This feed does not validate.
line 36, column 1: (50 occurrences) [help]
<enclosure url="https://www.eff.org/files/banner_library/supreme-court-3.jp ...
^
In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
line 63, column 0: (400 occurrences) [help]
<description><div class="field field--name-body field--type-text ...
line 63, column 0: (190 occurrences) [help]
<description><div class="field field--name-body field--type-text ...
line 148, column 36: (25 occurrences) [help]
</div></div></div></description>
^
line 495, column 0: (7 occurrences) [help]
<img alt="Just Futures Law logo" title="Just Futures L ...
line 632, column 0: (2 occurrences) [help]
<img src="https://www.eff.org/sites/all/modules/custom/mytube/pl ...
line 646, column 0: (11 occurrences) [help]
<li data-leveltext="" data-font="Symbol" data-listid ...
line 646, column 0: (11 occurrences) [help]
<li data-leveltext="" data-font="Symbol" data-listid ...
line 646, column 0: (11 occurrences) [help]
<li data-leveltext="" data-font="Symbol" data-listid ...
line 646, column 0: (11 occurrences) [help]
<li data-leveltext="" data-font="Symbol" data-listid ...
line 646, column 0: (11 occurrences) [help]
<li data-leveltext="" data-font="Symbol" data-listid ...
line 646, column 0: (11 occurrences) [help]
<li data-leveltext="" data-font="Symbol" data-listid ...
line 1131, column 0: (5 occurrences) [help]
<p>The Nurture Originals, Foster Art and Keep Entertainment Safe (NO F ...
line 1202, column 0: (25 occurrences) [help]
<p data-block-key="93a0s">Those within the U.S. have Fourth ...
<p><strong><em><a data-cke-saved-href="https://sup ...
<p><strong><em><a data-cke-saved-href="https://sup ...
<?xml version="1.0" encoding="utf-8" ?><rss version="2.0" xml:base="https://www.eff.org/rss/updates.xml" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"> <channel> <title>Deeplinks</title> <link>https://www.eff.org/rss/updates.xml</link> <description>EFF's Deeplinks Blog: Noteworthy news from around the internet</description> <language>en</language> <atom:link href="https://www.eff.org/rss/updates.xml" rel="self" type="application/rss+xml" /> <item> <title>Despite Supreme Court Setback, EFF Fights On Against Online Age Mandates</title> <link>https://www.eff.org/deeplinks/2025/07/despite-supreme-court-setback-eff-fights-against-online-age-mandates</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The Supreme Court’s <a href="https://www.eff.org/deeplinks/2025/06/todays-supreme-court-decision-age-verification-tramples-free-speech-and-undermines">recent decision</a> in <em>Free Speech Coalition v. Paxton</em> did not end the legal debate over age-verification mandates for websites. Instead, it’s a limited decision: the court’s legal reasoning only applies to age restrictions on sexual materials that minors do not have a legal right to access. Although the ruling reverses decades of First Amendment protections for adults to access lawful speech online, the decision does not allow states or the federal government to impose broader age-verification mandates on social media, general audience websites, or app stores.</p><p>At EFF, <a href="https://www.eff.org/deeplinks/2024/12/effs-2024-battle-against-online-age-verification-defending-youth-privacy-and-free">we</a> <a href="https://www.eff.org/deeplinks/2024/06/mississippi-cant-wall-everyones-social-media-access-protect-children">continue</a> <a href="https://www.eff.org/deeplinks/2024/10/eff-new-york-age-verification-threatens-everyones-speech-and-privacy">to</a> <a href="https://www.eff.org/deeplinks/2024/10/eff-fifth-circuit-age-verification-laws-will-hurt-more-they-help">fight</a> age-verification <a href="https://www.eff.org/deeplinks/2024/02/eff-court-strike-down-age-estimation-california-not-consumer-privacy">mandates</a> in the many other <a href="https://www.eff.org/deeplinks/2025/03/first-porn-now-skin-cream-age-verification-bills-are-out-control">contexts</a> in which we see them <a href="https://www.eff.org/deeplinks/2025/06/eff-court-young-people-have-first-amendment-rights">throughout the country</a> <a href="https://www.eff.org/deeplinks/2023/09/uk-online-safety-bill-will-mandate-dangerous-age-verification-much-web">and</a> <a href="https://www.eff.org/deeplinks/2024/09/canadas-leaders-must-reject-overbroad-age-verification-bill">the</a> <a href="https://www.eff.org/deeplinks/2025/04/digital-identities-and-future-age-verification-europe">world</a>. These “age gates” remain a threat to the free speech <a href="https://www.eff.org/deeplinks/2024/06/hack-age-verification-company-shows-privacy-danger-social-media-laws">and</a> <a href="https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online">privacy</a> <a href="https://www.eff.org/deeplinks/2025/01/face-scans-estimate-our-age-creepy-af-and-harmful">rights</a> of both adults and minors.</p><p>Importantly, the Supreme Court’s decision does not approve of age gates when they are imposed on speech that is legal for minors and adults.</p><p>The court’s legal reasoning in <em>Free Speech Coalition v. Paxton</em> depends in all relevant parts on the Texas law only blocking minors’ access to speech to which they had no First Amendment right to access in the first place—what has been known since 1968 as “harmful to minors” sexual material. Although laws that limit access to certain subject matters are typically required to survive “strict scrutiny,” the Texas law was subject instead to the less demanding “intermediate scrutiny” only because the law was denying minors access to this speech that was unprotected for them. The Court acknowledged that having to prove age would create an obstacle for adults to access speech that is protected for them. But this obstacle was merely “incidental” to the lawful restriction on minors’ access. And “incidental” restrictions on protected speech need only survive intermediate scrutiny.</p><p>To be clear, we do not agree with this result, and vigorously <a href="https://www.eff.org/document/fsc-v-paxton-eff-amicus-brief">fought</a> <a href="https://www.eff.org/deeplinks/2024/05/eff-urges-supreme-court-reject-texas-speech-chilling-age-verification-law">against</a> it. The Court <a href="https://www.eff.org/document/age-verification-harms-users-all-ages">wrongly</a> downplayed the <a href="https://www.eff.org/deeplinks/2025/01/face-scans-estimate-our-age-creepy-af-and-harmful">very real and significant burdens</a> that age verification places on <a href="https://www.eff.org/deeplinks/2025/01/impact-age-verification-measures-goes-beyond-porn-sites">adults</a>. And we disagree with numerous other doctrinal aspects of the Court’s decision. The court had previously recognized that age-verification schemes significantly burden adult’s First Amendment rights and had protected adults’ constitutional rights. So <em>Paxton</em> is a significant loss of internet users’ free speech rights and a marked retreat from the court’s protections for online speech.</p><p class="pull-quote"><span>The decision does not allow states or the federal government to impose broader age-verification mandates</span></p><p>But the decision is limited to the specific context in which the law seeks to restrict access to sexual materials. The Texas law avoided strict scrutiny only because it directly targeted speech that is unprotected as to minors. You can see this throughout the opinion:</p><ul><li>The foundation of the Court’s decision was the history, tradition, and precedent that allows states to “prevent children from accessing speech that is obscene to children, rather than a more generalized concern for child welfare.</li><li>The Court’s entire ruling rested on its finding that “no person – adult or child –has a First Amendment right to access speech that is obscene to minors without first submitting proof of age.”</li><li>The Court explained that “because the First Amendment permits States to prohibit minors from accessing speech that is obscene to them, it likewise permits States to employ the ordinary and appropriate means of enforcing such a prohibition.” The permissibility of the age verification requirement was thus dependent on the unprotected nature of the speech.</li><li>The only reason the law could be justified without reference to protected speech, a requirement for a content-neutral law subject to only intermediate scrutiny, is that it did not “regulate the content of protected speech” either “‘on its face’ or in its justification.” As the Court explained, “where the speech in question is unprotected, States may impose “restrictions” based on “content” without triggering strict scrutiny.”</li><li>Intermediate scrutiny was applied only because “[a]ny burden experienced by adults is therefore only incidental to the statute's regulation of activity that is not protected by the First Amendment.”</li><li>But strict scrutiny remains “the standard for reviewing the direct targeting of fully protected speech.”</li></ul><p>There is only sentence in <em>Free Speech Coalition v. Paxton</em> addressing the restriction of First Amendment rights that is not cabined by the language of unprotected harmful to minors speech. The Court wrote: “And, the statute does not ban adults from accessing this material; it simply requires them to verify their age before accessing it on a covered website.” But that sentence was entirely surrounded by and necessarily referred to the limited situation of a law burdening only access to harmful to minors sexual speech.</p><p>We and the others fighting online age restrictions still have our work cut out for us. The momentum to widely adopt and normalize online age restrictions is strong. But <em>Free Speech Coalition v. Paxton</em> did not approve of age gates when they are imposed on speech that adults and minors have a legal right to access. And EFF will continue to fight for all internet users’ rights to speak and receive information online.</p> </div></div></div></description> <pubDate>Tue, 15 Jul 2025 18:07:34 +0000</pubDate> <guid isPermaLink="false">110891 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <category domain="https://www.eff.org/issues/anonymity">Anonymity</category> <category domain="https://www.eff.org/issues/social-networks">Social Networks</category> <dc:creator>David Greene</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/supreme-court-3.jpg" alt="" type="image/jpeg" length="180051" /> </item> <item> <title>EFF Tells Virginia Court That Constitutional Privacy Protections Forbid Cops from Finding out Everyone Who Searched for a Keyword</title> <link>https://www.eff.org/deeplinks/2025/07/eff-tells-virginia-court-constitutional-privacy-protections-forbid-cops-finding</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><strong><em>This post was co-authored by EFF legal intern Noam Shemtov.</em></strong></p><p>We are in a constant dialogue with Internet search engines, ranging from the mundane to the confessional. We ask search engines everything: <em>What movies are playing (and which are worth seeing)? Where’s the nearest clinic (and how do I get there)? Who’s running in the sheriff’s race (and what are their views)? </em>These online queries can give insight into our private details and innermost thoughts, but police increasingly access them without adhering to longstanding limits on government investigative power.</p><p>A Virginia appeals court is poised to review such a request in a case called <em>Commonwealth v. Clements</em>. In <em>Clements</em>, police sought evidence under a “reverse-keyword warrant,” a novel court order that compels search engines like Google to hand over information about every person who has looked up a word or phrase online. While the trial judge correctly recognized the privacy interest in our Internet queries, he overlooked the other wide-ranging harms that keyword warrants enable and upheld the search.</p><p>But as EFF and the ACLU explained in our <a href="https://www.eff.org/document/commonwealth-v-clements-eff-aclu-amicus">amicus brief</a> on appeal, reverse keyword warrants simply cannot be conducted in a lawful way. They invert privacy protections, threaten free speech and inquiry, and fundamentally conflict with the principles underlying the Fourth Amendment and <a href="https://law.lis.virginia.gov/constitution/article1/section10/">its analog in the Virginia Constitution</a>. The court of appeals now has a chance to say so and protect the rights of Internet users well beyond state lines.</p><p>To comply with a keyword warrant, a search engine has to trawl through its entire database of user queries to pinpoint the accounts or devices that made a responsive search. For a dominant service like Google, <a href="https://www.eff.org/files/2022/07/06/2022-07-05_13-22-16_attachment_-_declaration_of_nikki_adeli19.pdf#page=2">that means billions of records</a>. Such a wide dragnet will predictably pull in people with no plausible connection to a crime under investigation if their searches happened to include keywords police are interested in.</p><p>Critically, investigators seldom have a suspect in mind when they seek a reverse-keyword warrant. That isn’t surprising. True to their name, these searches “<a href="https://cases.justia.com/federal/appellate-courts/ca5/23-60321/23-60321-2024-08-09.pdf?ts=1723246217#page=6">work in reverse</a>” from the traditional investigative process. What makes them so useful is precisely their ability to identify Internet users on the sole basis of what they searched online. But what makes a search technique convenient to the government does not always make it constitutional. Quite the opposite: the constitution is anathema to inherently suspicionless dragnets.</p><p><a href="https://tile.loc.gov/storage-services/service/ll/usrep/usrep427/usrep427463/usrep427463.pdf">The Fourth Amendment forbids “exploratory rummaging”</a>—in fact, it was drafted in direct response to British colonial soldiers’ practice of indiscriminately searching people’s homes and papers for evidence of their opposition to the Crown. To secure a lawful warrant, police must have a specific basis to believe evidence will be found in a given location. They must also describe that location in some detail and say what evidence they expect to find there. It’s hard to think of a less specific description than “all the Internet searches in the world” or a weaker hunch than “whoever committed the crime probably looked up <strong>search term<em> x</em></strong>.” Because those airy assertions are all law enforcement can martial in support of keyword warrants, they are “<a href="https://www.courts.state.co.us/userfiles/file/Court_Probation/Supreme_Court/Opinions/2023/23SA12.pdf#page=47">tantamount to high-tech versions of the reviled ‘general warrants’ that first gave rise to the . . . Fourth Amendment</a>” and Virginia’s even stronger search-and-seizure provision.</p><p>What’s more, since keyword warrants compel search engine companies to hand over records about anyone anywhere who looked up a particular search term within a given timeframe, they effectively make a suspect out of every person whose online activity falls within the warrant’s sweep. As one court <a href="https://www.nacdl.org/getattachment/dc48746c-32f2-44d7-91c1-a32e3d153811/us-v-chatrieruling.pdf">has said</a> about related geofences, this approach “invert[s] probable cause” and “cannot stand.”</p><p>Keyword warrants’ fatal flaws are even more drastic considering that privacy rights <a href="https://tile.loc.gov/storage-services/service/ll/usrep/usrep436/usrep436547/usrep436547.pdf">apply with special force</a> to searches of items—like diaries, <a href="https://supreme.justia.com/cases/federal/us/379/476/">booklists</a>, and Internet search queries—that reflect a person’s free thought and expression. As both law and lived experience affirm, the Internet is “<a href="https://www.supremecourt.gov/opinions/16pdf/15-1194_08l1.pdf">the most important place[] . . . for the exchange of views</a>.” Using it—and using keyword searches to navigate the practical infinity of its contents—is “<a href="https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf#page=21">indispensable to participation in modern society</a>.” We shouldn’t have to engage in that core endeavor with the fear that our searches will incriminate us, subject to police officers’ discretion about what keywords are worthy of suspicion. That outcome would predictably chill people from accessing information about sensitive and important topics like reproductive health, public safety, or events in the news that could be relevant to a criminal investigation.</p><p>The Virginia Court of Appeals now has the opportunity in <em>Clements </em>to protect privacy and speech rights by affirming that keyword warrants can’t be reconciled with constitutional protections guaranteed at the federal or state level. We hope it does so.</p> </div></div></div></description> <pubDate>Thu, 10 Jul 2025 20:17:05 +0000</pubDate> <guid isPermaLink="false">110886 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/search-engines">Search Engines</category> <dc:creator>Andrew Crocker</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/icon-2019-privacy.png" alt="" type="image/png" length="16605" /> </item> <item> <title> No Face, No Case: California’s S.B. 627 Demands Cops Show Their Faces </title> <link>https://www.eff.org/deeplinks/2025/07/no-face-no-case-californias-sb-627-demands-cops-show-their-faces</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">Across the country, people are collecting and sharing </span><a href="https://www.eff.org/deeplinks/2025/02/yes-you-have-right-film-ice"><span>footage</span></a><span> </span><span data-contrast="auto">of </span><a href="https://www.npr.org/2025/07/09/nx-s1-5440311/ice-raids-masked-agents"><span data-contrast="none">masked law enforcement officers</span></a> from both <span data-contrast="auto">federal and local agencies deputized to do so-called immigration enforcement: arresting civilians, in some </span><a href="https://theintercept.com/2025/07/07/ice-raids-la-violence-video-bystanders/"><span data-contrast="none">cases</span></a> <a href="https://www.youtube.com/watch?v=7Yhox15fvDw"><span data-contrast="none">violently</span></a><span data-contrast="auto"> and/or </span><a href="https://www.snopes.com/news/2025/06/21/ice-arrest-people-warrants/"><span data-contrast="none">warrantlessly</span></a><span data-contrast="auto">. That footage is part of a long tradition of </span><a href="https://www.eff.org/issues/right-record"><span data-contrast="none">recording law enforcement</span></a><span data-contrast="auto"> during their operations to ensure some level of accountability if people observe misconduct and/or unconstitutional practices. However, as essential as recording police can be in proving allegations of misconduct, the footage is rendered far less useful when officers conceal their badges and/or faces. Further, lawyers, journalists, and activists cannot then identify officers in public records requests for body-worn camera footage to view the interaction from the officers’ point of view.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">In response to these growing concerns, California has introduced </span><a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260SB627"><span>S.B. 627</span></a><span data-contrast="auto"> to prohibit law enforcement from covering their faces during these kinds of public encounters. This builds on legislation (in California and some other states and municipalities) that requires police, for example, “</span><a href="https://california.public.law/codes/penal_code_section_830.10"><span data-contrast="none">to wear a badge, nameplate, or other device which bears clearly on its face the identification number or name of the officer</span></a><span data-contrast="auto">.” Similarly, </span><a href="https://california.public.law/codes/penal_code_section_832.7"><span data-contrast="none">police reform legislation passed in 2018</span></a><span data-contrast="auto"> requires greater transparency by opening individual personnel files of law enforcement to public scrutiny when there are use of force cases or allegations of violent misconduct. </span></p><p><span data-contrast="auto">But in the case of ICE detentions in 2025, federal and federally deputized officers are not only covering up their badges—they're covering their faces as well. This bill would offer an important tool to prevent this practice, and to ensure that civilians who record the police can actually determine the identity of the officers they’re recording, in case further investigation is warranted. The legislation explicitly </span><a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260SB627"><span data-contrast="none">includes</span></a><span data-contrast="auto"> “any officer or anyone acting on behalf of a local, state, or federal law enforcement agency.”</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">This is a necessary move. The right to record police, and to hold government actors accountable for their actions, requires that we know who the government actors are in the first place. The new legislation seeks to cover federal officers in addition to state and local officials, protecting Californians from otherwise unaccountable law enforcement activity.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">As EFF has stood up for the right to record police, we also stand up for the right to be able to identify officers in those recordings. We have </span><a href="https://www.eff.org/document/eff-letter-support-ca-sb-627"><span data-contrast="none">submitted a letter</span></a><span data-contrast="auto"> to the state legislature to that effect. California should pass S.B. 627, and more states should follow suit to ensure that the right to record remains intact.</span><span data-ccp-props="{}"> </span></p> </div></div></div></description> <pubDate>Thu, 10 Jul 2025 19:23:51 +0000</pubDate> <guid isPermaLink="false">110889 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/right-record">Right to Record</category> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <dc:creator>José Martinez</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/OG-PoliceRecording.png" alt="Police car being recorded by phone video" type="image/png" length="19071" /> </item> <item> <title>Axon’s Draft One is Designed to Defy Transparency </title> <link>https://www.eff.org/deeplinks/2025/07/axons-draft-one-designed-defy-transparency</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>Axon Enterprise’s Draft One — a generative artificial intelligence product that writes police reports based on audio from officers’ body-worn cameras — seems deliberately designed to avoid audits that could provide any accountability to the public, an EFF investigation has found.</span></p><p><span>Our review of public records from police agencies already using the technology — including police reports, emails, procurement documents, department policies, software settings, and more — as well as Axon’s own user manuals and marketing materials revealed that it’s often impossible to tell which parts of a police report were generated by AI and which parts were written by an officer.</span></p><p><em>You can read our full report, which details what we found in those documents, how we filed those public records requests, and how you can file your own, <a href="https://www.eff.org/deeplinks/2025/07/effs-guide-getting-records-about-axons-ai-generated-police-reports">here</a>. </em></p><p><span>Everyone should have access to answers, evidence, and data regarding the effectiveness and dangers of this technology. Axon and its customers claim this technology will revolutionize policing, but it remains to be seen how it will change the criminal justice system, and who this technology benefits most.</span></p><p><span>For months, </span><a href="https://www.eff.org/deeplinks/2024/05/what-can-go-wrong-when-police-use-ai-write-reports"><span>EFF</span></a><span> and other </span><a href="https://www.aclu.org/documents/aclu-on-police-departments-use-of-ai-to-draft-police-reports"><span>organizations</span></a><span> have warned about the threats this technology poses to accountability and transparency in an already flawed criminal justice system. Now we've concluded the situation is even worse than we thought: </span><b>There is no meaningful way to audit Draft One usage, whether you're a police chief or an independent researcher, because Axon designed it that way. </b></p><p><span>Draft One uses a ChatGPT variant to process body-worn camera audio of public encounters and create police reports based only on the captured verbal dialogue; it does not process the video. The Draft One-generated text is sprinkled with bracketed placeholders that officers are encouraged to add additional observations or information—or can be quickly deleted. Officers are supposed to edit Draft One's report and correct anything the Gen AI misunderstood due to a lack of context, troubled translations, or just plain-old mistakes. When they're done, the officer is prompted to sign an acknowledgement that </span><a href="https://vimeo.com/936340459"><span>the report was generated using Draft One and that they have reviewed the report and made necessary edits to ensure it is consistent with the officer’s recollection</span></a><span>. Then they can copy and paste the text into their report. When they close the window, the draft disappears.</span></p><p><span>Any new, untested, and problematic technology needs a robust process to evaluate its use by officers. In this case, one would expect police agencies to retain data that ensures officers are actually editing the AI-generated reports as required, or that officers can accurately answer if a judge demands to know whether, or which part of, reports used by the prosecution were written by AI. </span></p><p class="pull-quote"><span>"We love having new toys until the public gets wind of them."</span></p><p><span>One would expect audit systems to be readily available to police supervisors, researchers, and the public, so that anyone can make their own independent conclusions. And one would expect</span> <span>that Draft One would make it easy to discern its AI product from human product – after all, even your basic, free word processing software can track changes and save a document history.</span></p><p><span>But Draft One defies all these expectations, offering meager oversight features that deliberately conceal how it is used. </span></p><p><span>So when a police report includes biased language, inaccuracies, misinterpretations, or even outright lies, the record won't indicate whether the officer or the AI is to blame. That makes it extremely difficult, if not impossible, to assess how the system affects justice outcomes, because there is little non-anecdotal data from which to determine whether the technology is junk. </span></p><p><span>The disregard for transparency is perhaps best encapsulated by a short email that an administrator in the Frederick Police Department in Colorado, one of Axon's first Draft One customers, sent to a company representative after receiving a public records request related to AI-generated reports. </span></p><p><span>"We love having new toys until the public gets wind of them," the administrator </span><a href="https://www.documentcloud.org/documents/25979149-frederick-police-department-re-tss-5058-reports-utilizing-draft-one/"><span>wrote</span></a><span>.</span></p><h2><strong>No Record of Who Wrote What</strong></h2><p><span>The first question anyone should have about a police report written using Draft One is which parts were written by AI and which were added by the officer. Once you know this, you can start to answer more questions, like: </span></p><ul><li><span>Are officers meaningfully editing and adding to the AI draft? Or are they reflexively rubber-stamping the drafts to move on as quickly as possible? </span></li><li><span>How often are officers finding and correcting errors made by the AI, and are there patterns to these errors? </span></li><li><span>If there is inappropriate language or a fabrication in the final report, was it introduced by the AI or the officer? </span></li><li><span>Is the AI overstepping in its interpretation of the audio? If a report says, "the subject made a threatening gesture," was that added by the officer, or did the AI make a factual assumption based on the audio? If a suspect uses metaphorical slang, does the AI document literally? If a subject says "yeah" through a conversation as a verbal acknowledgement that they're listening to what the officer says, is that interpreted as an agreement or a confession?</span></li></ul><p class="pull-quote">"So we don’t store the original draft and that’s by design..."</p><p><span>Ironically, Draft One does not save the first draft it generates. Nor does the system store any subsequent versions. Instead, the officer copies and pastes the text into the police report, and the previous draft, originally created by Draft One, disappears as soon as the window closes. There is no log or record indicating which portions of a report were written by the computer and which portions were written by the officer, except for the officer's own recollection. If an officer generates a Draft One report multiple, there's no way to tell whether the AI interprets the audio differently each time.</span></p><p><span>Axon is open about not maintaining these records, at least when it markets directly to law enforcement.</span></p><p><span>In this video of a </span><a href="https://vimeo.com/941650612"><span>roundtable discussion about the Draft One product</span></a><span>, Axon’s senior principal product manager for generative AI is asked (at the 49:47 mark) whether or not it’s possible to see after-the-fact which parts of the report were suggested by the AI and which were edited by the officer. His response (bold and definition of RMS added): </span></p><p><span>“</span><b>So we don’t store the original draft and that’s by design and that’s really because the last thing we want to do is create more disclosure headaches for our customers and our attorney’s offices</b><span>—so basically the officer generates that draft, they make their edits, if they submit it into our Axon records system then that’s the only place we store it, if they copy and paste it into their third-party RMS [records management system] system as soon as they’re done with that and close their browser tab, it’s gone. It’s actually never stored in the cloud at all so you don’t have to worry about extra copies floating around.”</span></p><p><span>To reiterate: Axon deliberately does not store the original draft written by the Gen AI, because "the last thing" they want is for cops to have to provide that data to anyone (say, a judge, defense attorney or civil liberties non-profit). </span></p><p><span>Following up on the same question, Axon's Director of Strategic Relationships at Axon Justice suggests this is fine, since a police officer using a word processor wouldn't be required to save every draft of a police report as they're re-writing it. This is, of course, misdirection and not remotely comparable. An officer with a word processor is one thought process and a record created by one party; Draft One is two processes from two parties–Axon and the officer. Ultimately, it could and should be considered two records: the version sent to the officer from Axon and the version edited by the officer.</span></p><p><span>The days of there being unexpected consequences of police departments writing reports in word processors may be over, but Draft One is still unproven. After all, every AI-evangelist, including Axon, claims this technology is a game-changer. So, why wouldn't an agency want to maintain a record that can establish the technology’s accuracy? </span></p><p><span>It also appears that Draft One isn't simply hewing to </span><a href="https://post.ca.gov/portals/0/post_docs/basic_course_resources/workbooks/LD_18_V-3.5.pdf"><span>long</span></a><span>-</span><a href="https://www.lewisu.edu/writingcenter/pdf/police-report-resource-revised.pdf"><span>established</span></a> <a href="https://www.csus.edu/campus-safety/police-department/_internal/_documents/rwm.pdf"><span>norms</span></a><span> of police report-writing; it may fundamentally change them. In </span><a href="https://www.documentcloud.org/documents/25977598-campbell-pd-please-read-axon-draft-one-ai-generated-r/"><span>one email</span></a><span>, the Campbell Police Department's Police Records Supervisor tells staff, “You may notice a significant difference with the narrative format…if the DA’s office has comments regarding our report narratives, please let me know.” It's more than a little shocking that a police department would implement such a change without fully soliciting and addressing the input of prosecutors. In this case, the Santa Clara County District Attorney had already suggested police include a disclosure when Axon Draft One is used in each report, but Axon's engineers had yet to finalize the feature at the time it was rolled out. </span></p><p><span>One of the main concerns, of course, is that this system effectively creates a smokescreen over truth-telling in police reports. If an officer lies or uses inappropriate language in a police report, who is to say that the officer wrote it or the AI? An officer can be punished severely for official dishonesty, but the consequences may be more lenient for a cop who blames it on the AI. There has already been an occasion when engineers discovered a bug that allowed officers on at least three occasions to circumvent the "guardrails" that supposedly deter officers from submitting AI-generated reports without reading them first, as Axon </span><a href="https://www.documentcloud.org/documents/25979172-frederick-police-department-re-draft-one-guardrails-issue/?mode=document#document/p2"><span>disclosed</span></a><span> to the Frederick Police Department.</span></p><p><span>To serve and protect the public interest, the AI output must be continually and aggressively evaluated whenever and wherever it's used. But Axon has intentionally made this difficult. </span></p><h2><strong>What the Audit Trail Actually Looks Like </strong></h2><p><span>You may have seen </span><a href="https://my.axon.com/s/article/View-the-audit-trail-in-Axon-Evidence-Draft-One?language=en_US"><span>news stories or other public statements </span></a><span>asserting that Draft One does, indeed, have auditing features. So, we dug through the user manuals to figure out what that exactly means. </span></p><p><span>The first thing to note is that, based on our review of the documentation, there appears to be no feature in Axon software that allows departments to export a list of all police officers who have used Draft One. Nor is it possible to export a list of all reports created by Draft One, unless the department has customized its process (we'll get to that in a minute). </span></p><p><span>This is disappointing because, without this information, it's near impossible to do even the most basic statistical analysis: how many officers are using the technology and how often. </span></p><p><span>Based on the documentation, you can only export two types of very basic logs, with the process differing depending on whether an agency uses </span><a href="https://my.axon.com/s/article/View-the-audit-trail-in-Axon-Evidence-Draft-One?language=en_US"><span>Evidence</span></a><span> or Records/Standards products. These are:</span></p><ol><li><b>A log of basic actions taken on a particular report.</b><span> If the officer requested a Draft One report or signed the Draft One liability disclosure related to the police report, it will show here. But nothing more than that.</span></li><li><span> </span><b>A log of an individual officer/user's basic activity in the Axon Evidence/Records system</b><span>. This audit log shows things such as when an officer logs into the system, uploads videos, or accesses a piece of evidence. The only Draft One-related activities this tracks are whether the officer ran a Draft One request, signed the Draft One liability disclosure, or changed the Draft One settings. </span></li></ol><p><span>This means that, to do a comprehensive review, an evaluator may need to go through the record management system and look up each officer individually to identify whether that officer used Draft One and when. That could mean combing through dozens, hundreds, or in some cases, thousands of individual user logs. </span></p><p></p><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/2025/07/08/screenshot_2025-07-08_at_8.35.40_am.png" width="1212" height="482" alt="An audit log on Axon's Draft one which shows only when an officer as generated a report and when they have signed the liability disclosure." title="An audit log on Axon's Draft one which shows only when an officer as generated a report and when they have signed the liability disclosure." /><p class="caption-text">An example of Draft One usage in an audit log. </p></div></div></div> <p><span>An auditor could also go report-by-report as well to see which ones involved Draft One, but the sheer number of reports generated by an agency means this method would require a massive amount of time. </span></p><p><span>But can agencies even create a list of police reports that were co-written with AI? It depends on whether the agency has included a disclosure in the body of the text, such as "I acknowledge this report was generated from a digital recording using Draft One by Axon." If so, then an administrator can use "Draft One" as a keyword search to find relevant reports.</span></p><p><span>Agencies that do not require that language told us they could not identify which reports were written with Draft One. For example, one of those agencies and one of Axon's most promoted clients, the Lafayette Police Department in Indiana, told us: </span></p><p><span>"Regarding the attached request, we do not have the ability to create a list of reports created through Draft One. They are not searchable. This request is now closed."</span></p><p><span>Meanwhile, in response to a similar public records request, the Palm Beach County Sheriff's Office, which does require a disclosure at the bottom of each report that it had been written by AI, was able to isolate more than 3,000 Draft One reports generated between December 2024 and March 2025.</span></p><p><span>They told us: "We are able to do a keyword and a timeframe search. I used the words draft one and the system generated all the draft one reports for that timeframe."</span></p><p>We have requested further clarification from Axon, but they have yet to respond. </p><p><span>However, as we learned from email exchanges between the Frederick Police Department in Colorado and Axon, Axon is tracking police use of the technology at a level that isn't available to the police department itself. </span></p><p><span>In response to a request from Politico's Alfred Ng in August 2024 for Draft One-generated police reports, the police department was struggling to isolate those reports. </span></p><p><span>An Axon representative </span><a href="https://www.documentcloud.org/documents/25979141-frederick-police-deparmtent-email-re-media-request/?mode=document#document/p4"><span>responded</span></a><span>: "Unfortunately, there’s no filter for DraftOne reports so you’d have to pull a User’s audit trail and look for Draft One entries. To set expectations, it’s not going to be graceful, but this wasn’t a scenario we anticipated needing to make easy."</span></p><p><span>But then, Axon followed up: "We track which reports use Draft One internally so I exported the data." Then, a few days later, Axon provided Frederick with some custom JSON code to extract the data in the future. </span></p><h2><br />What is Being Done About Draft One</h2><p>The California Assembly is currently considering <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260SB524">SB 524</a>, a bill that addresses transparency measures for AI-written police reports. The legislation would require disclosure whenever police use artificial intelligence to partially or fully write official reports, as well as “require the first draft created to be retained for as long as the final report is retained.” Because Draft One is designed not to retain the first or any previous drafts of a report, it cannot comply with this common-sense and first-step bill, and any law enforcement usage would be unlawful.</p><p><span>Axon markets Draft One as a solution to a problem police have been complaining about for at least a century: that they do too much paperwork. Or, at least, they spend too much time doing paperwork. The current research on whether Draft One remedies this issue shows mixed </span><a href="https://www.crimrxiv.com/pub/nxbmzp2j"><span>results</span></a><span>, from some agencies claiming it has </span><a href="https://www.eff.org/deeplinks/2025/03/anchorage-police-department-ai-generated-police-reports-dont-save-time"><span>no real-time savings</span></a>, <span>with others agencies extolling its virtues (although their data also shows that </span><a href="https://www.documentcloud.org/documents/25973591-lake-havasu-police-department-draft-one-report-redacted-2/?mode=document#document/p17"><span>results</span></a><span> vary even within the department).</span></p><p><span>In the justice system, police must prioritize accuracy over speed. Public safety and a trustworthy legal system demand quality over corner-cutting. Time saved should not be the only metric, or even the most important one. It's like evaluating a drive-through restaurant based only on how fast the food comes out, while deliberately concealing the ingredients and nutritional information and failing to inspect whether the kitchen is up to health and safety standards. </span></p><p><span>Given how untested this technology is and how much the company is in a </span><a href="https://www.investors.com/news/axon-stock-earnings-q2-draft-one-ai/"><span>hurry to sell</span></a><span> Draft One, many local lawmakers and prosecutors have taken it upon themselves to try to regulate the product’s use. Utah is currently considering </span><a href="https://www.eff.org/deeplinks/2025/02/utah-bill-aims-make-officers-disclose-ai-written-police-reports"><span>a bill that would mandate disclosure </span></a><span>for any police reports generated by AI, thus sidestepping one of the current major transparency issues: it’s nearly impossible to tell which finished reports started as an AI draft. </span></p><p><span>In King County, Washington, which includes Seattle, the district attorney’s office has been clear in their instructions: </span><a href="https://www.eff.org/deeplinks/2024/10/prosecutors-washington-state-warn-police-dont-use-gen-ai-write-reports"><span>police should not use AI to write police reports</span></a><span>. Their</span><a href="https://komonews.com/amp/news/local/king-county-prosecutor-tells-police-not-to-use-ai-artificial-intelligence-for-official-reports-for-now-errors-concerns-law-enforcement-perjury-criminal-justice"><span> memo says</span></a></p><blockquote><p><span>We do not fear advances in technology – but we do have legitimate concerns about some of the products on the market now... AI continues to develop and we are hopeful that we will reach a point in the near future where these reports can be relied on. For now, our office has made the decision not to accept any police narratives that were produced with the assistance of AI.</span></p></blockquote><p><span>We urge other prosecutors to follow suit and demand that police in their jurisdiction not unleash this new, unaccountable, and intentionally opaque AI product. </span></p><h2><strong>Conclusion</strong></h2><p><span>Police should not be using AI to write police reports. There are just too many unanswered questions about how AI would translate the audio of situations and whether police will actually edit those drafts, while simultaneously, there is no way for the public to reliably discern what was written by a person and what was written by a computer. This is before we even get to the question of how these reports might compound and exacerbate existing problems or create new ones in an already unfair and untransparent criminal justice system. </span></p><p><span>EFF will continue to research and advocate against the use of this technology but for now, the lesson is clear: Anyone with control or influence over police departments, be they lawmakers or people in the criminal justice system, has a duty to be informed about the potential harms and challenges posed by AI-written police reports. </span></p> </div></div></div></description> <pubDate>Thu, 10 Jul 2025 16:00:31 +0000</pubDate> <guid isPermaLink="false">110875 at https://www.eff.org</guid> <dc:creator>Matthew Guariglia</dc:creator> <dc:creator>Dave Maass</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/robot-robot-2a.png" alt="a sinister police robot types a report" type="image/png" length="43805" /> </item> <item> <title>EFF's Guide to Getting Records About Axon's Draft One AI-Generated Police Reports </title> <link>https://www.eff.org/deeplinks/2025/07/effs-guide-getting-records-about-axons-ai-generated-police-reports</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>The moment Axon Enterprise announced a new product, Draft One, that would allow law enforcement officers to use artificial intelligence to automatically generate incident report narratives based on body-worn camera audio, everyone in the police accountability community immediately started asking the same <a href="https://www.eff.org/deeplinks/2024/05/what-can-go-wrong-when-police-use-ai-write-reports">questions</a>. </span></p><p><span>What do AI-generated police reports look like? What kind of paper trail does this system leave? How do we get a hold of documentation using public records laws? </span></p><p><span>Unfortunately, obtaining these records isn't easy. In many cases, it's straight-up impossible. </span></p><p><strong>Read our full report on how Axon's Draft One defies transparency expectations by design <a href="https://www.eff.org/deeplinks/2025/07/axons-draft-one-designed-defy-transparency">here</a>. </strong></p><p><span>In some jurisdictions, the documents are walled off behind government-created barriers. For example, California fully exempts police narrative reports from public disclosure, while other states charge fees to access individual reports that become astronomical if you want to analyze the output in bulk. Then there are technical barriers: Axon's product itself does not allow agencies to isolate reports that contain an AI-generated narrative, although an agency can voluntarily institute measures to make them searchable by a keyword. </span></p><p><span>This spring, EFF tested out different public records request templates and sent them to dozens of law enforcement agencies we believed are using Draft One. </span></p><p><span>We asked each agency for the Draft One-generated police reports themselves, knowing that in most cases this would be a long shot. We also dug into Axon's user manuals to figure out what kind of logs are generated and how to carefully phrase our public records request to get them. We asked for the current system settings for Draft One, since there are a lot of levers police administrators can pull that drastically change how and when officers can use the software. We also requested the standard records that we usually ask for when researching new technologies: procurement documents, agreements, training manuals, policies, and emails with vendors. </span></p><p><span>Like all mass public records campaigns, the results were… mixed. Some agencies were refreshingly open with their records. Others assessed us records fees well outside the usual range for a non-profit organization. </span></p><p><span>What we learned about the process is worth sharing. Axon has thousands of clients nationwide that use its Tasers, </span><a href="https://atlasofsurveillance.org/search?locale=am&amp;vendor=Axon"><span>body-worn cameras</span></a><span> and </span><a href="https://www.eff.org/deeplinks/2025/04/beware-bundle-companies-are-banking-becoming-your-police-departments-favorite"><span>bundles of surveillance equipment</span></a><span>, and the company is using those existing relationships to heavily promote Draft One. We expect many more cities to deploy the technology over the next few years. Watchdogging police use of AI will require a nationwide effort by journalists, advocacy organizations and community volunteers.