, which are appropriate for most individuals, can be filed on the FCC website. See the suggested language below to help you get started. 

Chao Liu

Are Your Local Police Using Flock Safety ALPRs to Scan for Immigrants?

1 day 2 hours ago

When a car passes an automated license plate reader (ALPR), its plate is captured and instantly compared against a list of vehicles that police are actively looking for or that police have identified for real-time surveillance. These are called “hotlists,” and EFF has learned that one used by agencies across the country targets immigrants on behalf of Immigration and Customs Enforcement (ICE). 

Agencies using Flock Safety ALPR systems commonly allow the plates their cameras collect to be compared against the FBI's National Crime Information Center (NCIC) hotlists. These hotlists are broken into "topics," such as "Gang or Suspected Terrorist," "Stolen Vehicle," and "Missing Person." 

Flock Safety told EFF via email: "Local agencies add/remove license plates from the NCIC list. The FBI curates the NCIC list, and pushes it out to local agencies. Once the list leaves the FBI, they do not see any agency alerts. They only see when a local agency adds or removes plates from the list."

But one list is different: The "Immigration Violator" hotlist is populated exclusively by ICE, and it is the only agency authorized to enter or maintain records in this system, according to the NCIC operator manual. It includes license plates associated with administrative warrants, which are issued by ICE agents without judicial review. The manual further describes the data:

The Immigration Violator File contains records on criminal aliens who have been deported for drug trafficking, firearms trafficking, or serious violent crimes and on foreign-born individuals who have violated some section of the Immigration and Nationality Act.

And: 

If the ICE has reasonable grounds to believe that the subject may be operating a particular vehicle or a vehicle bearing a particular license plate, the vehicle and/or license data may be included in the record.

Buried in the Flock Safety administrative interface, there is a drop-down menu where agencies select which NCIC topics to subscribe to. If Immigration Violator is selected, the local agency will receive an alert that a vehicle ICE is looking for has been sighted. According to Flock Safety, ICE itself does not get an alert, although the local agency may contact ICE to let them know. Many agencies also participate or collaborate with immigration enforcement (through, for example, 287(g) agreements) and may take steps to stop a vehicle based on one of these alerts. 

In many places, using ALPRs for immigration enforcement is against city or state law–or at minimum, against agency policy. But using this hotlist is immigration enforcement. 

For example, Sparks Police Department's ALPR transparency portal lists immigration enforcement among the "prohibited uses." Yet, records show Sparks utilizes ICE's Immigration Violator hotlist.

Many agencies publicly acknowledge using NCIC hotlists, but don't publish which ones. So, EFF filed public records requests with agencies around the country to identify at least which agencies may be using the Immigration Violator hotlist. Here are links to the documents from the 13 agencies that have responded so far. 

Agencies with the Immigration Violators Hotlist Enabled

Agencies Using NCIC Hotlists, But Immigration Violators Is Disabled

Knowing whether your agency has this box checked isn't just useful information—it's the kind of evidence that can change how officials vote when a contract comes up for renewal. So, how can you find out if your local agency is using the Immigration Violator list? It takes some digging, and you may not be successful. But here's what has worked for us in some instances. 

STEP 1: Conduct background research. 

The first questions you want to try to answer are: 

  • Does your local agency use Flock Safety ALPRs, and if so, 
  • Are they using NCIC hotlists? 

To answer the first question, here are two sites to try: 

  • AtlasofSurveillance.org - This is an EFF project to catalog the technologies law enforcement agencies use. You can search for your agency to see if they use ALPR.

  • EyesonFlock.com - This site includes an index of every agency that maintains a Flock Safety "Transparency Portal." These portals often disclose what hotlists an agency uses. You'll want to look for your agency, then click the outbound link to their transparency portal, if they have one. 

Once you're on the transparency portal, you'll want to look for two things. 

  • Is "immigration enforcement" a prohibited use? If it is, you might find that the agency is violating its own policies. 

  • Does the agency list "NCIC" as one of its hot lists? 

Not all agencies disclose this information, so even if you don't find anything, you can move on to these next steps. 

STEP 2: File a public records request. 

Every state has a law that allows the public to request information from the government. This can often be done by emailing the police department or sheriff’s office, or by using the agency's online public records portal. You can usually find these emails or portals quickly online by searching for the agency's website and contact information. You can also subscribe to a service like MuckRock, which is how we filed these requests.

We have developed language to request the hotlist topics. It doesn't always work, due to differences in how agencies interpret public records laws, but it is still worth a shot. 

Note: This is template language. A Google doc version is available here (Google's Privacy Policy applies). 

To Whom It May Concern:

Pursuant to the [INSERT LOCAL PUBLIC RECORDS LAW - FIND THAT HERE], I hereby request the following information:

- The NCIC topics that the agency has selected.

Within the Flock Safety ALPR administrative controls for hotlists, there is an NCIC drop-down menu to allow an agency to choose which NCIC "Topics" it will alert on. For example, "Gang or Suspected Terrorist" or "Missing Person." 

You may provide this as a printout or a screen grab, or simply copy-paste the selected items. If you'd prefer to do a full CSV export, that is also acceptable but may take more effort.

I leave the format at your discretion, but I would prefer to use as little of your agency's resources as possible for this request. You can see an example here: https://www.documentcloud.org/documents/28277589-20260414084201725/

The requested documents will be made available to the general public, and this request is not being made for commercial purposes.

In the event that there are fees, I would be grateful if you would inform me of the total charges in advance of fulfilling my request. I would prefer the request filled electronically, by e-mail attachment if available or CD-ROM if not.

Thank you in advance for your anticipated cooperation in this matter. Please do not hesitate to contact me with any questions at [CONTACT DETAILS].

Sincerely,

[Your Name]

STEP 3: Wait for a response.

Depending on the agency and the state law, it may take anywhere from days to weeks to receive a response. 

If the agency provides the records, they might look something like this: 

If "Immigration Violator" is checked, then yes–police are scanning vehicles for immigration enforcement. 

You can then put this information to work, sharing it with local reporters or bringing it directly to city officials who have the authority to modify, restrict, or cancel your agency's Flock contract. This is especially important if the agency has the box checked but also claims ALPR data is not used for immigration enforcement. Government officials like easy fixes, and "uncheck the box" is about as easy as it gets. But remember: If that's where it stops, the infrastructure for immigration surveillance stays fully intact, and the system is one policy, personnel change, or error away from being switched back on.

In many cases, you will not receive records. The agency may claim it's protected under legal exemptions or that it is not actually a public record under state law. For example, we received rejections from the Abington Police Department in Massachusetts and the Akron Police Department in Ohio.

If that happens, push back politely. You can explain that many other agencies across the country have produced this information and that it would greatly help inform the public. You can try contacting the police department's public information officer. Another option is alerting local press that the agency is refusing to disclose basic information about a public surveillance system, shutting residents out of decisions about how that system is being used. If you have the resources and time, you may also consider litigating a denial or lack of response.

You can also email your city council or board of supervisors member. Explain why this matters: The law enforcement agency may be facilitating immigration enforcement in secret, potentially in violation of its own policies. Ask them to use their oversight authority to demand answers from the agency, including pressing the vendor directly. Elected officials hold real leverage here: In most cities, either the council or the city manager controls the contract, and both are accountable to the public. If your agency's contract is up for renewal—or if a new pilot program is on the horizon—this is exactly the kind of information that should be part of that public debate before officials sign anything.

While we have filed dozens of these requests, we need locals to help gather even more. Drop us a line with the records you receive (or don't) at aos@eff.org

Dave Maass

The KIDS Act Would Require Age Checks To Get Online

1 day 11 hours ago

Within the next week, Congress is preparing to vote on the KIDS Act, a sprawling package of legislation that seeks to control Americans’ web browsing and private messaging. The package includes a revised version of the Kids Online Safety Act, or KOSA, combined with a collection of other internet bills, study bills, reporting requirements, and new regulations. Instead of debating any of these proposals on their merits, lawmakers are attempting to move them all at once under an ultra-expedited process. 

The package of cobbled-together bills is a mess, with different age-gating schemes for different services, using different standards. It’s a lot of complexity, and a lot of legal risk. Faced with that, many companies will conclude that the safest option is restrictive age-checking practices across their entire platforms.

Buried inside the KIDS Act are provisions that will push online services to verify all users’ ages, require government-directed moderation policies for online speech, and even create new rules about private and encrypted communications. While supporters continue to claim this bill protects minors online, its requirements come at the expense of privacy, free expression, and the ability of people of all ages to use the internet without revealing sensitive data. 

Take action

Tell Congress to reject this age-gating bill

The KIDS Act Pressures Platforms to Check Everyone's Age

Supporters of KOSA have said the bill doesn’t require age verification. And technically, the KOSA section of the bill does say that KOSA shouldn’t be read to require age verification. 

But if you read the rest of the bill, that disclaimer starts to look hollow. 

Throughout the KOSA section of the legislation, special protections, controls, messaging settings, and parental tools are required whenever a website or app “knows or should have known” a user is a child (defined in the bill as anyone under 13) or a teen (defined as anyone between 13 and 16 years old). 

The problem is a website operator doesn’t need actual knowledge that a user is a minor to get in legal trouble. It applies when a platform “knows or should have known” a user’s age—a low, negligence-style standard of knowledge. If an online service gets it wrong, it’s going to be up to courts and regulators to decide, after the fact, if an online service “should” have known a user was 16. 

To try to avoid liability, services will have to determine which users are teenagers and which are not. Most won’t be able to simply trust their users. They’ll have to collect more information about age, before any lawsuit or government action arises. Some companies may respond by requesting driver's licenses or passports. Others will rely on age-estimation systems that attempt to guess users' ages by looking at existing activity or doing facial scans. Existing estimation systems frequently get children’s ages wrong, which is a big problem when that is the population KOSA is trying to protect. And the systems fail more frequently for people of color, people with disabilities, and trans and nonbinary people.

The bill’s authors seem to know this is a problem. On the one hand, the new KOSA section says age verification is not required. On the other, it repeatedly imposes obligations that depend on knowing whether a user is under 17. But a disclaimer doesn’t magically eliminate legal risk, especially for smaller services and startups that can’t afford to defend lawsuits or fight regulators.  

Take action

The "KIDS Act" Is an Age Surveillance Bill

KOSA is not the only part of this package that creates age-verification pressure. The SAFE BOTS Act, like KOSA, goes back to the standard that if a service “knows or should have known” that a user is a minor it can’t offer certain chatbot features. 

The SCREEN Act requires services that host sexually explicit content to determine whether users are “more likely than not” under the relevant age limit, before allowing access to certain content. 

The consequences of this liability will not be limited to minors. If websites and apps are expected to reliably identify teenagers, adults will be asked to prove they are adults. The result is a less private internet for everyone.

The KIDS Act Pressures Platforms To Police Lawful Speech 

The new version of KOSA removes the bill’s infamous "duty of care" provision, a significant change. The revised KOSA requires covered platforms to "establish, implement, maintain, and enforce" policies and procedures addressing several categories of content and conduct. 

Some categories, such as true threats and sexual exploitation, involve unlawful activity. Others are much broader. The bill specifically requires policies addressing the "sale or use" of narcotic drugs, tobacco products, cannabis products, gambling, and alcohol. It also restricts discussions around financial fraud.

Sounds straightforward enough. Then you remember how people actually talk—online and off. Can teens discuss addiction and recovery? Can a 15-year-old post that she’s worried she has a friend who is drinking too much? Can they seek advice about a parent’s gambling problem, or get help if they or a family member have been scammed? Can they participate in harm-reduction communities or discuss substance abuse treatment? All of these young people would be engaging in lawful speech when discussing topics covered by KOSA’s enumerated harms. 

The bill does not directly ban those conversations. But it places platforms under huge pressure to create and enforce moderation policies around broad categories of lawful speech. Faced with legal risk, many services will inevitably choose to remove that speech or restrict those discussions to spaces where they know only adults can participate. We’ve seen this movie before. When legal risk goes up, platforms will take down more speech. 

The KIDS Act Regulates Private Messages, Too 

Several provisions of the bill create new rules around direct messages, disappearing or “ephemeral” messages, and AI chat services. 

The bill includes language stating that certain KOSA requirements should not be construed to override strong encryption. But the protection is incomplete. The carve-out applies to certain features and messaging controls, but doesn’t apply to KOSA’s separate requirement that platforms "address" a list of harms to minors. 

The KIDS Act never answers an obvious question: how exactly is a platform supposed to address those activities if they’re inside encrypted communications that it can’t read? That will create pressure for providers to weaken private communications or limit features on encrypted private services. 

That approach is especially troubling when it comes to ephemeral messaging. Disappearing messages are not a “loophole” or a dangerous design trick. They are a useful privacy feature that allows online conversations to function more like ordinary real-world conversations, which are not preserved forever in a permanent database.

Like many other parts of the KIDS Act, these private messaging provisions also depend on websites and apps knowing who is a minor and who is not. The result is more age checks, more restrictions, and less privacy online.

Take action

Tell Congress: no online age checkpoints

Joe Mullin

🦅 Domestic Spying Takes an L | EFFector 38.12

2 days 1 hour ago

Sold to the public as a foreign surveillance tool, Section 702 is the law that has let intelligence agencies spy on millions of Americans’ private conversations without a warrant. Despite years of revelations about this law's misuse, Congress has repeatedly reauthorized Section 702 without meaningful reform. Until this month, that is, when it finally lapsed in a major victory for privacy. In our latest EFFector newsletter, we're covering the expiration of Section 702 and what happens next.

JOIN OUR NEWSLETTER

For over 35 years, EFFector has been your guide to understanding the intersection of technology, civil liberties, and the law. This issue covers a disastrous plan to overhaul the U.S. Copyright Office, why the UK's social media ban will cause more harm than it prevents, and a new Senate bill taking aim at government pressure to silence lawful speech online.

Prefer to listen in? EFFector is now available on all major podcast platforms. This time, we're chatting with EFF Senior Policy Analyst Matthew Guariglia on what the expiration of Section 702 means for warrantless domestic spying. You can find the episode and subscribe on your podcast platform of choice:

Episode player: https://player.simplecast.com/aa8b6660-bde6-466d-80e3-156cddad0e95 (this embed serves content from simplecast.com)

Want to protect your private conversations? Sign up for EFF's EFFector newsletter for updates, ways to take action, and new merch drops. You can also fuel the fight for privacy and free speech online when you support EFF today!

Christian Romero

The UK’s New Under-16 Social Media Ban Will Cause More Harm Than It Prevents

1 week ago

This week, politicians in the UK pushed forward with plans to eviscerate privacy and free speech on the internet by announcing a ban on social media for users under 16 that is set to take effect in Spring 2027. 

The UK government continues to falsely characterize this policy as a necessary response to growing concerns about online harms for young people. In reality, much like the Online Safety Act, it will cause more harm than it will prevent. 

Users of all ages are burdened with proving their age before accessing content, with social media platforms such as Snapchat, TikTok, YouTube, Instagram, Facebook, and X included in the ban. There remains no reliable, privacy-preserving method of verifying the age of every internet user and methods vary from one platform to the next.

Young people will not simply be protected from being contacted by adults or endlessly scrolling. They’ll also lose access to educational videos on YouTube and local events on Facebook, and may be cut off from distant friends and family. 

Public policy must be effective, proportionate and respectful of fundamental rights. Young people deserve better than a policy built on panic, and all internet users deserve a safe and free internet. A social media ban generates headlines, but it will not solve the problem. 

A Brief History of Age-Gating in the UK

Age restriction proposals in the UK date back to a decade ago, when the proposed Digital Economy Bill was put forth to (among other things) restrict young people from accessing pornographic websites. While the Digital Economy Act of 2017 passed without age-based restrictions, it laid the groundwork for later age verification measures.

Over the next few years, age checks for porn websites were announced then delayed several times. But it wasn’t until a consultation under the 2016-2019 May government and the 2020 publication of the Online Harms Whitepaper that age verification became a broader idea.

In 2023, the UK passed the controversial Online Safety Act, establishing powers that could weaken privacy protections and freedom of expression for internet users worldwide. In July 2025, the government implemented age assurance measures on sites hosting “harmful” content. 

And despite politicians affirming repeatedly that the Online Safety Act would solve all of the problems with online safety, this year they decided it in fact did not go far enough. American social psychologist and The Anxious Generation author Jonathan Haidt—who has called for age-related social media bans around the world, despite significant scientific doubt about his research—met with the UK Health Secretary in February to push for the ban.

In March, politicians introduced plans for a social media ban into the Children’s Wellbeing and Schools Bill to “prevent children under the age of 16 from becoming or being users” of “all regulated user-to-user services,” to be implemented by “highly-effective age assurance measures”—effectively banning under-16s from social media. 

When this proposal came before the House of Commons, MPs defeated it and proposed their own amendment: enabling the Secretary of State to introduce provisions “requiring providers of specified internet services” to prevent access by children, under age 18 rather than 16, to specified internet services or to specified features; and to restrict access by children to specified internet services which ministers provide. 

But the social media ban does not stop there. The provision also requires internet service providers to limit the time kids spend online, and has rules about who can contact them online. These extreme rules will take decisions about using technology away from families and put them in the hands of government regulators. 

The history of this proposal shows that the UK government has repeatedly returned to the same flawed idea: restricting access to online services by requiring age checks for everyone. But the fundamental problems have not changed. There is still no widely available way to verify age online without compromising privacy. And even if there were, broad restrictions on social media will inevitably limit access to lawful speech, valuable online communities, and arts and culture.

Paige Collings

EFF Joins 60+ Groups Urging the UK to Halt Face Estimation at the Border

1 week ago

This week, EFF joined Foxglove, Human Rights Watch, and 60 other organizations in writing to the UK’s Minister of State for Border Security and Asylum, Alex Norris, raising serious concern about the Home Office’s decision to deploy Facial Age Estimation (FAE) to assess asylum-seeking children from 2027. 

The letter points to four key concerns:

Discrimination 

As with most face estimation and recognition tools, there is ongoing bias in the deployment of these technologies. With FAE, many have highlighted its baked-in failures and discrimination, particularly in relation to women and people of color. Evidence shows that FAE is most accurate for estimating the ages of Eastern European men, but even then it consistently produces errors. The Home Office itself noted “that FAE performance can vary depending on ethnicity” and skin tone. 

Inaccuracy

The Home Office has admitted that FAE systems are imprecise for analyzing 16- to 18-year-olds, with even the “top systems” having an “error margin of around 2.5 years here.” This is exactly the age range for which the Home Office has chosen to deploy this technology. And this error margin will be widened yet further because children seeking asylum often suffer from trauma-induced aging. 

Lawfulness of Use of Children’s Data

Major concerns exist around the lawful basis on which the Home Office, or its chosen third-party FAE vendors, could have sought consent to collect and process photographs or data from asylum-seeking children to train this system. Further, there is no clarity on the images and/or data that this technology has been trained on. 

Lack of Necessary Disclosure 

The Home Office claims “extensive testing has already been carried out across diverse groups, including different ethnicities, genders and age ranges, indicating promising performance and accuracy.” But these purported “promising” results have not been published, nor have any Equality or Data Protection Impact Assessments. 

The letter continues by requesting clarification on several key questions regarding these concerns. EFF and partners have provided the UK government 21 days for a response, and we urge the Home Office to take on this uphill task in good faith and release the information.

You can read the letter in full here

Paige Collings

Canada Is Forging Ahead with Its Dangerous Surveillance Bill

1 week ago

With no serious debate, including on proposed amendments, Canada is blazing full speed ahead with Bill C-22, which would threaten encryption and increase surveillance. Also known as the Lawful Access Bill, Bill C-22 is currently moving forward quickly to a vote despite the many, many criticisms civil liberty groups and the tech industry have hurled at it.

As we’ve discussed before, Bill C-22 is dangerous on multiple levels. It pushes for requirements for metadata retention, expands information sharing with foreign governments, and establishes a mechanism that allows Canada’s Ministry of Public Safety to demand that companies create backdoors, effectively breaking encryption. That mechanism was a key facet of Part 2 in Bill C-22, and the government prevented it from being independently debated.

In a deep analysis of the bill, Citizen Lab and the Canadian Civil Liberties Association detail every one of the flaws of this proposal, concluding that most elements are unsalvageable. 

A wide range of tech companies agree. Signal, Apple, Google, and several VPN providers oppose the bill, and some have said they’d likely be forced to either cut Canadians off from certain features or shut down services in Canada altogether.

The Canadian government wants this dangerous, complicated, overreaching bill passed before June 19. Bill C-22 is riddled with privacy problems that affect millions of people. It should be debated and studied fully, not jammed through on an arbitrary deadline. 

OpenMedia is offering a tool for Canadians to contact their elected representatives about the bill. Actions taken on OpenMedia's website are governed by OpenMedia's privacy policy, not EFF's.

Thorin Klosowski

EFF Thanks SerpApi For Helping Us Protect Free Speech Online

1 week ago

EFF is grateful for SerpApi’s generous support, helping us fight for your rights to speak and access information online. SerpApi has been giving to EFF every year since 2018, and alongside our 32,000 individual donors, their gift is critical to keeping up the fight.

Whether in the courts, halls of power, or broader policy debates, we appreciate the work this support has made possible over the years. Some examples:

  • We sued the U.S. Department of Homeland Security and Department of State to stop an unconstitutional social media surveillance program to identify and punish individuals who express viewpoints the government disagrees with.
  • We helped develop the Santa Clara Principles, a framework to rein in overbroad content moderation so that all users are treated fairly and offered consistent tools for recourse if their speech is censored by tech companies.
  • In the whitepaper Unfiltered: How YouTube’s Content ID Discourages Fair Use and Dictates What We See Online, we pushed back on YouTube for silencing individual creators in the interest of protecting a small number of giant copyright holders.
  • We stood with whistleblowers and dissidents persecuted for their online speech.
  • We continued the fight to protect Section 230.

We live in an era when lawful speech and the right to access information are being targeted by Big Tech and governments around the world that are hostile to dissent. Free speech online is core to EFF’s mission, and SerpApi’s support will help us continue the fight to protect everyone’s right to free expression.

Tierney Hamilton

Call for Submissions: Digital Pride

1 week ago

This Pride season, join EFF and the Queer Arts Collective in building a creative space at the intersection of digital justice and artistic expression. 

We’re looking for fresh, untold, historically censored takes on digital liberation. 

Whether it’s pointing the lens towards an issue you feel is underrepresented in digital justice efforts; sharing personal accounts of joy, pleasure, or sorrow under surveillance; painting your widest imagination for our communities using technology for good instead of carcerality and doom—we want to see it and we want it to expand our own understanding of what’s important and beautiful. 

We’re going to be curating between five and nine art pieces across writing (fiction, nonfiction, poetry) and visual arts (photography, drawing, painting). We welcome fluidity in medium and genre, and cross-genre works of all kinds, such as graphic storytelling and collaborations. 

We are looking for works that convey the importance of digital liberation and ways of achieving it, particularly from under-represented perspectives. Pieces will be selected based on interpretation of the theme, emotional resonance (does it surprise, move, frighten, delight?), and overall curatorial cohesion for each issue. 

Submissions that adhere to the following length guidelines are preferred: 

(NON)FICTION - max 1500 words
POETRY - max 2 poems 
VISUAL ARTS - max 1 artwork, which can be a serialized collection. 

Please submit to paige+pride@eff.org by June 30, 2026, including your piece as an attachment and a short bio in the body of the email, alongside anything else we should know about your submission. You can expect to hear back from us around July 31, and we aim to have the first issue published in September. If we select your submission for publication on both EFF and Queer Arts Collective websites, we will compensate you between $25 - $50, depending on the number of pieces published. 

There is no fee for entry. Please only submit one piece or a contained series for this call, and wait for us to get back to you before submitting again. If you plan to submit both individually and as part of a collective, one submission in each of these categories applies. 

Your submission must be your original work and you must have the legal right to authorize us to publish it, but it need not be created specifically for this project; you may submit a work you have published previously. Please disclose any use of AI in a note in your application—this will not disqualify your entry, though we value transparency of labor exchange. 

As attempting to witness art is a highly subjective endeavor, please don't consider not being selected as anything other than circumstantial. We are looking to foster a community of artists working for digital justice, and would love to see more from you in the future. 

You will retain all legal rights to your work, but agree to provide EFF and Queer Arts Collective with a non-exclusive and non-time-limited license to publish your work on their websites and other promotional materials, such as in zines. 

Meet the Judges

Kit Walsh is an EFF attorney who works to protect the rights of activists, journalists, researchers, and dissenters in order to build a better world. She is also a Nebula-award-winning author and is best known for her tabletop roleplaying game Thirsty Sword Lesbians.

Paige Collings is an EFF activist working to dismantle systems of oppression and advance collective liberation. Her work focuses on highlighting how state surveillance and corporate restrictions stifle marginalized communities and perpetuate historic injustices and harm. She works with activists across the globe to facilitate systemic change by speaking truth to power and creating spaces for alternative imaginations.

The Queer Arts Collective is an NYC-based collective run by queer and racialized artist-activists, looking to make space for art that is deliberately disruptive of structural hierarchies that power the status quo.

Paige Collings

A New Bill Takes Aim at Government Pressure to Silence Lawful Online Speech

1 week ago

Last week, Senators Ted Cruz and Ron Wyden introduced the Justice Against Weaponized Bureaucratic Overreach to Networked Expression, or JAWBONE Act. The bipartisan legislation creates a federal cause of action against government officials who coerce or attempt to coerce broadcasters, interactive computer services, or AI providers into taking actions against lawful, First-Amendment-protected speech, and establishes a transparency system for government communications with those intermediaries about user expression.

We thank the Senators for their leadership on this important issue. Jawboning occurs when the government pressures private companies to censor speech protected by the First Amendment, and it’s not always obvious to the public or to the victims what has actually happened. Deleting posts or cancelling accounts because a government official or agency demanded it or even made threats in making those demands—just like spying on people’s communications on behalf of the government—raises serious free speech concerns. Among other things, this bill would provide a new legal right to bring claims against the government in federal court, in addition to what the First Amendment provides.

At EFF, we’re continuing to fight back on behalf of those censored by government coercion. One recent example: we represent the creator of ICEBlock, an app that allows the public to report immigration enforcement activity in their communities. In June 2025, high-ranking federal officials began threatening to investigate and prosecute the creator of ICEBlock, Joshua Aaron. In October 2025, the U.S. Attorney General demanded Apple remove ICEBlock from the App Store, and the company complied. The government’s coercion violated Aaron’s First Amendment rights.

We’ve also filed a Freedom of Information Act lawsuit against the same government agencies that threatened Aaron and other services that provided forums to report ICE activity. The lawsuit seeks the disclosure of the government’s communications with Apple, Google, and Meta that forced the services to remove lawful speech.

When federal officials pressure private companies into censoring protected speech, it can violate the First Amendment. But, not every communication from a government agency to a platform is unconstitutionally coercive. Treating legitimate communication and information-sharing between the government and private actors as though it were always unconstitutional would chill the valuable, good-faith engagement that supports a healthier and safer internet and nation for all Americans. This is a complex issue, and one that is important for Congress and the courts to get right. 

Finally, contrary to what many in Congress have been saying, social media platforms and other internet intermediaries have their own First Amendment rights to decide how they moderate users’ speech. They are not “state actors” and do not have an obligation under the First Amendment to allow all user speech on their platforms. EFF filed an amicus brief setting out our position in 2018, and we’ve said it in many cases since. The Supreme Court recognized again in the NetChoice cases that these services have a right to curate and edit their users’ speech, whether or not it aligns with the government’s position. And it’s important to defend that First Amendment right so that governments cannot dictate how a company edits its own site according to the government’s wishes and desires. To prevent jawboning by default, companies must be free to curate their platforms as they wish.

EFF applauds Senators Cruz and Wyden for taking this critical issue seriously, and we look forward to working with Congress on this bipartisan bill as it moves through the process. We hope it lands on the right balance to provide additional protections for everyday users around freedom of expression. 

India McKinney

Court Records Should Be Free

1 week ago

Court records belong to the public. Yet anyone seeking access to federal court filings through PACER, a government software system that stands for Public Access to Court Electronic Records, is usually required to pay hefty fees to search for and view documents. PACER’s fees have long acted as a barrier that makes it hard, especially for low income people, to see and understand the work produced by our own public servants. 

That's why EFF joined a broad group of organizations supporting the Open Courts Act of 2026, legislation that would modernize the federal courts' electronic filing systems and eliminate PACER fees. 

Public access to the courts is a cornerstone of democratic accountability.

The bill would replace the aging PACER and CM/ECF systems with a modern, unified platform designed to improve public access, strengthen cybersecurity, and reduce long-term costs. Supporters note that PACER currently collects more than $150 million annually in fees from the public, despite court records being public documents.

The Open Courts Act would also make court records easier to find, access, and understand. The legislation builds on a similar proposal, also supported by EFF, that previously won bipartisan support in the Senate Judiciary Committee but did not become law before the end of the congressional session.

This is not a new issue for EFF. More than a decade ago, we criticized PACER's paywalls and the removal of some court records from online access, arguing that the public should not have to pay to read the law and the judicial decisions that shape it. The Open Courts Act would move U.S. courts a big step closer to that goal. 

In addition to EFF, the bill is supported by Fix the Court, the group pushing this bill forward; the Free Law Project, which maintains RECAP, software that has created a large archive of legal opinions and other court records; as well as civil society groups, open government watchdogs, and media groups. 

Public access to the courts is a cornerstone of democratic accountability. Let’s eliminate unnecessary barriers to court records, and bring the federal judiciary’s tech into the modern era. 

  • Read the full letter supporting the Open Courts Act of 2026

Joe Mullin

Field Notes from a Year of OPSEC Training

1 week ago

Late last year, as part of our annual “Year in Review” series, we summarized our efforts providing digital privacy and security advice to at-risk communities. OPSEC trainings (short for operational security, a catch-all term we use to describe any kind of workshop, advising session, assessment, or presentation about operational security for individuals and organizations) are something we've long provided, but until recently, something we’ve never broadcast.

This has become a critical aspect of our work over the years, keeping us grounded and in touch with the realities of tech-enabled violence as well as evolving resistance strategies used by movement workers. Hoping other security trainers and organizers copy our homework, here’s a more thorough breakdown.

NOT TRADITIONAL PENTESTING

To be clear, we're not a 'pentesting' company. Penetration testing is a methodical process for testing a person's or organization's security and privacy posture, and we are not an information security (infosec) firm offering anything within the scope of a traditional security assessment. Infosec companies almost always follow a cycle of discovery/reconnaissance; vulnerability scanning and testing; exploitation of the vulnerabilities found; and a report back of recommended mitigation strategies. Such full-spectrum audits can run the gamut of testing network security, physical security, an organization's posture against phishing or ransomware attacks, web app security, and more. For many organizations, the value of such engagements is immeasurable.

Such companies—although equipped with the technical sophistication to do full-spectrum digital security auditing and testing—often lack the critical points of view of human rights defenders and activists. Many human rights defenders and liberation movement workers are critically under-resourced and unable to meet the high costs of engagement with such infosec companies. But that’s not what we offer. Our trainings center the needs of people on the ground, and we offer this work pro bono.

The cycle of engagement our work tends to take is similar to the lifecycle of pentesting outlined above, but with some key differences better suited to people-powered movements. 

We begin with a period of discovery about the organization we’re engaging with, learning about their work, the issue space they’re working in, and the types of threats their peers have faced in the past. Relying on our knowledge of known threat actors (state-operated threats, non-state actors, surveillance mechanisms, and more), we conduct a thorough threat modeling and risk assessment exercise, surfacing critical pieces of information about what we ought to prioritize protecting and from what. Sometimes that’s enough for a group to get started on improving their security plans, and we send them on their way.

After receiving consent from the group to do so, we may perform some OSINT (open source intelligence) investigation and map out a sketch of their digital footprint. This often looks like some combination of discoverability through public records, data broker ecosystems, and breach databases, as well as risks they may incur through the services they rely on for their web presence. That latter part can be done with typical pentesting reconnaissance tools, as well as our own project Privacy Badger for mapping the trackers on their website, which pose them and their users some amount of risk. Working from this sketch of their digital footprint, opportunities to lessen the reach of their data exposure, or at least the more sensitive areas they ought to be aware of, become apparent.

For a more in-depth engagement, we take the information gathered from the guided threat modeling exercises, as well as the digital footprint we’ve developed for them, and we move on to training the participants on what they need to address their threats. Sometimes that looks like a deep dive on encryption and how it can be used to protect data backups and secure communications. Other times it looks like getting very knowledgeable and practiced on the various ways to stay safe from surveillance threats encountered at a protest. Often though, our engagement with those asking for advice on how to strengthen their OPSEC is as simple as presenting materials covered in our Surveillance Self-Defense (SSD) project, but with EFF staff to help apply those lessons to their context.

MOVEMENTS AND COMMUNITIES ADVISED

Requests for such training mostly arise organically, either via referral, from our participation in external media, or driven by an interest in SSD. Naturally, the demand for accessible OPSEC advice escalates along with the general sophistication and reach of surveillance technology. And as authoritarianism creeps and continues to threaten the movement workers fighting against it, there's a marked urgency for that demand.

The types of communities and liberation movement workers that reach out run a wide array of experiences, but some commonalities stick out. Since the fall of Roe v. Wade, we've seen a huge uptick in abortion access activists like clinic escorts and information distribution networks reaching out. So too are providers of criminalized healthcare services, both abortion services and gender affirming care alike. The list goes on: advocates for transgender rights such as art collectives and archivists, sex worker rights activists, survivors of intimate partner violence, climate justice activists, legal defense groups focusing on immigrant justice and Black liberation. And many, many others, often stemming from experiences of distinct marginalization and state-powered violence.

We’re dressing the wounds the violence of surveillance inflicts.

TAXONOMY OF THREATS

When there's a cast of common threat actors that so often emerge during risk assessment (ideologically motivated harassers, lawmakers, cops, negligent leadership at large tech platforms, etc.), there is a level of predictability about their capabilities. We use that information to make knowledgeable risk assessments for those we’re working with, determining the means that threat actors have to cause them harm, as well as the likelihood.

For community organizers and grassroots activists we most often see concerns around doxxing (and harassment driven by OSINT), social media monitoring, content suppression on tech platforms, and insider threats such as infiltration within trusted communication channels. Often this comes with a tension between publicity and privacy—needing to spread their message and further their cause, while recognizing that digital privacy has a profound impact on their personal safety. Some activists may instead hope to organize other more covert forms of direct action. They're more likely to be concerned about the types of street level surveillance that they may encounter.

Small organizations, nonprofit and otherwise, may share the concerns around doxxing, as well as traditional digital security concerns around their web presence. Website defacement and data exfiltration are particular concerns for organizations that don't have the resources to commit to IT security staff. And for those that do have meager budgets for such things, organizational compliance and ease of use regarding privacy and security technologies are a whole other concern. The question then becomes how to manage a system of distributed devices that are uncontrolled by the organization, but operationally necessary for each member of their community.

Generally speaking, the threats most commonly encountered in these spaces have to do with the opacity and unchecked reach of surveillance systems. With every single individual or group that we encounter in this type of work, threat modeling comes number one in terms of priority. There is no way to protect against every theoretical threat. Instead, we walk others through the process of identifying and then prioritizing known and perceived threats, based on their specific context and the type of work that they do, before moving on to recommended mitigation and resistance strategies. 

STRATEGIES OF RESISTANCE

Developing a threat model without a course of action often does more to stoke privacy nihilism than remedy the risks communities face. The more we engage with at-risk communities and offer reasonable, accessible OPSEC advice, the greater our instinct develops for recognizing such strategies. At the core of these recommendations lie the backbones of privacy and security fundamentals, such as encryption, access controls, sophisticated backup plans, OSINT skills, and resistance to online tracking.

Over the years, we've found it easiest to begin with non-technical recommendations first. These strategies often mesh well with the community's extant organizing procedures, such as designating team roles and thought-out contingency plans for specific risks. This may look like identifying those extant plans and tacking on responsibilities like data backups, code words for community vetting, and developing workarounds or contingency plans for if they lose access to specific technologies.

Eventually, though, the strategies must become more technical, like switching to more private and secure technology alternatives, developing a sophisticated and encrypted data backup plan, and having technical contingency plans in place for if/when they are deplatformed or their services interrupted. Developing patience and compassion when walking groups through unfamiliar technologies is an essential tool of this work. So too is the habit of checking ourselves, as privacy and security nerds, to know the difference between the most secure technologies and those which will actually be used by at-risk community members. Any step towards more thoughtful OPSEC is better than one too difficult to use. The last thing we want is a recommendation that results in people frustratedly giving up on doing anything at all. After all, the whole point of this is to empower movement workers, not inhibit them.
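The two steps the post describes, ranking known and perceived threats by how likely and how harmful they are and then pairing the top ones with mitigation families such as encryption, access controls, backups and OSINT hygiene, can be written down as a small tool. The block below is an added illustration, not EFF's own code or part of its training materials; the 1-to-5 likelihood and impact scales, the actor-capability weights, the mitigation table and the sample threats are all constructed assumptions for the example.

```python
"""Threat-model prioritization (added example; not EFF's code).

Assumptions for this illustration:
  * likelihood and impact are each scored 1 (low) .. 5 (high);
  * the likelihood is scaled by how capable the threat actor is;
  * risk = likelihood * capability * impact, higher means address first.
"""
from dataclasses import dataclass

# Assumed capability weights: a state actor with subpoena power and
# surveillance tooling is more likely to succeed than a lone harasser.
ACTOR_CAPABILITY = {
    "state": 1.0,
    "accidental": 1.0,        # self-inflicted loss needs no attacker
    "platform": 0.8,
    "organized_harassers": 0.6,
    "individual": 0.4,
}

# Assumed mapping from threat category to the mitigation families the
# post names (encryption, access controls, backups, OSINT skills,
# community vetting, tracking resistance, contingency plans).
MITIGATIONS = {
    "doxxing": ["data broker opt-outs and OSINT self-audit",
                "separate work and personal identities"],
    "device_seizure": ["full-disk encryption with a strong passphrase",
                       "carry minimal data to actions"],
    "data_loss": ["encrypted off-site backups", "periodic restore drills"],
    "deplatforming": ["mirror content outside the platform",
                      "keep member contact list off-platform"],
    "infiltration": ["community vetting with code words",
                     "need-to-know membership in chat groups"],
    "web_tracking": ["audit site trackers", "consent-based analytics only"],
}


@dataclass
class Threat:
    name: str
    category: str
    actor: str
    likelihood: int   # 1 = rare .. 5 = expected
    impact: int       # 1 = nuisance .. 5 = physical safety / liberty

    def score(self) -> float:
        """Risk score used for ranking; rounded to tame float noise."""
        return round(self.likelihood * ACTOR_CAPABILITY[self.actor] * self.impact, 2)


def prioritize(threats: list[Threat]) -> list[Threat]:
    """Highest risk first; ties broken by impact, then by name for stability."""
    return sorted(threats, key=lambda t: (-t.score(), -t.impact, t.name))


def recommend(threat: Threat) -> list[str]:
    """Canned mitigations for a category, or a flag that a trainer must weigh in."""
    return MITIGATIONS.get(threat.category, ["no canned mitigation: discuss with trainer"])


def plan(threats: list[Threat], top_n: int = 3) -> list[dict]:
    """Build the mitigation plan: top_n threats get actions, the rest get monitored."""
    ranked = prioritize(threats)
    result = []
    for idx, t in enumerate(ranked):
        result.append({
            "threat": t.name,
            "score": t.score(),
            "action": recommend(t) if idx < top_n else ["monitor; revisit next review"],
        })
    return result


# Constructed sample threats for a hypothetical grassroots group.
SAMPLE_THREATS = [
    Threat("Home address published by harassers", "doxxing", "organized_harassers", 4, 5),
    Threat("Phone seized at protest", "device_seizure", "state", 3, 5),
    Threat("Shared drive lost with no backup", "data_loss", "accidental", 3, 3),
    Threat("Organizing account suspended", "deplatforming", "platform", 4, 3),
    Threat("Infiltrator joins group chat", "infiltration", "state", 2, 4),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_THREATS):
        print(f"{row['score']:5.1f}  {row['threat']}: {'; '.join(row['action'])}")
```

The point of the ranking is the conversation it forces, not the arithmetic: a group that scores "phone seized at protest" above "doxxing" has decided where its limited time goes, and the plan's "monitor" bucket records what was consciously deferred rather than forgotten.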

HOLISTIC MITIGATIONS

It is painfully obvious how many identified threats could be protected against if there were comprehensive data privacy legislation protecting all people. The lack of such is an existential threat to everyone. Bills that undermine people's right to privacy are never clear about what they're doing, and often come wrapped in some paternalistic guise of addressing some other harm elsewhere. They often use confusing, oblique language that preys on the public's interest in correcting the course of other social harms. The reality is that when it’s clearly explained, every person online wants better privacy. And as we know, every individual's personal security and wellbeing are entwined with their access to privacy. The capacity with which a person can decide what to share online, rather than have sensitive information non-consensually taken from them by creepy surveillance technologies, is a matter of self-determination. And it's in all our best interests to fight for the right to self-determination.

WHAT WE GET BACK

An unexpected outcome of identifying so many common threat actors across such varied issue spaces is revealing potential avenues of collaboration and camaraderie. Some movements are already keen on this allyship, such as those focusing on various aspects of bodily autonomy and self-determination. Abortion access activists and trans liberation activists are often in concerted allyship. Other less obvious connections are legal defense groups that offer "know-your-rights" style educational materials and other issue-specific activists who have questions about the legal threats they're facing while fighting for their cause. 

Recognizing the common threat actors across different issue spaces begins to highlight opportunities for collective action against those threats. As a digital rights organization, this is very much our wheelhouse, and precisely why our technologist team is self-described as one working toward the public interest. It’s also from this point of view that we continue to win. And why it’s critical for lawmakers to pay attention when we say particular pieces of bad legislation are harmful to public safety. And finally, why it is necessary for public interest technologists and digital rights activists to connect with other communities to learn about the specific technology risks they’re worried about. As Mariame Kaba says, “Nothing that we do that is worthwhile is done alone.” This very blog post is in an effort to provoke thought for digital security trainers, so that we as a community don’t work atomized and alone, reproducing the same work, exhausting ourselves and creating unnecessary redundancy.

We do what we can to keep up. And thankfully, we participate within an ecosystem of digital security providers that have a keen mind towards fighting for digital rights. We share resources, referrals, and expertise. Our Surveillance Self-Defense project is stress-tested by the experiences shared by the liberation movement workers we engage with and provide this work to. If you’re interested in becoming a digital security resource for your community, start with the SSD. If you’re a human rights defender with questions about how to stay safe, reach out. And if you’re not sure what else to do, you can always help us keep it going.

Daly Barnett

AI Regulation Should Be Rational, Not Retaliatory

1 week ago

The Trump administration’s approach to AI safety, particularly the generative AI models that regularly grab headlines, has been haphazard at best. At worst, it’s unconstitutional. As EFF and our allies explained in an amicus brief, the Pentagon’s actions against one company, Anthropic, violate the First Amendment because they were motivated by the administration’s desire to punish an uncooperative company, not legitimate concerns about national security.

By and large, the Trump administration’s AI strategy has minimized regulation in the name of “winning” the global “race” to develop leading frontier models. It has pared back regulations intended to address even the most serious AI threats—like AI-enabled cyberattacks on government systems—to protect AI innovation.

Yet it has repeatedly singled out one AI company for arbitrary, heavy-handed rules and sanctions. For years, the federal government relied on Anthropic’s models for use in its classified systems. But after Anthropic resisted the government’s demands to use Anthropic’s models to autonomously kill people or spy on Americans, the government declared war on the “woke” company. It designated the company a “supply chain risk,” effectively banning agencies and government contractors from doing business with the company.

A court issued a preliminary injunction preventing these sanctions from taking effect, as EFF and other civil liberties organizations urged it to do in an amicus brief filed earlier this year. But absent judicial action, these sanctions would’ve cost the company hundreds of millions of dollars. Either way, it sent a clear signal that companies must adhere to the government’s wishes or face similar consequences.

As we explained in our brief filed today, these sanctions were clear retaliation for the company’s public refusal to allow the Pentagon to use its models to develop fully autonomous weapons and spy on Americans. This kind of retaliation is unconstitutional.

In a recent executive order, the Trump administration took its war on Anthropic even further, by imposing “export controls” that ban any foreign nationals from using Anthropic’s new Mythos and Fable models. To comply with this order, Anthropic shut down the models altogether.

These extreme measures were purportedly justified by security concerns. The administration said it feared that Anthropic’s Mythos-class models could be used to find and exploit existing vulnerabilities in software code—hardly a new feat for an LLM. Anthropic itself has contributed to public anxieties about its Mythos-class models, initially claiming that Mythos was too dangerous for public release and restricting access to a handful of partners. The company’s CEO called for a pause on AI development, citing fears that the technology was becoming too powerful.

But regulators should be cutting through the hype, not feeding it. Even if Mythos’s capabilities were a modest improvement over existing technology, others are already closing the gap. In other words, nothing about Mythos is so uniquely dangerous that it warrants exceptional export controls to protect the public. Yet other LLMs with similar offensive cybersecurity capabilities are not subject to export controls. Instead, the government has embraced a voluntary system in which companies are encouraged to submit models to the government for cybersecurity testing 30 days before releasing them to the public.

AI policy should be reasonably responsive to real-world risk, grounded in the realities of the technology, and no more burdensome than necessary to protect the public. But the government’s haphazard decision to impose export controls on Mythos-class models, while subjecting other AI models to nothing more than a voluntary, light-touch framework, meets none of these criteria. As leading cybersecurity experts and executives recently explained in an open letter, these sanctions prevent developers and security teams from using the best models to find and fix vulnerabilities before adversaries, armed with nearly as capable AI, can exploit them.

Decades Later, Code Is Still Speech

More importantly, export controls on important software tools like LLMs can undermine the free flow of digital communications and technologies that activists, innovators, and ordinary users desperately need. Freedom of expression requires access to these tools. Depriving the public of the best AI threatens our rights without making us any safer.

EFF has long opposed government efforts to restrict the publication of non-classified software to the general public. In the 1990s, EFF challenged export controls on encryption software, helping establish the principle that “code is speech,” protected by the First Amendment. Courts recognized that software is not just a functional tool—it’s a means of ideas, knowledge, and technical know-how. And they recognized that the government was overreaching in trying to restrict private developers from sharing their improvements in computer security with the public.

While AI models raise new questions, efforts to restrict access to them implicate the same constitutional and speech concerns as older efforts to restrict encryption. Export controls are uniquely susceptible to abuse. And they are especially suspect when they are unilaterally imposed without clear and fair standards.

Whether these export controls were another attempt to punish Anthropic or simply a misguided security measure, the public loses. The real cybersecurity risks of advanced AI may ultimately justify limited regulations to protect the public from legitimate threats. But whether the government ultimately chooses to heavily regulate the technology or hold off to promote innovation, its rules must be rational and evenhanded. 

Tori Noble

The Free and Open Web Is Under Attack at the IETF

1 week 1 day ago

The ability to access publicly available information using automated tools is a central value and benefit of a free and open internet. Automated access—often called crawling or scraping—powers important, useful tools for locating, preserving, and analyzing online information. For example, crawling and scraping helps journalists, researchers, and watchdog organizations report the news, find security flaws, and investigate discrimination. Crawling the web allows non-profits like the Internet Archive to preserve historical copies of websites. Tools for automated comparison shopping allow consumers to find the best deals on items they want to buy. And so on.

Yet the open internet access is increasingly under threat from publishers and Big Tech companies alike. Fearing lost advertising and licensing revenues, website operators increasingly claim that they need to lock down their sites from bots that crawl public web content to train or operate AI models. Some companies are even trying to embed their business models into internet standards by changing Internet Engineering Task Force (IETF) technical standards that shape much of the internet.

Many of their economic anxieties are understandable. AI bots can strain websites’ infrastructure, in some cases, degrading site performance or taking them offline altogether. Upgrading systems costs money that some sites may not have. And AI is likely to disrupt the business models many publishers adopted in response to the rise of the internet, if users rely on AI overviews instead of visiting source websites.

However reasonable these fears may be, the answer is not to change the IETF standards from neutral protocols that encourage openness to restrictive requirements designed to monetize internet access.

The worst of these proposed standards would give websites far greater ability to automatically block legitimate, lawful scraping and crawling. For example, the AI Preferences working group is working on proposals to give publishers a way to express “preference signals” against crawling web data for AI-related purposes, including to train models, generate outputs, and help users search the web. These preference signals would be expressed through robots.txt and could potentially become legally binding in some jurisdictions.

Another working group, called Web Bot Auth, is pursuing efforts to protect sites from overly-aggressive bots that strain website resources—a positive goal that could meaningfully improve the internet in the AI era. But Web Bot Auth is simultaneously pursuing a much more dangerous path as well: standards changes that would enable sites to cryptographically identify bots so that they can more easily block anyone they wish—not just “bad” actors, but competitors, dissidents, or anyone who hasn’t paid for the right to access sites using automated tools. If sites restrict crawling to a preapproved list of cryptographically authenticated bots, they could require licensing payments from those wishing to crawl their sites. This would close off the open web to researchers, archivists, and startups without the ability to pay for automated access.  

Websites may have legitimate reasons to worry about AI’s impacts on their traffic and advertising revenue, but those reasons must be weighed against the benefits of the open web. These proposals would effectively give website operators veto power over a wide range of important uses—from the investigations and archival works described above to accessibility tools for people with disabilities, to research efforts aimed at holding governments accountable.

That is why we are fighting back against these threats to open access. EFF and our allies in the open internet community have successfully resisted some of the most dangerous IETF proposals thus far—and won’t stop working to protect the open web from efforts to manipulate internet standards to undermine the right to freely access the internet in any legal way, including with automated tools.

Tori Noble

The NO FAKES Act Could Silence Satire, Commentary, And News

1 week 1 day ago

The NO FAKES Act is supposed to target harmful AI-generated impersonations. But in reality, it will make it easier to suppress commentary, satire, and other lawful speech. That's why EFF has signed a letter urging the Senate Judiciary Committee not to advance the bill in its current form.

Take action

Tell Congress to Say No to NO FAKES

In the letter, EFF joins a coalition of civil society groups in pointing out that the bill would import many of the worst features of the DMCA notice-and-takedown system into an even broader range of online expression. Faced with a “heckler’s veto” over legal speech, platforms will have incentives to remove content first and ask questions later. 

The bill offers no protection for a platform’s judgment about an often difficult question—whether a particular piece of content is satire, parody, commentary, or news. Any platform that guesses wrong faces penalties of up to $750,000 per work. 

NO FAKES could also undermine the rights of the people it is supposed to protect. The new federal “likeness” right could be licensed or transferred to others, so individuals will lose control over the use of their own face and voice. That’s not theoretical—workers in the entertainment industry are routinely asked to sign broad contracts about the future use of their likenesses.

As the letter notes: 

A background actor who signs a release on set or an ordinary person who clicks through a platform's terms of service could end up with the right to their own face and voice in someone else's hands, for years, with federal enforcement behind it. 

EFF and the other signatories urge Congress to examine existing legal remedies and pursue narrowly tailored solutions to genuine harms. The last thing we need is a sweeping new intellectual property right that threatens free expression. 

In addition to EFF, the letter is signed by the Center for Democracy & Technology, the American Civil Liberties Union, Fight for the Future, Foundation for Individual Rights and Expression, the Organization for Transformative Works, Public Knowledge, the R Street Institute, The Future of Free Speech, and the Woodhull Freedom Foundation. Read the full letter here. 


Joe Mullin

Onward, Friends

1 week 2 days ago

After 26 years, today is my last day at EFF. It's been a terrific and wild ride — the organization has grown from a tiny band of fighty people trying to plant a flag for freedom and justice in the coming digital world into a large, established band of fighty people doing, well, much the same. The world around us has changed enormously. Our core values haven't budged.

I'm proud of what we've achieved: freeing encryption, defending coders, pushing to rein in government and corporate surveillance and ensure the right to have a private conversation online, standing up for free speech and anonymous speech, fighting for network neutrality and safe voting machines, busting stupid patents, and making sure copyright didn't become the one law that rules the internet. That's only the start. We've stopped more bad legislative, regulatory, and legal ideas than I can count, built tools that millions rely on to protect their privacy, and helped encrypt the web. I've long said EFF is the plumber of the internet — finding the clogs and barriers that prevent technology from serving freedom, justice, and innovation for everyone.  

In addition to presenting cases in courts across the land, testifying in Congress and in California, in the European Parliament and at the United Nations, I went onto the internet with Stephen Colbert and engaged in a healthy disagreement with Jon Stewart. I wrote a lot of it down in a book, hoping to recruit others to the cause. The work has been hard and often frustrating at times. But looking back, the fun parts are what I remember most.

None of it would have been possible without EFF’s stalwart members. More than 30,000 people, some with big wallets and some with small ones, give us what we need to stand up to bullies and fight for the long haul. EFF has always served as a beacon for people who know that for technology to support freedom, justice, and innovation for all the people of the world, we need a dedicated band of folks working overtime on behalf of users, innovators, and creators. 

There's still plenty left to do. We haven't killed the third-party doctrine, tamed the surveillance business model, or gotten metadata the constitutional protection it deserves. Stupid patents persist as does the overreach of DMCA section 1201 and the Computer Fraud and Abuse Act. The government is now the largest purchaser of data from shady brokers, communities everywhere are fighting license plate readers and other street-level surveillance, and we haven't reined in NSA and FBI spying nearly enough. Meanwhile, the rise of AI is supercharging problems we've fought against for years.

But I'm proud of what we've built together. I'm grateful to every EFFer — past, present, and future — who threw in with us when the odds were long and the pay was much better elsewhere. I'm grateful to the EFF Board and especially to my mentors and friends Pam Samuelson and Shari Steele, along with my longtime partner in justice, Lee Tien, who has been working with me since the Bernstein case. Fighting for justice is easier when you have a posse: coworkers, co-counsel, coalitions, interns, volunteers, and the heroic clients who trusted us to steward their cases in ways that bent the law toward everyone's benefit. Twenty-six years later, EFF is part of a global diaspora of organizations defending internet freedom — and I'm proud of that too. 

I'm stepping down because good leaders should make way for new ones, and the time feels right. EFF is strong and full of fight. My successor Nicole Ozer — a longtime friend and collaborator — is exactly the right person for this moment. She understands EFF's role and values at a deep level and will protect them while helping the organization rise to meet what's coming. 

As for me, I'm not going far. After a few months off to reflect and walk dogs, I plan to get back into the fight for justice — likely heading back into the courtroom. And I'll be watching, cheering, donating, and wearing the merch from EFF, just like the rest of you.

Cindy Cohn

EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance

1 week 3 days ago

LGBTQ+ communities are facing an escalating wave of censorship and targeted surveillance, but we can push back through mutual solidarity. Join us live to learn how safer virtual spaces get built, how platform policies and government pressure are reshaping the digital landscape, and what platform accountability actually looks like. Our panel will share ideas for direct action and concrete strategies you can bring back to your community. Whether you’re an activist, an ally, or just paying attention, this conversation is for you. Join the livestream online followed by live Q&A.

EFFecting Change Livestream Series:
LGBTQ+ Solidarity Against the Tide of Surveillance
Wednesday, June 17th
9:00 am - 10:00 am Pacific - Check Local Time
Livestream followed by Q&A

This event is LIVE and FREE!

About the Speakers

Paige Collings
As a lawyer, digital policy activist and community organizer, Paige works to dismantle systems of oppression and advance collective liberation. Her work focuses on highlighting how state surveillance and corporate restrictions stifle marginalized communities and perpetuate historic injustices and harm. She has worked with activists across the globe to facilitate systemic change by speaking truth to power and creating spaces for alternative imaginations; and her writing on digital justice has been featured in Wired, Politico, Teen Vogue, the Daily Beast and more.

Jillian C. York
Jillian is EFF's Director for International Freedom of Expression, based in London. Her work examines state and corporate censorship and its impact on culture and human rights, with a focus on historically marginalized communities. At EFF, she organizes coalitions, writes about and researches topics related to freedom of expression, leads the Speaking Freely interview series, and contributes to various other areas of the organization's work. Jillian is the author of Silicon Values: The Future of Free Speech Under Surveillance Capitalism (Verso, 2021), a contributor to several academic volumes, and has written for MIT Technology Review, The Guardian, and WIRED, among others. She is also a visiting professor at the College of Europe Natolin in Warsaw, and a regular speaker at global events.

Soatok Dreamseeker
Soatok Dreamseeker is a gay furry security engineer. He blogs about applied cryptography on his blog, Dhole Moments, and is developing key transparency to enable end-to-end encryption on the Fediverse. His puns are 100% whole groan.

Luísa Franco Machado
Luísa Franco Machado is an award-winning international expert in digital rights and data justice. She has also been a technical advisor in data governance and AI ethics for governments, NGOs, and international organizations worldwide, including the UN, OECD.AI, GIZ, and others. Luísa has carried out policy research at the London School of Economics and Political Science (LSE) and Sciences Po Paris on the intersection between technology and socio-economic development. In 2022, the United Nations recognized them as a global Young Leader for the Sustainable Development Goals (SDGs) among more than 6,500 advocates. In 2025 she was featured in Apolitical's Government AI 100 list as a rising star.

Melissa Srago
EFF's Deeplinks Blog: Noteworthy news from around the internet