</span></p><p><span>Below we’re sharing some sample language you can use in your own public records requests about Draft One — but be warned. It’s likely that the more you include, the longer it might take and the higher the fees will get. The template language and our suggestions for filing public records requests are not legal advice. If you have specific questions about a public records request you filed, consult a lawyer. </span></p><h3><span>1. Police Reports</span></h3><table border="0" width="1351"> <tr><td><p><strong>Language to try in your public records request:</strong></p><ul><li>All police report narratives, supplemental report narratives, warrant affidavits, statements, and other narratives generated using Axon Draft One to document law enforcement-related incidents for the period between [DATE IN THE LAST FEW WEEKS] and the date this request is received. If your agency requires a Draft One disclosure in the text of the message, you can use "Draft One" as a keyword search term.</li></ul><p><strong>Or</strong></p><ul><li>The [NUMBER] most recent police report narratives that were generated using Axon Draft One between [DATE IN THE LAST FEW WEEKS] and the date this request is received.</li></ul><p><strong>If you are curious about a particular officer's Draft One usage, you can also ask for their reports specifically. However it may be helpful to obtain their usage log first (see section 2).</strong></p><ul><li>All police report narratives, supplemental report narratives, warrant affidavits, statements, and other narratives generated by [OFFICER NAME] using Axon Draft One to document law enforcement-related incidents for the period between [DATE IN THE LAST FEW WEEKS] and the date this request is received.</li></ul><p><strong>We suggest using weeks, not months, because the sheer number of reports can get costly very quickly.</strong></p></td></tr> </table><p><span>As an add-on to Axon's evidence and records management platforms, Draft One uses ChatGPT to convert audio taken from Axon body-worn cameras into the so-called first draft of the narrative portion of a police report. </span></p><p><span>When </span><a href="https://www.politico.com/newsletters/digital-future-daily/2024/09/04/axon-ai-police-reports-00177331"><span>Politico surveyed seven agencies</span></a><span> in September 2024, reporter Alfred Ng found that police administrators did not have the technical ability to identify which reports contained AI-generated language. As Ng reported. </span><b>“</b><span>There is no way for us to search for these on our end,” a Lafayette, IN police captain told Ng. Six months later, EFF received the same no-can-do response from the Lafayette Police Department. </span></p><p class="center-image"><span><img src="/files/2025/07/07/image10.png" width="814" height="323" alt=" Regarding the attached request, we do not have the ability to create a list of reports created through Draft One. They are not searchable. This request is now closed." title=" Regarding the attached request, we do not have the ability to create a list of reports created through Draft One. They are not searchable. This request is now closed." /></span></p><p><span>Although Lafayette Police could not create a list on their own, it turns out that Axon's engineers can generate these reports for police if asked. When the Frederick Police Department in Colorado received a similar request from Ng, the agency contacted Axon for help. The company does internally track reports written with Draft One and was able to provide a spreadsheet of Draft One reports (.</span><a href="https://www.eff.org/files/2025/06/18/frederick_police_deparment_-_draft_one_generated_reports_2024-02-22_to_2024-08-20.csv"><span>csv</span></a><span>) and even provided Frederick Police with computer code to allow the agency to create similar lists in the future. Axon told them they would look at making this a feature in the future, but that appears not to have happened yet. </span></p><p><span>But we also struck gold with two agencies: the Palm Beach County Sheriff's Office (PBCSO) in Florida and the Lake Havasu City Police Department in Arizona. In both cases, the agencies require officers to include a disclosure that they used Draft One at the end of the police narrative. Here's a slide from the <a href="https://www.documentcloud.org/documents/25972394-palm-beach-county-sheriffs-pffice-axon-draft-one-training-material/">Palm Beach County Sheriff's Draft One training:</a> </span></p><p class="center-image"><span><img src="/files/2025/07/07/image2.png" width="1183" height="659" alt="A slide titled &quot;Narrative Footer&quot; that tells officers they must include a disclosure at the bottom of their report." title="A slide titled &quot;Narrative Footer&quot; that tells officers they must include a disclosure at the bottom of their report." /></span></p><p><span>And here's the boilerplate disclosure: </span></p><blockquote><p>I acknowledge this report was generated from a digital recording using Draft One by Axon. I further acknowledge that I have I reviewed the report, made any necessary edits, and believe it to be an accurate representation of my recollection of the reported events. I am willing to testify to the accuracy of this report.</p></blockquote><p><span>As small a gesture as it may seem, that disclosure makes all the difference when it comes to responding to a public records request. Lafayette Police could not isolate the reports because its </span><a href="https://www.lafayette.in.gov/DocumentCenter/View/18516/2025-Policy-Manualpdf#page=186&amp;zoom=auto,-129,760"><span>policy</span></a><span> does not require the disclosure. A Frederick Police Department sergeant noted in an </span><a href="https://www.documentcloud.org/documents/25979141-frederick-police-deparmtent-email-re-media-request/?mode=document#document/p5"><span>email</span></a><span> to Axon that they could isolate reports when the auto-disclosure was turned on, but not after they decided to turn it off. This year, Utah legislators </span><a href="https://www.eff.org/about/staff/dr-matthew-guariglia-0"><span>introduced a bill</span></a><span> to require this kind of disclosure on AI-generated reports.</span></p><p><span>As the PBCSO records manager told us: "We are able to do a keyword and a timeframe search. I used the words ‘Draft One’ and the system generated all the Draft One reports for that timeframe." In fact, in Palm Beach County and Lake Havasu, records administrators dug up huge numbers of records. But, once we saw the estimated price tag, we ultimately narrowed our request to just 10 reports.</span></p><p><span>Here is an example of a report from PBCSO, which only allows Draft One to be used in incidents that don't involve a criminal charge. As a result, many of the reports were related to mental health or domestic dispute responses. </span></p><p class="center-image"><span><img src="/files/2025/07/07/image3.png" width="1090" height="980" alt="A police report peppered with redactions. " title="A police report peppered with redactions. " /></span></p><p class="center-image"><i><span>A machine readable text version of this report is available </span></i><a href="https://www.documentcloud.org/documents/25976449-25-052609-nrn/?mode=text"><i><span>here</span></i></a><i><span>. Full version <a href="https://www.documentcloud.org/documents/25976449-25-052609-nrn/?mode=document">here</a>.</span></i></p><p><span>And here is an example from the Lake Havasu City Police Department, whose clerk was kind enough to provide us with a diverse sample of requests. </span></p><p class="center-image"><span><img src="/files/2025/07/07/image4.png" width="663" height="633" alt="A police report peppered with redactions. " title="A police report peppered with redactions. " /></span></p><p class="center-image"><span><i>A machine readable text version of this report is available </i><a href="https://www.documentcloud.org/documents/25975605-dr-25-01306-redacted/?mode=text"><i>here.</i></a><i> Full version <a href="https://www.documentcloud.org/documents/25975605-dr-25-01306-redacted/?mode=document">here</a>.</i></span></p><p><span>EFF redacted some of these records to protect the identity of members of the public who were captured on body-worn cameras. Black-bar redactions were made by the agencies, while bars with X's were made by us. You can view all the examples we received below: </span></p><ul><li><a href="https://www.documentcloud.org/projects/221796-palm-beach-county-sheriffs-office-draft-one-reports-redacted/">10 Axon Draft One-assisted reports from the Palm Beach County Sheriff's Office</a></li><li><a href="https://www.documentcloud.org/projects/221797-lake-havasu-city-police-department-draft-one-report-redacted/">10 Axon Draft One-assisted reports from the Lake Havasu Police Department</a></li></ul><p><span>We also received police reports (perhaps unintentionally) from two other agencies that were contained as email attachments in response to another part of our request (see section 7).</span></p><ul><li><a href="https://www.documentcloud.org/documents/25979138-frederick-police-departent-24fe000605-redacted/">Frederick Police Department, Colorado</a></li><li><a href="https://www.documentcloud.org/documents/25979137-lone-tree-police-department-report-24-3778-redacted/">Lone Tree Police Department, Colorado</a></li></ul><h3>2. Audit Logs</h3><table> <tr><td><p><strong>Language to try in your public records request:</strong></p><p>Note: You can save time by determining in advance whether the agency uses Axon Evidence or Axon Records and Standards, then choose the applicable option below. If you don't know, you can always request both.</p><p><strong>Audit logs from Axon Evidence</strong></p><ul><li>Audit logs for the period December 1, 2024 through the date this request is received, for the 10 most recently active users. <br />According to Axon's online user manual, through Axon Evidence agencies are able to view audit logs of individual officers to ascertain whether they have requested the use of Draft One, signed a Draft One liability disclosure or changed Draft One settings (<a href="https://my.axon.com/s/article/View-the-audit-trail-in-Axon-Evidence-Draft-One?language=en_US">https://my.axon.com/s/article/View-the-audit-trail-in-Axon-Evidence-Draft-One?language=en_US</a>). In order to obtain these audit logs, you may follow the instructions on this Axon page: <a href="https://my.axon.com/s/article/View-the-audit-trail-in-Axon-Evidence-Draft-One?language=en_US">https://my.axon.com/s/article/Viewing-a-user-audit-trail?language=en_US</a>.<br />In order to produce a list of the 10 most recent active users, you may click the arrow next to "Last Active" then select the most 10 recent. The [...] menu item allows you to export the audit log. We would prefer these audits as .csv files if possible. <br />Alternatively, if you know the names of specific officers, you can name them rather than selecting the most recent.</li></ul><p>Or</p><p><strong>Audit logs from Axon Records and Axon Standards</strong></p><ul><li>According to Axon's online user manual, through Axon Records and Standards, agencies are able to view audit logs of individual officers to ascertain whether they have requested a Draft One draft or signed a Draft One liability disclosure. https://my.axon.com/s/article/View-the-audit-log-in-Axon-Records-and-Standards-Draft-One?language=en_US<br />To obtain these logs using the Axon Records Audit Tool, follow these instructions: https://my.axon.com/s/article/Audit-Log-Tool-Axon-Records?language=en_US<br />a. Audit logs for the period December 1, 2024 through the date this request is received for the first user who comes up when you enter the letter "M" into the audit tool. If no user comes up with M, please try "Mi." <br />b. Audit logs for the period December 1, 2024 through the date this request is received for the first user who comes up when you enter the letter "J" into the audit tool. If no user comes up with J, please try "Jo." <br />c. Audit logs for the period December 1, 2024 through the date this request is received for the first user who comes up when you enter the letter "S" into the audit tool. If no user comes up with S, please try "Sa."</li></ul><p>You could also tell the agency you are only interested in Draft One related items, which may save the agency time in reviewing and redacting the documents.</p></td></tr> </table><p><span>Generally, many of the basic actions a police officer takes using Axon technology — whether it's signing in, changing a password, accessing evidence or uploading BWC footage — is logged in the system. </span></p><p><span>This also includes some actions when an officer uses Draft One. However, the system only logs three types of activities: requesting that Draft One generate a report, signing a Draft One liability disclosure, or changing Draft One's settings. And these reports are one of the only ways to identify which reports were written with AI and how widely the technology is used. </span></p><p><span>Unfortunately, Axon appears to have </span><a href="https://www.documentcloud.org/documents/25979141-frederick-police-deparmtent-email-re-media-request/?mode=document#document/p4"><span>designed its system</span></a><span> so that administrators cannot create a list of all Draft One activities taken by the entire police force. Instead, all they can do is view an individual officer's audit log to see when they used Draft One or look at the log for a particular piece of evidence to see if Draft One was used. These can be exported as a spreadsheet or a PDF. (When the Frederick Police Department asked Axon how to create a list of Draft One reports, the Axon rep </span><a href="https://www.documentcloud.org/documents/25979141-frederick-police-deparmtent-email-re-media-request/?mode=document#document/p4"><span>told</span></a><span> them that feature wasn't available and they would have to follow the above method. "To set expectations, it’s not going to be graceful, but this wasn’t a scenario we anticipated needing to make easy," Axon wrote in August 2024, then suggested it might come up with a long-term solution. We emailed Axon back in March to see if this was still the case, but they did not provide a response.) </span></p><p><span>Here's an excerpt from a PDF version from the </span><a href="https://www.documentcloud.org/projects/221792-bishop-police-department-axon-draft-one-records/"><span>Bishop Police Department</span></a><span> in California:</span></p><p class="center-image"><span><img src="/files/2025/07/07/image7.png" width="629" height="693" alt="A document titled &quot;Audit Trail&quot; for user Brian Honenstein that has entries on February 6, 2025 for &quot;Draft One Request Received&quot; and &quot;Signed for a Draft One Liability Disclosure&quot;" title="A document titled &quot;Audit Trail&quot; for user Brian Honenstein that has entries on February 6, 2025 for &quot;Draft One Request Received&quot; and &quot;Signed for a Draft One Liability Disclosure&quot;" /></span></p><p><span>Here are some additional audit log examples: </span></p><ul><li><a href="https://www.muckrock.com/foi/campbell-3137/axon-draft-one-reports-audit-logs-and-settings-campbell-police-department-183078/#files">Campbell Police Department, California</a> (XLSX)</li><li><a href="https://www.muckrock.com/foi/lafayette-12781/axon-draft-one-reports-audit-logs-and-settings-lafayette-police-department-183103/#files">Lafayette Police Department, Indiana</a> (XLSX)</li><li><a href="https://www.documentcloud.org/projects/221986-bishop-police-department-axon-draft-one-audit-logs/">Bishop Police Department, California</a> (PDF)</li><li><a href="https://www.muckrock.com/foi/pasco-8475/axon-draft-one-reports-audit-logs-and-settings-pasco-police-department-183107/#files">Pasco Police Department, Washington</a> (CSV)</li></ul><p><span>If you know the name of an individual officer, you can try to request their audit logs to see if they used Draft One. Since we didn't have a particular officer in mind, we had to get creative. </span></p><p><span>An agency may manage their documents with one of a few different Axon offerings: Axon Evidence, Axon Records, or Axon Standards. The process for requesting records is slightly different depending on which one is used. We dug through the user manuals and came up with a few ways to export a random(ish) example. We also linked the manuals and gave clear instructions for the records officers.</span></p><p><span>With Axon Evidence, an administrator can simply sort the system to show the 10 most recent users then export their usage logs. With Axon Records/Standard, the administrator has to start typing in a name and then it auto-populates with suggestions. So, we ask them to export the audit logs for the first few users who came up when they typed the letters M, J, and S into the search (since those letters are common at the beginning of names). </span></p><p><span><span>Unfortunately, this method is a little bit of a gamble. Many officers still aren't using Draft One, so you may end up with hundreds of pages of logs that don't mention Draft One at all (as was the case with the </span><a href="https://www.documentcloud.org/documents/25976993-25-0888redacted-redacted/"><span>records</span></a><span> we received from Monroe County, NY). </span></span></p><h3><span><span>3. Settings</span></span></h3><table> <tr><td><p><span><strong>Language to try in your public records request: </strong></span></p><ul><li>A copy of all settings and configurations made by this agency in its use of the Axon Draft One platform, including all opt-in features that the department has elected to use and the incident types for which the software can be used. A screen capture of these settings will suffice.</li></ul></td></tr> </table><p><span>We knew the Draft One system offers department managers the option to customize how it can be used, including the categories of crime for which reports can be generated and whether or not there is a disclaimer automatically added to the bottom of the report disclosing the use of AI in its generation. So we asked for a copy of these settings and configurations. In some cases, agencies claimed this was exempted from their public records laws, while other agencies did provide the information. </span><a href="https://www.documentcloud.org/documents/25979291-campbell-pd-draft-one-settings/"><span>Here</span></a><span> is an example from the Campbell Police Department in California: </span></p><p class="center-image"><span><img src="/files/2025/07/07/image11.png" width="780" height="815" alt="A screengrab of the settings menu within Draft One, with &quot;Default acknowledgement,&quot; &quot;Narration as input for Draft One, and &quot;Default Footer&quot; selected." title="A screengrab of the settings menu within Draft One, with &quot;Default acknowledgement,&quot; &quot;Narration as input for Draft One, and &quot;Default Footer&quot; selected." /></span></p><p><span>(It's worth noting that while Campbell does require each police report to contain a disclosure that Draft One was used, the California Public Records Act exempts police reports from being released.)</span></p><p><span>Examples of settings: </span></p><ul><li><a href="https://www.documentcloud.org/documents/25984492-bishop-draft-one-settings-png/"><span>Bishop Police Department, California</span></a></li><li><a href="https://www.documentcloud.org/documents/25979291-campbell-pd-draft-one-settings/"><span>Campbell Police Department, California </span></a></li><li><a href="https://www.documentcloud.org/documents/25984484-pasco-police-draft-one-settings/"><span>Pasco Police Department, Washington</span></a></li></ul><h3>4. Procurement-related Documents and Agreements</h3><table> <tr><td><p><strong>Language to try in your public records request:</strong></p><ul><li>All contracts, memorandums of understanding, and any other written agreements between this agency and Axon related to the use of Draft One, Narrative Assistant, or any other AI-assisted report generation tool provided by Axon. Responsive records include all associated amendments, exhibits, and supplemental and supporting documentation, as well as all relevant terms of use, licensing agreements, and any other guiding materials. If access to Draft One or similar tools is being provided via an existing contract or through an informal agreement, please provide the relevant contract or the relevant communication or agreement that facilitated the access. This includes all agreements, both formal and informal, including all trial access, even if that access does not or did not involve financial obligations.</li></ul></td></tr> </table><p><span>It can be helpful to know how much Draft One costs, how many user licenses the agency paid for, and what the terms of the agreement are. That information is often contained in records related to the contracting process. Agencies will often provide these records with minimal pushback or redactions. Many of these records may already be online, so a requester can save time and effort by looking around first. These are often found in city council agenda packets. Also, law enforcement agencies often will bump these requests to the city or county clerk instead. </span></p><p><span>Here's an excerpt from the<a href="https://www.documentcloud.org/documents/25976635-25-0949-packet/"> Monroe County Sheriff's Office</a> in New York:</span></p><p class="center-image"><span><img src="/files/2025/07/07/image9.png" width="701" height="777" alt="An Axon purchasing agreement indicating the agency is adding Draft One to its existing suite of services. " title="An Axon purchasing agreement indicating the agency is adding Draft One to its existing suite of services. " /></span></p><p><span>These kinds of procurement records describe the nature and cost of the relationship between the police department and the company. They can be very helpful for understanding how much a continuing service subscription will cost and what else was bundled in as part of the purchase. Draft One, so far, is often accessed as an additional feature along with other Axon products. </span></p><p>We received too many documents to list them all, but <a href="https://www.documentcloud.org/documents/25976599-111224-bwc-contract-dacono-signed-cora/">here</a> is a representative example of some of the other documents you might receive, courtesy of the Dacono Police Department in Colorado.</p><h3><span>5. Training, Manuals and Policies</span></h3><table> <tr><td><p>All training materials relevant to Draft One or Axon Narrative Assistant generated by this agency, including but not limited to:</p><ul><li>All training material provided by Axon to this agency regarding its use of Draft One;</li><li>All internal training materials regarding the use of Draft One;</li><li>All user manuals, other guidance materials, help documents, or related materials;</li><li>Guides, safety tests, and other supplementary material that mention Draft One provided by Axon from January 1, 2024 and the date this request is received;</li><li>Any and all policies and general orders related to the use of Draft One, the Narrative Assistant, or any other AI-assisted report generation offerings provided by Axon (An example of one such policy can be found here: <a href="https://cdn.muckrock.com/foia_files/2024/11/26/608_Computer_Software_and_Transcription-Assisted_Report_Generation.pdf">https://cdn.muckrock.com/foia_files/2024/11/26/608_Computer_Software_and_Transcription-Assisted_Report_Generation.pdf</a>).</li></ul></td></tr> </table><p><span>In addition to seeing when Draft One was used and how it was acquired, it can be helpful to know what rules officers must follow, what directions they're given for using it, and what features are available to users. That's where manuals, policies and training materials come in handy. </span></p><p><span>User manuals are typically going to come from Axon itself. In general, if you can get your hands on one, this will help you to better understand the mechanisms of the system, and it will help you align the way you craft your request with the way the system actually works. Luckily, Axon has published many of the materials </span><a href="https://my.axon.com/s/draft-one?language=en_US"><span>online</span></a><span> and we've already obtained the user manual from multiple agencies. However, Axon does update the manual from time to time, so it can be helpful to know which version the agency is working from. </span></p><p><span>Here's one from December 2024:</span></p><ul><li><p><a href="https://www.documentcloud.org/documents/25973560-dacono-police-department-axon-draft-one-user-guide/">Dacono Police Department - Axon Draft One User Guide</a></p></li></ul><p><span>Policies are internal police department guidance for using Draft One. Not all agencies have developed a policy, but the ones they do have may reveal useful information, such as other records you might be able to request. Here are some examples: </span></p><ul><li><a href="https://www.documentcloud.org/documents/25972395-palm-beach-county-sheriffs-office-axon-draft-one-general-order/">Palm Beach County Sheriff's Office General Order 563 - Axon Draft One</a></li><li><a href="https://www.documentcloud.org/documents/25972391-colorado-springs-police-department-general-order-1904-use-of-specialized-axon-system/">Colorado Springs Police Department General Order 1904 - Use of Specialized Axon System</a></li><li><a href="https://www.documentcloud.org/documents/25972390-lake-havasu-police-department-report-preparation/">Lake Havasu Police Department Policy 342 - Report Preparation</a></li><li><a href="https://www.documentcloud.org/documents/25972389-campbell-police-department-report-preparation/">Campbell Police Department Policy 344 - Report Preparation</a></li><li><a href="https://www.lafayette.in.gov/DocumentCenter/View/18516/2025-Policy-Manualpdf#page=186&amp;zoom=auto,-129,760">Lafayette Police Department Policy 608 - Computer Software and Transcription-Assisted Report Generation</a></li></ul><p><span>Training and user manuals also might reveal crucial information about how the technology is used. In some cases these documents are provided by Axon to the customer. These records may illuminate the specific direction that departments are emphasizing about using the product. </span></p><p class="center-image"><span><img src="/files/2025/07/07/image5.png" width="1476" height="826" alt=" &quot;A Dummies Guide to AI in Police Report Writing&quot; from the Pasco Police Department" title=" &quot;A Dummies Guide to AI in Police Report Writing&quot; from the Pasco Police Department" /></span></p><p><span>Here are a few examples of training presentations:</span></p><ul><li><a href="https://www.documentcloud.org/documents/25972388-colorado-springs-police-department-2025-q1-draft-one-training/">Colorado Springs Police Department 2025-Q1-Draft-One-Training</a></li><li><a href="https://www.documentcloud.org/documents/25972394-palm-beach-county-sheriffs-pffice-axon-draft-one-training-material/">Palm Beach County Sheriff's Office - Axon Draft One Training Material</a></li><li><a href="https://www.documentcloud.org/documents/25976921-pasco-police-department-2024-axon-draft-one-presentation/">Pasco Police Department - Axon Draft One Presentation</a></li></ul><h3><span> 6. Evaluations</span></h3><table> <tr><td><p><span><strong>Language to try in your public records request:</strong></span></p><ul><li>All final reports, evaluations, reports, or other documentation concluding or summarizing a trial or evaluation period or pilot project</li></ul></td></tr> </table><p><span>Many departments are getting access to Draft One as part of a trial or pilot program. The outcome of those experiments with the product can be eye-opening or eyebrow-raising. There might also be additional data or a formal report that reviews what the department was hoping to get from the experience, how they structured any evaluation of its time-saving value for the department, and other details about how officers did or did not use Draft One. </span></p><p><span>Here are some examples we received: </span></p><ul><li><a href="https://www.documentcloud.org/documents/25973591-lake-havasu-police-department-draft-one-report-redacted-2/">The Effect of Artificial Intelligence has on Time Spent Writing Reports: An analysis of data from the Lake Havasu City Police Department</a></li><li><a href="https://www.eff.org/files/2025/06/16/colorado_springs_police_department_-_axon_draft_one_user_data.zip">Colorado Springs Police Department: Spreadsheets measuring amount of time officers spent writing reports versus using Draft One</a> (zip) </li></ul><h3>7. Communications</h3><table> <tr><td><p><span><strong>Language to try in your public records request:</strong></span></p><p>• All communications sent or received by any representative of this agency with individuals representing Axon referencing the following term, including emails and attachments:</p><ul><li>Draft One</li><li>Narrative Assistant</li><li>AI-generated report</li></ul><p>• All communications sent to or received by any representative of this agency with each of the following email addresses, including attachments:</p><ul><li>[INSERT EMAIL ADDRESSES]</li></ul><p>Note: We are not including the specific email addresses here that we used, since they are subject to change when employees are hired, promoted, or find new gigs. However, you can find the emails we used in our <a href="https://www.muckrock.com/foi/pasco-8475/axon-draft-one-records-pasco-police-department-182898/#comms">requests</a> on MuckRock.</p></td></tr> </table><p><span>The communications we wanted were primarily the emails between Axon and the law enforcement agency. As you can imagine, these emails could reveal the back-and-forth between the company and its potential customers, and these conversations could include the marketing pitch made to the department, the questions and problems police may have had with it, and more. </span></p><p><span>In some cases, these emails reveal cozy relationships between salespeople and law enforcement officials. Take, for example, this </span><a href="http://www.documentcloud.org/documents/25976460-dickinson-police-department-emails-with-axon/"><span>email exchange</span></a><span> between the Dickinson Police Department and an Axon rep: </span></p><p class="center-image"><span><img src="/files/2025/07/07/image6.png" width="820" height="1016" alt="An email exchange in which a Dickinson Police officer invites an Axon rep to a golf tournament, and the Axon rep calls him &quot;brother.&quot;" title="An email exchange in which a Dickinson Police officer invites an Axon rep to a golf tournament, and the Axon rep calls him &quot;brother.&quot;" /></span></p><p><span><span>Or this </span><a href="https://www.documentcloud.org/documents/25979172-frederick-police-department-re-draft-one-guardrails-issue/"><span>email</span></a><span> between a Frederick Police Department sergeant and an Axon representative, in which a sergeant describes himself as "doing sales" for Axon by providing demos to other agencies. </span></span></p><p class="center-image"><span><span><img src="/files/2025/07/07/image8.png" width="1098" height="496" alt="An email from a Frederick Police Officer to an Axon rep. " title="An email from a Frederick Police Officer to an Axon rep. " /></span></span></p><p class="center-image"><i><span>A machine readable text version of this email is available <a href="https://www.documentcloud.org/documents/25979172-frederick-police-department-re-draft-one-guardrails-issue/?mode=text">here</a>.</span></i></p><p><span>Emails like this also show what other agencies are considering using Draft One in the future. For example, in this </span><a href="https://www.documentcloud.org/documents/25976571-campbell-police-department-email-axon-draft-one-materials-sfpd-r-1/"><span>email</span></a><span> we received from the Campbell Police Department shows that the San Francisco Police Department was testing Draft One as early as October 2024 (the usage was confirmed in June 2025 by the </span><a href="https://sfstandard.com/2025/06/10/sfpd-using-ai-police-reports/"><i><span>San Francisco Standard</span></i></a><i><span>)</span></i><span>.</span></p><p class="center-image"><span> <img src="/files/2025/07/07/image1.png" width="761" height="721" alt="An SFPD email asking for advice on using Draft One." title="An SFPD email asking for advice on using Draft One." /></span></p><p class="center-image"><i><i><span>A machine readable text version of this email is available </span></i><a href="https://www.documentcloud.org/documents/25976571-campbell-police-department-email-axon-draft-one-materials-sfpd-r-1/?mode=text"><i><span>here</span></i></a><i><span>.</span></i></i></p><p>Your mileage will certainly vary for these email requests, in part because the ability for agencies to search their communications can vary. Some agencies can search by a keyword like "Draft One” or "Axon" and while other agencies can only search by the specific email address. </p><p>Communications can be one of the more expensive parts of the request. We've found that adding a date range and key terms or email addresses has helped limit these costs and made our requests a bit clearer for the agency. Axon sends a lot of automated emails to its subscribers, so the agency may quote a large fee for hundreds or thousands of emails that aren't particularly interesting. Many agencies respond positively if a requester reaches out to say they're open to narrowing or focusing their request. </p><h3>Asking for Body-Worn Camera Footage </h3><p>One of the big questions is how do the Draft One-generated reports compare to the BWC audio the narrative is based on? Are the reports accurate? Are they twisting people's words? Does Draft One hallucinate?</p><p>Finding these answers requires both obtaining the police report and the footage of the incident that was fed into the system. The laws and process for obtaining BWC footage vary dramatically state to state, and even department to department. Depending on where you live, it can also get expensive very quickly, since some states allow agencies to charge you not only for the footage but the time it takes to redact the footage. So before requesting footage, read up on your state’s public access laws or consult a lawyer.</p><p>However, once you have a copy of a Draft One report, you should have enough information to file a follow-up request for the BWC footage. </p><p>So far, EFF has not requested BWC footage. In addition to the aforementioned financial and legal hurdles, the footage can implicate both individual privacy and transparency regarding police activity. As an organization that advocates for both, we want to make sure we get this balance right. Afterall, BWCs are a surveillance technology that collects intelligence on suspects, victims, witnesses, and random passersby. When the Palm Beach County Sheriff's Office gave us an AI-generated account of a teenager being hospitalized for suicidal ideations, we of course felt that the minor's privacy outweighed our interest in evaluating the AI. But do we feel the same way about a Draft One-generated narrative about a spring break brawl in Lake Havasu? </p><p>Ultimately, we may try to obtain a limited amount of BWC footage, but we also recognize that we shouldn't make the public wait while we work it out for ourselves. Accountability requires different methods, different expertise, and different interests, and with this guide we hope to not only shine light on Draft One, but to provide the schematics for others–including academics, journalists, and local advocates–to build their own spotlights to expose police use of this problematic technology.</p><h3>Where to Find More Docs </h3><p>Despite the variation in how agencies responded, we did have some requests that proved fruitful. You can find these requests and the documents we got via the linked police department names below.</p><p>Please note that we filed two different types of requests, so not all the elements above may be represented in each link.</p><p><b>Via Document Cloud (PDFs)</b></p><ul><li><a href="https://www.documentcloud.org/projects/221787-dacono-police-department-axon-draft-one-records/">Dacono Police Department, Colorado</a></li><li><a href="https://www.documentcloud.org/projects/221788-mount-vernon-police-department-axon-draft-one-records/">Mount Vernon Police Department, Illinois</a></li><li><a href="https://www.documentcloud.org/projects/221789-monroe-county-sheriff-draft-one-records/">Monroe County Sheriff's Office, New York</a></li><li><a href="https://www.documentcloud.org/projects/221790-joliet-police-department-axon-draft-one-records/">Joliet Police Department, Illinois</a></li><li><a href="https://www.documentcloud.org/projects/221791-elgin-police-department-axon-draft-one-records/">Elgin Police Department, Illinois</a></li><li><a href="https://www.documentcloud.org/projects/221792-bishop-police-department-axon-draft-one-records/">Bishop Police Department, California</a></li><li><a href="https://www.documentcloud.org/projects/221784-palm-beach-county-sheriffs-office-draft-one-reports-redacted/">Palm Beach County Sheriff's Office</a></li><li><a href="https://www.documentcloud.org/projects/221775-lake-havasu-city-police-department-draft-one-report-redacted/">Lake Havasu City Police Department, Arizona</a></li><li><a href="https://www.documentcloud.org/documents/25976460-dickinson-police-department-emails-with-axon/">Dickinson Police Department, ND</a> </li><li><a href="https://www.documentcloud.org/projects/221800-firestone-police-department-axon-draft-one-records/">Firestone Police Department, Colo.</a></li><li>Frederick Police Department (<a href="https://www.documentcloud.org/projects/221983-frederick-pd-draft-one-emails/">DocumentCloud</a> and <a href="https://drive.google.com/drive/folders/1dkjyEDanznxVV8Q0Ihq1oNgx-WPUwVQE?usp=sharing">Google Drive</a>. Frederick provided us a large number of emails in a difficult-to-manage PST format. We unpacked that PST into individual EML files. Because the agency did a keyword search, you may find that some of the emails are not relevant to the issue, but do include the term "draft one." To reduce the noise, we removed emails that were generated prior to the existence of Draft One. We also removed emails that contained police reports with PII. We redacted those reports and <a href="https://www.documentcloud.org/documents/25979138-frederick-police-departent-24fe000605-redacted/">uploaded</a> <a href="https://www.documentcloud.org/documents/25979137-lone-tree-police-department-report-24-3778-redacted/">them</a> independently. While Document Cloud allowed us to convert EML files to PDF files, it did not allow us to keep the relationship between the emails and attachments. You can find those records with the relationships somewhat maintained in Google Drive.)</li></ul><p><b>Via MuckRock (Assorted filetypes)</b></p><ul><li>Pasco Police Department, Washington (<a href="https://www.muckrock.com/foi/pasco-8475/axon-draft-one-records-pasco-police-department-182898/#files">Part 1</a>,<a href="https://www.muckrock.com/foi/pasco-8475/axon-draft-one-reports-audit-logs-and-settings-pasco-police-department-183107/#"> Part 2</a>)</li><li><a href="https://www.muckrock.com/foi/colorado-springs-5791/axon-draft-one-records-colorado-springs-police-department-182890/#files">Colorado Springs Police Department, Colorado</a></li><li><a href="https://www.muckrock.com/foi/fort-collins-5829/axon-draft-one-records-city-of-fort-collins-police-department-182897/#comms">Fort Collins Police Department, Colorado</a></li><li>Campbell Police Department, California (<a href="https://www.muckrock.com/foi/campbell-3137/axon-draft-one-records-campbell-police-department-182886/">Part 1</a>, <a href="https://www.muckrock.com/foi/campbell-3137/axon-draft-one-reports-audit-logs-and-settings-campbell-police-department-183078/">Part 2</a>)</li><li><a href="https://www.muckrock.com/foi/lafayette-12781/axon-draft-one-reports-audit-logs-and-settings-lafayette-police-department-183103/">Lafayette Police Department, Indiana</a></li><li><a href="https://www.muckrock.com/foi/east-palo-alto-3194/axon-draft-one-records-east-palo-alto-police-department-182883/#comms">East Palo Alto Police Department, California</a></li></ul><p>Special credit goes to EFF Research Assistant Jesse Cabrera for public records request coordination. </p> </div></div></div></description> <pubDate>Thu, 10 Jul 2025 16:00:24 +0000</pubDate> <guid isPermaLink="false">110870 at https://www.eff.org</guid> <dc:creator>Dave Maass</dc:creator> <dc:creator>Beryl Lipton</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/robot-robot-1.png" alt="a robot writing a police report " type="image/png" length="46848" /> </item> <item> <title>It's EFF's 35th Anniversary (And We're Just Getting Started)</title> <link>https://www.eff.org/deeplinks/2025/07/its-effs-35th-anniversary-and-were-just-getting-started</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><a href="https://www.eff.org/35">Today we celebrate 35 years of EFF</a> bearing the torch for digital rights against the darkness of the world, and I couldn’t be prouder. EFF was founded at a time when governments were hostile toward technology and clueless about how it would shape your life. While threats from state and commercial forces grew alongside the internet, so too did EFF’s expertise. Our mission has become even larger than pushing back on government ignorance and increasingly dangerous corporate power. In this moment, we're doing our part to preserve the necessities of democracy: privacy, free expression, and due process. It's about guarding the security of our society, along with our loved ones and the vulnerable communities around us.</p><p><a href="https://eff.org/r.l8mw">With the support of EFF’s members</a>, we use law, technology, and activism to create the conditions for human rights and civil liberties to flourish, and for repression to fail.</p><p class="pull-quote">In this moment, we're doing our part to preserve the necessities of democracy: privacy, free expression, and due process.</p><p>EFF believes in commonsense freedom and fairness. We’re working toward an environment where your technology works the way you want it to; you can move through the world without the threat of surveillance; and you can have private conversations with the people you care about and support the causes you believe in. We’ve won many fights for encryption, free expression, innovation, and your personal data throughout the years. The opposition is tough, but—with a powerful vision for a better future and <a href="https://eff.org/r.l8mw">you on our side</a>—EFF is formidable.</p><p>Throughout EFF’s year-long 35th Anniversary celebration, our dedicated activists, investigators, technologists, and attorneys will share the lessons from EFF’s long and rich history so that we can help overcome the obstacles ahead. Thanks to you, EFF is here to stay.</p><h2>Together for the Digital Future</h2><p><a href="https://eff.org/r.l8mw">As a member-supported nonprofit</a>, everything EFF does depends on you. Donate to help fuel the fight for privacy, free expression, and a future where we protect digital freedom for everyone.</p><p class="take-action"><a href="https://eff.org/r.l8mw">JOIN EFF</a></p><p>Powerful forces may try to chip away at your rights—but when we stand together, we win.</p><p></p><center><a href="https://eff.org/r.l8mw"><img src="https://www.eff.org/files/2025/06/05/shirts-both-necklines-wider-square-750px.jpg" title="Get 35th Anniversary Member Swag and More When You Join" /></a></center><br /><h2>Watch Today: EFFecting Change Live</h2><p>Just hours from now, join me for the <a href="https://www.eff.org/event/effecting-change-eff-turns-35">35th Anniversary edition of our EFFecting Change livestream</a>. I’m leading this Q&amp;A with EFF Director for International Freedom of Expression Jillian York, EFF Legislative Director Lee Tien, and Professor and EFF Board Member Yoshi Kohno. Together, we’ve seen it all and today we hope you'll join us for what’s next.</p><p class="take-action"><strong><a href="https://livestream.eff.org">WATCH LIVE</a></strong></p><p class="take-explainer"><strong>11:00 AM Pacific (<em><a href="https://dateful.com/eventlink/1636667650">check local time</a></em>)</strong></p><p>EFF supporters around the world sustain our mission to defend technology creators and users. Thank you for being a part of this community and helping it thrive.</p> </div></div></div></description> <pubDate>Thu, 10 Jul 2025 07:03:16 +0000</pubDate> <guid isPermaLink="false">110884 at https://www.eff.org</guid> <dc:creator>Cindy Cohn</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/circuit-city-og-static.png" alt="Green EFF 35th Anniversary digital cityscape on a black background." type="image/png" length="189965" /> </item> <item> <title>Data Brokers are Selling Your Flight Information to CBP and ICE </title> <link>https://www.eff.org/deeplinks/2025/07/data-brokers-are-selling-your-flight-information-cbp-and-ice</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>For many years, </span><a href="https://www.eff.org/deeplinks/2025/06/why-are-hundreds-data-brokers-not-registering-states"><span>data brokers</span></a><span> have existed in the shadows, exploiting gaps in privacy laws to harvest our information—all for their own profit. They sell our </span><a href="https://www.eff.org/deeplinks/2022/06/what-fog-data-science-why-surveillance-company-so-dangerous"><span>precise movements</span></a><span> without our knowledge or meaningful consent to a variety of private and state actors, including law enforcement agencies. And they show no sign of stopping.</span></p><p><span>This incentivizes other bad actors. If companies collect any kind of personal data and want to make a quick buck, there’s a data broker willing to buy it and sell it to the highest bidder–often law enforcement and intelligence agencies.</span></p><p><span>One </span><a href="https://www.404media.co/airlines-dont-want-you-to-know-they-sold-your-flight-data-to-dhs/"><span>recent investigation by 404 Media</span></a><span> revealed that the Airlines Reporting Corporation (ARC), a data broker </span><a href="https://www.documentcloud.org/documents/25964404-ice-documents-on-arc/"><span>owned and operated</span></a><span> by at least eight major U.S. airlines, including United Airlines and American Airlines, collected travelers’ domestic flight records and </span><a href="https://www.wired.com/story/airlines-dont-want-you-to-know-they-sold-your-flight-data-to-dhs/"><span>secretly sold access</span></a><span> to U.S. Customs and Border Protection (CBP). Despite selling passengers’ names, full flight itineraries, and financial details, the data broker prevented U.S. border forces from revealing it as the origin of the </span><a href="http://information.so"><span>information.</span></a><span> So, not only is the government doing </span><a href="https://www.brennancenter.org/our-work/research-reports/closing-data-broker-loophole"><span>an end run</span></a><span> around the Fourth Amendment to get information where they would otherwise need a warrant<span>—</span>they’ve also been trying to hide how they know these things about us. </span></p><p><span>ARC’s </span><a href="https://govtribe.com/opportunity/federal-contract-opportunity/travel-intelligence-program-70cmsd25p00000033"><span>Travel Intelligence Program (TIP)</span></a> <a href="https://www.documentcloud.org/documents/25965376-raven-pia-update/"><span>aggregates</span></a><span> passenger data and contains more than one billion records spanning 39 months of past and future travel by both U.S. and non-U.S. citizens. CBP, which sits within the U.S. Department of Homeland Security (DHS), claims it needs this data to support local and state police keeping track of </span><a href="https://www.documentcloud.org/documents/25965393-cbp-statement-of-work-for-arc/"><span>people of interest</span></a><span>. But at a time of </span><a href="https://www.nbcnews.com/news/world/trump-immigration-detained-visitors-border-search-device-visa-passport-rcna197736"><span>growing concerns</span></a><span> about increased immigration enforcement at U.S. ports of entry, including unjustified searches, law enforcement officials will use this additional surveillance tool to expand the web of suspicion to even larger numbers of innocent travelers. </span></p><p><span>More than </span><a href="https://redact.dev/blog/meet-the-airline-owned-data-broker-selling-over-50-of-flight-data-to-ice"><span>200 airlines</span></a><span> settle tickets through ARC, with information on more than 54% of flights taken globally. ARC’s </span><a href="https://www2.arccorp.com/about-us/leadership-governance?utm_source=Global_Navigation#board-of-directors"><span>board of directors</span></a><span> includes representatives from U.S. airlines like JetBlue and Delta, as well as international airlines like Lufthansa, Air France, and Air Canada. </span></p><p><span>In selling law enforcement agencies bulk access to such sensitive information, these airlines—through their data broker—are putting their own profits over travelers' privacy. U.S. Immigration and Customs Enforcement (ICE) recently </span><a href="https://www.levernews.com/airlines-are-collecting-your-data-and-selling-it-to-ice/"><span>detailed its own</span></a><span> purchase of personal data from ARC. In the current climate, this can have a detrimental impact on people’s lives. </span></p><p><span>Movement unrestricted by governments is a hallmark of a free society. In our current moment, when the federal government is threatening legal consequences based on people’s </span><a href="https://www.cfr.org/article/guide-countries-trumps-2025-travel-ban-list"><span>national</span></a><span>, </span><a href="https://www.aclu-wa.org/pages/timeline-muslim-ban"><span>religious</span></a><span>, and </span><a href="https://www.theguardian.com/us-news/2025/jul/01/trump-zohran-mamdani-citizenship"><span>political</span></a><span> affiliations, having air travel in and out of the United States tracked by any ARC customer is a recipe for state retribution. </span></p><p><span>Sadly, data brokers are doing even broader harm to our privacy. </span><a href="https://www.404media.co/location-data-firm-offers-to-help-cops-track-targets-via-doctor-visits/"><span>Sensitive location data</span></a><span> is harvested from smartphones and sold to cops, </span><a href="https://www.404media.co/us-counterintel-buys-netflow-data-team-cymru-track-vpns/"><span>internet backbone data</span></a><span> is sold to federal counterintelligence agencies, and </span><a href="https://www.washingtonpost.com/technology/2021/02/26/ice-private-utility-data/"><span>utility databases</span></a><span> containing phone, water, and electricity records are shared with ICE officers. </span></p><p><span>At a time when immigration authorities are eroding fundamental freedoms through increased—and arbitrary—actions at the U.S. border, this news further exacerbates concerns that creeping authoritarianism can be fueled by the extraction of our most personal data—all without our knowledge or consent.</span></p><p><span>The new revelations about ARC’s data sales to CBP and ICE is a fresh reminder of the need for “</span><a href="https://www.eff.org/wp/privacy-first-better-way-address-online-harms"><span>privacy first</span></a><span>” legislation that imposes consent and minimization limits on corporate processing of our data. We also need to pass the “</span><a href="https://www.eff.org/deeplinks/2024/04/fourth-amendment-not-sale-act-passed-house-now-it-should-pass-senate"><span>Fourth Amendment is not for sale</span></a><span>” act to stop police from bypassing judicial review of their data seizures by means of purchasing data from brokers. And let’s enforce </span><a href="https://www.eff.org/deeplinks/2025/06/why-are-hundreds-data-brokers-not-registering-states"><span>data broker registration</span></a><span> laws. </span></p> </div></div></div></description> <pubDate>Wed, 09 Jul 2025 23:06:47 +0000</pubDate> <guid isPermaLink="false">110881 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Paige Collings</dc:creator> <dc:creator>Matthew Guariglia</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/locationdata_v2.mov1_.gif" alt="An animated image showing location pins dropping onto a street map from above, tracing several paths" type="image/gif" length="2071190" /> </item> <item> <title>Electronic Frontier Foundation to Present Annual EFF Awards to Just Futures Law, Erie Meyer, and Software Freedom Law Center, India</title> <link>https://www.eff.org/press/releases/electronic-frontier-foundation-present-annual-eff-awards-just-futures-law-erie-meyer</link> <description><div class="field field--name-field-pr-subhead field--type-text field--label-hidden"><div class="field__items"><div class="field__item even">2025 Awards Will Be Presented in a Live Ceremony Wednesday, Sept. 10 in San Francisco </div></div></div><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">SAN FRANCISCO—The Electronic Frontier Foundation (EFF) is honored to announce that Just Futures Law, Erie Meyer, and Software Freedom Law Center, India will receive the 2025 EFF Awards for their vital work in ensuring that technology supports privacy, freedom, justice, and innovation for all people. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">The EFF Awards recognize specific and substantial technical, social, economic, or cultural contributions in diverse fields including journalism, art, digital access, legislation, tech development, and law. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto"> The EFF Awards ceremony will start at 6 p.m. PT on Wednesday, Sept. 10, 2025 at the San Francisco Design Center Galleria, 101 Henry Adams St. in San Francisco. Guests can register at </span><a href="http://www.eff.org/effawards" target="_blank" rel="noopener noreferrer"><span data-contrast="none">http://www.eff.org/effawards</span></a><span data-contrast="auto">. </span><span data-contrast="auto">The ceremony will</span><span data-contrast="auto"> be recorded and shared online on Sept. 12.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">For the past 30 years, the EFF Awards—previously known as the Pioneer Awards—have recognized and honored key leaders in the fight for freedom and innovation online. Started when the internet was new, the Awards now reflect the fact that the online world has become both a necessity in modern life and a continually evolving set of tools for communication, organizing, creativity, and increasing human potential.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">“Whether fighting the technological abuses that abet criminalization, detention, and deportation of immigrants and people of color, or working and speaking out fearlessly to protect Americans’ data privacy, or standing up for digital rights in the world’s most populous country, all of our 2025 Awards winners contribute to creating a brighter tech future for humankind,” EFF Executive Director Cindy Cohn said. “We hope that this recognition will bring even more support for each of these vital efforts.”</span><span data-ccp-props="{}"> </span></p><h3><b><span data-contrast="auto">Just Futures Law: Leading Immigration and Surveillance Litigation</span></b><span data-ccp-props="{}"> </span></h3><p><a href="https://www.justfutureslaw.org/" target="_blank" rel="noopener noreferrer"><span data-contrast="none"><div class="media media-element-container media-wysiwyg_medium media-wysiwyg-align-right"><div id="file-57850" class="file file-image file-image-png" class="file file-image file-image-png"> <h2 class="element-invisible"><a href="/file/jfliconmediumpng-0">jfl_icon_medium.png</a></h2> <div class="content"> <img alt="Just Futures Law logo" title="Just Futures Law logo" class="media-element file-wysiwyg-medium" data-delta="4" src="https://www.eff.org/files/styles/kittens_types_wysiwyg_medium/public/jfl_icon_medium_0.png?itok=G5-_C2Hy" width="250" height="250" /> </div> </div></div>Just Futures Law</span></a><span data-contrast="auto"> is a women-of-color-led law project that recognizes how surveillance disproportionately impacts immigrants and people of color in the United States. It uses litigation to fight back as part of defending and building the power of immigrant rights and criminal justice activists, organizers, and community groups to prevent criminalization, detention, and deportation of immigrants and people of color. Just Futures was founded in 2019 using a movement lawyering and racial justice framework and seeks to transform how litigation and legal support serves communities and builds movement power. </span><span data-ccp-props="240}"> </span></p><p><span data-contrast="auto">In the past year, Just Futures </span><a href="https://www.justfutureslaw.org/legal-filings/dhsaifoia" target="_blank" rel="noopener noreferrer"><span data-contrast="none">sued the Department of Homeland Security</span></a><span data-contrast="auto"> and its subagencies seeking a court order to compel the agencies to release records on their use of AI and other algorithms, and </span><a href="https://www.justfutureslaw.org/legal-filings/tpshaiti" target="_blank" rel="noopener noreferrer"><span data-contrast="none">sued the Trump Administration</span></a><span data-contrast="auto"> for prematurely halting Haiti’s Temporary Protected Status, a humanitarian program that allows hundreds of thousands of Haitians to temporarily remain and work in the United States due to Haiti’s current conditions of extraordinary crises. It has represented activists in their fight against tech giants like <a href="https://www.justfutureslaw.org/legal-filings/clearview" target="_blank" rel="noopener noreferrer">Clearview AI</a>, it has worked with </span><a href="https://mijente.net/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Mijente</span></a><span data-contrast="auto"> to launch the TakeBackTech fellowship to train new advocates on grassroots-directed research, and it has worked with </span><a href="https://www.grassrootsleadership.org/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Grassroots Leadership</span></a><span data-contrast="auto"> to fight for the release of detained individuals under </span><a href="https://en.wikipedia.org/wiki/Operation_Lone_Star" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Operation Lone Star</span></a><span data-contrast="auto">.</span><span data-ccp-props="240}"> </span></p><h3><b><span data-contrast="auto">Erie Meyer: Protecting Americans' Privacy</span></b><span data-ccp-props="240}"> </span></h3><p><span data-contrast="auto"><div class="media media-element-container media-wysiwyg_medium media-wysiwyg-align-right"><div id="file-57851" class="file file-image file-image-png" class="file file-image file-image-png"> <h2 class="element-invisible"><a href="/file/eriemeyerpng">eriemeyer.png</a></h2> <div class="content"> <img alt="Erie Meyer" title="Erie Meyer" class="media-element file-wysiwyg-medium" data-delta="5" src="https://www.eff.org/files/styles/kittens_types_wysiwyg_medium/public/eriemeyer.png?itok=rNIWzvWO" width="250" height="250" /> </div> </div></div>Erie Meyer is a Senior Fellow at the </span><a href="https://www.vanderbilt.edu/vanderbilt-policy-accelerator/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Vanderbilt Policy Accelerator</span></a><span data-contrast="auto"> where she focuses on the intersection of technology, artificial intelligence, and regulation, and a Senior Fellow at the </span><a href="https://www.law.georgetown.edu/tech-institute/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Georgetown Law Institute for Technology Law &amp; Policy</span></a><span data-contrast="auto">. She is former Chief Technologist at both the </span><a href="https://www.consumerfinance.gov/complaint/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Consumer Financial Protection Bureau</span></a><span data-contrast="auto"> (CFPB) and the </span><a href="https://www.ftc.gov/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Federal Trade Commission</span></a><span data-contrast="auto">. Earlier, she was senior advisor to the U.S. Chief Technology Officer at the White House, where she co-founded the </span><a href="https://www.usds.gov/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">United States Digital Service</span></a><span data-contrast="auto">, a team of technologists and designers working to improve digital services for the public. Meyer also worked as senior director at </span><a href="https://codeforamerica.org/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Code for America</span></a><span data-contrast="auto">, a nonprofit that promotes civic hacking to modernize government services, and in the Ohio Attorney General's office at the height of the financial crisis.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">Since January 20, Meyer has helped organize former government technologists to stand up for the privacy and integrity of governmental systems that hold Americans’ data. In addition to organizing others, she </span><a href="https://storage.courtlistener.com/recap/gov.uscourts.dcd.277287/gov.uscourts.dcd.277287.18.0_1.pdf" target="_blank" rel="noopener noreferrer"><span data-contrast="none">filed a declaration in federal court</span></a><span data-contrast="auto"> in February warning that 12 years of critical records could be irretrievably lost in the CFPB’s purge by the Trump Administration’s Department of Government Efficiency. In April, she filed </span><a href="https://storage.courtlistener.com/recap/gov.uscourts.mdd.577321/gov.uscourts.mdd.577321.111.9.pdf" target="_blank" rel="noopener noreferrer"><span data-contrast="none">a declaration in another case</span></a><span data-contrast="auto"> warning about using private-sector AI on government information. That same month, she </span><a href="https://oversight.house.gov/wp-content/uploads/2025/04/Testimony-of-Erie-Meyer-2.pdf" target="_blank" rel="noopener noreferrer"><span data-contrast="none">testified to the House Oversight Subcommittee on Cybersecurity, Information Technology, and Government Innovation</span></a><span data-contrast="auto"> that DOGE is centralizing access to some of the most sensitive data the government holds—Social Security records, disability claims, even data tied to national security—without a clear plan or proper oversight, warning that “DOGE is burning the house down and calling it a renovation.”</span><span data-ccp-props="279}"> </span></p><h3><b><span data-contrast="auto">Software Freedom Law Center, India: Defending Digital Freedoms</span></b><span data-ccp-props="{}"> </span></h3><p><a href="https://sflc.in/" target="_blank" rel="noopener noreferrer"><span data-contrast="none"><div class="media media-element-container media-wysiwyg_medium media-wysiwyg-align-right"><div id="file-57852" class="file file-image file-image-png" class="file file-image file-image-png"> <h2 class="element-invisible"><a href="/file/sflclogopng">sflc_logo.png</a></h2> <div class="content"> <img alt="Software Freedom Law Center, India logo" title="Software Freedom Law Center, India logo" class="media-element file-wysiwyg-medium" data-delta="6" src="https://www.eff.org/files/styles/kittens_types_wysiwyg_medium/public/sflc_logo.png?itok=XeqAf0IN" width="250" height="250" /> </div> </div></div>Software Freedom Law Center, India</span></a><span data-contrast="auto"> is a donor-supported legal services organization based in India that brings together lawyers, policy analysts, students, and technologists to protect freedom in the digital world. It promotes innovation and open access to knowledge by helping developers make great free and open-source software, protects privacy and civil liberties for Indians by educating and providing free legal advice, and helps policymakers make informed and just decisions about use of technology.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">Founded in 2010 by technology lawyer and online civil liberties activist </span><a href="https://mishichoudhary.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Mishi Choudhary</span></a><span data-contrast="auto">, SFLC.IN tracks and participates in litigation, AI regulations, and free speech issues that are defining Indian technology. It also tracks </span><a href="https://internetshutdowns.in/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">internet shutdowns</span></a><span data-contrast="auto"> and </span><a href="https://freespeech.sflc.in/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">censorship incidents</span></a><span data-contrast="auto"> across India, provides </span><a href="https://security.sflc.in/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">digital security training</span></a><span data-contrast="auto">, and has launched the </span><a href="https://ddn.sflc.in/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Digital Defenders Network</span></a><span data-contrast="auto">, a pan-Indian network of lawyers committed to protecting digital rights. It has conducted landmark litigation cases, petitioned the government of India on freedom of expression and internet issues, and campaigned for WhatsApp and Facebook to fix a feature of their platform that has been used to harass women in India.</span><span data-ccp-props="{}"> </span></p><p><b><span data-contrast="auto">To register for this event:</span></b><span data-contrast="auto"> </span><a href="http://www.eff.org/effawards" target="_blank" rel="noopener noreferrer"><span data-contrast="none">http://www.eff.org/effawards</span></a><span data-ccp-props="{}"> </span></p><p><b><span data-contrast="auto">For past honorees: </span></b><a href="https://www.eff.org/awards/past-winners" target="_blank" rel="noopener noreferrer"><span data-contrast="none">https://www.eff.org/awards/past-winners</span></a><span data-ccp-props="{}"> </span></p> </div></div></div></description> <pubDate>Wed, 09 Jul 2025 21:00:26 +0000</pubDate> <guid isPermaLink="false">110871 at https://www.eff.org</guid> <dc:creator>Josh Richman</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/eff-awards-2023.png" alt="EFF Awards text on circuitboard texture" type="image/png" length="139073" /> </item> <item> <title>EFF to US Court of Appeals: Protect Taxpayer Privacy</title> <link>https://www.eff.org/deeplinks/2025/07/eff-us-court-appeals-protect-taxpayer-privacy</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>EFF has filed an amicus brief in </span><i><span>Trabajadores v. Bessent</span></i><span>, a case concerning the Internal Revenue Service (IRS) sharing protected personal tax information with the Department of Homeland Security for the purposes of immigration enforcement. Our expertise in privacy and </span><span>data sharing</span><span> makes us the ideal organization to step in and inform the judge: government actions like this have real-world consequences. The IRS’s sharing, and especially bulk sharing, of data is improper and makes taxpayers vulnerable to inevitable mistakes. As a practical matter, the sharing of data that IRS had previously claimed was protected undermines the trust important civil institutions require in order to be effective. </span></p><p><span>You can read the entire brief <a href="https://www.eff.org/document/trabajadores-v-bessent-amicus-brief">here</a>. </span></p><p><span>The brief makes two particular arguments. The first is that if the Tax Reform Act, the statute under which the IRS found the authority to share the data, is considered to be ambiguous, and that the statute should be interpreted in light of the legislative intent and historical background, which disfavors disclosure. The brief reads, </span></p><blockquote><p><em>Given the historical context, and decades of subsequent agency promises to protect taxpayer confidentiality and taxpayer reliance on those promises, the Administration’s abrupt decision to re-interpret §6103 to allow sharing with ICE whenever a potential “criminal proceeding” can be posited, is a textbook example of an arbitrary and capricious action even if the statute can be read to be ambiguous.</em></p></blockquote><p><span>The other argument we make to the court is that data scientists agree: when you try to corroborate information between two databases in which information is only partially identifiable, mistakes happen. We argue:</span></p><blockquote><p><em>Those errors result from such mundane issues as outdated information, data entry errors, and taxpayers or tax preparer submission of incorrect names or addresses. If public reports are correct, and officials intend to share information regarding 700,000 or even 7 million taxpayers, the errors will multiply, leading to the mistaken targeting, detention, deportation, and potentially even physical harm to regular taxpayers.</em></p></blockquote><p><span>Information silos in the government exist for a reason. Here, it was designed to protect individual privacy and prevent executive abuse that can come with unfettered access to properly-collected information. The concern motivating Congress to pass the Tax Reform Act was the same as that behind </span><a href="https://www.justice.gov/opcl/privacy-act-1974"><span>Privacy Act of 1974 </span></a><span>and the </span><a href="https://www.fdic.gov/resources/supervision-and-examinations/consumer-compliance-examination-manual/documents/8/viii-3-1.pdf"><span>1978 Right to Financial Privacy Act</span></a><span>. These laws were part of a wave of reforms Congress considered necessary to address the </span><a href="https://thereader.mitpress.mit.edu/60-years-ago-congress-warned-us-about-the-surveillance-state-what-happened/"><span>misuse of tax data to spy</span></a><span> on and harass political opponents, dissidents, civil rights activists, and anti-war protestors in the 1960s and early 1970s. Congress saw the need to ensure that data collected for one purpose should only be used for that purpose, with very narrow exceptions, or else it is prone to abuse. Yet the IRS is currently sharing information to allow ICE to enforce immigration law.</span></p><p><span>Taxation in the United States operates through a very simple agreement: the government requires taxes from people working inside the United States in order to function. In order to get people to pay their taxes, including undocumented immigrants living and working in the United States, the IRS has previously promised that the data they collect will not be used against a person for punitive reasons. This increases people to pay taxes and alleviates concerns of people people may have to avoid interacting with the government. But the IRS’s reversal has greatly harmed that trust and has potential to have far reaching and negative ramifications, including decreasing future tax revenue.</span></p><p><a href="https://www.eff.org/deeplinks/2025/06/dangers-consolidating-all-government-information"><span>Consolidating government information</span></a><span> so that the agencies responsible for healthcare, taxes, or financial support are linked to agencies that police, surveil, and fine people is a recipe for disaster. For that reason, EFF is proud to submit this amicus brief in <i>Trabajadores v. Bessent</i> in support of taxpayer privacy. </span></p> </div></div></div><div class="field field--name-field-related-cases field--type-node-reference field--label-above"><div class="field__label">Related Cases:&nbsp;</div><div class="field__items"><div class="field__item even"><a href="/cases/american-federation-government-employees-v-us-office-personnel-management">American Federation of Government Employees v. U.S. Office of Personnel Management</a></div></div></div></description> <pubDate>Tue, 08 Jul 2025 19:10:27 +0000</pubDate> <guid isPermaLink="false">110877 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Matthew Guariglia</dc:creator> <dc:creator>Hannah Zhao</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/capitol-2.jpg" alt="" type="image/jpeg" length="19833" /> </item> <item> <title>How to Build on Washington’s “My Health, My Data” Act</title> <link>https://www.eff.org/deeplinks/2025/06/how-build-washingtons-my-health-my-data-act</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>In 2023, the State of Washington enacted one of the strongest consumer data privacy laws in recent years: the “<a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373&amp;full=true&amp;pdf=true">my health my data</a>” act (<a href="https://lawfilesext.leg.wa.gov/biennium/2023-24/Pdf/Bills/House%20Passed%20Legislature/1155-S.PL.pdf?q=20250610130508">HB 1155</a>). EFF commends the civil rights, data privacy, and reproductive justice <a href="https://lawfilesext.leg.wa.gov/biennium/2023-24/Pdf/Bill%20Reports/House/1155-S.E%20HBR%20PL%2023.pdf?q=20250610130508">advocates</a> who worked to pass this law.</p><p>This post suggests ways for legislators and advocates in other states to build on the Washington law and draft one with even stronger protections. This post will separately address the law’s scope (such as who is protected); its safeguards (such as consent and minimization); and its enforcement (such as a private right of action). While the law only applies to one category of personal data – our health information – its structure could be used to protect all manner of data.</p><h4><strong>Scope of Protection</strong></h4><p>Authors of every consumer data privacy law must make three decisions about scope: What kind of data is protected? Whose data is protected? And who is regulated?</p><p>The Washington law protects “consumer health data,” <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">defined</a> as information linkable to a consumer that identifies their “physical or mental health status.” This includes all manner of conditions and treatments, such as gender-affirming and reproductive care. While EFF’s ultimate goal is protection of all types of personal information, bills that protect at least <a href="https://www.eff.org/deeplinks/2023/05/eff-supports-my-body-my-data">some</a> <a href="https://www.eff.org/deeplinks/2020/08/sen-merkley-leads-biometric-privacy">types</a> can be a great start.</p><p>The Washington law protects “consumers,” <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">defined</a> as all natural persons who reside in the state or had their health data collected there. It is best, as here, to protect all people. If a data privacy law protects just some people, that can incentivize a regulated entity to collect even more data, in order to distinguish protected from unprotected people. Notably, Washington’s definition of “consumers” applies only in “an individual or household context,” but not “an employment context”; thus, Washingtonians will need a different health privacy law to protect them from <a href="https://www.eff.org/deeplinks/2021/03/dystopia-prime-amazon-subjects-its-drivers-biometric-surveillance">their</a> <a href="https://www.eff.org/deeplinks/2020/06/inside-invasive-secretive-bossware-tracking-workers">snooping</a> <a href="https://www.eff.org/deeplinks/2022/12/privacy-doesnt-stop-when-you-clock-2022-review">bosses</a>.</p><p>The Washington law <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">defines</a> a “regulated entity” as “any legal entity” that both: “conducts business” in the state or targets residents for products or services; and “determines the purpose and means” of processing consumer health data. This appears to include many non-profit groups, which is good, because such groups can harmfully process a lot of personal data.</p><p>The law excludes government from regulation, which is not unusual for data privacy bills focused on non-governmental actors. State and local government will likely need to be regulated by another data privacy law.</p><p>Unfortunately, the Washington law also excludes “contracted service providers when processing data on behalf of government.” A data broker or other surveillance-oriented business should not be free from regulation just because it is working for the police.</p><h4><strong>Consent or Minimization to Collect or Share Health Data</strong></h4><p>The most important part of Washington’s law requires either <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030">consent or minimization</a> for a regulated entity to collect or share a consumer’s health data.</p><p>The law has a strong <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">definition</a> of “consent.” It must be “a clear affirmative act that signifies a consumer’s freely given, specific, informed, opt-in, voluntary, and unambiguous agreement.” Consent cannot be obtained with “broad terms of use” or “deceptive design.”</p><p>Absent consent, a regulated entity cannot collect or share a consumer’s health data except as <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030">necessary</a> to provide a good or service that the consumer requested. Such rules are often called “<a href="https://en.wikipedia.org/wiki/Data_minimization">data minimization</a>.” Their virtue is that a consumer does not need to do anything to enjoy their statutory privacy rights; the burden is on the regulated entity to process less data.</p><p>As to data “<a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070">sale</a>,” the Washington law requires enhanced consent (which the law calls “valid authorization”). Sale is the most dangerous form of sharing, because it incentivizes businesses to collect the most possible data in hopes of later selling it. For this reason, some laws flatly ban sale of sensitive data, like the Illinois biometric information privacy act (<a href="https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004">BIPA</a>).</p><p>For context, there are four ways for a bill or law to configure consent and/or minimization. Some require just consent, like BIPA’s provisions on data collection. Others require just minimization, like the federal “<a href="https://www.congress.gov/bill/118th-congress/house-bill/3420/text?s=2&amp;r=1&amp;q=%7B%22search%22%3A%5B%22%22%5D%7D">my body my data” bill</a>. Still others require both, like the Massachusetts <a href="https://malegislature.gov/Bills/194/S197">location data privacy bill</a>. And some require either one or the other. In various times and places, EFF has supported all four configurations. “Either/or” is weakest, because it allows regulated entities to choose whether to minimize or to seek consent – a choice they will make based on their profit and not our privacy.</p><h4><strong>Two Protections of Location Data Privacy</strong></h4><p>Data brokers <a href="https://www.eff.org/issues/location-data-brokers">harvest our location information</a> and sell it to anyone who will pay, including advertisers, police, and other adversaries. Legislators are <a href="https://www.eff.org/deeplinks/2025/04/privacy-map-how-states-are-fighting-location-surveillance">stepping forward</a> to address this threat.</p><p>The Washington law does so in two ways. First, the “consumer health data” protected by the consent-or-minimization rule is <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">defined</a> to include “precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies.” In turn, “precise location” is <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">defined</a> as within 1,750’ of a person.</p><p>Second, the Washington law bans a “<a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.080">geofence</a>” around an “in-person health care service,” if “used” for one of three forbidden purposes (to track consumers, to collect their data, or to send them messages or ads). A “geofence” is <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.010">defined</a> as technology that uses GPS or the like “to establish a virtual boundary” of 2,000’ around the perimeter of a physical location.</p><p>This is a good start. It is also much better than weaker rules that only apply to the immediate vicinity of sensitive locations. Such rules allow adversaries to use location data to track us as we move towards sensitive locations, observe us enter the small no-data bubble around those locations, and infer what we may have done there. On the other hand, Washington’s rules apply to sizeable areas. Also, its consent-or-minimization rule applies to <em>all</em> locations that could indicate pursuit of health care (not just health facilities). And its geofence rule forbids use of location data to track people.</p><p>Still, the better approach, as in <a href="https://www.eff.org/deeplinks/2025/04/privacy-map-how-states-are-fighting-location-surveillance">several recent bills</a>, is to simply protect all location data. Protecting just one kind of sensitive location, like houses of worship, will leave out others, like courthouses. More fundamentally, all locations are sensitive, given the risk that others will use our location data to determine where – and with whom – we live, work, and socialize.</p><h4><strong>More Data Privacy Protections</strong></h4><p>Other safeguards in the Washington law deserve attention from legislators in other states:</p><ul><li>Regulated entities must publish a <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.020">privacy policy</a> that discloses, for example, the categories of data collected and shared, and the purposes of collection. Regulated entities must not collect, use, or share additional categories of data, or process them for additional purposes, without consent.</li><li>Regulated entities must provide consumers the rights to <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.040">access and delete</a> their data.</li><li>Regulated entities must restrict data access to just those employees who need it, and maintain industry-standard <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.050">data security</a></li></ul><h4><strong>Enforcement</strong></h4><p>A law is only as strong as its teeth. The best way to ensure enforcement is to empower people to sue regulated entities that violate their privacy; this is often called a “<a href="https://www.eff.org/deeplinks/2019/01/you-should-have-right-sue-companies-violate-your-privacy">private right of action</a>.”</p><p>The Washington law <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.090">provides</a> that its violation is “an unfair or deceptive act” under the state’s separate <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.86">consumer protection act</a>. That law, in turn, <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.020">bans</a> unfair or deceptive acts in the conduct of trade or commerce. Upon a violation of the ban, that law provides a <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.86.090">civil action</a> to “any person who is injured in [their] business or property,” with the remedies of injunction, actual damages, treble damages up to $25,000, and legal fees and costs. It remains to be seen how Washington’s courts will apply this old civil action to the new “my health my data” act.</p><p>Washington legislators are demonstrating that privacy is important to public policy, but a more explicit claim would be cleaner: invasion of the fundamental human right to data privacy. Sadly, there is a <a href="https://www.eff.org/deeplinks/2022/11/let-data-breach-victims-sue-marriott">nationwide debate</a> about whether injury to data privacy, by itself, should be enough to go to court, without also proving a more tangible injury like identity theft. The <a href="https://www.eff.org/deeplinks/2025/04/privacy-map-how-states-are-fighting-location-surveillance">best legislative models</a> ensure full access to the courts in two ways. First, they provide: “A violation of this law regarding an individual’s data constitutes an injury to that individual, and any individual alleging a violation of this law may bring a civil action.” Second, they provide a baseline amount of damages (often called “liquidated” or “statutory” damages), because it is often difficult to prove actual damages arising from a data privacy injury.</p><p>Finally, data privacy laws must protect people from “<a href="https://www.eff.org/deeplinks/2020/10/why-getting-paid-your-data-bad-deal">pay for privacy</a>” schemes, where a business charges a higher price or delivers an inferior product if a consumer exercises their statutory data privacy rights. Such schemes will lead to a society of privacy “haves” and “have nots.”</p><p>The Washington law has two helpful provisions. First, a regulated entity “may not unlawfully <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.030">discriminate</a> against a consumer for exercising any rights included in this chapter.” Second, there can be no data sale without a “statement” from the regulated entity to the consumer that “the provision of goods or services may not be <a href="https://app.leg.wa.gov/RCW/default.aspx?cite=19.373.070">conditioned</a> on the consumer signing the valid authorization.”</p><p><a href="https://www.eff.org/deeplinks/2025/04/privacy-map-how-states-are-fighting-location-surveillance">Some privacy bills</a> contain more-specific language, for example along these lines: “a regulated entity cannot take an adverse action against a consumer (such as refusal to provide a good or service, charging a higher price, or providing a lower quality) because the consumer exercised their data privacy rights, unless the data at issue is essential to the good or service they requested and then only to the extent the data is essential.”</p><h4><strong>What About Congress?</strong></h4><p>We still desperately need comprehensive federal consumer data privacy law built on “<a href="https://www.eff.org/wp/privacy-first-better-way-address-online-harms">privacy first</a>” principles. In the meantime, states are taking the lead. The <a href="https://www.eff.org/deeplinks/2025/05/stopping-states-passing-ai-laws-next-decade-terrible-idea">very</a> <a href="https://www.eff.org/deeplinks/2024/06/eff-opposes-american-privacy-rights-act">worst</a> <a href="https://www.eff.org/deeplinks/2024/10/preemption-playbook-big-techs-blueprint-comes-straight-big-tobacco">thing</a> Congress could do now is preempt states from protecting their residents’ data privacy. Advocates and legislators from across the country, seeking to take up this mantle, would benefit from looking at – and building on – Washington’s “my health my data” law.</p> </div></div></div></description> <pubDate>Sun, 06 Jul 2025 22:49:16 +0000</pubDate> <guid isPermaLink="false">110832 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Adam Schwartz</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/medical-privacy_1.png" alt="Four medical symbols with keys" type="image/png" length="26686" /> </item> <item> <title>🤫 Meta's Secret Spying Scheme | EFFector 37.7</title> <link>https://www.eff.org/deeplinks/2025/06/metas-secret-spying-scheme-effector-377</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Keeping up on the latest digital rights news has never been easier. With a new look, <a href="https://eff.org/effector/37/7">EFF's EFFector newsletter</a> covers the latest details on our work defending your rights to privacy and free expression online.</p><p><a href="https://eff.org/effector/37/7">EFFector 37.7</a> covers some of the very sneaky tactics that Meta has been using <a href="https://www.eff.org/deeplinks/2025/06/protect-yourself-metas-latest-attack-privacy">to track you online</a>, and how you can mitigate some of this tracking. In this issue, we're also explaining the legal processes <a href="https://www.eff.org/deeplinks/2025/06/how-cops-can-get-your-private-online-data">police use to obtain your private online data</a>, and providing an update on the <a href="https://www.eff.org/deeplinks/2025/06/no-fakes-act-has-changed-and-its-so-much-worse">NO FAKES Act</a>—a U.S. Senate bill that takes a flawed approach to concerns about AI-generated "replicas." </p><p>And, in case you missed it in the previous newsletter, we're debuting a <a href="https://youtu.be/AVdo2IYxUEg">new audio companion</a> to EFFector as well! This time, Lena Cohen breaks down the ways that Meta tracks you online and what you—and lawmakers—can do to prevent that tracking. You can listen now on <a href="https://youtu.be/AVdo2IYxUEg">YouTube</a> or the <a href="https://archive.org/details/37.7_20250702">Internet Archive</a>.</p><p class="take-action"><a href="https://youtu.be/AVdo2IYxUEg">Listen TO EFFECTOR</a></p><p class="take-action take-explainer"><span>EFFECTOR 37.7 - META'S SECRET SPYING SCHEME</span></p><p><span>Since 1990 EFF has published EFFector to help keep readers on the bleeding edge of their digital rights. We know that the intersection of technology, civil liberties, human rights, and the law can be complicated, so EFFector is a great way to stay on top of things. The newsletter is chock full of links to updates, announcements, blog posts, and other stories to help keep readers—and listeners—up to date on the movement to protect online privacy and free expression. </span></p><p><span>Thank you to the supporters around the world who make our work possible! If you're not a member yet, <a href="https://eff.org/effect">join EFF today</a> to help us fight for a brighter digital future.</span></p> </div></div></div></description> <pubDate>Wed, 02 Jul 2025 17:15:55 +0000</pubDate> <guid isPermaLink="false">110862 at https://www.eff.org</guid> <dc:creator>Christian Romero</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/effector_banner_5.jpeg" alt="" type="image/jpeg" length="130379" /> </item> <item> <title>Podcast Episode: Cryptography Makes a Post-Quantum Leap </title> <link>https://www.eff.org/deeplinks/2025/06/podcast-episode-cryptography-makes-post-quantum-leap</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">The cryptography that protects our privacy and security online relies on the fact that even the strongest computers will take essentially forever to do certain tasks, like factoring prime numbers and finding discrete logarithms which are important for </span><a href="https://en.wikipedia.org/wiki/RSA_cryptosystem" target="_blank" rel="noopener noreferrer"><span data-contrast="none">RSA encryption</span></a><span data-contrast="auto">, </span><a href="https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Diffie-Hellman key exchanges</span></a><span data-contrast="auto">, and </span><a href="https://en.wikipedia.org/wiki/Elliptic-curve_cryptography" target="_blank" rel="noopener noreferrer"><span data-contrast="none">elliptic curve</span></a><span data-contrast="auto"> encryption. But what happens when those problems – and the cryptography they underpin – are no longer infeasible for computers to solve? Will our online defenses collapse? </span></p><p><div class="mytube" style="width: 100%px;"> <div class="mytubetrigger" tabindex="0"> <img src="https://www.eff.org/sites/all/modules/custom/mytube/play.png" class="mytubeplay" alt="play" style="top: -4px; left: 20px;" /> <div hidden class="mytubeembedcode">%3Ciframe%20height%3D%2252px%22%20width%3D%22100%25%22%20frameborder%3D%22no%22%20scrolling%3D%22no%22%20seamless%3D%22%22%20src%3D%22https%3A%2F%2Fplayer.simplecast.com%2Fcf786418-1f0e-452e-8026-ef1a38c77f4e%3Fdark%3Dtrue%26amp%3Bcolor%3D000000%22%20allow%3D%22autoplay%22%3E%3C%2Fiframe%3E</div> </div> <div class="mytubetext"> <span><a href="https://www.eff.org/deeplinks/2008/02/embedded-video-and-your-privacy" rel="noreferrer" target="_blank">Privacy info.</a></span> <span>This embed will serve content from <em><a rel="nofollow" href="https://player.simplecast.com/cf786418-1f0e-452e-8026-ef1a38c77f4e?dark=true&amp;color=000000">simplecast.com</a></em><br /></span> </div></div></p><p><span data-contrast="auto"></span><span data-contrast="auto"><i><a href="https://open.spotify.com/show/4UAplFpPDqE4hWlwsjplgt" target="_blank" rel="noopener noreferrer"><img src="https://www.eff.org/files/2021/11/01/spotify-podcast-badge-blk-wht-330x80.png" alt="Listen on Spotify Podcasts Badge" width="198" height="48" /></a> <a href="https://podcasts.apple.com/us/podcast/effs-how-to-fix-the-internet/id1539719568" target="_blank" rel="noopener noreferrer"><img src="https://www.eff.org/files/2021/11/01/applebadge2.png" alt="Listen on Apple Podcasts Badge" width="195" height="47" /></a> <a href="https://music.amazon.ca/podcasts/bf81f00f-11e1-431f-918d-374ab6ad07cc/how-to-fix-the-internet?ref=dmm_art_us_HTFTI" target="_blank" rel="noopener noreferrer"><img height="47" width="195" src="https://www.eff.org/files/styles/kittens_types_wysiwyg_small/public/2024/02/15/us_listenon_amazonmusic_button_charcoal.png?itok=YFXPE4Ii" /></a> <a href="https://feeds.eff.org/howtofixtheinternet" target="_blank" rel="noopener noreferrer"><img src="https://www.eff.org/files/2021/11/01/subscriberss.png" alt="Subscribe via RSS badge" width="194" height="50" /></a></i></span></p><p><span data-contrast="auto">(You can also find this episode on the <a href="https://archive.org/details/htfti-s6e5-deirdre-connolly-vfinal" target="_blank" rel="noopener noreferrer">Internet Archive</a> and on <a href="https://youtu.be/aAofveEC5kg?si=Kn8w1BuuRz-gGhaa" target="_blank" rel="noopener noreferrer">YouTube</a>.)</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">Not if Deirdre Connolly can help it. As a cutting-edge thinker in post-quantum cryptography, Connolly is making sure that the next giant leap forward in computing – </span><a href="https://en.wikipedia.org/wiki/Quantum_computing" target="_blank" rel="noopener noreferrer"><span data-contrast="none">quantum machines</span></a><span data-contrast="auto"> that use principles of subatomic mechanics to ignore some constraints of classical mathematics and solve complex problems much faster – don’t reduce our digital walls to rubble. Connolly joins EFF’s Cindy Cohn and Jason Kelley to discuss not only how post-quantum cryptography can shore up those existing walls but also help us find entirely new methods of protecting our information.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">In this episode you’ll learn about:</span><span data-ccp-props="240}"> </span></p><ul><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Why we’re not yet sure exactly what quantum computing can do yet, and that’s exactly why we need to think about post-quantum cryptography now</span><span data-ccp-props="240}"> </span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">What a “Harvest Now, Decrypt Later” attack is, and what’s happening today to defend against it</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">How cryptographic collaboration, competition, and community are key to exploring a variety of paths to post-quantum resilience</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Why preparing for post-quantum cryptography is and isn’t like fixing the Y2K bug</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">H</span><span data-contrast="auto">ow the best impact that end users can hope for from post-quantum cryptography is no visible impact at all</span></li><li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Don’t worry—you won’t have to know, or learn, any math for this episode! </span><span data-ccp-props="240}"> </span></li></ul><p><a href="https://durumcrustulum.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Deirdre Connolly</span></a><span data-contrast="auto"> is a research and applied cryptographer at </span><a href="https://www.sandboxaq.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Sandbox AQ</span></a><span data-contrast="auto"> with particular expertise in post-quantum encryption. She also co-hosts the “</span><a href="https://securitycryptographywhatever.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Security Cryptography Whatever</span></a><span data-contrast="auto">” podcast about modern computer security and cryptography, with a focus on engineering and real-world experiences. Earlier, she was an engineer at the </span><a href="https://zfnd.org/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Zcash Foundation</span></a><span data-contrast="auto"> – a nonprofit that builds financial privacy infrastructure for the public good – as well as at </span><a href="https://www.brightcove.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Brightcove</span></a><span data-contrast="auto">, </span><a href="https://www.akamai.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Akamai</span></a><span data-contrast="auto">, and </span><a href="https://www.hubspot.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">HubSpot</span></a><span data-contrast="auto">.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">Resources:</span><span data-ccp-props="{}"> </span></p><ul><li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">A Few Thoughts on Cryptographic Engineering: “</span><a href="https://blog.cryptographyengineering.com/2019/09/24/looking-back-at-the-snowden-revelations/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Looking back at the Snowden revelations</span></a><span data-contrast="auto">” by Matthew Green (Sept. 24, 2019)</span></li><li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">The National Security Agency’s </span><a href="https://en.wikipedia.org/wiki/PRISM" target="_blank" rel="noopener noreferrer"><span data-contrast="none">PRISM</span></a><span data-contrast="auto"> program</span></li><li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">National Institute of Standards and Technology (NIST) Information Technology Laboratory Computer Security Resource Center’s </span><a href="https://csrc.nist.gov/projects/post-quantum-cryptography" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Post-Quantum Cryptography Project</span></a></li><li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">NIST Information Technology Laboratory Computer Security Research Center </span><a href="https://csrc.nist.gov/glossary" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Glossary</span></a></li><li data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="&quot;hybridMultilevel&quot;}" data-aria-posinset="1" data-aria-level="1"><span data-contrast="auto">Deirdre Connolly’s </span><a href="https://www.youtube.com/@durumcrustulum" target="_blank" rel="noopener noreferrer"><span data-contrast="none">YouTube channel</span></a><span data-ccp-props="240}"> </span></li></ul><p><span data-contrast="auto">What do you think of “How to Fix the Internet?” </span><a href="https://forms.office.com/pages/responsepage.aspx?id=qalRy_Njp0iTdV3Gz61yuZZXWhXf9ZdMjzPzrVjvr6VUNUlHSUtLM1lLMUNLWE42QzBWWDhXU1ZEQy4u&amp;web=1&amp;wdLOR=c90ABD667-F98F-9748-BAA4-CA50122F0423" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Share your feedback here</span></a><span data-contrast="auto">.</span></p><h3><span data-ccp-props="259}">Transcript</span></h3><p><strong>DEIRDRE CONNOLLY:</strong> I only got into cryptography and especially post quantum quickly after that. further into my professional life. I was a software engineer for a whil,e and the Snowden leaks happened, and phone records get leaked. All of Verizon's phone records get leaked. and then Prism and more leaks and more leaks. And as an engineer first, I felt like everything that I was building and we were building and telling people to use was vulnerable. <br />I wanted to learn more about how to do things securely. I went further and further and further down the rabbit hole of cryptography. And then, I think I saw a talk which was basically like, oh, elliptic curves are vulnerable to a quantum attack. And I was like, well, I, I really like these things. They're very elegant mathematical objects, it's very beautiful. I was sad that they were fundamentally broken, and, I think it was, Dan Bernstein who was like, well, there's this new thing that uses elliptic curves, but is supposed to be post quantum secure. <br />But the math is very difficult and no one understands it. I was like, well, I want to understand it if it preserves my beautiful elliptic curves. That's how I just went, just running, screaming downhill into post quantum cryptography.</p><p><strong>CINDY COHN:</strong> That's Deirdre Connolly talking about how her love of beautiful math and her anger at the Snowden revelations about how the government was undermining security, led her to the world of post-quantum cryptography.<br />I'm Cindy Cohn, the executive director of the Electronic Frontier Foundation.</p><p><strong>JASON KELLEY:</strong> And I'm Jason Kelley, EFF's activism director. You're listening to How to Fix the Internet.</p><p><strong>CINDY COHN:</strong> On this show we talk to tech leaders, policy-makers, thinkers, artists and engineers about what the future could look like if we get things right online.</p><p><strong>JASON KELLEY:</strong> Our guest today is at the forefront of the future of digital security. And just a heads up that this is one of the more technical episodes that we've recorded -- you'll hear quite a bit of cryptography jargon, so we've written up some of the terms that come up in the show notes, so take a look there if you hear a term you don't recognize.</p><p><strong>CINDY COHN:</strong> Deidre Connolly is a research engineer and applied cryptographer at Sandbox AQ, with a particular expertise in post-quantum encryption. She also co-hosts the Security, Cryptography, Whatever podcast, so she's something of a cryptography influencer too. When we asked our tech team here at EFF who we should be speaking with on this episode about quantum cryptography and quantum computers more generally, everyone agreed that Deirdre was the person. So we're very glad to have you here. Welcome, Deirdre.</p><p><strong>DEIRDRE CONNOLLY:</strong> Thank you very much for having me. Hi.</p><p><strong>CINDY COHN:</strong> Now we obviously work with a lot of technologists here and, and certainly personally cryptography is near and dear to my heart, but we are not technologists, neither Jason nor I. So can you just give us a baseline of what post-quantum cryptography is and why people are talking about it?</p><p><strong>DEIRDRE CONNOLLY:</strong> Sure. So a lot of the cryptography that we have deployed in the real world relies on a lot of math and security assumptions on that math based on things like abstract groups, Diffie-Hellman, elliptic curves, finite fields, and factoring prime numbers such as, uh, systems like RSA. <br />All of these, constructions and problems, mathematical problems, have served us very well in the last 40-ish years of cryptography. They've let us build very useful, efficient, small cryptography that we've deployed in the real world. It turns out that they are all also vulnerable in the same way to advanced cryptographic attacks that are only possible and only efficient when run on a quantum computer, and this is a class of computation, a whole new class of computation versus digital computers, which is the main computing paradigm that we've been used to for the last 75 years plus. <br />Quantum computers allow these new classes of attacks, especially, variants of Shore's algorithm – named Dr. Peter Shore – that basically when run on a sufficiently large, cryptographically relevant quantum computer, makes all of the asymmetric cryptography based on these problems that we've deployed very, very vulnerable. <br />So post-quantum cryptography is trying to take that class of attack into consideration and building cryptography to both replace what we've already deployed and make it resilient to this kind of attack, and trying to see what else we can do with these fundamentally different mathematical and cryptographic assumptions when building cryptography.</p><p><strong>CINDY COHN:</strong> So we've kind of, we've secured our stuff behind a whole lot of walls, and we're slowly building a bulldozer. This is a particular piece of the world where the speed at which computers can do things has been part of our protection, and so we have to rethink that.</p><p><strong>DEIRDRE CONNOLLY:</strong> Yeah, quantum computing is a fundamentally new paradigm of how we process data that promises to have very interesting, uh, and like, applications beyond what we can envision right now. Like things like protein folding, chemical analysis, nuclear simulation, and cryptanalysts, or very strong attacks against cryptography.<br />But it is a field where it's such a fundamentally new computational paradigm that we don't even know what its applications fully would be yet, because like we didn't fully know what we were doing with digital computers in the forties and fifties. Like they were big calculators at one time.</p><p><strong>JASON KELLEY:</strong> When it was suggested that we talk to you about this. I admit that I have not heard much about this field, and I realized quickly when looking into it that there's sort of a ton of hype around quantum computing and post-quantum cryptography and that kind of hype can make it hard to know whether or not something is like actually going to be a big thing or, whether this is something that's becoming like an investment cycle, like a lot of things do. And one of the things that quickly came up as an actual, like real danger is what's called sort of “save now decrypt later.”</p><p><strong>DEIRDRE CONNOLLY:</strong> Oh yeah.</p><p><strong>JASON KELLEY:</strong> Right? We have all these messages, for example, that have been encrypted with current encryption methods. And if someone holds onto those, they can decrypt them using quantum computers in the future. How serious is that danger?</p><p><strong>DEIRDRE CONNOLLY:</strong> It’s definitely a concern and it's the number one driver I would say to post-quantum crypto adoption in broad industry right now is mitigating the threat of a Store Now/Decrypt Later attack, also known as Harvest Now/Decrypt Later, a bunch of names that all mean the same thing.<br />And fundamentally, it's, uh, especially if you're doing any kind of key agreement over a public channel, and doing key agreement over a public channel is part of the whole purpose of like, you want to be able to talk to someone who you've never really, touched base with before, and you all kind of know, some public parameters that even your adversary knows and based on just the fact that you can send messages to each other and some public parameters, and some secret values that only you know, and only the other party knows you can establish a shared secret, and then you can start encrypting traffic between you to communicate. And this is what you do in your web browser when you have an HTTPS connection, that's over TLS.<br />This is what you do with Signal or WhatsApp or any, or, you know, Facebook Messenger with the encrypted communications. They're using Diffie-Helman as part of the protocol to set up a shared secret, and then you use that to encrypt their message bodies that you're sending back and forth between you.<br />But if you can just store all those communications over that public channel, and the adversary knows the public parameters 'cause they're freely published, that's part of Kerckhoff’s Principle about good cryptography - the only thing that the adversary shouldn't know about your crypto system is the secret key values that you're actually using. It should be secure against an adversary that knows everything that you know, except the secret key material. <br />And you can just record all those public messages and all the public key exchange messages, and you just store them in a big database somewhere. And then when you have your large cryptographically relevant quantum computer, you can rifle through your files and say, hmm, let's point it at this.<br />And that's the threat that's live now to the stuff that we have already deployed and the stuff that we're continuing to do communications on now that is protected by elliptic curve Diffie Hellman, or Finite Field Diffie Hellman, or RSA. They can just record that and just theoretically point an attack at it at a later date when that attack comes online. <br />So like in TLS, there's a lot of browsers and servers and infrastructure providers that have updated to post-quantum resilient solutions for TLS. So they're using a combination of the classic elliptic curve, Diffie Hellman and a post-quantum KEM, uh, called ML Kem that was standardized by the United States based on a public design that's been, you know, a multi international collaboration to help do this design. <br />I think that's been deployed in Chrome, and I think it's deployed by CloudFlare and it's getting deployed – I think it's now become the default option in the latest version of Open SSL. And a lot of other open source projects, so that's TLS similar, approaches are being adopted in open SSH, the most popular SSH implementation in the world. Signal, the service has updated their key exchange to also include a post quantum KEM and their updated key establishments. So when you start a new conversation with someone or reset a conversation with someone that is the latest version of Signal is now protected against that sort of attack. <br />That is definitely happening and it's happening the most rapidly because of that Store now/Decrypt later attack, which is considered live. Everything that we're doing now can just be recorded and then later when the attack comes online, they can attack us retroactively. So that's definitely a big driver of things changing in the wild right now.</p><p><strong>JASON KELLEY:</strong> Okay. I'm going to throw out two parallels for my very limited knowledge to make sure I understand. This reminds me a little bit of sort of the work that had to be done before Y2K in, in the sense of like, now people think nothing went wrong and nothing was ever gonna go wrong, but all of us working anywhere near the field know actually it took a ton of work to make sure that nothing blew up or stopped working. <br />And the other is that in, I think it was 1998, EFF was involved in something we called Deep Crack, where we made, that's a, I'm realizing now that's a terrible name. But anyway, the DES cracker, um, we basically wanted to show that DES was capable of being cracked, right? And that this was a - correct me if I'm wrong - it was some sort of cryptographic standard that the government was using and people wanted to show that it wasn't sufficient.</p><p><strong>DEIRDRE CONNOLLY:</strong> Yes - I think it was the first digital encryption standard. And then after its vulnerability was shown, they, they tripled it up to, to make it useful. And that's why Triple DES is still used in a lot of places and is actually considered okay. And then later came the advanced encryption standard, AES, which we prefer today.</p><p><strong>JASON KELLEY:</strong> Okay, so we've learned the lesson, or we are learning the lesson, it sounds like.</p><p><strong>DEIRDRE CONNOLLY:</strong> Uh huh.</p><p><strong>CINDY COHN:</strong> Yeah, I think that that's, that's right. I mean, EFF built the DES cracker because in the nineties the government was insisting that something that everybody knew was really, really insecure and was going to only get worse as computers got stronger and, and strong computers got in more people's hands, um, to basically show that the emperor had no clothes, um, that this wasn't very good. <br />And I think with the NIST standards and what's happening with post-quantum is really, you know, the hopeful version is we learned that lesson and we're not seeing government trying to pretend like there isn't a risk in order to preserve old standards, but instead leading the way with new ones. Is that fair?</p><p><strong>DEIRDRE CONNOLLY:</strong> That is very fair. NIST ran this post-quantum competition almost over 10 years, and it had over 80 submissions in the first round from all over the world, from industry, academia, and a mix of everything in between, and then it narrowed it down to. the three that are, they're not all out yet, but there's the key agreement, one called ML Kem, and three signatures. And there's a mix of cryptographic problems that they're based on, but there were multiple rounds, lots of feedback, lots of things got broken. <br />This competition has absolutely led the way for the world of getting ready for post-quantum cryptography. There are some competitions that have happened in Korea, and I think there's some work happening in China for their, you know, for their area.<br />There are other open standards and there are standards happening in other standards bodies, but the NIST competition has led the way, and it, because it's all open and all these standards are open and all of the work and the cryptanalysis that has gone in for the whole stretch. It's all been public and all these standards and drafts and analysis and attacks have been public. It's able to benefit everyone in the world.</p><p><strong>CINDY COHN:</strong> I got started in the crypto wars in the nineties where the government was kind of the problem and they still are. And I do wanna ask you about whether you're seeing any role of the kinda national social security, FBI infrastructure, which has traditionally tried to put a thumb on the scales and make things less secure so that they could have access, if you're seeing any of that there. <br />But on the NIST side, I think this provides a nice counter example of how government can help facilitate building a better world sometimes, as opposed to being the thing we have to drag kicking and screaming into it.<br />But let me circle around to the question I embedded in that, which is, you know, one of the problems that that, that we know happened in the nineties around DES, and then of course some of the Snowden revelations indicated some mucking about in security as well behind the scenes by the NSA. Are you seeing anything like that and, and what should we be on the lookout for?</p><p><strong>DEIRDRE CONNOLLY:</strong> Not in the PQC stuff. Uh, there, like there have been a lot of people that were paying very close attention to what these independent teams were proposing and then what was getting turned into a standard or a proposed standard and every little change, because I, I was closely following the key establishment stuff.<br />Um, every little change people were trying to be like, did you tweak? Why did you tweak that? Did, like, is there a good reason? And like, running down basically all of those things. And like including trying to get into the nitty gritty of like. Okay. We think this is approximately these many bits of security using these parameter and like talking about, I dunno, 123 versus 128 bits and like really paying attention to all of that stuff.<br />And I don't think there was any evidence of anything like that. And, and for, for plus or minus, because there were. I don't remember which crypto scheme it was, but it, there was definitely an improvement from, I think some of the folks at NSA very quietly back in the day to, I think it was the S boxes, and I don't remember if it was DES or AES or whatever it was.<br />But people didn't understand at the time because it was related to advanced, uh, I think it was a differential crypto analysis attacks that folks inside there knew about, and people in outside academia didn't quite know about yet. And then after the fact they were like, oh, they've made this better. Um, we're not, we're not even seeing any evidence of anything of that character either.<br />It's just sort of like, it's very open letting, like if everything's proceeding well and the products are going well of these post-quantum standards, like, you know, leave it alone. And so everything looks good. And like, especially for NSA, uh, national Security Systems in the, in the United States, they have updated their own targets to migrate to post-quantum, and they are relying fully on the highest security level of these new standards.<br />So like they are eating their own dog food. They're protecting the highest classified systems and saying these need to be fully migrated to fully post quantum key agreement. Uh, and I think signatures at different times, but there has to be by like 2035. So if they were doing anything to kind of twiddle with those standards, they'd be, you know, hurting themselves and shooting themselves in the foot.</p><p><strong>CINDY COHN:</strong> Well fingers crossed.</p><p><strong>DEIRDRE CONNOLLY:</strong> Yes.</p><p><strong>CINDY COHN:</strong> Because I wanna build a better internet and a better. Internet means that they aren't secretly messing around with our security. And so this is, you know, cautiously good news.<br /><br /><strong>JASON KELLEY:</strong> Let's take a quick moment to thank our sponsor.<br />“How to Fix the Internet” is supported by The Alfred P. Sloan Foundation’s Program in Public Understanding of Science and Technology. Enriching people’s lives through a keener appreciation of our increasingly technological world and portraying the complex humanity of scientists, engineers, and mathematicians.<br />We also want to thank EFF members and donors. EFF has been fighting for digital rights for 35 years, and that fight is bigger than ever, so please, if you like what we do, go to eff.org/pod to donate. Also, we’d love for you to join us at this year’s EFF awards, where we celebrate the people working towards the better digital future that we all care so much about. Those are coming up on September 12th in San Francisco. You can find more information about that at eff.org/awards.<br />We also wanted to share that our friend Cory Doctorow has a new podcast. Listen to this. [Who Broke the Internet trailer]</p><p><strong>JASON KELLEY:</strong> And now, back to our conversation with Deirdre Connolly.</p><p><strong>CINDY COHN:</strong> I think the thing that's fascinating about this is kind of seeing this cat and mouse game about the ability to break codes, and the ability to build codes and systems that are resistant to the breaking, kind of playing out here in the context of building better computers for everyone.<br />And I think it's really fascinating and I think it also for people I. You know, this is a pretty technical conversation, um, even, you know, uh, for our audience. But this is the stuff that goes on under the hood of how we keep journalists safe, how we keep activists safe, how we keep us all safe, whether it's our bank accounts or our, you know, people are talking about mobile IDs now and other, you know, all sorts of sensitive documents that are going to not be in physical form anymore, but are gonna be in digital form. <br />And unless we get this lock part right, we're really creating problems for people. And you know, what I really appreciate about you and the other people kind of in the midst of this fight is it's very unsung, right? It's kind of under the radar for the rest of us, but yet it's the, it's the ground that we need to stand on to, to be safe moving forward.</p><p><strong>DEIRDRE CONNOLLY:</strong> Yeah, and there's a lot of assumptions, uh, that even the low level theoretical cryptographers and the people implementing their, their stuff into software and the stuff, the people trying to deploy, that there's a, a lot of assumptions that have been baked into what we've built that to a degree don't quite fit in some of the, the things we've been able to build in a post-quantum secure way, or the way we think it's a post-quantum secure way.<br />Um, we're gonna need to change some stuff and we think we know how to change some stuff to make it work. but we are hoping that we don't accidentally introduce any vulnerabilities or gaps. <br />We're trying, but also we're not a hundred percent sure that we're not missing something, 'cause these things are new. And so we're trying, and we're also trying to make sure we don't break things as we change them because we're trying to change them to be post quantum resilient. But you know, once you change something, if there's a possibility, you, you just didn't understand it completely. And you don't wanna break something that was working well in one direction because you wanna improve it in another direction.</p><p><strong>CINDY COHN:</strong> And that's why I think it's important to continue to have a robust community of people who are the breakers, right? Who are, are hackers, who are, who are attacking. And that is a, you know, that's a mindset, right? That's a way of thinking about stuff that is important to protect and nurture, um, because, you know, there's an old quote from Bruce Schneider: Anyone can build a crypto system that they themselves cannot break. Right? It takes a community of people trying to really pound away at something to figure out where the holes are. <br />And you know, a lot of the work that EFF does around coders rights and other kinds of things is to make sure that there's space for that. and I think it's gonna be as needed in a quantum world as it was in a kind of classical computer world.</p><p><strong>DEIRDRE CONNOLLY:</strong> Absolutely. I'm confident that we will learn a lot more from the breakers about this new cryptography because, like, we've tried to be robust through this, you know, NIST competition, and a lot of those, the things that we learn apply to other constructions as they come out. but like there's a whole area of people who are going to be encountering this kind of newish cryptography for the first time, and they kind of look at it and they're like. Oh, uh, I, I think I might be able to do something interesting with this, and we're, we'll all learn more and we'll try to patch and update as quickly as possible</p><p><strong>JASON KELLEY:</strong> And this is why we have competitions to figure out what the best options are and why some people might favor one algorithm over another for different, different processes and things like that.</p><p><strong>DEIDRE CONNOLLY:</strong> And that's why we're probably gonna have a lot of different flavors of post-quantum cryptography getting deployed in the world because it's not just, ah, you know, I don't love NIST. I'm gonna do my own thing in my own country over here. Or, or have different requirements. There is that at play, but also you're trying to not put all your eggs in one basket as well.</p><p><strong>CINDY COHN:</strong> Yeah, so we want a menu of things so that people can really pick, from, you know, vetted, but different strategies. So I wanna ask the kind of core question for the podcast, which is, um, what does it look like if we get this right, if we get quantum computing and, you know, post-quantum crypto, right?<br />How does the world look different? Or does it just look the same? How, what, what does it look like if we do this well?</p><p><strong>DEIRDRE CONNOLLY:</strong> Hopefully to a person just using their phone or using their computer to talk to somebody on the other side of the world, hopefully they don't notice. Hopefully to them, if they're, you know, deploying a website and they're like, ah, I need to get a Let’s Encrypt certificate or whatever.<br />Hopefully Let's Encrypt just, you know, insert bot just kind of does everything right by default and they don't have to worry about it. <br />Um, for the builders, it should be, we have a good recommended menu of cryptography that you can use when you're deploying TLS, when you're deploying SSH, uh, when you're building cryptographic applications, especially. <br />So like if you are building something in Go or Java or you know, whatever it might be, the crypto library in your language will have the updated recommended signature algorithm or key agreement algorithm and be, like, this is how we, you know, they have code snippets to say like, this is how you should use it, and they will deprecate the older stuff. <br />And, like, unfortunately there's gonna be a long time where there's gonna be a mix of the new post-quantum stuff that we know how to use and know how to deploy and protect. The most important, you know, stuff like to mitigate Store now/Decrypt later and, you know, get those signatures with the most important, uh, protected stuff.<br />Uh, get those done. But there's a lot of stuff that we're not really clear about. How we wanna do it yet, and kind of going back to one of the things you mentioned earlier, uh, comparing this to Y2K, there was a lot of work that went into mitigating Y2K before, during, immediately after.<br />Unfortunately, the comparison to the post quantum migration kind of falls down because after Y2K, if you hadn't fixed something, it would break. And you would notice in usually an obvious way, and then you could go find it. You, you fix the most important stuff that, you know, if it broke, like you would lose billions of dollars or, you know, whatever. You'd have an outage. <br />For cryptography, especially the stuff that's a little bit fancier. Um, you might not know it's broken because the adversary is not gonna, it's not gonna blow up.<br />And you have to, you know, reboot a server or patch something and then, you know, redeploy. If it's gonna fail, it's gonna fail quietly. And so we're trying to kind of find these things, or at least make the kind of longer tail of stuff, uh, find fixes for that upfront, you know, so that at least the option is available. <br />But for a regular person, hopefully they shouldn't notice. So everyone's trying really hard to make it so that the best security, in terms of the cryptography is deployed with, without downgrading your experience. We're gonna keep trying to do that.<br />I don't wanna build crap and say “Go use it.” I want you to be able to just go about your life and use a tool that's supposed to be useful and helpful. And it's not accidentally leaking all your data to some third party service or just leaving a hole on your network for any, any actor who notices to walk through and you know, all that sort of stuff.<br />So whether it's like implementing things securely in software, or it's cryptography or you know, post-quantum weirdness, like for me, I just wanna build good stuff for people, that's not crap.</p><p><strong>JASON KELLEY:</strong> Everyone listening to this agrees with you. We don't want to build crap. We want to build some beautiful things. Let's go out there and do it.</p><p><strong>DEIRDRE CONNOLLY:</strong> Cool.</p><p><strong>JASON KELLEY:</strong> Thank you so much, Deirdre.</p><p><strong>DEIRDRE CONNOLLY:</strong> Thank you!</p><p><strong>CINDY COHN:</strong> Thank you Deirdre. We really appreciate you coming and explaining all of this to, you know, uh, the lawyer and activist at EFF.<br /><br /><strong>JASON KELLEY:</strong> Well, I think that was probably the most technical conversation we've had, but I followed along pretty well and I feel like at first I was very nervous based on the, save and decrypt concerns. But after we talked to Deirdre, I feel like the people working on this. Just like for Y2K are pretty much gonna keep us out of hot water. And I learned a lot more than I did know before we started the conversation. What about you, Cindy?</p><p><strong>CINDY COHN:</strong> I learned a lot as well. I mean, cryptography and, attacks on security is always, you know, it's a process, and it's a process by which we do the best we can, and then, then we also do the best we can to rip it apart and find all the holes, and then we, we iterate forward. And it's nice to hear that that model is still the model, even as we get into something like quantum computers, which, um, frankly are still hard to conceptualize. <br />But I agree. I think that what the good news outta this interview is I feel like there's a lot of pieces in place to try to do this right, to have this tremendous shift in computing that we don't know when it's coming, but I think that the research indicates that it SI coming, be something that we can handle, um, rather than something that overwhelms us.<br />And I think that's really,it's good to hear that good people are trying to do the right thing here since it's not inevitable.</p><p><strong>JASON KELLEY:</strong> Yeah, and it is nice when someone's sort of best vision for what the future looks like is hopefully your life. You will have no impacts from this because everything will be taken care of. That's always good. <br />I mean, it sounds like, you know, the main thing for EFF is, as you said, we have to make sure that security engineers, hackers have the resources that they need to protect us from these kinds of threats and, and other kinds of threats obviously.<br />But, you know, that's part of EFF's job, like you mentioned. Our job is to make sure that there are people able to do this work and be protected while doing it so that when the. Solutions do come about. You know, they work and they're implemented and the average person doesn't have to know anything and isn't vulnerable.</p><p><strong>CINDY COHN:</strong> Yeah, I also think that, um, I appreciated her vision that this is a, you know, the future's gonna be not just one. Size fits all solution, but a menu of things that take into account, you know, both what works better in terms of, you know, bandwidth and compute time, but also what you know, what people actually need.<br />And I think that's a piece that's kind of built into the way that this is happening that's also really hopeful. In the past and, and I was around when EFF built the DES cracker, um, you know, we had a government that was saying, you know, you know, everything's fine, everything's fine when everybody knew that things weren't fine. <br />So it's also really hopeful that that's not the position that NIST is taking now, and that's not the position that people who may not even pick the NIST standards but pick other standards are really thinking through.</p><p><strong>JASON KELLEY:</strong> Yeah, it's very helpful and positive and nice to hear when something has improved for the better. Right? And that's what happened here. We had this, this different attitude from, you know, government at large in the past and it's changed and that's partly thanks to EFF, which is amazing.</p><p><strong>CINDY COHN:</strong> Yeah, I think that's right. And, um, you know, we'll see going forward, you know, the governments change and they go through different things, but this is, this is a hopeful moment and we're gonna push on through to this future. <br />I think there's a lot of, you know, there's a lot of worry about quantum computers and what they're gonna do in the world, and it's nice to have a little vision of, not only can we get it right, but there are forces in place that are getting it right. And of course it does my heart so, so good that, you know, someone like Deirdre was inspired by Snowden and dove deep and figured out how to be one of the people who was building the better world. We've talked to so many people like that, and this is a particular, you know, little geeky corner of the world. But, you know, those are our people and that makes me really happy.</p><p><strong>JASON KELLEY:</strong> Thanks for joining us for this episode of How to Fix the Internet.<br />If you have feedback or suggestions, we'd love to hear from you. Visit EFF dot org slash podcast and click on listener feedback. While you're there, you can become a member, donate, maybe even pick up some merch and just see what's happening in digital rights this week and every week.<br />Our theme music is by Nat Keefe of BeatMower with Reed Mathis<br />How to Fix the Internet is supported by the Alfred P. Sloan Foundation's program in public understanding of science and technology.<br />We’ll see you next time.<br />I’m Jason Kelley…</p><p><strong>CINDY COHN:</strong> And I’m Cindy Cohn.</p><p><em><strong>MUSIC CREDITS:</strong> This podcast is licensed creative commons attribution 4.0 international, and includes the following music licensed creative commons attribution 3.0 unported by its creators: Drops of H2O, The Filtered Water Treatment by Jay Lang. Sound design, additional music and theme remixes by Gaetan Harris.</em></p> </div></div></div></description> <pubDate>Wed, 02 Jul 2025 07:05:17 +0000</pubDate> <guid isPermaLink="false">110848 at https://www.eff.org</guid> <category domain="https://www.eff.org/how-to-fix-the-internet-podcast">How to Fix the Internet: Podcast</category> <category domain="https://www.eff.org/issues/security">Security</category> <dc:creator>Josh Richman</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/2025-htfi-deirdre-blog.png" alt="How to Fix the Internet - Deirdre Connolly - Cryptography Makes a Post-Quantum Leap " type="image/png" length="524894" /> </item> <item> <title>EFFecting Change: EFF Turns 35!</title> <link>https://www.eff.org/deeplinks/2025/06/effecting-change-eff-turns-35</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><a href="https://www.eff.org/35">We're wishing EFF a happy birthday on July 10!</a> Since 1990, EFF's lawyers, activists, analysts, and technologists have used everything in their toolkit to ensure that technology supports freedom, justice, and innovation for all people of the world. They've seen it all and in this special edition of our EFFecting Change livestream series, leading experts at EFF will explore what's next for technology users.</p><p></p><center><strong><em>EFFecting Change Livestream Series:<br />EFF Turns 35!<br />Thursday, July 10th<br />11:00 AM - 12:00 PM Pacific - <a href="https://dateful.com/eventlink/1636667650" target="_blank" rel="noopener noreferrer">Check Local Time</a><br />This event is LIVE and FREE!</em><strong><em><br /></em></strong></strong><br /><p class="subhead"><strong><em><a href="https://www.eff.org/event/effecting-change-eff-turns-35"><img alt="RSVP Today" height="51" src="https://www.eff.org/files/2024/03/20/rsvptoday_0.png" width="193" /></a></em></strong></p><p></p></center><p>Join EFF <a href="https://www.eff.org/event/effecting-change-eff-turns-35#Cindy">Executive Director Cindy Cohn</a>, EFF <a href="https://www.eff.org/event/effecting-change-eff-turns-35#Lee">Legislative Director Lee Tien</a>, <span>EFF </span><a href="https://www.eff.org/event/effecting-change-eff-turns-35#Jillian">Director for International Freedom of Expression Jillian C. York</a><span>, </span>and <a href="https://www.eff.org/event/effecting-change-eff-turns-35#Yoshi">Professor / EFF Board Member Yoshi Kohno</a> for this live Q&amp;A. Learn what they have seen and how we can fuel the fight for privacy, free expression, and a future where digital freedoms are protected for everyone. </p><p><a href="https://www.eff.org/event/effecting-change-eff-turns-35" target="_blank" rel="noopener noreferrer">We hope you and your friends can join us live</a>! Be sure to spread the word, and share our past livestreams.<span> </span><a href="https://www.eff.org/EFFectingChangeRecordings" target="_blank" rel="noopener noreferrer">Please note that all events will be recorded for later viewing on our YouTube page</a>.</p><p>Want to make sure you don’t miss our next livestream? Here’s a link to sign up for updates about this series:<a href="https://www.eff.org/ECUpdates" target="_blank" rel="noopener noreferrer">eff.org/ECUpdates</a>.</p> </div></div></div></description> <pubDate>Tue, 01 Jul 2025 22:09:36 +0000</pubDate> <guid isPermaLink="false">110864 at https://www.eff.org</guid> <dc:creator>Aaron Jue</dc:creator> <dc:creator>Melissa Srago</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/effectingeffturns35_banner_updated_0.png" alt="Words &quot;EFFecting Change&quot; on a black with red, white, and grey ribbons with photos of the panelists" type="image/png" length="255393" /> </item> <item> <title>Flock Safety’s Feature Updates Cannot Make Automated License Plate Readers Safe</title> <link>https://www.eff.org/deeplinks/2025/06/flock-safetys-feature-updates-cannot-make-automated-license-plate-readers-safe</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>Two recent statements from the surveillance company—one </span><a href="https://www.flocksafety.com/articles/flock-safetys-response-to-illinois-lpr-data-use-and-out-of-state-sharing-concerns"><span>addressing Illinois privacy violations</span></a><span> and another </span><a href="https://www.flocksafety.com/articles/statement-network-sharing-use-cases-federal-cooperation"><span>defending the company's national surveillance network</span></a><span>—reveal a troubling pattern: when confronted by evidence of widespread abuse, Flock Safety has blamed users, downplayed harms, and doubled down on the very systems that enabled the violations in the first place.</span></p><p><span>Flock's aggressive public relations campaign to salvage its reputation comes as no surprise. Last month, we </span><a href="https://www.eff.org/deeplinks/2025/05/she-got-abortion-so-texas-cop-used-83000-cameras-track-her-down"><span>described</span></a><span> how investigative reporting from 404 Media revealed that a sheriff's office in Texas searched data from more than 83,000 automated license plate reader (ALPR) cameras to track down a woman suspected of self-managing an abortion. (A scenario that may have been avoided, it's worth noting, had Flock taken action when they were first warned about this </span><a href="https://www.theguardian.com/world/2022/oct/06/how-expanding-web-of-license-plate-readers-could-be-weaponized-against-abortion"><span>threat three years ago</span></a><span>).</span></p><p><span>Flock calls the reporting on the Texas sheriff's office "</span><a href="https://www.flocksafety.com/articles/statement-network-sharing-use-cases-federal-cooperation"><span>purposefully misleading</span></a><span>," claiming the woman was searched for as a missing person at her family's request rather than for her abortion. But that ignores the core issue: this officer used a nationwide surveillance dragnet (again: over 83,000 cameras) to track someone down, and used her suspected healthcare decisions as a reason to do so. Framing this as concern for her safety plays directly into </span><a href="https://www.motherjones.com/politics/2024/03/abortion-mifepristone-supreme-court-domestic-violence-abuse/"><span>anti-abortion narratives</span></a><span> that depict abortion as dangerous and traumatic in order to justify increased policing, criminalization, control—and, ultimately, surveillance.</span></p><p class="pull-quote"><span>Flock Safety has blamed users, downplayed harms, and doubled down on the very systems that enabled the violations in the first place.</span></p><p><span>As if that weren't enough, the company has also come under fire for how its ALPR network data is being actively used to assist in mass deportation. Despite U.S. Immigration and Customs Enforcement (ICE) having no formal agreement with Flock Safety, public records revealed "more than 4,000 nation and statewide lookups by local and state police done either at the behest of the federal government or as an 'informal' favor to federal law enforcement, or with a potential immigration focus." The network audit data </span><a href="https://www.404media.co/ice-taps-into-nationwide-ai-enabled-camera-network-data-shows/"><span>analyzed by 404</span></a><span> exposed an </span><a href="https://www.404media.co/emails-reveal-the-casual-surveillance-alliance-between-ice-and-local-police/"><span>informal data-sharing environment</span></a><span> that creates an end-run around oversight and accountability measures: federal agencies can access the surveillance network through local partnerships without the transparency and legal constraints that would apply to direct federal contracts.</span></p><p><span>Flock Safety is adamant this is "not Flock's decision," and by implication, not their fault. Instead, the responsibility lies with each individual local law enforcement agency. In the same breath, they insist that data sharing is essential, loudly claiming credit when the technology is </span><a href="https://www.flocksafety.com/articles/solving-cross-jurisdictional-crime-in-real-time-how-flock-safetys-unified-platform-makes-it-possible"><span>involved in cross-jurisdictional investigations</span></a><span>—but failing to show the same attitude when that data-sharing ecosystem is used to terrorize abortion seekers or immigrants. </span></p><h3><span>Flock Safety: The Surveillance Social Network</span></h3><p><span>In growing from a 2017 startup to a $7.5 billion company "</span><a href="https://www.flocksafety.com/"><span>serving over 5,000 communities</span></a><span>," Flock allowed individual agencies wide berth to set and regulate their own policies. In effect, this approach offered cheap surveillance technology with minimal restrictions, leaving major decisions and actions in the hands of law enforcement while the company scaled rapidly.</span></p><p><span>And they have no intention of slowing down. Just this week, Flock launched its Business Network, facilitating unregulated data sharing amongst its private sector security clients. "For years, our law enforcement customers have used the power of a shared network to identify threats, connect cases, and reduce crime. Now, we're extending that same network effect to the private sector," Flock Safety's CEO </span><a href="https://www.flocksafety.com/articles/flock-launches-first-ever-business-network-strengthen-private-sector-security-collaboration"><span>announced</span></a><span>. </span></p><p><span><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/2025/06/27/flock_safety_at_iacp_2023.jpg" width="1600" height="1067" alt="A crowd around the Flock Safety set-up at a police conference." title="A crowd around the Flock Safety set-up at a police conference." /><p class="caption-text">Flock Safety wooing law enforcement officers at the 2023 International Chiefs of Police Conference.</p></div></div></div></span></p><p><span>The company is building out a new mass surveillance network using the exact template that ended with the company having to retrain thousands of officers in Illinois on how not to break state law—the same template that made it easy for officers to do so in the first place. Flock's continued integration of disparate surveillance networks across the public and private spheres—despite the harms that have already occurred—is owed in part to the one thing that it's gotten really good at over the past couple of years: facilitating a surveillance social network. </span></p><p><span>Employing marketing phrases like "collaboration" and "force multiplier," Flock encourages as much sharing as possible, </span><a href="https://www.flocksafety.com/resources/how-many-crimes-do-automated-license-plate-readers-alprs-solve-anyway"><span>going as far as to claim</span></a><span> that network effects can significantly improve case closure rates. They cultivate a sense of shared community and purpose among users so they opt into good faith sharing relationships with other law enforcement agencies across the country. But it's precisely that social layer that creates uncontrollable risk.</span></p><p><span>The possibility of human workarounds at every level undermines any technical safeguards Flock may claim. Search term blocking relies on officers accurately labeling search intent—a system easily defeated by entering vague reasons like "investigation" or incorrect justifications, made either intentionally or not. And, of course, words like "investigation" or "missing person" can mean virtually anything, offering no value to meaningful oversight of how and for what the system is being used. Moving forward, sheriff's offices looking to avoid negative press can surveil abortion seekers or immigrants with ease, so long as they use vague and unsuspecting reasons. </span></p><p><span>The same can be said for case number requirements, which depend on manual entry. This can easily be circumvented by reusing legitimate case numbers for unauthorized searches. Audit logs only track inputs, not contextual legitimacy. Flock's proposed AI-driven audit alerts, something that may be able to flag suspicious activity after searches (and harm) have already occurred, relies on local agencies to self-monitor misuse—despite their </span><a href="https://www.mountprospect.org/Home/Components/News/News/10311/1042"><span>demonstrated inability</span></a><span> to do so.</span></p><p class="pull-quote"><span>Flock operates as a single point of failure that can compromise—and has compromised—the privacy of millions of Americans simultaneously.</span></p><p><span>And, of course, even the most restrictive department policy may not be enough. Austin, Texas, <em>had</em> implemented one of the most restrictive ALPR programs in the country, and the program </span><a href="https://cbsaustin.com/news/local/flock-ceo-responds-to-austin-backlash-as-city-contract-nears-expiration"><span>still failed</span></a><span>: the city's own audit revealed systematic compliance failures that rendered its guardrails meaningless. The company's continued appeal to "local policies" means nothing when Flock's data-sharing network does not account for how law enforcement policies, regulations, and accountability vary by jurisdiction. You may have a good relationship with your local police, who solicit your input on what their policy looks like; you don't have that same relationship with hundreds or thousands of other agencies with whom they share their data. So if an officer on the other side of the country violates your privacy, it’d be difficult to hold them accountable. </span></p><p><span>ALPR surveillance systems are inherently vulnerable to both technical exploitation and human manipulation. These </span><a href="https://joplin.virington.com/shares/c7oMWtTnGw15wUJiKW2EYd"><span>vulnerabilities</span></a><span> are not theoretical—they represent </span><a href="https://www.aclu.org/news/privacy-technology/bostons-license-plate-reader-database-was-online-plain"><span>real pathways</span></a><span> for bad actors to access vast databases containing millions of Americans' location data. When surveillance databases are </span><a href="https://www.cnn.com/2019/06/17/politics/customs-and-border-protection-data-breach-license-plates-leaked"><span>breached</span></a><span>, the consequences extend far beyond typical data theft—this information can be used to harass, </span><a href="https://www.kwch.com/2022/10/31/kechi-police-lieutenant-arrested-using-police-technology-stalk-wife/"><span>stalk</span></a><span>, or even extort. The intimate details of people's daily routines, their associations, and their political activities may become available to anyone with malicious intent. Flock operates as a single point of failure that can compromise—and has compromised—the privacy of millions of Americans simultaneously.</span></p><h3><span>Don't Stop de-Flocking</span></h3><p><span>Rather than addressing legitimate concerns about privacy, security, and constitutional rights, Flock has only </span><a href="https://www.flocksafety.com/articles/flock-safetys-response-to-illinois-lpr-data-use-and-out-of-state-sharing-concerns"><span>promised updates</span></a><span> that fall short of meaningful reforms. These software tweaks and feature rollouts cannot assuage the fear engendered by the massive surveillance system it has built and continues to expand.</span></p><p><span><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/2025/06/27/flock_camera_close_up.jpg" width="1600" height="1067" alt="A close-up of a Flock Safety camera on a pole " title="A close-up of a Flock Safety camera on a pole " /><p class="caption-text">A typical specimen of Flock Safety's automated license plate readers.</p></div></div></div></span></p><p><span>Flock's insistence that what's happening with abortion criminalization and immigration enforcement has nothing to do with them—that these are just red-state problems or the fault of rogue officers—is concerning. Flock designed the network that is being used, and the public should hold them accountable for failing to build in protections from abuse that cannot be easily circumvented.</span></p><p><span>Thankfully, that's exactly what's happening: cities like </span><a href="https://www.handsoffcentraltx.org/alpr"><span>Austin</span></a><span>, </span><a href="https://cbsaustin.com/news/local/san-marcos-city-council-votes-to-deny-flock-camera-expansion-after-hours-of-heated-debate"><span>San Marcos</span></a><span>, </span><a href="https://denverite.com/2025/05/05/denver-rejects-flock-camera-license-plate-readers/"><span>Denver</span></a><span>, </span><a href="https://ij.org/press-release/federal-court-rejects-flock-safetys-late-bid-to-join-and-block-ijs-lawsuit-challenging-norfolks-mass-surveillance-cameras/"><span>Norfolk</span></a><span>, and </span><a href="https://www.eff.org/deeplinks/2025/06/san-diegans-push-back-flock-alpr-surveillance"><span>San Diego</span></a><span> are pushing back. And it's not nearly as hard a choice as Flock would have you believe: </span><a href="https://www.kvue.com/article/news/local/austin-license-plate-readers-ends-privacy-concerns/269-4dc64690-c6c0-4ace-a009-fd8a13f69113"><span>Austinites</span></a><span> are weighing the benefits of a surveillance system that generates a hit </span><a href="https://www.austintexas.gov/sites/default/files/files/Auditor/Audit_Reports/APD_License_Plate_Reader_May2025.pdf"><span>less than 0.02% of the time</span></a><span> against the possibility that scanning 75 million license plates will result in an abortion seeker being tracked down by police, or an immigrant being flagged by ICE in a so-called "sanctuary city." These are not hypothetical risks. It is already happening.</span></p><p><span>Given how pervasive, sprawling, and ungovernable ALPR sharing networks have become, the only feature update we can truly rely on to protect people's rights and safety is no network at all. And we applaud the communities taking decisive action to dismantle its surveillance infrastructure.</span></p><p><span>Follow their lead: don't stop </span><a href="https://deflock.me/"><span>de-flocking</span></a><span>.</span></p> </div></div></div></description> <pubDate>Sat, 28 Jun 2025 00:36:58 +0000</pubDate> <guid isPermaLink="false">110866 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/street-level-surveillance">Street-Level Surveillance</category> <dc:creator>Sarah Hamid</dc:creator> <dc:creator>Rindala Alajaji</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/truck_passing_flock.jpg" alt="A red truck carrying a lawnmower passes two Flock Safety automated license plate readers attached to poles." type="image/jpeg" length="156412" /> </item> <item> <title>Today's Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy</title> <link>https://www.eff.org/deeplinks/2025/06/todays-supreme-court-decision-age-verification-tramples-free-speech-and-undermines</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">Today’s decision in </span><i><span data-contrast="auto">Free Speech Coalition v. Paxton </span></i><span data-contrast="auto">is a direct blow to the free speech rights of adults. The Court ruled that “no person—adult or child—has a First Amendment right to access speech that is obscene to minors without first submitting proof of age.” This ruling allows states to enact onerous age-verification rules that will block adults from accessing lawful speech, curtail their ability to be anonymous, and jeopardize their data security and privacy. These are real and immense burdens on adults, and the Court was wrong to ignore them in upholding Texas’ law.</span> <span data-ccp-props="{}"> </span></p><p><span data-contrast="none">Importantly, the Court's reasoning applies only to age-verification rules for certain </span><span data-contrast="none">sexual material, and not to age limits in general. We will continue to fight against age restrictions on online access more broadly, such as on social media and specific online features.</span><span data-contrast="auto"> </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">Still, the decision has immense consequences for internet users in Texas and in other states that have enacted similar laws. The Texas law forces adults to submit personal information over the internet to access entire websites that hold some amount of sexual material, not just pages or portions of sites that contain specific sexual materials. Many sites that cannot reasonably implement age verification measures for reasons such as cost or technical requirements will likely block users living in Texas and other states with similar laws wholesale. </span><span data-ccp-props="240}"> </span></p><p class="pull-quote"><span data-ccp-props="240}">Importantly, the Court's reasoning applies only to age-verification rules for certain sexual material, and not to age limits in general. </span></p><p><span data-contrast="auto">Many users will not be comfortable sharing private information to access sites that do implement age verification, for reasons of privacy or concern for data breaches. Many others do not have a driver’s license or photo ID to complete the age verification process. This decision will, ultimately, deter adult users from speaking and accessing lawful content, and will endanger the privacy of those who choose to go forward with verification.</span><span data-ccp-props="240}"> </span></p><h3><b><span data-contrast="auto">What the Court Said Today</span></b><span data-ccp-props="0}"> </span></h3><p><span data-contrast="auto">In the 6-3 decision, the Court ruled that Texas’ </span><a href="https://capitol.texas.gov/tlodocs/88R/billtext/html/HB01181H.htm"><span data-contrast="none">HB 1181</span></a><span data-contrast="auto"> is constitutional. This law requires websites that Texas decides are composed of “one-third” or more of “sexual material harmful to minors” to confirm the age of users by collecting age-verifying personal information from all visitors—even to access the other two-thirds of material that is not adult content. </span><span data-ccp-props="0}"> </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="auto">In 1997, the Supreme Court struck down a federal online age-verification law in Reno v. American Civil Liberties Union. In that case the court ruled that many elements of the Communications Decency Act </span><a href="https://www.aclu.org/cases/reno-v-aclu-challenge-censorship-provisions-communications-decency-act"><span data-contrast="none">violated the First Amendment</span></a><span data-contrast="auto">, including part of the law making it a crime for anyone to engage in online speech that is "indecent" or "patently offensive" if the speech could be viewed by a minor. Like HB 1181, that law </span><a href="https://www.eff.org/effector/8/10"><span data-contrast="none">would have resulted</span></a><span data-contrast="auto"> in many users being unable to view constitutionally protected speech, as many websites would have had to implement age verification, while others would have been forced to shut down. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="auto">In Reno and in subsequent cases, the Supreme Court ruled that laws that burden adults’ access to lawful speech are subjected to the highest level of review under the First Amendment, known as strict scrutiny. This level of scrutiny requires a law to be very narrowly tailored or the least speech-restrictive means available to the government. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="auto">That all changed with the Supreme Court’s decision today</span><span data-contrast="auto">. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="auto">The Court now says that laws that burden adults</span><span>’</span><span data-contrast="auto"> access to sexual materials that are obscene to minors are subject to less-searching First Amendment review, known as intermediate scrutiny. And under that lower standard, the Texas law does not violate the First Amendment.</span> <span data-contrast="auto">The Court did not have to respond to arguments that there are less speech-restrictive ways of reaching the same goal—for example, encouraging parents to install content-filtering software on their children’s devices. <br /></span></p><p><span data-contrast="auto">The court reached this decision by incorrectly assuming that online age verification is functionally equivalent to flashing an ID at a brick-and-mortar store. As we explained in our amicus brief, this ignores the many ways in which verifying age online is significantly more burdensome and invasive than doing so in person. As we and many others have </span><a href="https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online"><span data-contrast="none">previously</span></a> <a href="https://www.eff.org/deeplinks/2025/01/face-scans-estimate-our-age-creepy-af-and-harmful"><span data-contrast="none">explained</span></a><span data-contrast="auto">, unlike with in-person age-checks, the only viable way for a website to comply with an age verification requirement is to require all users to upload and submit—not just momentarily display—a data-rich government-issued ID or other document with personal identifying information. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">This leads to a host of serious anonymity, privacy, and security concerns—all of which the majority failed to address. A person who submits identifying information online can never be sure if websites will keep that information or how that information might be used or disclosed. This leaves users highly vulnerable to data breaches and other security harms. Age verification also undermines anonymous internet browsing, even though courts have consistently ruled that anonymity is an aspect of the freedom of speech protected by the First Amendment. </span><span data-ccp-props="{}"> </span></p><p class="pull-quote"><span data-ccp-props="{}">This Supreme Court broke a fundamental agreement between internet users and the state that has existed since its inception</span></p><p><span data-contrast="auto">The Court side</span><span data-contrast="auto">stepped its previous online age verification decisions by claiming </span><span>t</span><span data-contrast="auto">he internet has changed too much to follow the precedent from </span><i><span data-contrast="auto">Reno </span></i><span data-contrast="auto">that requires these laws to survive strict scrutiny. Writing for the minority, Justice Kagan disagreed with the premise that the internet has changed: “the majority’s claim—again mistaken—that the internet has changed too much to follow our precedents’ lead.” </span><span data-ccp-props="0}"> </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="auto">But the majority argues that past precedent does not account for the dramatic expansion of the internet since the 1990s, which has led to easier and greater internet access and larger amounts of content available to teens online.</span> <span data-contrast="auto">The majority’s opinion entirely fails to address the obvious corollary: the internet’s expansion also has benefited adults. Age verification requirements now affect exponentially more adults than they did in the 1990s and burden vastly more constitutionally protected online speech. The majority's argument actually demonstrates that the burdens on adult speech have grown dramatically </span><i><span data-contrast="auto">larger</span></i><span data-contrast="auto"> because of technological changes, yet the Court bizarrely interprets this expansion as justification for weaker constitutional protection.</span><span data-ccp-props="0}"> </span></p><h3><b><span data-contrast="auto">What It Means Going Forward</span></b><span data-ccp-props="0}"> </span></h3><p><span data-contrast="auto">This Supreme Court broke a fundamental agreement between internet users and the state that has existed since its inception: the government will not stand in the way of people accessing First Amendment-protected material. There is no question that multiple states will now introduce similar laws to Texas. Two dozen already have, though they are not all in effect. At least three of those states have no limit on the percentage of material required before the law applies—a sweeping restriction on every site that contains </span><i><span data-contrast="auto">any</span></i><span data-contrast="auto"> material that the state believes the law includes. These laws will force U.S.-based adult websites to implement age-verification or block users in those states, as many have in the past when similar laws were in effect. </span><span data-ccp-props="240}"> </span></p><p><span data-contrast="auto">Rather than submit to verification, </span><a href="https://reason.com/2025/03/12/study-age-verification-laws-dont-work/"><span data-contrast="none">research</span></a><span data-contrast="auto"> has found that people will choose a variety of other paths: </span><a href="https://www.eff.org/deeplinks/2025/01/vpns-are-not-solution-age-verification-laws"><span data-contrast="none">using VPNs</span></a><span data-contrast="auto"> to indicate that they are outside of the state, accessing similar sites that don’t comply with the law, often because the site is operating in a different country. While many users will simply not access the content as a result, others may accept the risk, at </span><a href="https://www.eff.org/deeplinks/2024/06/hack-age-verification-company-shows-privacy-danger-social-media-laws"><span data-contrast="none">their peril</span></a><span data-contrast="auto">. </span><span data-ccp-props="240}"> </span></p><p><span data-contrast="auto">We expect some states to push the envelope in terms of what content they consider “harmful to minors,” and to expand the type of websites that are covered by these laws, either through updated language or threats of litigation. Even if these attacks are struck down, operators of sites that involve sexual content of any type may be under threat, especially if that information is politically divisive. We worry that the point of some of these laws will be to deter queer folks and others from accessing lawful speech and finding community online by requiring them to identify themselves. We will continue to fight to protect against the disclosure of this critical information and for people to maintain their anonymity.</span><span data-ccp-props="240}"> </span></p><h3><b><span data-contrast="auto">EFF Will Continue to Fight for All Users’ Free Expression and Privacy</span></b><span data-ccp-props="0}"> </span></h3><p><span data-contrast="auto">That said, the ruling does not give states or Congress the green light to impose age-verification regulations on the broader internet. The majority’s decision rests on the fact that minors do not have a First Amendment right to access sexual material that would be obscene. In short, adults have a First Amendment right to access those sexual materials, while minors do not. Although it was wrong, the majority’s opinion ruled that because Texas is blocking minors from speech they have no constitutional right to access, the age-verification requirement only incidentally burdens adult’s First Amendment rights. </span><span data-ccp-props="240}"> </span></p><p><span data-contrast="auto">But the same rationale does not apply to general-audience sites and services, including social media. Minors and adults have coextensive rights to both speak and access the speech of other users on these sites because the vast majority of the speech is not sexual materials that would be obscene to minors. Lawmakers should be careful not to interpret this ruling to mean that broader restrictions on minors’ First Amendment rights, like those included in the </span><a href="https://www.eff.org/deeplinks/2025/05/kids-online-safety-act-will-make-internet-worse-everyone"><span data-contrast="none">Kids Online Safety Act</span></a><span data-contrast="auto">, would be deemed constitutional. </span><span data-ccp-props="240}"> </span></p><p><i><span data-contrast="auto">Free Speech Coalition v. Paxton</span></i><span data-contrast="auto"> will have an effect on nearly every U.S. adult internet user for the foreseeable future. It marks a worrying shift in the ways that governments can restrict access to speech online. But that only means we must work harder than ever to protect privacy, security, and free speech as central tenets of the internet. </span><span data-ccp-props="240}"> </span></p> </div></div></div></description> <pubDate>Fri, 27 Jun 2025 20:16:03 +0000</pubDate> <guid isPermaLink="false">110863 at https://www.eff.org</guid> <dc:creator>Aaron Mackey</dc:creator> <dc:creator>Lisa Femia</dc:creator> <dc:creator>Jason Kelley</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/supreme-court-3b.jpg" alt="Supreme Court" type="image/jpeg" length="206874" /> </item> <item> <title>Georgia Court Rules for Transparency over Private Police Foundation</title> <link>https://www.eff.org/deeplinks/2025/06/georgia-court-rules-transparency-over-private-police-foundation</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">A </span><a href="https://atlpresscollective.com/2025/06/02/acpc-lpl-open-records-apf/"><span data-contrast="none">Georgia court has decided</span></a><span data-contrast="auto"> that private non-profit </span><a href="https://atlpresscollective.com/tag/atlanta-police-foundation/"><span data-contrast="none">Atlanta Police Foundation</span></a><span data-contrast="auto"> (APF) must comply with public records requests under the Georgia Open Records Act for some of its functions on behalf of the Atlanta Police Department. This is a major win for transparency in the state.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto"> The </span><a href="https://www.eff.org/deeplinks/2024/03/lucy-parsons-labs-takes-police-foundation-court-open-records-requests"><span data-contrast="none">lawsuit was brought last year</span></a><span data-contrast="auto"> by the Atlanta Community Press Collective (ACPC) and </span><a href="https://efa.eff.org"><span data-contrast="none">Electronic Frontier Alliance</span></a><span data-contrast="auto"> member Lucy Parsons Labs (LPL). It concerns the APF’s refusal to disclose records about its role as the leaser and manager of the site of so-called Cop City, the Atlanta Public Safety Training Center at the heart of a years-long battle that pitted local social and environmental movements against the APF. We’ve previously written about how APF and </span><a href="https://www.eff.org/deeplinks/2020/09/how-police-fund-surveillance-technology-part-problem"><span>similar groups fund</span></a><span data-contrast="auto"> police surveillance technology, and how the Atlanta Police Department </span><a href="https://www.eff.org/deeplinks/2024/08/atlanta-police-must-stop-high-tech-spying-political-movements"><span>spied on the social media</span></a><span data-contrast="auto"> of activists opposed to Cop City. </span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">This is a big win for transparency and for local communities who want to maintain their right to know what public agencies are doing.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">Police Foundations often provide resources to police departments that help them avoid public oversight, and the Atlanta Police Foundation leads the way with its maintenance of the Loudermilk Video Inte</span><span data-contrast="auto">gration Center and its role in Cop City, which will be used by public agencies including the Atlanta and other police departments.</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">ACPC and LPL were represented by attorneys Joy Ramsingh, Luke Andrews, and Samantha Hamilton who had won the release of some materials this past December. The plaintiffs had earlier been represented by the University of Georgia School of Law First Amendment Clinic. </span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">The win comes at just the right time. Last Summer, the Georgia Supreme Court </span><a href="https://georgiarecorder.com/briefs/state-supreme-court-rules-open-records-act-applies-to-private-contractors-working-for-governments/"><span data-contrast="none">ruled</span></a><span data-contrast="auto"> that private contractors working for public entities are subject to open records laws. The Georgia state legislature then </span><a href="https://georgiarecorder.com/2025/06/04/atlanta-police-foundation-ordered-to-comply-with-open-records-requests-over-cop-city-documents/"><span data-contrast="none">passed a bill</span></a><span data-contrast="auto"> to make it harder to file public records requests against private entities. </span><span data-contrast="auto">With this month’s ruling, there is still time for the Atlanta Police Foundation to appeal the decision, but failing that, they will have to begin to comply with public records requests by the beginning of July. </span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">We hope that this will help ensure transparency and accountability when government agencies farm out public functions to private entities, so that local activists and journalists will be able to uncover materials that should be available to the general public.</span><span data-ccp-props="279}"> </span></p> </div></div></div></description> <pubDate>Fri, 27 Jun 2025 15:51:03 +0000</pubDate> <guid isPermaLink="false">110861 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/community-control-police-surveillance-ccops">Community Control of Police Surveillance (CCOPS)</category> <category domain="https://www.eff.org/issues/street-level-surveillance">Street-Level Surveillance</category> <category domain="https://www.eff.org/fight">Electronic Frontier Alliance</category> <dc:creator>José Martinez</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/efa-logo-banner.png" alt="Logo for the Electronic Frontier Alliance" type="image/png" length="11034" /> </item> <item> <title>Two Courts Rule On Generative AI and Fair Use — One Gets It Right</title> <link>https://www.eff.org/deeplinks/2025/06/two-courts-rule-generative-ai-and-fair-use-one-gets-it-right</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Things are speeding up in generative AI legal cases, with two judicial opinions just out on an issue that will <a href="https://www.eff.org/deeplinks/2025/02/copyright-and-ai-cases-and-consequences">shape the future</a> of generative AI: whether training gen-AI models on copyrighted works is fair use. One gets it spot on; the other, not so much, but fortunately in a way that future courts can and should discount.</p><p>The core question in both cases was whether using copyrighted works to train Large Language Models (LLMs) used in AI chatbots is a lawful fair use. Under the US Copyright Act, answering that question requires courts to consider:</p><ol><li>whether the use was transformative;</li><li>the nature of the works (Are they more creative than factual? Long since published?)</li><li>how much of the original was used; and</li><li>the harm to the market for the original work.</li></ol><p>In both cases, the judges focused on factors (1) and (4).</p><h3>The right approach</h3><p>In <a href="https://www.courtlistener.com/docket/69058235/231/bartz-v-anthropic-pbc/"><em>Bartz v. Anthropic</em></a>, three authors sued Anthropic for using their books to train its Claude chatbot. In his order deciding parts of the case, Judge William Alsup confirmed what EFF has <a href="https://www.eff.org/deeplinks/2023/04/how-we-think-about-copyright-and-ai-art-0">said for years:</a> fair use protects the use of copyrighted works for training because, among other things, training gen-AI is “transformative—spectacularly so” and any alleged harm to the market for the original is pure speculation. Just as copying books or images to create search engines is fair, the court held, copying books to create a new, “transformative” LLM and related technologies is also protected:</p><blockquote><p>[U]sing copyrighted works to train LLMs to generate new text was quintessentially transformative. Like any reader aspiring to be a writer, Anthropic’s LLMs trained upon works not to race ahead and replicate or supplant them—but to turn a hard corner and create something different. If this training process reasonably required making copies within the LLM or otherwise, those copies were engaged in a transformative use.</p></blockquote><p>Importantly, <em>Bartz </em>rejected the copyright holders’ attempts to claim that any model capable of generating new written material that might compete with existing works by emulating their “sweeping themes, “substantive points,” or “grammar, composition, and style” was an infringement machine. As the court rightly recognized, building gen-AI models that create new works is beyond “anything that any copyright owner rightly could expect to control.” </p><p>There’s a lot more to like about the <em>Bartz</em> ruling, but just as we were digesting it <a href="https://www.eff.org/deeplinks/2025/04/eff-urges-court-avoid-fair-use-shortcuts-kadrey-v-meta-platforms"><em>Kadrey v. Meta Platforms</em></a> came out. Sadly, this decision bungles the fair use analysis.</p><h3>A fumble on fair use</h3><p><em>Kadrey</em> is another suit by authors against the developer of an AI model, in this case Meta’s ‘Llama’ chatbot. The authors in Kadrey asked the court to rule that fair use did not apply.</p><p>Much of the <em>Kadrey</em> ruling by Judge Vince Chhabria is<em> dicta—</em>meaning, the opinion spends many paragraphs on what it thinks<em> could</em> justify ruling in favor of the author plaintiffs, if only they had managed to present different facts (rather than pure speculation). The court then rules in Meta’s favor because the plaintiffs only offered speculation. </p><p>But it makes a number of errors along the way to the right outcome. At the top, the ruling broadly proclaims that training AI without buying a license to use each and every piece of copyrighted training material will be “illegal” in “most cases.” The court asserted that fair use usually won’t apply to AI training uses even though training is a “highly transformative” process, because of hypothetical “market dilution” scenarios where competition from AI-generated works could reduce the value of the books used to train the AI model..</p><p>That theory, in turn, depends on three mistaken premises. First, that the most important factor for determining fair use is whether the use might cause market harm. That’s not correct. Since its seminal 1994 opinion in <em><a href="https://www.oyez.org/cases/1993/92-1292">Cambell v Acuff-Rose</a></em>, the Supreme Court has been very clear that no single factor controls the fair use analysis.</p><p>Second, that an AI developer would typically seek to train a model entirely on a certain type of work, and then use that model to generate new works in the exact same genre, which would then compete with the works on which it was trained, such that the market for the original works is harmed. As the <em>Kadrey</em> ruling notes, there was no evidence that Llama was intended to to, or does, anything like that, nor will most LLMs for the exact reasons discussed in <em>Bartz</em>.</p><p>Third, as a matter of law, copyright doesn't prevent “market dilution” unless the new works are otherwise infringing. In fact, the whole purpose of copyright is to be an engine for new expression. If that new expression competes with existing works, that’s a feature, not a bug.</p><p>Gen-AI is spurring the kind of <a href="https://xkcd.com/1227/">tech panics</a> we’ve seen <a href="https://www.forbes.com/sites/joshbarro/2012/01/18/thirty-years-before-sopa-mpaa-feared-the-vcr/">before</a>; then, as now, thoughtful <a href="https://www.eff.org/deeplinks/2024/01/what-home-videotaping-can-tell-us-about-generative-ai">fair use opinions</a> helped ensure that copyright law served innovation and creativity. Gen-AI does raise a host of other serious concerns about fair labor practices and misinformation, but copyright wasn’t designed to address those problems. Trying to force copyright law to play those roles only hurts important and legal uses of this technology.</p><p>In keeping with that tradition, courts deciding fair use in other AI copyright cases should look to <em>Bartz, </em>not <em>Kadrey.</em></p> </div></div></div></description> <pubDate>Thu, 26 Jun 2025 19:22:26 +0000</pubDate> <guid isPermaLink="false">110856 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/intellectual-property">Fair Use</category> <dc:creator>Tori Noble</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/robotai.png" alt="A robot painting a self-portrait" type="image/png" length="177967" /> </item> <item> <title>Ahead of Budapest Pride, EFF and 46 Organizations Call on European Commission to Defend Fundamental Rights in Hungary</title> <link>https://www.eff.org/deeplinks/2025/06/ahead-budapest-pride-eff-and-46-organizations-call-european-commission-defend</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>This week, EFF joined EDRi and nearly 50 civil society organizations <a href="https://edri.org/our-work/open-letter-the-european-commission-must-act-now-to-defend-fundamental-rights-in-hungary/">urging</a> the European Commission’s President Ursula von der Leyen, Executive Vice President Henna Virkunnen, and Commissioners Michael McGrath and Hadja Lahbib to take immediate action and defend human rights in Hungary.</p><p class="pull-quote">The European Commission has a responsibility to protect EU fundamental rights, including the rights of LGBTQ+ individuals in Hungary and across the Union</p><p>With Budapest Pride just two days away, Hungary has criminalized Pride marches and is planning to deploy real-time facial recognition technology to identify those participating in the event. This is a flagrant violation of fundamental rights, particularly the rights to free expression and assembly.</p><p>On April 15, a new amendment package went into effect in Hungary which authorizes the use of real-time facial recognition to identify protesters at ‘banned protests’ like LGBTQ+ events, and includes harsh penalties like excessive fines and imprisonment. This is <a href="https://edri.org/our-work/hungarys-new-biometric-surveillance-laws-violate-the-ai-act/">prohibited</a> by the EU Artificial Intelligence (AI) Act, which does not permit the use of real-time face recognition for these purposes.</p><p>This came on the back of members of Hungary’s Parliament rushing through <a href="https://ecnl.org/news/hungarys-new-biometric-surveillance-laws-violate-ai-act">three amendments</a> in March to ban and criminalize Pride marches and their organizers, and permit the use of real-time facial recognition technologies for the identification of protestors. These amendments were passed without public consultation and are in express violation of the EU AI Act and Charter of Fundamental Rights. In response, civil society organizations <a href="https://edri.org/our-work/civil-society-to-european-commission-act-now-to-defend-fundamental-rights-from-hungarys-pride-ban-and-the-use-of-facial-recognition-against-protesters/">urged</a> the European Commission to put interim measures in place to rectify the violation of fundamental rights and values. The Commission is yet to respond—a real cause of concern.</p><p>This is an attack on LGBTQ+ individuals, as well as an attack on the rights of all people in Hungary. The letter urges the European Commission to take the following actions:</p><ul><li>Open an infringement procedure against any new violations of EU law, in particular the violation of Article 5 of the AI Act</li><li>Adopt interim measures on ongoing infringement against Hungary’s 2021 anti LGBT law which is used as a legal basis for the ban on LGBTQIA+ related public assemblies, including Budapest Pride.</li></ul><p>There's no question that, when EU law is at stake, the European Commission has a responsibility to protect EU fundamental rights, including the rights of LGBTQ+ individuals in Hungary and across the Union. This includes ensuring that those organizing and marching at Pride in Budapest are safe and able to peacefully assemble and protest. If the EU Commission does not urgently act to ensure these rights, it risks hollowing out the values that the EU is built from.</p><p>Read our full letter to the Commission <a href="https://edri.org/our-work/open-letter-the-european-commission-must-act-now-to-defend-fundamental-rights-in-hungary/">here</a>.</p> </div></div></div></description> <pubDate>Thu, 26 Jun 2025 16:10:29 +0000</pubDate> <guid isPermaLink="false">110855 at https://www.eff.org</guid> <dc:creator>Paige Collings</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/eu-flag-11.png" alt="EU-flag-circuits" type="image/png" length="48177" /> </item> <item> <title>How Cops Can Get Your Private Online Data</title> <link>https://www.eff.org/deeplinks/2025/06/how-cops-can-get-your-private-online-data</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Can the cops get your online data? In short, yes. There are a variety of US federal and state laws which give law enforcement powers to obtain information that you provided to online services. But, there are steps you as a user and/or as a service provider can take to improve online privacy.</p><p>Law enforcement demanding access to your private online data goes back to the beginning of the internet. In fact, one of EFF’s first cases, <a href="https://www.eff.org/cases/steve-jackson-games-v-secret-service-case-archive">Steve Jackson Games v. Secret Service</a>, exemplified the now all-too-familiar story where unfounded claims about illegal behavior resulted in overbroad seizures of user messages. But it’s not the ’90s anymore, the internet has become an integral part of everyone’s life. Everyone now relies on organizations big and small to steward our data, from huge service providers <a href="https://www.eff.org/deeplinks/2024/08/federal-appeals-court-finds-geofence-warrants-are-categorically-unconstitutional">like Google</a>, Meta, or your ISP, to hobbyists hosting a blog or <a href="https://www.eff.org/deeplinks/2023/07/fbi-seizure-mastodon-server-wakeup-call-fediverse-users-and-hosts-protect-their">Mastodon server</a>. </p><p>There is no “cloud,” just someone else's computer—and when the cops come knocking on their door, these hosts need to be willing to stand up for privacy, and know how to do so to the fullest extent under the law. These legal limits are also important for users to know, not only to mitigate risks in their <a href="https://ssd.eff.org/module/your-security-plan">security plan</a> when choosing where to share data, but to understand whether these hosts are going to bat for them. Taking action together, service hosts and users can curb law enforcement getting more data than they’re allowed, protecting not just themselves but <a href="https://www.eff.org/deeplinks/2022/05/what-companies-can-do-now-protect-digital-rights-post-roe-world">targeted populations</a>, present and future.</p><p>This is distinct from law enforcement’s methods of collecting <em>public</em> data, such as the information now <a href="https://www.npr.org/2025/06/19/g-s1-73572/us-resumes-visas-foreign-students-access-social-media">being collected on student visa applicants</a>. Cops may use <a href="https://www.eff.org/deeplinks/2024/11/eff-lawsuit-discloses-documents-detailing-governments-social-media-surveillance">social media monitoring tools</a> and <a href="https://www.eff.org/deeplinks/2019/04/facebook-must-take-these-four-steps-counter-police-sock-puppets">sock puppet accounts</a> to collect what you share publicly, or even within “private” communities. Police may also obtain the contents of communication in other ways that do not require court authorization, such as monitoring network traffic passively to catch metadata and possibly using advanced tools to partially reveal encrypted information. They can even outright buy information from <a href="https://www.eff.org/deeplinks/2022/08/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police">online data brokers</a>. Unfortunately there are few restrictions or oversight for these practices—something EFF is fighting to change.</p><p>Below however is a general breakdown of the legal processes used by US law enforcement for accessing <em>private</em> data, and what categories of private data these processes can disclose. Because this is a generalized summary, it is neither exhaustive nor should be considered legal advice. Please <a href="https://www.eff.org/pages/legal-assistance">seek legal help</a> if you have specific data privacy and security needs.</p><table><thead><tr style="color: white; font-size: 1.1rem;"><th style="background-color: #432a46; border: 0; font-weight: 600;"><p>Type of data</p></th><th style="background-color: #432a46; border: 0; font-weight: 600;"><p>Process used</p></th><th style="background-color: #432a46; border: 0; font-weight: 600;"><p>Challenge prior to disclosure?</p></th><th style="background-color: #432a46; border: 0; font-weight: 600;"><p>Proof needed</p></th></tr></thead><tbody style="font-size: 1rem;"><tr><td style="border: 0;"><p>Subscriber information</p></td><td style="border: 0;"><p>Subpoena</p></td><td style="border: 0;"><p>Yes</p></td><td style="border: 0;"><p><strong>Relevant</strong> to an investigation</p></td></tr><tr style="background-color: #f6bdb9;"><td style="border: 0;"><p>Non-content information, <strong>metadata</strong></p></td><td style="border: 0;"><p>Court order; sometimes subpoena</p></td><td style="border: 0;"><p>Yes</p></td><td style="border: 0;"><p><strong>Specific and articulable facts</strong> that info is relevant to an investigation</p></td></tr><tr><td style="border: 0;"><p>Stored content</p></td><td style="border: 0;"><p>Search warrant</p></td><td style="border: 0;"><p>No</p></td><td style="border: 0;"><p><strong>Probable cause</strong> that info will provide evidence of a crime</p></td></tr><tr style="background-color: #f6bdb9; border: 0;"><td style="border: 0;"><p><strong>Content</strong> <strong>in transit</strong></p></td><td style="border: 0;"><p>Super warrant</p></td><td style="border: 0;"><p>No</p></td><td style="border: 0;"><p>Probable cause <em>plus</em> <strong>exhaustion</strong> and <strong>minimization</strong></p></td></tr></tbody></table><h2>Types of Data that Can be Collected</h2><p>The laws protecting private data online generally follow a pattern: the more sensitive the personal data is, the greater factual and legal burden police have to meet before they can obtain it. Although this is not exhaustive, here are a few categories of data you may be sharing with services, and why police might want to obtain it.</p><ul><ul><li><strong>Subscriber Data:</strong> Information you provide in order to use the service. Think about ID or payment information, IP address location, email, phone number, and other information you provided when signing up. <ul><li><em>Law enforcement can learn who controls an anonymous account, and find other service providers to gather information from.</em></li></ul></li><li><strong>Non-content data, or "metadata":</strong> This is saved information about your interactions on the service; like when you used the service, for how long, and with whom. Analogous to what a postal worker can infer from a sealed letter with addressing information.</li><ul><li><em>Law enforcement can use this information to infer a social graph, login history, and other information about a suspect’s behavior.</em></li></ul></ul></ul><ul><ul><ul></ul><li><strong>Stored content:</strong> This is the actual content you are sending and receiving, like your direct message history or saved drafts. This can cover any private information your service provider can access. </li><ul><li><em>This most sensitive data is collected to reveal criminal evidence. Overly broad requests also allow for retroactive searches, information on other users, and can take information out of its original context. </em></li></ul><li><strong>Content in transit:</strong> This is the content of your communications as it is being communicated. This real-time access may also collect info which isn’t typically stored by a provider, like your voice during a phone call.<ul><li><em>Law enforcement can compel providers to wiretap their own services for a particular user—which may also implicate the privacy of users they interact with.</em></li></ul></li></ul></ul><h2>Legal Processes Used to Get Your Data</h2><p>When US law enforcement has identified a service that likely has this data, they have a few tools to legally compel that service to hand it over and prevent users from knowing information is being collected.</p><h4><span style="background-color: #f6bdb9;"><strong>Subpoena</strong></span></h4><p>Subpoenas are demands from a prosecutor, law enforcement, or a grand jury which do not require approval of a judge before being sent to a service. The only restriction is this demand be relevant to an investigation. Often the only time a court reviews a subpoena is when a service or user challenges it in court.</p><p>Due to the lack of direct court oversight in most cases, subpoenas are <a href="https://www.eff.org/deeplinks/2009/11/effs-secret-files-anatomy-bogus-subpoena">prone to abuse</a> and overreach. Providers should scrutinize such requests carefully with a lawyer and push back before disclosure, particularly when law enforcement tries to use subpoenas to obtain more private data, such as the contents of communications.</p><h4><span style="background-color: #f6bdb9;"><strong>Court Order</strong></span></h4><p>This is a similar demand to subpoenas, but usually pertains to a specific statute which requires a court to authorize the demand. Under the Stored Communications Act, for example, a court can issue an order for non-content information if police provide specific facts that the information being sought is relevant to an investigation. </p><p>Like subpoenas, providers can usually challenge court orders before disclosure and inform the user(s) of the request, subject to law enforcement obtaining a gag order (more on this below). </p><h4><span style="background-color: #f6bdb9;"><strong>Search Warrant</strong></span></h4><p>A warrant is a demand issued by a judge to permit police to search specific places or persons. To obtain a warrant, police must submit an affidavit (a written statement made under oath) establishing that there is a fair probability (or “probable cause”) that evidence of a crime will be found at a particular place or on a particular person. </p><p>Typically services cannot challenge a warrant before disclosure, as these requests are already approved by a magistrate. Sometimes police request that judges also enter gag orders against the target of the warrant that prevent hosts from informing the public or the user that the warrant exists.</p><h4><span style="background-color: #f6bdb9;"><strong>Super Warrant</strong></span></h4><p>Police seeking to intercept communications as they occur generally face the highest legal burden. Usually the affidavit needs to not only establish probable cause, but also make clear that other investigation methods are not viable (exhaustion) and that the collection avoids capturing irrelevant data (minimization). </p><p>Some laws also require high-level approval within law enforcement, such as leadership, to approve the request. Some laws also limit the types of crimes that law enforcement may use wiretaps in while they are investigating. The laws may also require law enforcement to periodically report back to the court about the wiretap, including whether they are minimizing collection of non-relevant communications. </p><p>Generally these demands cannot be challenged while wiretapping is occurring, and providers are prohibited from telling the targets about the wiretap. But some laws require disclosure to targets and those who were communicating with them after the wiretap has ended. </p><h4><span style="background-color: #f6bdb9;"><strong>Gag orders</strong></span></h4><p>Many of the legal authorities described above also permit law enforcement to simultaneously prohibit the service from telling the target of the legal process or the general public that the surveillance is occurring. These non-disclosure orders are prone to abuse and EFF has repeatedly <a href="https://www.eff.org/issues/national-security-letters">fought them</a> because they violate the First Amendment and prohibit public understanding about the breadth of law enforcement surveillance.</p><h2>How Services Can (and Should) Protect You</h2><p>This process isn't always clean-cut, and service providers must ultimately comply with lawful demands for user’s data, even when they challenge them and courts uphold the government’s demands. </p><p>Service providers outside the US also aren’t totally in the clear, as they must often comply with US law enforcement demands. This is usually because they either have a legal presence in the US or because they can be compelled through mutual legal assistance treaties and other international legal mechanisms. </p><p>However, services can do a lot by following a few <a href="https://www.eff.org/files/eff-ospbp-whitepaper.pdf">best practices</a> to <a href="https://www.eff.org/deeplinks/2022/05/what-companies-can-do-now-protect-digital-rights-post-roe-world">defend user privacy</a>, thus limiting the impact of these requests and in some cases make their service a less appealing door for the cops to knock on.</p><h4><span style="background-color: #f6bdb9;"><strong>Put Cops through the Process</strong></span></h4><p>Paramount is the service provider's willingness to stand up for their users. Carving out exceptions or volunteering information outside of the legal framework erodes everyone's right to privacy. Even in extenuating and urgent circumstances, the responsibility is not on you to decide what to share, but on the legal process. </p><p>Smaller hosts, like those of <a href="https://www.eff.org/deeplinks/2022/12/user-generated-content-and-fediverse-legal-primer">decentralized services</a>, might be intimidated by these requests, but consulting legal counsel will ensure requests are challenged when necessary. Organizations like EFF can sometimes provide legal help directly or connect service providers with alternative counsel.</p><h4><span style="background-color: #f6bdb9;"><strong>Challenge Bad Requests</strong></span></h4><p>It’s not uncommon for law enforcement to overreach or make burdensome requests. Before offering information, services can push back on an improper demand informally, and then continue to do so in court. If the demand is overly broad, violates a user's First or Fourth Amendment rights, or has other legal defects, a court may rule that it is invalid and prevent disclosure of the user’s information.</p><p>Even if a court doesn’t invalidate the legal demand entirely, pushing back informally or in court can limit how much personal information is disclosed and mitigate privacy impacts.</p><h4><span style="background-color: #f6bdb9;"><strong>Provide Notice </strong></span></h4><p>Unless otherwise restricted, service providers should give notice about requests and disclosures as soon as they can. This notice is vital for users to seek legal support and prepare a defense.</p><h4><span style="background-color: #f6bdb9;"><strong>Be Clear With Users </strong></span></h4><p>It is important for users to understand if a host is committed to pushing back on data requests to the full extent permitted by law. Privacy policies with fuzzy thresholds like "when deemed appropriate" or “when requested” make it ambiguous if a user’s right to privacy will be respected. The <a href="https://www.eff.org/who-has-your-back-2017?language=el">best practices</a> for providers not only require clarity and a willingness to push back on law enforcement demands, but also a commitment to be transparent with the public about law enforcement’s demands. For example, with regular transparency reports breaking down the countries and states making these data requests.</p><p>Social media services should also consider clear guidelines for finding and removing <a href="https://www.eff.org/deeplinks/2019/04/facebook-must-take-these-four-steps-counter-police-sock-puppets">sock puppet accounts operated by law enforcement</a> on the platform, as these serve as a backdoor to government surveillance.</p><h4><span style="background-color: #f6bdb9;"><strong>Minimize Data Collection </strong></span></h4><p><strong>You can't be compelled to disclose data you don’t have.</strong> If you collect lots of user data, law enforcement will eventually come demanding it. Operating a service typically requires some collection of user data, even if it’s just login information. But the problem is when information starts to be collected beyond what is strictly necessary. </p><p>This excess collection can be seen as convenient or useful for running the service, or often as potentially valuable like <a href="https://www.eff.org/deeplinks/2025/06/protect-yourself-metas-latest-attack-privacy">behavioral tracking</a> used for advertising. However, the more that’s collected, the more the service becomes a target for both legal demands and illegal data breaches. </p><p>For data that enables desirable features for the user, <a href="https://www.eff.org/deeplinks/2019/02/designing-welcome-mats-invite-user-privacy-0">design choices</a> can make privacy the default and give users additional (preferably opt-in) sharing choices. </p><h4><span style="background-color: #f6bdb9;"><strong>Shorter Retention</strong></span></h4><p>As another minimization strategy, hosts should regularly and automatically delete information when it is no longer necessary. For example, deleting logs of user activity can limit the scope of law enforcement’s retrospective surveillance—maybe limiting a court order to the last 30 days instead of the lifetime of the account. </p><p>Again design choices, like giving users the ability to send disappearing messages and deleting them from the server once they’re downloaded, can also further limit the impact of future data requests. Furthermore, these design choices should have privacy-preserving default</p><h4><span style="background-color: #f6bdb9;"><strong>Avoid Data Sharing </strong></span></h4><p>Depending on the service being hosted there may be some need to rely on <em>another</em> service to make everything work for users. Third-party login or ad services are common examples with some amount of tracking built in. Information shared with these third-parties should also be minimized and avoided, as they may not have a strict commitment to user privacy. Most notoriously, data brokers who sell advertisement data can provide another legal work-around for law enforcement by letting them <a href="https://www.eff.org/deeplinks/2022/08/fog-revealed-guided-tour-how-cops-can-browse-your-location-data">simply buy collected data across many apps</a>. This extends to decisions about what information is made public by default, thus accessible to many third parties, and if that is clear to users.<em><br /></em></p><h4><span style="background-color: #f6bdb9;"><strong>(True) End-to-End Encryption</strong></span></h4><p>Now that <a href="https://www.eff.org/deeplinks/2021/09/https-actually-everywhere">HTTPS is actually everywhere</a>, most traffic between a service and a user can be easily secured—<a href="https://certbot.eff.org/">for free</a>. This limits what onlookers can collect on users of the service, since messages between the two are in a secure “envelope.” However, this doesn’t change the fact the service is opening this envelope before passing it along to other users, or returning it to the same user. With each opened message, this is more information to defend.</p><p>Better, is end-to-end encryption (e2ee), which just means providing users with secure envelopes that even the service provider cannot open. This is how a featureful messaging app <a href="https://ssd.eff.org/module/how-to-use-signal">like Signal</a> can <a href="https://tech.hindustantimes.com/mobile/news/recent-court-filing-reveals-exactly-how-much-data-signal-collects-about-you-71619595504148.html">respond to requests</a> with only three pieces of information: the account identifier (phone number), the date of creation, and the last date of access. Many services should follow suit and limit access through encryption.</p><p>Note that while e2ee has become a popular marketing term, it is simply inaccurate for describing any encryption use designed to be broken or circumvented. Implementing “<a href="https://www.eff.org/deeplinks/2025/02/uks-demands-apple-break-encryption-emergency-us-all">encryption backdoors</a>” to break encryption when desired, or simply collecting information before or after the envelope is sealed on a user’s device (“<a href="https://www.eff.org/deeplinks/2019/11/why-adding-client-side-scanning-breaks-end-end-encryption">client-side scanning</a>”) is antithetical to encryption. Finally, note that e2ee does not protect against law enforcement obtaining the contents of communications should they gain access to any device used in the conversation, or if message history is stored on the server unencrypted.</p><h2>Protecting Yourself and Your Community</h2><p>As outlined, often the security of your personal data depends on the service providers you choose to use. But as a user you do still have some options. EFF’s <a href="https://ssd.eff.org/">Surveillance Self-Defense</a> is a maintained resource with many detailed steps you can take. In short, you need to assess your risks, limit the services you use to those you can trust (as much as you can), improve settings, and when all else fails, accessorize with tools that prevent data sharing in the first place—like EFF’s <a href="https://privacybadger.org/">Privacy Badger</a> browser extension.</p><p>Remember that privacy is a team sport. It’s not enough to make these changes as an individual, it’s just as important to share and educate others, as well as fighting for better digital privacy policy on all levels of governance. Learn, <a href="https://efa.eff.org/">get organized</a>, and <a href="https://act.eff.org/">take action</a>.</p><p> </p> </div></div></div></description> <pubDate>Thu, 26 Jun 2025 15:13:40 +0000</pubDate> <guid isPermaLink="false">110845 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/end-end-encryption">End-to-End Encryption</category> <category domain="https://www.eff.org/issues/security">Security</category> <dc:creator>Rory Mir</dc:creator> <dc:creator>Aaron Mackey</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/police-surveillance-hat.jpg" alt="A silhouette of a police officer, with spying eye on his hat" type="image/jpeg" length="124291" /> </item> <item> <title>California’s Corporate Cover-Up Act Is a Privacy Nightmare</title> <link>https://www.eff.org/deeplinks/2025/06/californias-corporate-cover-act-privacy-nightmare</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>California lawmakers are pushing one of the <a href="https://www.eff.org/deeplinks/2025/06/statement-california-state-senate-advancing-dangerous-surveillance-bill" target="_blank" rel="noopener noreferrer">most dangerous privacy rollbacks</a> we’ve seen in years. <a href="https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202520260SB690" target="_blank" rel="noopener noreferrer">S.B. 690</a>, what we’re calling the <em>Corporate Cover-Up Act</em>, is a brazen attempt to let corporations spy on us in secret, gutting long-standing protections without a shred of accountability.</span></p><p><em><span>The Corporate Cover-Up Act </span></em><span>is a massive carve-out that would gut <a href="https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=PEN&amp;part=1.&amp;title=15.&amp;chapter=1.5">California’s Invasion of Privacy Act </a>(CIPA) and give Big Tech and data brokers a green light to spy on us without consent for just about any reason. If passed, S.B. 690 would let companies secretly record your clicks, calls, and behavior online—then share or sell that data with whomever they’d like, all under the banner of a “commercial business purpose.” </span></p><p><span>Simply put, <em>The Corporate Cover-Up Act </em>(S.B. 690) is a blatant attack on digital privacy, and is written to eviscerate long-standing privacy laws and legal safeguards Californians rely on. If passed, it would:</span></p><ul><li><span> </span><span>Gut California’s Invasion of Privacy Act (CIPA)—a law that protects us from being secretly recorded or monitored</span></li><li><span> </span><span>Legalize corporate wiretaps, allowing companies to intercept real-time clicks, calls, and communications</span></li><li><span> </span><span>Authorize pen registers and trap-and-trace tools, which track who you talk to, when, and how—without consent</span></li><li><span> </span><span>Let companies use all of this surveillance data for “commercial business purposes”—with zero notice and no legal consequences</span></li></ul><p><span>This isn’t a small fix. It’s a sweeping rollback of hard-won privacy protections—the kind that helped expose serious abuses by companies like <a href="https://law.justia.com/cases/federal/district-courts/california/candce/5:2012md02314/251223/87/">Facebook</a>, <a href="https://law.justia.com/cases/federal/district-courts/california/candce/5:2020cv03664/360374/330/">Google</a>, and <a href="https://law.justia.com/cases/federal/district-courts/california/candce/3:2022cv04792/399500/180/">Oracle</a>. </span></p><p class="take-action"><a href="https://act.eff.org/action/ca-stop-the-corporate-cover-up-act-s-b-690" target="_blank" rel="noopener noreferrer"><strong>TAKE ACTION</strong></a></p><h2><strong><span>You Can't Opt Out of Surveillance You Don't Know Is Happening</span></strong></h2><p><span>Proponents of <em>The Corporate Cover-Up Act </em> claim it’s just a “clarification” to align CIPA with the California Consumer Privacy Act (CCPA). That’s misleading. The truth is, CIPA and CCPA don’t conflict. CIPA stops secret surveillance. The CCPA governs how data is used <em>after</em> it’s collected, such as through the right to opt out of your data being shared. </span></p><p><span>You can't opt out of being spied on if you’re never told it’s happening in the first place. Once companies collect your data under S.B. 690, they can:</span></p><ul><li><span> </span><span>Sell it to data brokers</span></li><li><span> </span><span>Share it with immigration enforcement or other government agencies</span></li><li><span> </span><span>Use it to against abortion seekers, LGBTQ+ people, workers, and protesters, and</span></li><li><span> </span><span>Retain it indefinitely for profiling</span></li></ul><p><span>…with no consent; no transparency; and no recourse.</span></p><h2><strong>The Communities Most at Risk</strong></h2><p><span>This bill isn’t just a tech policy misstep. It’s a civil rights disaster. If passed, S.B. 690 will put the most vulnerable people in California directly in harm’s way:</span></p><ul><li><span> </span><span>Immigrants, who may be tracked and targeted by ICE</span></li><li><span> </span><span>LGBTQ+ individuals, who could be outed or monitored without their knowledge</span></li><li><span> </span><span>Abortion seekers, who could have location or communications data used against them</span></li><li><span> </span><span>Protesters and workers, who rely on private conversations to organize safely</span></li></ul><p><span>The message this bill sends is clear: corporate profits come before your privacy.</span></p><h2><strong><span>We Must Act Now</span></strong></h2><p><span>S.B. 690 isn’t just a bad tech bill—it’s a dangerous precedent. It tells every corporation: Go ahead and spy on your consumers—we’ve got your back. </span></p><p><span>Californians deserve better.</span></p><p><span>If you live in California, now is the time to call your lawmakers and demand they vote NO on the Corporate Cover-Up Act.</span></p><p class="take-action"><a href="https://act.eff.org/action/ca-stop-the-corporate-cover-up-act-s-b-690"><strong>TAKE ACTION</strong></a></p><p><span>Spread the word, amplify the message, and help stop this attack on privacy before it becomes law.</span></p> </div></div></div></description> <pubDate>Wed, 25 Jun 2025 17:21:46 +0000</pubDate> <guid isPermaLink="false">110846 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/big-tech">Big Tech</category> <dc:creator>Rindala Alajaji</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/california-sunshine_0.png" alt="California Sunshine" type="image/png" length="34671" /> </item> <item> <title>FBI Warning on IoT Devices: How to Tell If You Are Impacted</title> <link>https://www.eff.org/deeplinks/2025/06/fbi-warning-iot-devices-how-tell-if-you-are-impacted</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>On June 5th, the FBI </span><a href="https://www.ic3.gov/PSA/2025/PSA250605" target="_blank" rel="noopener noreferrer"><span>released a PSA</span></a><span> titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of </span><a href="https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/"><span>BADBOX</span></a><span> malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers </span><a href="https://www.eff.org/deeplinks/2023/05/android-tv-boxes-sold-amazon-come-pre-loaded-malware" target="_blank" rel="noopener noreferrer"><span>also encountered</span></a><span> primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices. </span></p><p><span>One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to </span><a href="https://www.eff.org/press/releases/eff-urges-ftc-address-american-resellers-malware-android-tv-set-top-boxes" target="_blank" rel="noopener noreferrer"><span>write an open letter</span></a><span> to the FTC, urging them to take action on resellers.</span></p><p><span>The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at</span><a href="https://www.ic3.gov/" target="_blank" rel="noopener noreferrer"> <span>www.ic3.gov</span></a><span>.</span></p><p><span>The FBI lists these IoC:</span></p><ul><li><span>The presence of suspicious marketplaces where apps are downloaded.</span></li><li><span>Requiring Google Play Protect settings to be disabled.</span></li><li><span>Generic TV streaming devices advertised as unlocked or capable of accessing free content.</span></li><li><span>IoT devices advertised from unrecognizable brands.</span></li><li><span>Android devices that are not Play Protect certified.</span></li><li><span>Unexplained or suspicious Internet traffic.</span></li></ul><p><span>The following adds context to above, as well as some added IoCs we have seen from our research.</span></p><p><b>Play Protect Certified</b></p><p><span>“Android devices that are not Play Protect certified” refers to any device brand or partner not listed here: </span><a href="https://www.android.com/certified/partners/" target="_blank" rel="noopener noreferrer"><span>https://www.android.com/certified/partners/</span></a><span>. Google subjects devices to compatibility and security tests in their criteria for inclusion in the Play Protect program, though the mentioned list’s criteria are not made completely transparent outside of Google. But this list does change, as we saw with the tablet brand we researched </span><a href="https://www.eff.org/deeplinks/2024/11/one-down-many-go-pre-installed-malware-android" target="_blank" rel="noopener noreferrer"><span>being de-listed</span></a><span>. This encompasses “devices advertised from unrecognizable brands.” The list includes international brands and partners as well.</span></p><p><b>Outdated Operating Systems</b></p><p><span>Other issues we saw were really outdated Android versions. For posterity, </span><a href="https://www.msn.com/en-us/news/technology/android-16-is-here-but-its-big-redesign-isn-t-ready/ar-AA1GsNfP"><span>Android 16</span></a><span> just started rolling out. Android 9-12 appeared to be the most common versions routinely used. This could be a result of “copied homework” from previous legitimate Android builds, and often come with their own update software that can present a problem on its own and deliver second-stage payloads for device infection in addition to what it is downloading and updating on the device.</span></p><p><span>You can check which version of Android you have by going to Settings and searching “Android version”.</span></p><p><b>Android App Marketplaces</b></p><p><span>We’ve </span><a href="https://www.eff.org/document/brief-amicus-curiae-eff-support-plaintiff" target="_blank" rel="noopener noreferrer"><span>previously argued</span></a><span> how the availability of different app marketplaces leads to greater consumer choice, where users can choose alternatives even more secure than the Google Play Store. While this is true, the FBI’s warning about suspicious marketplaces is also prudent. Avoiding “downloading apps from unofficial marketplaces advertising free streaming content” is sound (if somewhat vague) advice for set-top boxes, yet this recommendation comes without further guidelines on how to identify which marketplaces might be suspicious for other Android IoT platforms. Best practice is to investigate any app stores used on Android devices separately, but to be aware that if a suspicious Android device is purchased, it can contain preloaded app stores that mimic the functionality of legitimate ones but also contain unwanted or malicious code.</span></p><p><b>Models Listed from the Badbox Report</b></p><p><span>We also recommend looking up device names and models that were listed in the </span><a href="https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/" target="_blank" rel="noopener noreferrer"><span>BADBOX 2.0</span></a><span> report. We investigated the T95 models along with other </span><a href="https://github.com/DesktopECHO/T95-H616-Malware" target="_blank" rel="noopener noreferrer"><span>independent researchers</span></a><span> that initially found this malware present. A lot of model names could be grouped in families with the same letters but different numbers. These operations are iterating fast, but the naming conventions are often lazy in this respect. If you're not sure what model you own, you can usually find it listed on a sticker somewhere on the device. If that fails, you may be able to find it by pulling up the original receipt or looking through your order history.</span></p><p><b>A Note from Satori Researchers:</b></p><p><i><span>“Below is a list of device models known to be targeted by the threat actors. Not all devices of a given model are necessarily infected, but Satori researchers are confident that infections are present on some devices of the below device models:”</span></i></p><p><i><span><div class="caption caption-center"><div class="caption-width-container"><div class="caption-inner"><img src="/files/2025/06/24/screenshot_2025-06-18_at_09-36-33_satori_threat_intelligence_disruption_badbox_2.0_targets_consumer_devices_with_multiple_fraud_schemes_-_human_security.png" width="800" height="821" alt="List of Impacted Models" title="List of Impacted Models" /><p class="caption-text">List of Potentially Impacted Models</p></div></div></div></span></i></p><p><b>Broader Picture: The Digital Divide</b></p><p><span>Unfortunately, the only way to be sure that an Android device from an unknown brand is safe is not to buy it in the first place. Though initiatives like the </span><a href="https://www.fcc.gov/CyberTrustMark" target="_blank" rel="noopener noreferrer"><span>U.S. Cyber Trust Mark</span></a><span> are welcome developments intended to encourage demand-side trust in vetted products, recent shake ups in federal regulatory bodies means the future of this assurance mark is unknown. This means those who face budget constraints and have trouble affording top-tier digital products for streaming content or other connected purposes may rely on cheaper imitation products that are rife with not only vulnerabilities, but even come out-of-the-box preloaded with malware. This puts these people disproportionately at legal risk when these devices are used to provide the buyers’ home internet connection as a proxy for nefarious or illegal purposes.</span></p><p><span>Cybersecurity and trust that the products we buy won’t be used against us is essential: not just for those that can afford name-brand digital devices, but for everyone. While we welcome the IoCs that the FBI has listed in its PSA, more must be done to protect consumers from a myriad of dangers that their devices expose them to.</span></p> </div></div></div></description> <pubDate>Wed, 25 Jun 2025 04:03:14 +0000</pubDate> <guid isPermaLink="false">110847 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/security">Security</category> <dc:creator>Alexis Hancock</dc:creator> <dc:creator>Bill Budington</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/2019-security.png" alt="crossed keys security icon banner" type="image/png" length="17853" /> </item> <item> <title>Why Are Hundreds of Data Brokers Not Registering with States?</title> <link>https://www.eff.org/deeplinks/2025/06/why-are-hundreds-data-brokers-not-registering-states</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>Written in collaboration with Privacy Rights Clearinghouse</em></p><p>Hundreds of data brokers have not registered with state consumer protection agencies. These findings come as more states are passing data broker transparency laws that require brokers to provide information about their business and, in some cases, give consumers an easy way to opt out.</p><p>In recent years, <a href="https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362">California</a>, <a href="https://statutes.capitol.texas.gov/Docs/BC/htm/BC.509.htm">Texas</a>, <a href="https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/HB2052/Enrolled">Oregon</a>, and <a href="https://legislature.vermont.gov/statutes/section/09/062/02446">Vermont</a> have passed data broker registration laws that require brokers to identify themselves to state regulators and the public. A new analysis by <a href="https://privacyrights.org/">Privacy Rights Clearinghouse</a> (PRC) and the Electronic Frontier Foundation (EFF) reveals that many data brokers registered in one state aren’t registered in others.</p><p>Companies that registered in one state but did not register in another include: 291 companies that did not register in California, 524 in Texas, 475 in Oregon, and 309 in Vermont. These numbers come from data analyzed from early April 2025.</p><p>PRC and EFF sent letters to state enforcement agencies urging them to investigate these findings. More investigation by states is needed to determine whether these registration discrepancies reflect widespread noncompliance, gaps and definitional differences in the various state laws, or some other explanation.</p><p>New data broker transparency laws are an essential first step to reining in the data broker industry. This is an ecosystem in which your personal data taken from apps and other web services can be bought and sold largely without your knowledge. The data can be highly sensitive like location information, and can be used to <a href="https://www.eff.org/deeplinks/2022/03/ban-online-behavioral-advertising">target you with ads</a>, <a href="https://www.eff.org/deeplinks/2023/04/digital-privacy-legislation-civil-rights-legislation">discriminate against you</a>, and even <a href="https://www.eff.org/deeplinks/2022/08/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police">enhance government surveillance</a>. The widespread sharing of this data also makes it more susceptible to data breaches. And its easy availability allows personal data to be obtained by bad actors for phishing, harassment, or stalking.</p><p>Consumers need robust deletion mechanisms to remove their data stored and sold by these companies. But the potential registration gaps we identified threaten to undermine such tools. California’s <a href="https://www.eff.org/deeplinks/2023/08/californias-delete-act-protects-us-data-brokers">Delete Act</a> will soon provide consumers with an easy tool to delete their data held by brokers—but it can only work if brokers register. California has already brought a handful of <a href="https://cppa.ca.gov/announcements/2025/20250508.html">enforcement actions</a> against brokers who failed to register under that law, and such compliance efforts are becoming even more critical as deletion mechanisms come online.</p><p>It is important to understand the scope of our analysis.</p><p>This analysis only includes companies that registered in at least one state. It does not capture data brokers that completely disregard state laws by failing to register in any state. A total of 750 data brokers have registered in at least one state. While harder to find, shady data brokers who have failed to register anywhere should remain a primary enforcement target.</p><p>This analysis also does not claim or prove that any of the data brokers we found broke the law. While the definition of “data broker” is similar across states, there are variations that could require a company to register in one state and not another. To take one example, a data broker registered in Texas that only brokers the data of Texas residents would not be legally required to register in California. To take another, a data broker that registered with Vermont in 2020 that then changed its business model and is no longer a broker, would not be required to register in 2025. More detail on variations in data broker laws is outlined in our letters to regulators.</p><p>States should investigate compliance with data broker registration requirements, enforce their laws, and plug any loopholes. Ultimately, consumers deserve protections regardless of where they reside, and Congress should also work to pass baseline federal data broker legislation that minimizes collection and includes strict use and disclosure limits, transparency obligations, and consumer rights.</p><p><strong>Read more here:</strong></p><p><a href="https://www.eff.org/document/california-data-broker-registration-letter">California letter</a></p><p><a href="https://www.eff.org/document/texas-data-broker-registration-letter">Texas Letter</a></p><p><a href="https://www.eff.org/document/oregon-data-broker-registration-letter">Oregon Letter</a></p><p><a href="https://www.eff.org/document/vermont-data-broker-registration-letter">Vermont Letter</a></p><p><a href="https://www.eff.org/document/appendix-b-databrokerfullregistry2025">Spreadsheet of data brokers</a></p> </div></div></div></description> <pubDate>Tue, 24 Jun 2025 17:58:01 +0000</pubDate> <guid isPermaLink="false">110843 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/location-data-brokers">Location Data Brokers</category> <dc:creator>Mario Trujillo</dc:creator> <dc:creator>Hayley Tsukayama</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/icon-2019-privacy.png" alt="" type="image/png" length="16605" /> </item> <item> <title>Major Setback for Intermediary Liability in Brazil: Risks and Blind Spots </title> <link>https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-risks-and-blind-spots</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><i><span data-contrast="none">This is the third post of a series about internet intermediary liability in Brazil. Our </span></i><a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks"><i><span data-contrast="none">first post</span></i></a><i><span data-contrast="none"> gives an overview of Brazil's current internet intermediary liability regime, set out in a law known as </span></i><a href="https://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm"><i><span data-contrast="none">"Marco Civil da Internet,"</span></i></a><i><span data-contrast="none"> the context of its approval in 2014, and the beginning of the Supreme Court's judgment of such regime in November 2024. Our <a href="https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-how-did-we-get-here ">second post</a> </span></i><i><span data-contrast="none">provides a bigger picture of the Brazilian context underlying the court's analysis and its most likely final decision.</span></i><span data-ccp-props="0}"> </span></p><p><em>Update: Brazil’s Supreme Court analysis of the country’s intermediary liability regime concluded on June 26, 2025. With three dissenting votes in favor of Article 19’s constitutionality, the majority of the court deemed it partially unconstitutional. Much of the perils we pointed out have unfortunately come true. The ruling does include some (though not all) of the minimum safeguards we had recommended. The full content of the final thesis approved is available here. Some highlights: importantly, the court preserved Article 19’s regime for crimes against honor (such as defamation). However, the notice-and-takedown regime set in Article 21 became the general rule for platforms’ liability for user content. Platforms are liable regardless of notification for paid content they distribute (including ads) and for posts shared through “artificial distribution networks” (i.e., networks of bots). The court established a duty of care regarding the distribution of specific serious unlawful content. This monitoring duty approach is <a href="https://www.eff.org/deeplinks/2023/07/repel-rules-and-interpretations-can-lead-general-content-monitoring-and-filtering">quite controversial</a>, especially considering the varied nature and size of platforms. Fortunately, the ruling emphasizes that platforms can only be held liable for these specific contents without a previous notice if they fail to tackle them in a systemic way (rather than for individual posts). Article 19’s liability regime remains the general rule for applications like email services, virtual conference platforms, and messaging apps (regarding inter-personal messages). The entirety of the ruling, including the full content of Justice’s votes, will be published in the coming weeks. </em></p><p><span data-contrast="none">The court’s examination of Marco Civil’s Article 19 began with Justice Dias Toffoli in November last year. We explained </span><a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks"><span data-contrast="none">here</span></a><span data-contrast="none"> about the cases under trial, the reach of the Supreme Court’s decision, and Article 19’s background related to Marco Civil’s approval in 2014. We also highlighted some aspects and risks of Justice Dias Toffoli’s vote, who considered the intermediary liability regime established in Article 19 unconstitutional. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Most of the justices have agreed to find this regime at least partially unconstitutional, but differ on the specifics. Relevant elements of their votes include:</span><span data-ccp-props="0}"> </span></p><ul><li><p><span lang="en-GB" xml:lang="en-GB"><em>Notice-and-takedown is likely to become the general rule for platforms' liability for third-party content (based on Article 21 of Marco Civil)</em>. Justices still have to settle whether this applies to internet applications in general or if some distinctions are relevant, for example, applying only to those that curate or recommend content. Another open question refers to the type of content subject to liability under this rule: votes pointed to <em>unlawful</em></span> <span lang="en-GB" xml:lang="en-GB">content/acts, <em>manifestly criminal</em></span> <span lang="en-GB" xml:lang="en-GB">or <em>clearly unlawful</em> content, or opted to focus on <em>crimes</em>. Some justices didn’t explicitly qualify the nature of the restricted content under this rule. </span> </p></li><li><p><span lang="en-US" xml:lang="en-US"><em>If partially valid, the need for a previous judicial order to hold intermediaries liable for user posts (Article 19 of Marco Civil) remains in force for certain types of content (or certain types of internet applications)</em>.</span> <span lang="en-US" xml:lang="en-US">For some justices, Article 19 should be the liability regime in the case of crimes against honor, such as defamation. Justice Luís Roberto Barroso also considered this rule should apply for any unlawful acts under civil law. Justice Cristiano Zanin has a different approach. For him, Article 19 should prevail for internet applications that don’t curate, recommend or boost content (what he called “neutral” applications) or when there’s reasonable doubt about whether the content is unlawful. <br /></span></p></li></ul><ul><li><p><span lang="en-GB" xml:lang="en-GB"><em>Platforms are considered liable for ads and boosted content that they deliver to users</em>. This was the position held by most of the votes so far. Justices did so either by presuming platforms</span>’ <span lang="en-GB" xml:lang="en-GB">knowledge of the paid content they distribute, holding them strictly liable for paid posts, or by considering the delivery of paid content as platforms</span>’ <span lang="en-GB" xml:lang="en-GB">own act (rather than “third-party” conduct).</span> <span lang="en-GB" xml:lang="en-GB">Justice Dias Toffoli went further, including also non-paid recommended content. Some justices extended this regime to content posted by inauthentic or fake accounts, or when the non-identification of accounts hinders holding the content authors liable for their posts. </span> </p></li></ul><ul><li><p><span lang="en-US" xml:lang="en-US"><em>Monitoring duty of specific types of harmful and/or criminal content</em>.</span> <span lang="en-US" xml:lang="en-US">Most concerning is that different votes establish some kind of active monitoring and likely automated restriction duty for a list of contents, subject to internet applications' liability. Justices have either recognized a “monitoring duty” or considered platforms liable for these types of content regardless of a previous notification. Justices Luís Roberto Barroso, Cristiano Zanin, and Flávio Dino adopt a less problematic <em>systemic flaw</em></span> <span lang="en-US" xml:lang="en-US">approach, by which applications’ liability would not derive from each piece of content individually, but from an analysis of whether platforms employ the proper means to tackle these types of content. The list of contents also varies. In most of the cases they are restricted to criminal offenses, such as crimes against the democratic state, racism, and crimes against children and adolescents; yet they may also include vaguer terms, like “any violence against women,” as in Justice Dias Toffoli’s vote.</span> </p></li></ul><ul><li><p><span lang="en-US" xml:lang="en-US"><em>Complementary or procedural duties</em>.</span> <span lang="en-US" xml:lang="en-US">Justices have also voted to establish complementary or procedural duties. These include providing a notification system that is easily accessible to users, a due process mechanism where users can appeal against content restrictions, and the release of periodic transparency reports. Justice Alexandre de Moraes also specifically mentioned algorithmic transparency measures.</span> </p></li></ul><ul><li><p><span lang="en-US" xml:lang="en-US"><em>Oversight</em>.</span> <span lang="en-US" xml:lang="en-US">Justices also discussed which entity or oversight model should be used to monitor compliance while Congress doesn’t approve a specific regulation. They raised different possibilities, including the National Council of Justice, the General Attorney’s Office, the National Data Protection Authority, a self-regulatory body, or a multistakeholder entity with government, companies, and civil society participation.</span> </p></li></ul><p><span data-contrast="none">Three other justices have yet to present their votes to complete the judgment. As we </span><a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks"><span data-contrast="none">pointed out</span></a><span data-contrast="none">, the ruling will both decide the individual cases that entered the Supreme Court through appeals and the “general repercussion” issues underlying these individual cases. For addressing such general repercussion issues, the Supreme Court approves a thesis that orients lower court decisions in similar cases. The final thesis will reflect the majority of the court's agreements around the topics we outlined above.</span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Justice Alexandre de Moraes argued that the final thesis should equate the liability regime of social media and private messaging applications to the one applied to traditional media outlets. This disregards important differences between both: even if social media platforms curate content, it involves a massive volume of third-party posts, mainly organized through algorithms. Although such curation reflects business choices, it does not equate to media outlets that directly create or individually purchase specific content from approved independent producers. This is even more complicated with messaging applications, seriously endangering privacy and end-to-end encryption.</span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Justice André Mendonça was the only one so far to preserve the full application of Article 19. His proposed thesis highlighted the necessity of safeguarding privacy, data protection, and the secrecy of communications in messaging applications, among other aspects. It also indicated that judicial takedown orders must provide specific reasoning and be made available to platforms, even if issued within a sealed proceeding. The platform must also have the ability to appeal the takedown order. These are all important points the final ruling should endorse.</span><span data-ccp-props="0}"> </span></p><h3><b><span data-contrast="none">Risks and Blind Spots</span></b><span data-ccp-props="0}"> </span></h3><p><span data-contrast="none">We have stressed the </span><a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks"><span data-contrast="none">many problems</span></a><span data-contrast="none"> entangled with broad notice-and-takedown mandates and expanded content monitoring obligations. Extensively relying on AI-based content moderation and tying it to intermediary liability for user content will likely </span><a href="https://sur.conectas.org/en/artificial-intelligence-and-online-hate-speech-moderation/"><span data-contrast="none">exacerbate</span></a><span data-contrast="none"> the </span><a href="https://7amleh.org/post/report-on-palestinian-digital-rights-in-the-context-of-genocide-and-big-tech-accountability-one-year-after-the-war-on-gaza-en"><span data-contrast="none">detrimental effects</span></a><span data-contrast="none"> of these systems’ </span><a href="https://cdt.org/insights/lost-in-translation-large-language-models-in-non-english-content-analysis/"><span data-contrast="none">limitations</span></a><span data-contrast="none"> and </span><a href="https://www.nature.com/articles/s43588-024-00695-4"><span data-contrast="none">flaws</span></a><span data-contrast="none">. The perils and concerns that grounded Article 19's approval remain valid and should have led to a position of the court preserving its regime. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">However, given the judgement’s current stage, there are still some minimum safeguards that justices should consider or reinforce to reduce harm. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">It’s crucial to put in place guardrails against the abuse and weaponization of notification mechanisms. At a minimum, platforms shouldn’t be liable following an extrajudicial notification when there’s reasonable doubt concerning the content’s lawfulness. In addition, notification procedures should make sure that notices are sufficiently precise and properly substantiated indicating the content’s specific location (e.g. URL) and why the notifier considers it to be illegal. Internet applications must also provide reasoned justification and adequate appeal mechanisms for those who face content restrictions.</span><span data-ccp-props="0}"> </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">On the other hand, holding intermediaries liable for individual pieces of user content regardless of notification, by massively relying on AI-based content flagging, is a recipe for over censorship. Adopting a systemic flaw approach could minimally mitigate this problem. Moreover, justices should clearly set apart private messaging applications, as mandated content-based restrictions would erode secure and end-to-end encrypted implementations.</span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Finally, we should note that justices generally didn’t distinguish large internet applications from other providers when detailing liability regimes and duties in their votes. This is one major blind spot, as it could significantly impact the feasibility of </span><a href="https://internetlab.org.br/pt/noticias/uma-solucao-unica-para-%20toda-a-internet-internetlab-lanca-documento-sobre-plataformas-de-conhecimento/"><span data-contrast="none">alternate</span></a><span data-contrast="none"> and </span><a href="https://fediverse.party/"><span data-contrast="none">decentralized</span></a><span data-contrast="none"> alternatives to Big Tech’s business models, entrenching platform concentration. Similarly, despite criticism of platforms’ business interests in monetizing and capturing user attention, court debates mainly failed to address the pervasive surveillance infrastructure lying underneath Big Tech’s power and abuses. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Indeed, while justices have called out Big Tech’ enormous power over the online flow of information – over what’s heard and seen, and by whom – the consequences of this decision can actually deepen this powerful position.</span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">It’s worth recalling a line of Aaron Schwarz in the film </span><a href="https://youtu.be/9vz06QO3UkQ?t=1261"><span data-contrast="none">“The Internet’s Own Boy”</span></a><span data-contrast="none"> when comparing broadcasting and the internet. He said: “[…] what you see now is not a question of who gets access to the airwaves, it’s a question of who gets control over the ways you find people.” As he puts it, today’s challenge is less about who gets to speak, but rather about who gets to be heard. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">There’s an undeniable source of power in operating the inner rules and structures by which the information flows within a platform with global reach and millions of users. The crucial interventions must aim at this source of power, putting a stop to </span><a href="https://www.eff.org/pt-br/deeplinks/2022/03/ban-online-behavioral-advertising"><span data-contrast="none">behavioral surveillance ads</span></a><span data-contrast="none">, breaking </span><a href="https://www.eff.org/wp/interoperability-and-privacy"><span data-contrast="none">Big Tech’s gatekeeper</span></a><span data-contrast="none"> dominance, and </span><a href="https://www.eff.org/deeplinks/2022/11/leaving-twitters-walled-garden"><span data-contrast="none">redistributing</span></a><span data-contrast="none"> the information flow. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">That’s not to say that we shouldn’t care about how each platform organizes its online environment. We should, </span><a href="https://santaclaraprinciples.org/"><span data-contrast="none">and we do</span></a><span data-contrast="none">. The EU </span><i><span data-contrast="none">Digital Services Act</span></i><span data-contrast="none">, for example, established rules in this sense</span><span>,</span><span data-contrast="none"> leaving the traditional liability regime largely intact. Rather than leveraging platforms as users’ speech watchdogs by potentially holding intermediaries liable for each piece of user content, platform accountability efforts should broadly look at </span><a href="https://www.eff.org/deeplinks/2022/05/platform-liability-trends-around-globe-conclusions-and-recommendations-moving"><span data-contrast="none">platforms’ processes</span></a><span data-contrast="none"> and business choices. Otherwise, we will end up focusing on monitoring users instead of targeting platforms’ abuses.</span><span data-ccp-props="0}"> </span></p> </div></div></div></description> <pubDate>Tue, 24 Jun 2025 15:33:19 +0000</pubDate> <guid isPermaLink="false">110835 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/international">International</category> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Veridiana Alimonti</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/intermediary-4.jpg" alt="A person holding a megaphone that another person speaks through" type="image/jpeg" length="90260" /> </item> <item> <title>Major Setback for Intermediary Liability in Brazil: How Did We Get Here?</title> <link>https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-how-did-we-get-here</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>This is the second post of a series about intermediary liability in Brazil. Our <a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks">first post</a> gives an overview of Brazil's current intermediary liability regime, the context of its approval in 2014, and the beginning of the Supreme Court's analysis of such regime in November 2024. Our <a href="https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-risks-and-blind-spots">third post</a> provides an outlook on justices' votes up until June 23, underscoring risks, mitigation measures, and blind spots of their potential decision.</em></p><p><em>Update: Brazil’s Supreme Court analysis of the country’s intermediary liability regime concluded on June 26, 2025. With three dissenting votes in favor of Article 19’s constitutionality, the majority of the court deemed it partially unconstitutional. Much of the perils we <a href="https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-risks-and-blind-spots">pointed out</a> have unfortunately come true. The ruling does include some (though not all) of the minimum safeguards we had recommended. The full content of the final thesis approved is available here. Some highlights: importantly, the court preserved Article 19’s regime for crimes against honor (such as defamation). However, the notice-and-takedown regime set in Article 21 became the general rule for platforms’ liability for user content. Platforms are liable regardless of notification for paid content they distribute (including ads) and for posts shared through “artificial distribution networks” (i.e., networks of bots). The court established a duty of care regarding the distribution of specific serious unlawful content. This monitoring duty approach is <a href="https://www.eff.org/deeplinks/2023/07/repel-rules-and-interpretations-can-lead-general-content-monitoring-and-filtering">quite controversial</a>, especially considering the varied nature and size of platforms. Fortunately, the ruling emphasizes that platforms can only be held liable for these specific contents without a previous notice if they fail to tackle them in a systemic way (rather than for individual posts). Article 19’s liability regime remains the general rule for applications like email services, virtual conference platforms, and messaging apps (regarding inter-personal messages). The entirety of the ruling, including the full content of Justice’s votes, will be published in the coming weeks. </em></p><p><span data-contrast="none">The Brazilian Supreme Court has formed a majority to overturn the country’s current online intermediary liability regime. With eight out of eleven justices having presented their opinions, the court has reached enough votes to mostly remove the need for a previous judicial order demanding content takedown to hold digital platforms liable for user posts, which is currently the general rule. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">The judgment relates to Article 19 of Brazil’s </span><a href="https://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm"><span data-contrast="none">Civil Rights Framework for the Internet</span></a><span data-contrast="none"> (“Marco Civil da Internet,” </span><a href="https://www.cgi.br/pagina/marco-civil-law-of-the-internet-in-brazil/180"><span data-contrast="none">Law n. 12.965/2014</span></a><span data-contrast="none">), wherein internet applications can only be held liable for third-party content if they fail to comply with a judicial decision ordering its removal. Article 19 aligns with the </span><a href="https://manilaprinciples.org/"><span data-contrast="none">Manila Principles</span></a><span data-contrast="none"> and </span><a href="https://www.oas.org/en/iachr/expression/topics/internet.asp"><span data-contrast="none">reflects</span></a><span data-contrast="none"> the </span><a href="https://unesdoc.unesco.org/ark:/48223/pf0000231162"><span data-contrast="none">important</span></a> <a href="https://www.oas.org/en/iachr/expression/reports/Digital_inclusion_eng.pdf"><span data-contrast="none">understanding</span></a><span data-contrast="none"> that holding platforms liable for user content without a judicial analysis creates strong incentives for </span><a href="https://www.cigionline.org/static/documents/no.276_jOG5wer.pdf"><span data-contrast="none">enforcement overreach</span></a><span data-contrast="none"> and </span><a href="https://cyberlaw.stanford.edu/blog/2021/02/empirical-evidence-over-removal-internet-companies-under-intermediary-liability-laws/"><span data-contrast="none">over censorship</span></a><span data-contrast="none"> of protected speech. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Nonetheless, while Justice André Mendonça voted to preserve Article 19’s application, four other justices stated it should prevail only in specific cases, mainly for crimes against honor (such as defamation). The remaining three justices considered that Article 19 offers insufficient protection to constitutional guarantees, such as the integral protection of children and teenagers. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">The judgment will resume on June 25th, with the three final justices completing the analysis by the plenary of the court. Whereas Article 19’s partial unconstitutionality (or its interpretation “in accordance with” the Constitution) seems to be the position the majority of the court will take, the details of each vote vary, indicating important agreements still to sew up and critical tweaks to make. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">As </span><a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks"><span data-contrast="none">we previously noted</span></a><span data-contrast="none">, the outcome of this ruling can seriously undermine free expression and privacy safeguards if they lead to general content monitoring obligations or broadly expand notice-and-takedown mandates. This trend could negatively shape developments globally in other courts, parliaments, or with respect to executive powers. Sadly, the votes so far have aggravated these concerns. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="auto">But before we get <a href="https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-risks-and-blind-spots">to them</a></span><span data-contrast="auto">, let's look at some circumstances underlying the Supreme Court's analysis.</span><span data-ccp-props="0}"> </span></p><h3><b><span data-contrast="none">2014 vs. 2025: The Brazilian Techlash After Marco Civil's Approval</span></b><span data-ccp-props="0}"> </span></h3><p><span data-contrast="none">How did Article 19 end up (mostly) overturned a decade after Marco Civil’s much-celebrated approval in Brazil back in 2014? </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">In addition to the broader techlash following the impacts of an increasing concentration of power in the digital realm, developments in Brazil have leveraged a harsher approach towards internet intermediaries. Marco Civil became a scapegoat, especially Article 19, within regulatory approaches that largely diminished the importance of the free expression concerns that informed its approval. Rather than viewing the provision as a milestone to be complemented with new legislation, this context has reinforced the view that Article 19 should be left behind.</span><span data-ccp-props="0}"> </span></p><p><span data-ccp-props="0}"> The tougher approach to internet intermediaries gained steam after former President Jair Bolsonaro’s election in 2018 and throughout the legislative debates around </span><a href="https://www.eff.org/deeplinks/2023/07/settled-human-rights-standards-building-blocks-platform-accountability-and"><span data-contrast="none">draft bill 2630</span></a><span data-contrast="none">, also known as the “Fake News bill.” </span><span data-ccp-props="279}"> </span></p><p><span data-contrast="none">Specifically, though not exhaustive, concerns around the spread of disinformation, online-fueled discrimination</span><span>,</span><span data-contrast="none"> and political violence, as well as threats to election integrity, constitute an important piece of this scenario. This includes the use of social media by the far right within the escalation of acts seeking to undermine the integrity of elections and ultimately overthrow the legitimately elected President Luis Inácio da Silva in January 2023. Investigations later unveiled that related plans included killing the new president, the vice-president, and Justice Alexandre de Moraes. </span><span data-ccp-props="279}"> </span></p><p><span data-contrast="none">Concerns over child and adolescents’ rights and safety are another part of the underlying context. Among others, a wave of violent threats and actual attacks in schools in early 2023 was bolstered by online content. Social media challenges also led to injuries and deaths of young people. </span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Finally, the political reactions to Big Tech’s alignment with far-right politicians and </span><a href="https://www.context.news/big-tech/opinion/x-ban-in-brazil-disdainful-defiance-meets-tough-enforcement"><span data-contrast="none">feuds</span></a><span data-contrast="none"> with </span><a href="https://www.eff.org/deeplinks/2024/10/x-corp-shutdown-brazil-what-we-can-learn"><span data-contrast="none">Brazilian authorities</span></a><span data-contrast="none"> complete this puzzle. It includes reactions to </span><a href="https://www.eff.org/deeplinks/2025/01/metas-new-content-policy-will-harm-vulnerable-users-if-it-really-valued-free"><span data-contrast="none">Meta’s policy changes</span></a><span data-contrast="none"> in January 2025 and the Trump’s administration’s decision to </span><a href="https://br.usembassy.gov/announcement-of-a-visa-restriction-policy-targeting-foreign-nationals-who-censor-americans/"><span data-contrast="none">restrict visas</span></a><span data-contrast="none"> to foreign officials based on grounds of limiting free speech online. This decision is viewed as </span><a href="https://apublica.org/2025/05/eduardo-bolsonaro-e-influencers-articulam-contra-stf-nos-eua/"><span data-contrast="none">an offensive</span></a><span data-contrast="none"> against Brazil's Supreme Court from U.S. authorities in alliance with </span><span data-contrast="auto">Bolsonaro’s supporters</span><span data-contrast="none">, </span><a href="https://www.metropoles.com/mundo/muito-satisfeito-diz-eduardo-bolsonaro-sobre-veto-de-vistos-dos-eua"><span data-contrast="none">including his son now living in the U.S</span></a><span data-contrast="none">.</span><span data-ccp-props="0}"> </span></p><p><span data-contrast="none">Changes in the tech landscape, including concerns about the attention-driven information flow, alongside geopolitical tensions, landed in Article 19 examination by the Brazilian Supreme Court. Hurdles in the legislative debate of draft bill 2630 turned attention to the internet intermediary liability cases pending in the Supreme Court as the main vehicles for providing “some” response. Yet, the </span><span data-contrast="auto">scope of such cases (</span><a href="https://www.eff.org/deeplinks/2024/10/brazils-internet-intermediary-liability-rules-under-trial-what-are-risks"><span data-contrast="none">explained here</span></a><span data-contrast="auto">) determined the </span><span data-contrast="none">most likely outcome. As they focus on assessing platform liability for user content and whether it involves a duty to monitor, these issues became the main vectors for analysis and potential change. Alternative approaches, such as improving transparency, ensuring due process, and fostering platform accountability through different measures, like risk assessments, were mainly sidelined. </span><span data-ccp-props="0}"> </span></p><p><i><span data-contrast="auto">Read our <a href="https://www.eff.org/deeplinks/2025/06/major-setback-intermediary-liability-brazil-risks-and-blind-spots">third post</a> </span></i><i><span data-contrast="auto">in this series to learn more about the analysis of the Supreme Court so far and its risks and blind spots.</span></i><span data-ccp-props="0}"> </span></p> </div></div></div></description> <pubDate>Tue, 24 Jun 2025 15:13:58 +0000</pubDate> <guid isPermaLink="false">110834 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/international">International</category> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Veridiana Alimonti</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/intermediary-4.jpg" alt="A person holding a megaphone that another person speaks through" type="image/jpeg" length="90260" /> </item> <item> <title>Copyright Cases Should Not Threaten Chatbot Users’ Privacy</title> <link>https://www.eff.org/deeplinks/2025/06/copyright-cases-should-not-threaten-chatbot-users-privacy</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Like users of all technologies, ChatGPT users deserve the right to delete their personal data. Nineteen U.S. States, the European Union, and a host of other countries already protect users’ right to delete. For years, OpenAI gave users the option to delete their conversations with ChatGPT, rather than let their personal queries linger on corporate servers. <a href="https://openai.com/index/response-to-nyt-data-demands/">Now, they can’t</a>. A badly misguided <a href="https://www.courtlistener.com/docket/69879510/33/in-re-openai-inc-copyright-infringement-litigation/">court order</a> in a copyright lawsuit requires OpenAI to store all consumer ChatGPT conversations <a href="https://arstechnica.com/tech-policy/2025/06/openai-confronts-user-panic-over-court-ordered-retention-of-chatgpt-logs/">indefinitely</a>—even if a user <a href="https://www.theverge.com/news/681280/openai-storing-deleted-chats-nyt-lawsuit">tries to delete them</a>. This sweeping order far outstrips the needs of the case and sets a dangerous precedent by disregarding millions of users’ privacy rights.</p><p>The privacy harms here are significant. ChatGPT’s 300+ million users submit over <a href="https://www.theverge.com/2024/12/4/24313097/chatgpt-300-million-weekly-users">1 billion</a> messages to its chatbots <em>per day</em>, <a href="https://imaginingthedigitalfuture.org/reports-and-publications/close-encounters-of-the-ai-kind/close-encounters-of-the-ai-kind-main-report/">often for personal purposes</a>. Virtually any personal use of a chatbot—anything from planning family vacations and daily habits to creating social media posts and fantasy worlds for Dungeons and Dragons games—reveal personal details that, in aggregate, create a comprehensive portrait of a person’s entire life. Other uses risk revealing people’s most sensitive information. For example, tens of millions of Americans use ChatGPT to obtain <a href="https://www.nytimes.com/2024/09/11/health/chatbots-health-diagnosis-treatments.html#:~:text=About%20one%20in%20six%20adults%20%E2%80%94%20and%20about%20a%20quarter%20of,nonprofit%20health%20policy%20research%20organization">medical</a> and <a href="https://www.cnbc.com/2024/11/04/how-to-use-artificial-intelligence-for-personal-finance.html">financial</a> information. Notwithstanding <a href="https://pmc.ncbi.nlm.nih.gov/articles/PMC10277170/">other risks</a> of these uses, people still deserve privacy rights like the right to delete their data. Eliminating protections for user-deleted data risks chilling beneficial uses by individuals who want to protect their privacy.</p><p>This isn’t a new concept. Putting users in control of their data is a <a href="https://www.eff.org/wp/privacy-first-better-way-address-online-harms">fundamental piece of privacy protection</a>. Nineteen states, the European Union, and numerous other countries already protect the right to delete under their privacy laws. These rules exist for good reasons: retained data can be sold or given away, breached by hackers, disclosed to law enforcement, or even used to manipulate a user’s choices through <a href="https://www.eff.org/deeplinks/2022/03/ban-online-behavioral-advertising">online behavioral advertising</a>.</p><p>While appropriately tailored orders to preserve evidence are common in litigation, that’s not what happened here. The court disregarded the privacy rights of millions of ChatGPT users without any reasonable basis to believe it would yield evidence. The court granted the order based on unsupported assertions that users who delete their data are probably copyright infringers looking to “cover their tracks.” This is simply false, and it sets a dangerous precedent for cases against generative AI developers and other companies that have vast stores of user information. Unless courts limit orders to information that is actually relevant and useful, they will needlessly violate the privacy rights of millions of users.</p><p>OpenAI is challenging this order. EFF urges the court to lift the order and correct its mistakes. </p> </div></div></div></description> <pubDate>Tue, 24 Jun 2025 02:07:34 +0000</pubDate> <guid isPermaLink="false">110833 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/innovation">Creativity & Innovation</category> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/ai">Artificial Intelligence & Machine Learning</category> <dc:creator>Tori Noble</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/icon-2019-privacy.png" alt="" type="image/png" length="16605" /> </item> <item> <title>The NO FAKES Act Has Changed – and It’s So Much Worse</title> <link>https://www.eff.org/deeplinks/2025/06/no-fakes-act-has-changed-and-its-so-much-worse</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>A bill purporting to target the issue of misinformation and defamation caused by generative AI has mutated into something that could change the internet forever, harming speech and innovation from here on out.</p><p>The Nurture Originals, Foster Art and Keep Entertainment Safe (NO FAKES) Act aims to address understandable concerns about generative AI-created “replicas” by creating a broad new intellectual property right. That approach was <a href="https://www.eff.org/deeplinks/2024/04/congress-should-just-say-no-no-fakes">the first mistake</a>: rather than giving people targeted tools to protect against harmful misrepresentations<span data-huuid="17382269887519388031">—</span>balanced against the need to protect legitimate speech such as parodies and satires<span data-huuid="17382269887519388031">—</span>the original NO FAKES just federalized an image-licensing system.</p><p class="take-action"><a href="https://act.eff.org/action/tell-congress-throw-out-the-no-fakes-act-and-start-over">Take Action</a></p><p class="take-explainer"><a href="https://act.eff.org/action/tell-congress-throw-out-the-no-fakes-act-and-start-over">Tell Congress to Say No to NO FAKES</a></p><p>The updated bill doubles down on that initial mistaken approach by mandating a whole new censorship infrastructure for that system, encompassing not just images but the products and services used to create them, with few safeguards against abuse.</p><p>The new version of NO FAKES requires almost every internet gatekeeper to create a system that will a) take down speech upon receipt of a notice; b) keep down any recurring instance<span data-huuid="17382269887519388031">—</span>meaning, adopt inevitably overbroad replica filters on top of the already deeply flawed copyright filters; c) take down and filter tools that might have been used to make the image; and d) unmask the user who uploaded the material based on nothing more than the say so of person who was allegedly “replicated.”</p><p>This bill would be a disaster for internet speech and innovation.</p><h4><strong>Targeting Tools</strong></h4><p>The first version of NO FAKES focused on digital replicas. The new version goes further, targeting tools that can be used to produce images that aren’t authorized by the individual, anyone who owns the rights in that individual’s image, or the law. Anyone who makes, markets, or hosts such tools is on the hook. There are some limits<span data-huuid="17382269887519388031">—</span>the tools must be primarily designed for, or have only limited commercial uses other than making unauthorized images<span data-huuid="17382269887519388031">—</span>but those limits will offer cold comfort to developers given that they can be targeted based on nothing more than a bare allegation. These provisions effectively give rights-holders the veto power on innovation they’ve long sought in the copyright wars, based on the same tech panics. </p><h4><strong>Takedown Notices and Filter Mandate</strong></h4><p>The first version of NO FAKES set up a notice and takedown system patterned on the DMCA, with even fewer safeguards. NO FAKES expands it to cover more service providers and require those providers to not only take down targeted materials (or tools) but keep them from being uploaded in the future. In other words, adopt broad filters or lose the safe harbor.</p><p>Filters are already a huge problem <a href="https://www.eff.org/wp/unfiltered-how-youtubes-content-id-discourages-fair-use-and-dictates-what-we-see-online">when it comes to copyright</a>, and at least in that instance all it <em>should </em>be doing is flagging for human review if an upload appears to be a whole copy of a work. The reality is that these systems often flag things that are <em>similar </em>but not the same (like two different people playing the same piece of <a href="https://www.eff.org/takedowns/sony-finally-admits-it-doesnt-own-bach-and-it-only-took-public-pressure">public domain music</a>). They also flag things for infringement based on <a href="https://www.eff.org/takedowns/mistake-so-bad-even-youtube-says-its-copyright-bot-really-blew-it">mere seconds of a match</a>, and they frequently do not take into account <a href="https://www.eff.org/takedowns">context that would make the use authorized by law</a>.</p><p>But copyright filters are not yet required by law. NO FAKES would create a legal mandate that will inevitably lead to hecklers’ vetoes and other forms of over-censorship.</p><p>The bill does contain carve outs for parody, satire, and commentary, but those will also be cold comfort for those who cannot afford to litigate the question.</p><h4><strong>Threats to Anonymous Speech</strong></h4><p>As currently written, NO FAKES also allows anyone to get a subpoena from a court clerk—not a judge, and without any form of proof—forcing a service to hand over identifying information about a user.</p><p>We've already seen abuse of a similar system in action. In copyright cases, those unhappy with the criticisms being made against them get such subpoenas to silence critics. Often that the criticism includes the complainant's own words as proof of the criticism, an ur-example of fair use. But the subpoena is issued anyway and, unless the service is incredibly on the ball, the user can be unmasked.</p><p>Not only does this chill further speech, the unmasking itself can cause harm to users. Either reputationally or in their personal life.</p><h4><strong>Threats to Innovation</strong></h4><p>Most of us are very unhappy with the state of Big Tech. It seems like not only are we increasingly forced to use the tech giants, but that the quality of their services is actively degrading. By increasing the sheer amount of infrastructure a new service would need to comply with the law, NO FAKES makes it harder for any new service to challenge Big Tech. It is probably not a coincidence that some of these very giants are okay with this new version of NO FAKES.</p><p>Requiring removal of tools, apps, and services could likewise stymie innovation. For one, it would harm people using such services for otherwise lawful creativity. For another, it would discourage innovators from developing new tools. Who wants to invest in a tool or service that can be forced offline by nothing more than an allegation?</p><p>This bill is a solution in search of a problem. Just a few months ago, Congress passed Take It Down, which targeted images involving intimate or sexual content. That deeply flawed bill pressures platforms to actively monitor online speech, including speech that is presently encrypted. But if Congress is really worried about privacy harms, it should at least wait to see the effects of the last piece of internet regulation before going further into a new one. Its failure to do so makes clear that this is not about protecting victims of harmful digital replicas.</p><p>NO FAKES is designed to consolidate control over the commercial exploitation of digital images, not prevent it. Along the way, it will cause collateral damage to all of us.</p><p class="take-action"><a href="https://act.eff.org/action/tell-congress-throw-out-the-no-fakes-act-and-start-over">Take Action</a></p><p class="take-explainer"><a href="https://act.eff.org/action/tell-congress-throw-out-the-no-fakes-act-and-start-over">Tell Congress to Say No to NO FAKES</a></p> </div></div></div></description> <pubDate>Mon, 23 Jun 2025 19:39:42 +0000</pubDate> <guid isPermaLink="false">110831 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/innovation">Creativity & Innovation</category> <category domain="https://www.eff.org/issues/intellectual-property">Fair Use</category> <dc:creator>Katharine Trendacosta</dc:creator> <dc:creator>Corynne McSherry</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/icon-2019-innovation.png" alt="Innovation" type="image/png" length="16801" /> </item> <item> <title>New Journalism Curriculum Module Teaches Digital Security for Border Journalists </title> <link>https://www.eff.org/press/releases/new-journalism-curriculum-module-teaches-digital-security-border-journalists</link> <description><div class="field field--name-field-pr-subhead field--type-text field--label-hidden"><div class="field__items"><div class="field__item even">Module Developed by EFF, Freedom of the Press Foundation, and University of Texas, El Paso Guides Students Through Threat Modeling and Preparation </div></div></div><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">SAN FRANCISCO – A new college journalism curriculum module teaches students how to protect themselves and their digital devices when working near and across the U.S.-Mexico border.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">“Digital Security 101: Crossing the US-Mexico Border” was developed by Electronic Frontier Foundation (EFF) Director of Investigations Dave Maass and Dr. Martin Shelton, deputy director of digital security at </span><a href="https://freedom.press/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Freedom of the Press Foundation</span></a><span data-contrast="auto"> (FPF), in collaboration with the University of Texas at El Paso (UTEP) </span><a href="https://www.utep.edu/liberalarts/communication/academic-programs/undergraduate/ba-multimedia-journalism.html" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Multimedia Journalism Program</span></a><span data-contrast="auto"> and </span><a href="https://borderzine.com/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Borderzine</span></a><span data-contrast="auto">.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">The module offers a step-by-step process for improving the digital security of journalists passing through U.S. Land Ports of Entry, focusing on threat modeling: thinking through what you want to protect, and what actions you can take to secure it.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">This involves assessing risk according to the kind of work the journalist is doing, the journalist’s own immigration status, potential adversaries, and much more, as well as planning in advance for protecting oneself and one’s devices should the journalist face delay, detention, search, or device seizure. Such planning might include use of encrypted communications, disabling or enabling certain device settings, minimizing the data on devices, and mentally preparing oneself to interact with border authorities. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">The module, in development since early 2023, is particularly timely given increasingly invasive questioning and searches at U.S. borders under the Trump Administration and the documented history of border authorities targeting journalists covering migrant caravans during the first Trump presidency.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">"Today's journalism students are leaving school only to face complicated, new digital threats to press freedom that did not exist for previous generations. This is especially true for young reporters serving border communities," Shelton said. "</span><a href="https://freedom.press/digisec/guides/jschool-curriculum-us/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Our curriculum</span></a><span data-contrast="auto"> is designed to equip emerging journalists with the skills to protect themselves and sources, while this new module is specifically tailored to empower students who must regularly traverse ports of entry at the U.S.-Mexico border while carrying their phones, laptops, and multimedia equipment."</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">The guidance was developed through field visits to six ports of entry across three border states, interviews with scores of journalists and students from on both sides of the border, and a comprehensive review of CBP policies, while also drawing from EFF and FPF’s combined decades of experience researching constitutional rights and security techniques when it comes to our devices. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">“While this training should be helpful to investigative journalists from anywhere in the country who are visiting the borderlands, we put journalism students based in and serving border communities at the center of our work,” Maass said. “Whether you’re reviewing the food scene in San Diego and Tijuana, covering El Paso and Ciudad Juarez’s soccer teams, reporting on family separation in the Rio Grande Valley, or uncovering cross-border corruption, you will need the tools to protect your work and sources."</span><span data-ccp-props="279}"> </span></p><p><span data-contrast="auto">The module includes a comprehensive slide deck that journalism lecturers can use and remix for their classes, as well as an interactive worksheet. With undergraduate students in mind, the module includes activities such as roleplaying a primary inspection interview and analyzing pop singer Olivia Rodrigo’s harrowing experience of mistaken identity while reentering the country. The module has already been delivered successfully in trainings with journalism students at UTEP and San Diego State University.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">“UTEP’s Multimedia Journalism program is well-situated to help develop this digital security training module,” said UTEP Communication Department Chair Dr. Richard Pineda. “Our proximity to the U.S.-Mexico border has influenced our teaching models, and our student population – often daily border crossers – give us a unique perspective from which to train journalists on issues related to reporting safely on both sides of the border.”</span><span data-ccp-props="{}"> </span></p><p><b><span data-contrast="auto">For the “Digital security 101: Crossing the US-Mexico border” module: </span></b><a href="https://freedom.press/digisec/blog/border-security-module/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">https://freedom.press/digisec/blog/border-security-module/</span></a><span data-ccp-props="{}"> </span></p><p><b><span data-contrast="auto">For more about the module:</span></b><span data-ccp-props="{}"> <a href="https://www.eff.org/deeplinks/2025/06/journalist-security-checklist-preparing-devices-travel-through-us-border" target="_blank" rel="noopener noreferrer">https://www.eff.org/deeplinks/2025/06/journalist-security-checklist-preparing-devices-travel-through-us-border</a></span></p><p><b><span data-contrast="auto">For EFF’s guide to digital security at the U.S. border: </span></b><a href="https://www.eff.org/press/releases/digital-privacy-us-border-new-how-guide-eff" target="_blank" rel="noopener noreferrer"><span data-contrast="none">https://www.eff.org/press/releases/digital-privacy-us-border-new-how-guide-eff</span></a><span data-ccp-props="{}"> </span></p><p><b><span data-contrast="auto">For EFF’s student journalist Surveillance Self Defense guide:</span></b> <a href="https://ssd.eff.org/playlist/journalism-student" target="_blank" rel="noopener noreferrer"><span data-contrast="none">https://ssd.eff.org/playlist/journalism-student</span></a><span data-ccp-props="{}"> </span></p> </div></div></div><div class="field field--name-field-contact field--type-node-reference field--label-above"><div class="field__label">Contact:&nbsp;</div><div class="field__items"><div class="field__item even"><div class="ds-1col node node--profile view-mode-node_embed node--node-embed node--profile--node-embed clearfix"> <div class=""> <div class="field field--name-field-profile-first-name field--type-text field--label-hidden"><div class="field__items"><div class="field__item even">Dave</div></div></div><div class="field field--name-field-profile-last-name field--type-text field--label-hidden"><div class="field__items"><div class="field__item even">Maass</div></div></div><div class="field field--name-field-profile-title field--type-text field--label-hidden"><div class="field__items"><div class="field__item even">Director of Investigations</div></div></div><div class="field field--name-field-profile-email field--type-email field--label-hidden"><div class="field__items"><div class="field__item even"><a href="mailto:dm@eff.org">dm@eff.org</a></div></div></div> </div> </div> </div></div></div></description> <pubDate>Mon, 23 Jun 2025 16:00:12 +0000</pubDate> <guid isPermaLink="false">110811 at https://www.eff.org</guid> <dc:creator>Josh Richman</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/border-act-3.jpg" alt="icon of a border agent examining digital devices" type="image/jpeg" length="642988" /> </item> <item> <title>A Journalist Security Checklist: Preparing Devices for Travel Through a US Border</title> <link>https://www.eff.org/deeplinks/2025/06/journalist-security-checklist-preparing-devices-travel-through-us-border</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>This post was originally published by the <a href="https://freedom.press/digisec/blog/border-security/">Freedom of the Press Foundation</a> (FPF). This checklist complements the <a href="https://freedom.press/digisec/blog/border-security-module/">recent training module for journalism students in border communities</a> that EFF and FPF developed in partnership with the University of Texas at El Paso Multimedia Journalism Program and <a href="https://borderzine.com/">Borderzine</a>. We are cross-posting it under FPF's <a href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 International license</a>. It has been slightly edited for style and consistency.</em></p><p><b>Before diving in:</b> This space is changing quickly! Check <a href="https://freedom.press/digisec/blog/border-security/">FPF's website for updates</a> and <a href="https://freedom.press/contact/">contact them</a> with questions or suggestions. This is a joint project of Freedom of the Press Foundation (FPF) and the <a href="https://eff.org/">Electronic Frontier Foundation</a>.</p><p data-block-key="93a0s">Those within the U.S. have Fourth Amendment protections against unreasonable searches and seizures — but there is an exception at the border. Customs and Border Protection (CBP) asserts broad authority to search travelers’ devices when crossing U.S. borders, whether traveling by land, sea, or air. And unfortunately, except for a <a href="https://www.cbp.gov/newsroom/national-media-release/cbp-releases-march-2025-monthly-update">dip at the start of the COVID-19 pandemic</a> when international travel substantially decreased, CBP has generally searched more devices year over year since the George W. Bush administration. While the percentage of travelers affected by device searches <a href="https://www.cbp.gov/sites/default/files/2024-11/Border%20Search%20of%20Electronics%20at%20Ports%20of%20Entry%20FY%2024%20Statistics%20%28508%29.pdf">remains small</a>, in recent months we’ve heard <a href="https://www.nbcnews.com/news/world/trump-immigration-detained-visitors-border-search-device-visa-passport-rcna197736">growing concerns</a> about apparent increased immigration scrutiny and enforcement at U.S. ports of entry, including seemingly unjustified device searches.</p><p data-block-key="6reru">Regardless, it’s hard to say with certainty the likelihood that <i>you</i> will experience a search of your items, including your digital devices. But there’s a lot you can do to lower your risk in case you are detained in transit, or if your devices are searched. We wrote this checklist to help journalists prepare for transit through a U.S. port of entry while preserving the confidentiality of your most sensitive information, such as unpublished reporting materials or source contact information. It’s important to think about your strategy in advance, and begin planning which options in this checklist make sense for you.</p><h2>First thing’s first: What might CBP do?</h2><p data-block-key="77q3b"><a href="https://www.documentcloud.org/documents/24767453-cbp-directive-3340-049a-border-search-of-electronic-media-compliant/">U.S. CBP’s policy</a> is that they may conduct a “basic” search (manually looking through information on a device) for any reason or no reason at all. If they feel they have reasonable suspicion “of activity in violation of the laws enforced or administered by CBP” or if there is a “national security concern,” they may conduct what they call an “advanced” search, which may include connecting external equipment to your device, such as a <a href="https://www.upturn.org/work/mass-extraction/">forensic analysis tool</a> designed to make a copy of your data.</p><p data-block-key="aq8r4">Your citizenship status matters as to whether you can refuse to comply with a request to unlock your device or provide the passcode. If you are a U.S. citizen entering the U.S., you have the most legal leverage to refuse to comply because U.S. citizens cannot be denied entry — they must be let back into the country. But note that if you are a U.S. citizen, you may be subject to escalated harassment and further delay at the port of entry, and your device may be seized for days, weeks, or months.</p><p data-block-key="cb7la">If CBP officers seek to search your locked device using forensic tools, there is a chance that some (if not all of the) information on the device will be compromised. But this probability depends on what tools are available to government agents at the port of entry, if they are motivated to seize your device and send it elsewhere for analysis, and what type of device, operating system, and security features your device has. Thus, it is also possible that strong encryption may substantially slow down or even thwart a government device search.</p><p data-block-key="djlqr">Lawful permanent residents (green-card holders) must generally also be let back into the country. However, the current administration seems more willing to question LPR status, so refusing to comply with a request to unlock a device or provide a passcode may be risky for LPRs. Finally, CBP has broad discretion to deny entry to foreign nationals arriving on a visa or via the visa waiver program.</p><p data-block-key="76uhe">At present, traveling domestically within the United States, particularly if you are a U.S. citizen, is lower risk than travelling internationally. Our luggage and the <i>physical aspects</i> of digital devices may be searched — e.g., manual inspection or x-rays to ensure a device is not a bomb. CBP is often present at airports, but for domestic travel within the U.S. you should only be interacting with the Transportation Security Administration. <a href="https://www.aclunc.org/our-work/legal-docket/aclu-foundation-northern-california-v-tsa-electronic-searches">TSA does not assert authority</a> to search the <i>data</i> on your device — this is CBP’s role.</p><p data-block-key="fffv8">At an international airport or other port of entry, you have to decide whether you will comply with a request to access your device, but this might not feel like much of a choice if you are a non-U.S. citizen entering the country! Plan accordingly.</p><h2 data-block-key="ann01" id="your-border-digital-security-checklist" class="heading">Your border digital security checklist</h2><h3 data-block-key="7d4t2" id="preparing-for-travel" class="heading">Preparing for travel</h3><p data-block-key="9n24j">☐ <a href="https://freedom.press/digisec/blog/your-smartphone-and-you-handbook-modern-mobile-maintenance/#extra-assurance-backing-up-your-device">Make a backup of each of your devices</a> before traveling.<br />☐ <a href="https://freedom.press/digisec/blog/your-smartphone-and-you-handbook-modern-mobile-maintenance/#make-sure-you-have-a-good-password">Use long, unpredictable, alphanumeric passcodes</a> for your devices and commit those passwords to memory.<br /> ☐ If bringing a laptop, ensure it is encrypted using <a href="https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df">BitLocker for Windows</a>, or <a href="https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac">FileVault for macOS</a>. Chromebooks are <a href="https://static.googleusercontent.com/media/www.google.com/en//intl/en/chrome/assets/business/chromebook/downloads/chromebook-security-built-in.pdf">encrypted by default</a>. A password-protected laptop screen lock is usually insufficient. When going through security, devices should be turned all the way off.<br />☐ Fully update your device and apps.<br />☐ Optional: <a href="https://freedom.press/digisec/blog/choosing-a-password-manager/">Use a password manager</a> to help create and store randomized passcodes. 1Password users can create <a href="https://support.1password.com/travel-mode/">temporary travel vaults</a>.<br />☐ Bring as few sensitive devices as possible — only what you need.<br />☐ Regardless which country you are visiting, think carefully about what you are willing to post publicly on social media about that country to avoid scrutiny.<br />☐ For land ports of entry in the U.S., <a href="https://bwt.cbp.gov/">check CBP’s border wait times</a> and plan accordingly.<br />☐ If possible, print out any travel documents in advance to avoid the necessity to unlock your phone during boarding, including boarding passes for your departure and return, rental car information, and any information about your itinerary that you would like to have on hand if questioned (e.g., hotel bookings, visa paperwork, employment information if applicable, conference information). Use a printer you trust at home or at the office, just in case.<br />☐ Avoid bringing sensitive physical documents you wouldn’t want searched. If you need them, consider digitizing them (e.g., by taking a photo) and storing them remotely on a cloud service or backup device.</p><p data-block-key="7vjch">Decide in advance whether you will unlock your device or provide the passcode for a search. Your overall likelihood of experiencing a device search is low (e.g., <a href="https://www.cbp.gov/travel/cbp-search-authority/border-search-electronic-devices">less than .01%</a> of international travelers are selected), but depending on what information you carry, the impact of a search may be quite high. If you plan to unlock your device for a search or provide the passcode, ensure your devices are prepared:</p><p data-block-key="f29d6">☐ Upload any information you would like to keep in cloud providers in advance (e.g., using iCloud) that you would like stored remotely, instead of locally on your device.<br />☐ Remove any apps, files, <a href="https://support.signal.org/hc/en-us/articles/360007320491-Delete-messages-alerts-or-chats">chat histories</a>, browsing histories, and sensitive contacts you would not want exposed during a search.<br />☐ If you delete photos or files, delete them a second time in the “Recently Deleted” or “Trash” sections of your Files and Photos apps.<br />☐ Remove messages from the device that you believe would draw unwanted scrutiny. Remove yourself — even if temporarily — from chat groups on platforms like Signal.<br />☐ If you use Signal and plan to keep it on your device, <a href="https://freedom.press/digisec/blog/locking-down-signal/#why-you-want-disappearing-messages">use disappearing messages</a> to minimize how much information you keep within the app.<br />☐ Optional: Bring a travel device instead of your usual device. Ensure it is populated with the apps you need while traveling, as well as login credentials (e.g., stored in a password manager), and necessary files. If you do this, ensure your trusted contacts know how to reach you on this device.<br />☐ Optional: Rather than manually removing all sensitive files from your computer, if you are primarily accessing web services during your travels, a Chromebook may be an affordable alternative to your regular computer.<br />☐ Optional: After backing up your devices for every day use, factory reset it and add only the information you need back onto the device.<br />☐ Optional: If you intend to work during your travel, plan in advance with a colleague who can remotely assist you in accessing and/or rotating necessary credentials.<br />☐ If you <i>don’t</i> plan to work, consider discussing with your IT department whether temporarily suspending your work accounts could mitigate risks at border crossings.</p><h3 data-block-key="aor90" id="on-the-day-of-travel" class="heading">On the day of travel</h3><p data-block-key="23ip2">☐ Log out of accounts you do not want accessible to border officials. Note that border officers do not have authority to access live cloud content — they must put devices in airplane mode or otherwise disconnect them from the internet.<br /> ☐ Power down your phone and laptop entirely before going through security. This will enable disk encryption, and make it harder for someone to analyze your device.<br />☐ Immediately before travel, if you have a practicing attorney who has expertise in immigration and border issues, particularly related to members of the media, make sure you have their contact information written down before visiting.<br />☐ Immediately before travel, ensure that a friend, relative, or colleague is aware of your whereabouts when passing through a port of entry, and provide them with an update as soon as possible afterward.</p><h3 data-block-key="9pde7" id="if-you-are-pulled-into-secondary-screening" class="heading">If you are pulled into secondary screening</h3><p data-block-key="df6vi">☐ Be polite and try not to emotionally escalate the situation.<br />☐ Do not lie to border officials, but don’t offer any information they do not explicitly request.<br />☐ Politely request officers’ names and badge numbers.<br />☐ If you choose to unlock your device, rather than telling border officials your passcode, ask to type it in yourself.<br />☐ Ask to be present for a search of your device. But note officers are likely to take your device out of your line of sight.<br />☐ You may decline the request to search your device, but this may result in your device being seized and held for days, weeks, or months. If you are not a U.S. citizen, refusal to comply with a search request may lead to denial of entry, or scrutiny of lawful permanent resident status.<br /> ☐ If your device is seized, ask for a custody receipt (Form 6051D). This should also list the name and contact information for a supervising officer.<br />☐ If an officer has plugged your unlocked phone or computer into another electronic device, they may have obtained a forensic copy of your device. You will want to remember anything you can about this event if it happens.<br />☐ Immediately afterward, write down as many details as you can about the encounter: e.g., names, badge numbers, descriptions of equipment that may have been used to analyze the device, changes to the device or corrupted data, etc.</p><p data-block-key="2gg1i">Reporting is not a crime. Be confident knowing you haven’t done anything wrong.</p><h2 data-block-key="1e69q" id="more-resources" class="heading">More resources</h2><ul><li data-block-key="erdsv"><a href="https://hselaw.com/news-and-information/legalcurrents/preparing-for-electronic-device-searches-at-united-states-borders/">https://hselaw.com/news-and-information/legalcurrents/preparing-for-electronic-device-searches-at-united-states-borders/</a></li><li data-block-key="a4mqc"><a href="https://www.eff.org/wp/digital-privacy-us-border-2017#main-content">https://www.eff.org/wp/digital-privacy-us-border-2017#main-content</a></li><li data-block-key="8kbtj"><a href="https://www.aclu.org/news/privacy-technology/can-border-agents-search-your-electronic">https://www.aclu.org/news/privacy-technology/can-border-agents-search-your-electronic</a></li><li data-block-key="6npi6"><a href="https://www.theverge.com/policy/634264/customs-border-protection-search-phone-airport-rights">https://www.theverge.com/policy/634264/customs-border-protection-search-phone-airport-rights</a></li><li data-block-key="535ar"><a href="https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/">https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/</a></li><li data-block-key="3rd9a"><a href="https://www.washingtonpost.com/technology/2025/03/27/cbp-cell-phones-devices-traveling-us/">https://www.washingtonpost.com/technology/2025/03/27/cbp-cell-phones-devices-traveling-us/</a></li></ul> </div></div></div></description> <pubDate>Mon, 23 Jun 2025 15:31:31 +0000</pubDate> <guid isPermaLink="false">110809 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/border-searches">Border Searches</category> <dc:creator>Guest Author</dc:creator> <dc:creator>Dave Maass</dc:creator> <dc:creator>Sophia Cope</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/border-act-3.jpg" alt="icon of a border agent examining digital devices" type="image/jpeg" length="642988" /> </item> <item> <title>EFF to European Commission: Don’t Resurrect Illegal Data Retention Mandates</title> <link>https://www.eff.org/deeplinks/2025/06/eff-european-commission-dont-resurrect-illegal-data-retention-mandates</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>The mandatory retention of </span><a href="https://ssd.eff.org/module/why-metadata-matters"><span>metadata</span></a><span> is an evergreen of European digital policy. Despite a number of rulings by Europe’s highest court, </span><a href="https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62012CJ0293"><span>confirming</span></a> <a href="https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62015CA0203"><span>again</span></a> <a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0511"><span>and</span></a> <a href="https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62020CJ0140"><span>again</span></a> <a href="https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62019CA0793"><span>the incompatibility</span></a><span> of general and indiscriminate data retention mandates with European fundamental rights, the European Commission is taking major steps towards the re-introduction of EU-wide data retention mandates. Recently, the Commission launched a Call for Evidence on data retention for criminal investigations—the first formal step towards a legislative proposal.</span></p><p><span>The European Commission and EU Member States have been attempting to revive data retention for years. For this purpose, a secretive “</span><a href="https://home-affairs.ec.europa.eu/networks/high-level-group-hlg-access-data-effective-law-enforcement_en"><span>High Level Group on Access to Data for Effective Law Enforcement</span></a><span>” has been formed, usually referred to as High level Group (HLG) “Going dark”. Going dark refers to the false narrative that law enforcement authorities are left “in the dark” due to a lack of accessible data, despite the ever increasing collection and accessing of data through </span><a href="https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how"><span>companies</span></a><span>, </span><a href="https://www.eff.org/issues/location-data-brokers"><span>data brokers</span></a><span> and </span><a href="https://www.eff.org/nsa-spying"><span>governments</span></a><span>. Going dark also describes the </span><a href="https://edri.org/our-work/european-commission-discusses-going-dark-behind-closed-doors/"><span>intransparent ways of working of the HLG</span></a><span>, behind closed doors and without input from civil society. <br /></span></p><p><span>The Groups’ </span><a href="https://home-affairs.ec.europa.eu/document/download/1105a0ef-535c-44a7-a6d4-a8478fce1d29_en?filename=Recommendations%20of%20the%20HLG%20on%20Access%20to%20Data%20for%20Effective%20Law%20Enforcement_en.pdf"><span>recommendations</span></a><span> to the European Commission, published in 2024, read like a wishlist of government surveillance.They include suggestions to backdoors in various technologies (reframed as “lawful access by design”), obligations on service providers to collect and retain more user data than they need for providing their services, and intercepting and providing decrypted data to law enforcement in real time, all the while avoiding to compromise the security of their systems. And of course, the HLG calls for a harmonized data retention regime, including not only the retention of but also the access to data, and extending data retention to any service provider that could provide access to data. <br /></span></p><p><a href="https://edri.org/wp-content/uploads/2024/12/Open-Letter-on-HLG-Access-to-Data-for-Effective-Law-Enforcement-Recommendations.pdf"><span>EFF joined other civil society organizations</span></a><span> in addressing the dangerous proposals of the HLG, calling on the European Commission to safeguard fundamental rights and ensuring the security and confidentiality of communication. <br /></span></p><p><span>In our response to the Commission's Call for Evidence, we reiterated the same principles. </span></p><ul><li><span>Any future legislative measures must prioritize the protection of fundamental rights and must be aligned with the extensive jurisprudence of the Court of Justice of the European Union. </span></li><li><span>General and indiscriminate data retention mandates undermine anonymity and privacy, which are essential for democratic societies, and pose significant cybersecurity risks by creating centralized troves of sensitive metadata that are attractive targets for malicious actors. </span></li><li><span>We highlight the lack of empirical evidence to justify blanket data retention and warn against extending retention duties to number-independent interpersonal communication services as it would violate EU Court of Justice doctrine, conflict with European data protection law, and compromise security.</span></li></ul><p><span>The European Commission must once and for all abandon the ghost of data retention that’s been haunting EU policy discussions for decades, and shift its focus to rights respecting alternatives. </span></p><p><span><a href="https://www.eff.org/document/eff-submission-call-evidence-data-retention">Read EFF’s full submission here.</a></span></p> </div></div></div></description> <pubDate>Mon, 23 Jun 2025 15:26:58 +0000</pubDate> <guid isPermaLink="false">110830 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/mandatory-data-retention">Mandatory Data Retention</category> <category domain="https://www.eff.org/issues/eu-policy">EU Policy</category> <category domain="https://www.eff.org/issues/end-end-encryption">End-to-End Encryption</category> <dc:creator>Svea Windwehr</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/database-1.png" alt="" type="image/png" length="9166" /> </item> <item> <title>Protect Yourself From Meta’s Latest Attack on Privacy</title> <link>https://www.eff.org/deeplinks/2025/06/protect-yourself-metas-latest-attack-privacy</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>Researchers recently caught Meta using an egregious new tracking technique to spy on you. Exploiting a technical loophole, the company was able to have their apps snoop on users’ web browsing. This tracking technique stands out for its flagrant disregard of core security protections built into phones and browsers. The episode is yet another reason to distrust Meta, block web tracking, and end surveillance advertising. </span></p><p><span>Fortunately, there are steps that you, your browser, and your government can take to fight online tracking. </span></p><h3><span>What Makes Meta’s New Tracking Technique So Problematic?</span></h3><p><span>More than 10 years ago, Meta introduced a snippet of code called the “Meta pixel,” which has since been embedded on </span><a href="https://dl.acm.org/doi/fullHtml/10.1145/3543507.3583311"><span>about 20%</span></a><span> of the most trafficked websites. This pixel exists to spy on you, recording how visitors use a website and respond to ads, and siphoning potentially sensitive info like </span><a href="https://themarkup.org/pixel-hunt/2022/11/22/tax-filing-websites-have-been-sending-users-financial-information-to-facebook"><span>financial information from tax filing websites</span></a><span> and </span><a href="https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites"><span>medical information from hospital websites</span></a><span>,</span><span> all in service of the company’s creepy system of surveillance-based advertising. </span></p><p><span>While these pixels are well-known, and can be blocked by tools like </span><a href="https://privacybadger.org/"><span>EFF’s Privacy Badger</span></a><span>, researchers discovered another way these pixels were being used to track you. </span></p><p class="pull-quote"><span>Even users who blocked or cleared cookies, hid their IP address with a VPN, or browsed in incognito mode could be identified</span></p><p><span>Meta’s tracking pixel was secretly communicating with Meta’s apps on Android devices. This violates a fundamental security feature (“sandboxing”) of mobile operating systems that prevents apps from communicating with each other. Meta got around this restriction by exploiting </span><i><span>localhost</span></i><span>, a feature meant for developer testing. This allowed Meta to create a hidden channel between mobile browser apps and its own apps. You can read more about the technical details </span><a href="https://localmess.github.io/#description"><span>here</span></a><span>.</span></p><p><span>This workaround helped Meta bypass user privacy protections and attempts at anonymity. Typically, </span><a href="https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites"><span>Meta tries to link data</span></a><span> from “anonymous” website visitors to individual Meta accounts using signals like IP addresses and cookies. But Meta made re-identification trivial with this new tracking technique by sending information directly from its pixel to Meta's apps, where users are already logged in. Even users who blocked or cleared cookies, hid their IP address with a VPN, or browsed in incognito mode could be identified with this tracking technique. </span></p><p><span>Meta didn’t just hide this tracking technique from users. Developers who embedded Meta’s tracking pixels on their websites were </span><a href="https://localmess.github.io/#faq"><span>also kept in the dark</span></a><span>. Some developers noticed the pixel contacting localhost from their websites, but got no explanation when they </span><a href="https://web.archive.org/web/20250531105747/https://developers.facebook.com/community/threads/317050484803752/"><span>raised</span></a> <a href="https://web.archive.org/web/20250531105711/https://developers.facebook.com/community/threads/937149104821259/"><span>concerns</span></a><span> to Meta. Once publicly exposed, Meta immediately paused this tracking technique. They </span><a href="https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/"><span>claimed</span></a><span> they were in discussions with Google about “a potential miscommunication regarding the application of their policies.”</span></p><p><span>While the researchers only observed the practice on Android devices, similar exploits </span><a href="https://localmess.github.io/#faq"><span>may be possible</span></a><span> on iPhones as well.</span></p><p><span>This exploit underscores the unique privacy risks we face when Big Tech can leverage </span><a href="https://www.eff.org/deeplinks/2025/03/online-tracking-out-control-privacy-badger-can-help-you-fight-back"><span>out of control online tracking</span></a><span> to profit from our personal data.</span></p><h3><span>How Can You Protect Yourself?</span></h3><p><span>Meta seems to have stopped using this technique for now, but that doesn’t mean they’re done inventing new ways to track you. Here are a few steps you can take to protect yourself:</span></p><p><b>Use a Privacy-Focused Browser</b></p><p><span>Choose a browser with better default privacy protections than Chrome. For example, Brave and DuckDuckGo protected users from this tracking technique because they block Meta’s tracking pixel by default. Firefox only partially blocked the new tracking technique with its default settings, but fully blocked it for users with “Enhanced Tracking Protection” set to “Strict.” </span></p><p><span>It’s also a good idea to </span><a href="https://www.zdnet.com/article/in-app-browsers-can-be-trouble-heres-why-and-how-to-avoid-them/"><span>avoid using in-app browsers</span></a><span>. When you open links inside the Facebook or Instagram apps, </span><a href="https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser"><span>Meta can track you more easily</span></a><span> than if you opened the same links in an external browser.</span></p><p><b>Delete Unnecessary Apps</b></p><p><span>Reduce the number of ways your information can leak by deleting apps you don’t trust or don’t regularly use. Try opting for websites over apps when possible. In this case, </span><a href="https://www.zdnet.com/article/facebook-was-tracking-your-text-message-and-phone-call-data-now-what/"><span>and many similar cases</span></a><span>, using the Facebook and Instagram website instead of the apps would have limited data collection. Even though both can contain tracking code, apps can access information that websites generally can’t, like a persistent “advertising ID” that companies use to track you (follow </span><a href="https://www.eff.org/deeplinks/2022/05/how-disable-ad-id-tracking-ios-and-android-and-why-you-should-do-it-now"><span>EFF’s instructions to turn it off</span></a><span> if you haven’t already). </span></p><p><b>Install Privacy Badger</b></p><p><span>EFF’s </span><a href="https://privacybadger.org"><span>free browser extension</span></a><span> blocks trackers to stop companies from spying on you online. Although Privacy Badger would’ve stopped Meta’s latest tracking technique by blocking their pixel, Firefox for Android is the only mobile browser it currently supports. You can </span><a href="https://privacybadger.org"><span>install Privacy Badger</span></a><span> on Chrome, Firefox, and Edge on your desktop computer. </span></p><p><b>Limit Meta’s Use of Your Data</b></p><p><span>Meta’s business model creates an incentive to collect as much information as possible about people to sell targeted ads. Short of deleting your accounts, you have </span><a href="https://www.eff.org/deeplinks/2025/01/mad-meta-dont-let-them-collect-and-monetize-your-personal-data"><span>a number of options</span></a><span> to limit tracking and how the company uses your data.</span></p><h3><span>How Should Google Chrome Respond?</span></h3><p><span>After learning about Meta’s latest tracking technique, Chrome and Firefox released fixes for the technical loopholes that Meta exploited. That’s an important step, but Meta’s deliberate attempt to bypass browsers’ privacy protections shows why browsers should do more to protect users from online trackers. </span></p><p><span>Unfortunately, the most popular browser, Google Chrome, is also the worst for your privacy. Privacy Badger can help by blocking trackers on desktop Chrome, but Chrome for Android doesn’t support browser extensions. That seems to be Google’s choice, rather than a technical limitation. Given the lack of privacy protections they offer, </span><b>Chrome should support extensions on Android</b><span> to let users protect themselves. </span></p><p><span>Although Chrome addressed the latest Meta exploit after it was exposed, their refusal to block third-party cookies or known trackers leaves the door wide open for Meta’s other creepy tracking techniques. Even when browsers block third-party cookies, allowing trackers to load at all gives them other ways to harvest and de-anonymize users’ data. </span><b>Chrome should protect its users by blocking known trackers</b><span> (</span><a href="https://www.ghostery.com/whotracksme"><span>including Google’s</span></a><span>). Tracker-blocking features in </span><a href="https://support.apple.com/en-us/105030"><span>Safari</span></a><span> and </span><a href="https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop"><span>Firefox</span></a><span> show that similar protections are possible and long overdue in Chrome. It has yet to be approved to ship in Chrome, but </span><a href="https://github.com/explainers-by-googlers/script-blocking"><span>a Google proposal</span></a><span> to block fingerprinting scripts in Incognito Mode is a promising start. </span></p><h3><span>Yet Another Reason to Ban Online Behavioral Advertising</span></h3><p><span>Meta’s </span><a href="https://www.eff.org/deeplinks/2021/11/after-facebook-leaks-here-what-should-come-next"><span>business model</span></a><span> relies on collecting as much information as possible about people in order to sell highly-targeted ads. Even if this method has been paused, as long as they have the incentive to do so Meta will keep finding ways to bypass your privacy protections. </span></p><p><br /><span>The best way to stop this cycle of invasive tracking techniques and patchwork fixes is to </span><a href="https://www.eff.org/deeplinks/2022/03/ban-online-behavioral-advertising"><span>ban online behavioral advertising</span></a><span>. This would end the practice of targeting ads based on your online activity, removing the primary incentive for companies to track and share your personal data. We need strong federal privacy laws to ensure that you, not Meta, control what information you share online.</span></p> </div></div></div></description> <pubDate>Fri, 20 Jun 2025 15:01:28 +0000</pubDate> <guid isPermaLink="false">110826 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <category domain="https://www.eff.org/issues/online-behavioral-tracking">Online Behavioral Tracking</category> <dc:creator>Lena Cohen</dc:creator> <dc:creator>Rory Mir</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/third_party_tracking_banner.png" alt="A woman being watched behind a one-way mirror" type="image/png" length="178751" /> </item> <item> <title>A Token of Appreciation for Sustaining Donors 💞</title> <link>https://www.eff.org/deeplinks/2025/06/eff35-sustaining-donors</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>You'll get a custom <a href="https://eff.org/coin">EFF35 Challenge Coin</a> when you become a <a href="https://eff.org/r.d98c">monthly</a> or <a href="https://eff.org/r.13hk">annual</a> Sustaining Donor by July 10. It’s that simple.</p><p class="take-action"><a href="https://eff.org/r.d98c">Give Once a Month</a></p><p class="take-action"><a href="https://eff.org/r.13hk">Give Once a YEar</a></p><p class="take-explainer">Start a Convenient recurring donation Today!</p><p>But here's a little more background for all of you detail-oriented digital rights fans. <a href="https://www.eff.org/35">EFF's 35th Anniversary</a> celebration has begun and we're commemorating three and a half decades for fighting for your privacy, security, and free expression rights online. These values are hallmarks of freedom and necessities for true democracy, and you can help protect them. It's only possible with the kindness and steadfast support from EFF members, and over 30% of them are <em>Sustaining Donors</em>: people who spread out their support with a monthly or annual automatic recurring donation.</p><p>We're saying thanks to new and upgrading Sustaining Donors by offering brand new EFF35 Challenge Coins as a literal token of thanks. Challenge coins follow a long tradition of offering a symbol of kinship and respect for great achievements—and we owe our strength to tech creators and users like you. EFF challenge coins are individually numbered for each supporter and <a href="https://eff.org/r.d98c">only available while supplies last</a>.</p><p class="take-explainer"><a href="https://eff.org/r.d98c"><img src="https://www.eff.org/files/2025/06/02/coin_cat_1200px.jpg" width="500" height="375" alt="Orange cat inspecting EFF 35th Anniversary Challenge Coin" title="EFF35 Challenge Coin for monthly &amp; annual donors (kitty not included)." /></a></p><h2><strong>Become a Sustaining Donor</strong></h2><p>Just start an automated recurring donation of at least <a href="https://eff.org/r.aa8c">$5 per month (Copper Level)</a> or <a href="https://eff.org/r.64dt">$25 per year (Silicon Level)</a> by <del>July 10, 2025</del> <strong>August 11, 2025</strong>. We'll automatically send a special-edition EFF challenge coin to the shipping address you provide during your transaction.</p><h2><strong>Already a Monthly or Annual Sustaining Donor?</strong></h2><p>First of all—THANKS! Second, you can get an EFF35 Challenge Coin when you upgrade your donation. Just increase your monthly or annual gift by any amount and let us know by emailing <a href="mailto:upgrade@eff.org?subject=Sustaining%20Donor%20Upgrade&amp;amp;body=Item%20(size%20%26%20style%20if%20applicable)%3A%20%0A%0AShipping%20Address%3A%20">upgrade@eff.org</a>.</p><p>Get started with your upgrade at <a class="theme markdown__link" href="https://eff.org/recurring" rel="noopener noreferrer" target="_blank"><span>eff.org/recurring</span></a>. If you used PayPal, just <a class="theme markdown__link" href="https://www.paypal.com/myaccount/autopay" rel="noopener noreferrer" target="_blank"><span>cancel your current recurring donation</span></a> and then go to eff.org to <a class="theme markdown__link" href="https://eff.org/r.d98c" rel="noopener noreferrer" target="_blank"><span>start a new upgraded recurring donation</span></a>.</p><h2><strong>Digital Rights Every Day</strong></h2><p>EFF's mission is sustained by thousands of people from every imaginable background giving modest donations when they can. <em>Every cent counts</em>. We like to show our gratitude and give you something to start conversations about civil liberties and human rights, whether you're <a href="https://eff.org/r.76bz">a one time donor</a> or recurring <a href="https://eff.org/r.d98c">Sustaining Donor</a>.</p><p></p><center><a href="https://eff.org/r.d98c"><img src="/files/2025/06/18/hoodie-front-back-alt-square-750px.jpg" width="750" height="750" alt="Person wearing a green hoodie with a gold motherboard figure and orange poppies on the back, next to a person wearing an EFF35 Cityscape member t-shirt." title="Get great EFF swag when you become a monthly Sustaining Donor." /></a></center><p>Check out freshly-baked member gifts made for EFF's anniversary year including the new <a href="https://supporters.eff.org/donate/images/premium/55/shirt-v-neck-square2.jpg" target="_blank" rel="noopener noreferrer">EFF35 Cityscape T-Shirt</a>, <a href="https://supporters.eff.org/donate/images/premium/59/hoodie-front-back-alt-square.jpg" target="_blank" rel="noopener noreferrer">Motherboard Hooded Sweatshirt</a>, and <a href="https://supporters.eff.org/donate/images/premium/60/Anime_Girl_Multisticker_900px.png" target="_blank" rel="noopener noreferrer">new stickers</a>. With your help, EFF is here to stay.</p> </div></div></div></description> <pubDate>Thu, 19 Jun 2025 17:04:37 +0000</pubDate> <guid isPermaLink="false">110808 at https://www.eff.org</guid> <dc:creator>Aaron Jue</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/challenge-coin-2025-preview-v2.jpg" alt="Front and back of silver EFF 35th anniversary challenge coin on a black background" type="image/jpeg" length="231720" /> </item> <item> <title>Strategies for Resisting Tech-Enabled Violence Facing Transgender People</title> <link>https://www.eff.org/deeplinks/2025/06/strategies-resisting-tech-enabled-violence-facing-transgender-people</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>Today's Supreme Court’s ruling in </span><i><span>U.S. v. Skrmetti</span></i><span> upholding bans on gender-affirming care for youth makes it clear: trans people are under attack. Threats to trans rights and healthcare are coming from legislatures, anti-trans bigots (both organized and not), apathetic bystanders, and more. Living under the most sophisticated surveillance apparatus in human history only makes things worse. While the dangers are very much tangible and immediate, the risks posed by technology can amplify them in insidious ways. Here is a non-exhaustive overview of concerns, a broad-sweeping threat model, and some recommended strategies that you can take to keep yourself and your loved ones safe.</span></p><h3><span>Dangers for Trans Youth</span></h3><p><span>Trans kids experience an inhumane amount of cruelty and assault. Much of today’s anti-trans legislation is aimed specifically at making life harder for transgender youth, across all aspects of life. For this reason, we have highlighted several of the unique threats facing transgender youth.</span></p><h4><span>School Monitoring Software</span></h4><p><span>Most school-issued devices are root-kitted with surveillance spyware known as student-monitoring software. The purveyors of these technologies </span><a href="https://www.markey.senate.gov/news/press-releases/senators-markey-warren-investigation-finds-that-edtech-student-surveillance-platforms-need-urgent-federal-action-to-protect-students"><span>have been widely criticized</span></a><span> for posing significant risks to marginalized children, particularly LGBTQ+ students. We ran our own investigation on the dangers posed by these technologies with a project called </span><a href="https://redflagmachine.org/"><span>Red Flag Machine</span></a><span>. Our findings showed that a significant portion of the times students’ online behavior was flagged as “inappropriate” was when they were researching LGBTQ+ topics such as queer history, sexual education, psychology, and medicine. When a device with this software flags such activity it often leads to students being placed in direct contact with school administrators or </span><a href="https://www.warren.senate.gov/oversight/reports/warren-markey-investigation-finds-that-edtech-student-surveillance-platforms-need-urgent-federal-action-to-protect-students"><span>even law enforcement</span></a><span>. </span><a href="https://www.eff.org/deeplinks/2022/06/mandatory-student-spyware-creating-perfect-storm-human-rights-abuses"><span>As I wrote 3 years ago</span></a><span>, this creates a persistent and uniquely dangerous situation for students living in areas with regressive laws around LGBTQ+ life or unsafe home environments.</span></p><p class="pull-quote"><span>The risks posed by technology can amplify threats in insidious ways</span></p><p><span>Unfortunately, because of the invasive nature of these school-issued devices, we can’t recommend a safe way to research LGBTQ+ topics on them without risking school administrators finding out. If possible, consider compartmentalizing those searches to different devices, ones owned by you or a trusted friend, or devices found in an environment you trust, such as a public library.</span></p><h4><span>Family Owned Devices</span></h4><p><span>If you don’t own your phone, laptop, or other devices—such as if your parents or guardians are in control of them (e.g. they have access to unlock them or they exert control over the app stores you can access with them)— it’s safest to treat those devices as you would a school-issued device. This means you should not trust those devices for the most sensitive activities or searches that you want to keep especially private. While steps like deleting browser history and using </span><a href="https://support.apple.com/guide/personal-safety/lock-or-hide-apps-on-your-iphone-ipsd0be4c185/web"><span>hidden folders</span></a><span> or </span><a href="https://support.apple.com/en-us/104987"><span>photo albums</span></a><span> can offer some safety, they aren’t sure-fire protections to prevent the adults in your life from accessing your sensitive information. When possible, try using a public library computer (outside of school) or borrow a trusted friend’s device with fewer restrictions. </span></p><h3><span>Dangers for Protestors</span></h3><p><span>Pride demonstrations are once again returning to their roots as political protests. It’s important to treat them as such by locking down your devices and coming up with some safety plans in advance. We recommend reading our entire </span><a href="https://ssd.eff.org/module/attending-protest"><span>Surveillance Self-Defense guide on attending a protest</span></a><span>, taking special care to implement strategies like disabling biometric unlock on your phone and documenting the protest without putting others at risk. If you’re attending the demonstration with others–which is strongly encouraged–consider setting up a Signal group chat and using strategies laid out in this </span><a href="https://micahflee.com/using-signal-groups-for-activism/"><span>blog post by Micah Lee</span></a><span>.</span></p><h4><span>Counter-protestors</span></h4><p><span>There is a significant push from anti-trans bigots to make Pride month more dangerous for our community. An independent source has been </span><a href="https://www.google.com/maps/d/viewer?mid=1kd_jQ6rRJrgaQp4J0Km7NWwKsuyDCtQ&amp;ll=41.25881813524541%2C-96.69431800000001&amp;z=5"><span>tracking and mapping anti-trans organized groups</span></a><span> who are specifically targeting Pride events. While the list is non-exhaustive, it does provide some insight into who these groups are and where they are active. If one of these groups is organizing in your area, it will be important to take extra precautions to keep yourself safe.</span></p><h3><span>Data Brokers &amp; Open-Source Intelligence</span></h3><p><span>Data brokers pose a </span><a href="https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how"><span>significant threat to everyone</span></a><span>–and frankly, the entire industry deserves to be deleted out of existence. The dangers are even more pressing for people doing the vital work advocating for human rights of transgender people. If you’re a doctor, an activist, or a supportive family member of a transgender person, you are at risk of your own personal information being weaponized against you. Anti-trans bigots and their supporters online will routinely access open-source intelligence and data broker records to cause harm.</span></p><p><span>You can reduce some of these risks by opting out from data brokers. It’s not a cure-all (the entire dissolution of the data broker industry is the only solution), but it’s a meaningful step. The </span><a href="https://innovation.consumerreports.org/new-report-data-defense-evaluating-people-search-site-removal-services/"><span>DIY method has been found most effective</span></a><span>, though there are services to automate the process if you would rather save yourself the time and energy. For the DIY approach, we recommend using </span><a href="https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List"><span>Yael Grauer’s Big Ass Data-Broker Opt Out List</span></a><span>.</span></p><p class="pull-quote"><span>Legality is likely to continue to shift</span></p><p><span>It’s also important to look into other publicly accessible information that may be out there, including voter registration records, medical licensing information, property sales records, and more. Some of these can be obfuscated through mechanisms like “address confidentiality programs.” These protections vary state-by-state, so we recommend checking your local laws and protections.</span></p><h3><span>Medical Data</span></h3><p><span>In recent years, legislatures across the country have moved to restrict access to and ban transgender healthcare. Legality is likely to continue to shift, especially after the Supreme Court’s green light today in </span><i><span>Skrmetti</span></i><span>. Many of the concerns around criminalization of transgender healthcare overlap with those surrounding abortion access –issues that are deeply connected and not mutually exclusive. The </span><a href="https://ssd.eff.org/playlist/reproductive-healthcare-service-provider-seeker-or-advocate"><span>Surveillance Self-Defense playlist for the abortion access movement</span></a><span> is a great place to start when thinking through these risks, particularly the guides on </span><a href="https://ssd.eff.org/module/mobile-phones-location-tracking"><span>mobile phone location tracking</span></a><span>, making a </span><a href="https://ssd.eff.org/module/your-security-plan"><span>security plan</span></a><span>, and </span><a href="https://ssd.eff.org/module/communicating-others"><span>communicating with others</span></a><span>. While some of this overlaps with the previously linked protest safety guides, that redundancy only underscores the importance.</span></p><p><span>Unfortunately, much of the data about your medical history and care is out of your hands. While some medical practitioners may have </span><i><span>some</span></i><span> flexibility over how your records reflect your trans identity, certain aspects like diagnostic codes and pharmaceutical data for hormone therapy or surgery are often more rigid and difficult to obscure. As a patient, it’s important to consult with your medical provider about this information. Consider opening up a dialogue with them about what information </span><i><span>needs</span></i><span> to be documented, versus what could be obfuscated, and how you can plan ahead in the event that this type of care is further outlawed or deemed criminal.</span></p><h3><span>Account Safety</span></h3><h4><span>Locking Down Social Media Accounts</span></h4><p><span>It’s a good idea for everyone to review the privacy and security settings on their social media accounts. But given the extreme amount of anti-trans hate online (</span><a href="https://glaad.org/releases/meta-oversight-board-allows-anti-trans-hate-from-others-but-tells-meta-to-remove-its-own/"><span>sometimes emboldened by the very platforms themselves</span></a><span>), this is a necessary step for trans people online. To start, check out the </span><a href="https://ssd.eff.org/module/protecting-yourself-social-networks"><span>Surveillance Self-Defense guide on social media account safety</span></a><span>. </span></p><p class="pull-quote"><span>We can’t let the threats posed by technology diminish our humanity and our liberation.</span></p><p><span>In addition to reviewing your account settings, you may want to think carefully about what information you choose to share online. While visibility of queerness and humanity is a powerful tool for destigmatizing our existence, only you can decide if the risk involved with sharing your face, your name, and your life outweigh the benefit of showing others that no matter what happens, trans people exist. There’s no single right answer—only what’s right for you.</span></p><p><span>Keep in mind also that </span><a href="https://www.eff.org/deeplinks/2024/06/global-suppression-online-lgbtq-speech-continues"><span>LGBTQ expression is at significantly greater risk of censorship by these platforms</span></a><span>. There is little individuals can do to fully evade or protect against this, underscoring the importance of advocacy and platform accountability.</span></p><h4><span>Dating Apps</span></h4><p><span>Dating apps also pose a unique set of risks for transgender people. </span><a href="https://www.hrc.org/resources/understanding-intimate-partner-violence-in-the-lgbtq-community"><span>Intimate partner violence for transgender people is at a staggeringly high rate</span></a><span> compared to cisgender people–meaning we must take special care to protect ourselves. </span><a href="https://www.eff.org/deeplinks/2021/06/security-tips-online-lgbtq-dating"><span>This guide on LGBTQ dating app safety</span></a><span> is worth reading, but here’s the TLDR: always designate a friend as your safety contact before and after meeting anyone new, meet in public first, and be mindful of how you share photos with others on dating apps.</span></p><h3><span>Safety and Liberation Are Collective Efforts</span></h3><p><span>While bodily autonomy is under attack from multiple fronts, it’s crucial that we band together to share strategies of resistance. Digital privacy and security must be considered when it comes to holistic security and safety. Don’t let technology become the tool that enables violence or restricts the self-determination we all deserve.</span></p><p><span>Trans people have always existed. Trans people will continue to exist despite the state’s efforts to eradicate us. Digital privacy and security are just one aspect of our collective safety. We can’t let the threats posed by technology diminish our humanity and our liberation. Stay informed. Fight back. We keep each other safe.</span></p> </div></div></div></description> <pubDate>Wed, 18 Jun 2025 22:49:37 +0000</pubDate> <guid isPermaLink="false">110824 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/lgbtq">LGBTQ+</category> <dc:creator>Daly Barnett</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/icon-2019-freespeech.png" alt="A multi-colored bullhorn icon surrounded by grey-blue hexagons" type="image/png" length="14323" /> </item> <item> <title>Apple to Australians: You’re Too Stupid to Choose Your Own Apps</title> <link>https://www.eff.org/deeplinks/2025/06/apple-australians-youre-too-stupid-choose-your-own-apps</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>Apple</span><a href="https://www.neowin.net/news/apple-warns-australia-against-joining-eu-in-mandating-iphone-app-sideloading/"> <span>has released a scaremongering, self-serving warning aimed at the Australian government</span></a><span>, claiming that Australians will be overrun by a parade of digital horribles if Australia follows the European Union’s lead and regulates Apple’s “walled garden.” </span></p><p><span>The </span><a href="https://www.eff.org/pages/adoption-dsadma-notre-analyse"><span>EU’s Digital Markets Act</span></a><span> is a big, complex, ambitious law that takes aim squarely at the source of Big Tech’s power: lock-in. For users, the DMA offers</span><a href="https://www.eff.org/deeplinks/2022/04/eu-digital-markets-acts-interoperability-rule-addresses-important-need-raises"> <span>interoperability rules</span></a><span> that let Europeans escape US tech giants’ walled gardens</span><a href="https://www.eff.org/interoperablefacebook"> <span>without giving up their relationships</span></a><span> and</span><a href="https://www.eff.org/deeplinks/2021/08/facebooks-secret-war-switching-costs"> <span>digital memories</span></a><span>. </span></p><p><span>For small businesses, the DMA offers something just as valuable: the right to process their own payments. That may sound boring, but here’s the thing: Apple takes </span><i><span>30 percent </span></i><span>commission on most payments made through iPhone and iPad apps, and they ban app makers from including alternative payment methods or even </span><i><span>mentioning</span></i><span> that Apple customers can make their payments on the web. </span></p><p><span>All this means that</span><a href="https://www.theverge.com/2024/8/12/24218629/patreon-membership-ios-30-percent-apple-tax"> <span>every euro a European Patreon user sends to a performer or artist</span></a><span> takes a round-trip through Cupertino, California, and comes back 30 cents lighter. Same goes for other money sent to major newspapers, big games, or large service providers. Meanwhile, the actual cost of processing a payment in the EU is </span><i><span>less than one percent</span></i><span>, meaning that Apple is taking in a 3,000 percent margin on its EU payments. </span></p><p><span>To make things worse, Apple uses “digital rights management” to lock iPhones and iPads to its official App Store. That means that Europeans can’t escape Apple’s 30 percent “app tax” by installing apps from a store with fairer payment policies. </span></p><p><span>Here, too, the DMA offers relief, with a rule that requires Apple to permit “sideloading” of apps (that is, installing apps without using an app store). The same rule requires Apple to allow its customers to choose to use independent app stores. </span></p><p><span>With the DMA, the EU is leading the world in smart, administrable tech policies that strike at the </span><i><span>power</span></i><span> of tech companies. This is a welcome break from the dominant approach to tech policy over the first two decades of this century, in which regulators focused on demanding that tech companies use their power wisely – by surveilling and controlling their users to prevent bad behavior – rather than taking that power away. </span></p><p><span>Which is why Australia is so interested.</span><a href="https://treasury.gov.au/sites/default/files/2024-12/c2024-547447-pp.pdf"> <span>A late 2024 report from the Australian Treasury</span></a><span> took a serious look at transposing DMA-style rules to Australia. It’s a sound policy, as the European experience has shown. </span></p><p><span>But you wouldn’t know it by listening to Apple. According to Apple, Australians aren’t competent to have the final say over which apps they use and how they pay for them, and only Apple can make those determinations safely. It’s true that Apple sometimes takes</span><a href="https://www.cnbc.com/2022/02/02/facebook-says-apple-ios-privacy-change-will-cost-10-billion-this-year.html"> <span>bold, admirable steps to protect its customers’ privacy</span></a><span> – but it’s also true that</span><a href="https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558"> <span>sometimes </span><i><span>Apple</span></i><span> invades its customers’ privacy (and lies about it)</span></a><span>. It’s true that sometimes</span><a href="https://www.eff.org/deeplinks/2016/02/eff-support-apple-encryption-battle"> <span>Apple defends its customers from government spying</span></a><span> – but it’s also true that sometimes Apple</span><a href="https://www.macworld.com/article/230330/apple-in-china-why-the-company-withdrew-vpn-apps-from-its-app-store.html"> <span>serves its customers up on a platter to government spies</span></a><span>,</span><a href="https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html"> <span>delivering population-scale surveillance for autocratic regimes</span></a><span> (and</span><a href="https://www.vice.com/en/article/apple-airdrop-china-ios/"> <span>Apple has even been known to change its apps to help autocrats cling to power</span></a><span>). </span></p><p><span>Apple sometimes has its customers’ backs, but often, it sides with its shareholders (or repressive governments) over those customers. There’s no such thing as a benevolent dictator:</span><a href="https://www.eff.org/document/letter-bruce-schneier-senate-judiciary-regarding-app-store-security"> <span>letting Apple veto your decisions about how you use your devices will not make you safer</span></a><span>. </span></p><p><span>Apple’s claims about the chaos and dangers that Europeans face thanks to the DMA are even more (grimly) funny when you consider that Apple has flouted EU law with</span><a href="https://www.eff.org/deeplinks/2024/05/big-tech-eu-drop-dead"> <span>breathtaking acts</span></a><span> of</span><a href="https://developer.apple.com/support/ios-interoperability/#overview"> <span>malicious compliance</span></a><span>. Apparently, the European iPhone carnage has been triggered by the words on the European law books, without Apple even having to follow those laws! </span></p><p><span>The world is in the midst of a global anti-monopoly wave that keeps on growing. This decade has seen big, muscular antitrust action in the US, the UK, the EU, Canada, South Korea, Japan, Germany, Spain, France, and even China. </span></p><p><span>It’s been a century since the last wave of trustbusting swept the globe, and while today’s monopolists are orders of magnitude larger than their early 20th-century forbears, they also have a unique vulnerability. </span></p><p><span>Broadly speaking, today’s tech giants cheat in the same way </span><i><span>everywhere</span></i><span>. They do the same spying, the same price-gouging, and employ the same lock-in tactics in every country where they operate, which is practically every country. That means that when a large bloc like the EU makes a good tech regulation, it has the power to ripple out across the planet, benefiting all of us – like when the EU forced Apple to switch to standard USB-C cables to charge their devices, and</span><a href="https://www.theguardian.com/technology/2022/oct/26/iphone-usb-c-lightning-connectors-apple-eu-rules"> <span>we all got iPhones with USB-C ports</span></a><span>. </span></p><p><span>It makes perfect sense for Australia to import the DMA – after all, Apple and other American tech companies run the same scams on Australians as they do on Europeans. </span></p><p><span>Around the world, antitrust enforcers have figured out that they can copy one another’s homework, to the benefit of the people they defend. For example, in 2022,</span><a href="https://assets.publishing.service.gov.uk/media/63f61bc0d3bf7f62e8c34a02/Mobile_Ecosystems_Final_Report_amended_2.pdf"> <span>the UK’s Digital Markets Unit published a landmark study on the abuses of the mobile duopoly</span></a><span>. The EU Commission relied on the UK report when it crafted the DMA, as did</span><a href="https://www.congress.gov/bill/117th-congress/senate-bill/2710"> <span>an American Congressman who introduced a similar law that year</span></a><span>. The same report’s findings became the basis for new enforcement efforts in</span><a href="https://asia.nikkei.com/Business/Technology/Japan-to-crack-down-on-Apple-and-Google-app-store-monopolies"> <span>Japan</span></a><span> and</span><a href="https://www.reuters.com/technology/skorea-considers-505-mln-fine-against-google-apple-over-app-market-practices-2023-10-06/"> <span>South Korea</span></a><span>. </span></p><p><span>As Benjamin Franklin wrote, “He who receives an idea from me, receives instruction himself without lessening mine; as he who lights his taper at mine, receives light without darkening mine.” It’s wonderful to see Australian regulators picking up best practices from the EU, and we look forward to seeing what ideas Australia has for the rest of the world to copy. </span></p> </div></div></div></description> <pubDate>Wed, 18 Jun 2025 21:35:30 +0000</pubDate> <guid isPermaLink="false">110823 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/competition">Competition</category> <category domain="https://www.eff.org/issues/dmca">DMCA</category> <category domain="https://www.eff.org/issues/drm">DRM</category> <category domain="https://www.eff.org/issues/trade-agreements">Trade Agreements and Digital Rights</category> <dc:creator>Cory Doctorow</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/apple-worm.png" alt="the standard apple logo in silver, with a cartoonish green worm poking through it on each side" type="image/png" length="9851" /> </item> <item> <title>LGBT Q&A: Your Online Speech and Privacy Questions, Answered</title> <link>https://www.eff.org/deeplinks/2025/06/lgbt-qa-your-online-speech-and-privacy-questions-answered</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>This year, like almost all years before, LGBTQ+ Pride month is taking place at a time of burgeoning </span><a href="https://www.adl.org/resources/press-release/adl-and-glaad-report-more-350-anti-lgbtq-hate-and-extremism-incidents"><span>anti-LGBTQ+</span></a><span> violence, harassment, and criticism. Lawmakers and regulators are passing </span><a href="https://www.eff.org/deeplinks/2024/02/ghanas-president-must-refuse-sign-anti-lgbtq-bill"><span>legislation</span></a><span> restricting freedom of expression and privacy for LGBTQ+ individuals and fueling offline intolerance. Online platforms are also complicit in this pervasive ecosystem by </span><a href="https://www.eff.org/deeplinks/2025/01/metas-new-content-policy-will-harm-vulnerable-users-if-it-really-valued-free"><span>censoring pro-LGBTQ+ speech</span></a><span>, forcing LGBTQ+ individuals to </span><a href="https://www.eff.org/deeplinks/2025/01/vpns-are-not-solution-age-verification-laws"><span>self-censor or turn to VPNs</span></a><span> to avoid being profiled, harassed, doxxed, or criminally prosecuted. Unfortunately, </span><a href="https://newrepublic.com/article/182865/pride-attacks-proud-boys-lgbtq-violence"><span>these risks</span></a><span> look likely to continue, threatening LGBTQ+ individuals and the fight for queer liberation. </span></p><p class="pull-quote"><span>This Pride, we’re here to help build an online space where <i>you</i> get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private.</span></p><p><span>We know that it feels overwhelming thinking about how to protect yourself online in the face of these issues—whether that's best practices for using gay dating apps like Grindr and Her, how to download a VPN to see and interact with banned LGBTQ+ content, methods for posting pictures from events and protests without outing your friends, or how to argue over your favorite queer musicians’ most recent problematic takes without being doxxed. </span></p><p><span>That's why this LGBTQ+ Pride month, we’re launching an LGBT Q&amp;A. Throughout Pride, we’ll be answering your most pressing digital rights questions on EFF’s </span><span>Instagram</span><span> and </span><span>TikTok</span><span> accounts. Comment your questions under </span>these posts <span>on <a href="https://www.instagram.com/reel/DLDMyAYyvxt/">Instagram</a> and <a href="https://www.tiktok.com/@efforg/video/7517337079924215095">TikTok</a>, and we’ll reply directly. Want to stay anonymous? Submit your questions via a secure link on our </span><a href="https://supporters.eff.org/2025-eff-lgbtqa"><span>website</span></a><span> and we’ll answer these in separate posts. </span></p><p><span>Everyone needs guidance and protection from prying eyes. This is especially true for those of us who face consequences when intimate details around gender or sexual identities are revealed without consent. This Pride, we’re here to help build an online space where </span><i><span>you</span></i><span> get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private.</span></p><p><span>No question is too big or too small! But comments that discriminate against marginalized groups, including the LGBTQ+ community, will not be engaged with. </span></p><p>The fight for the safety and rights of LGBTQ+ people is not just a fight for visibility online (and offline)—it’s a fight for survival. Now more than ever, it's essential to collectivize information sharing to not only make the digital world safer for LGBTQ+ individuals, but to make it a space where people can have fun, share memes, date, and build communities without facing repression and harm. Join us to make the internet private, safe, and full of gay pride.</p> </div></div></div></description> <pubDate>Wed, 18 Jun 2025 17:21:18 +0000</pubDate> <guid isPermaLink="false">110819 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Paige Collings</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/09_pride.png" alt="An orange tabby cat with yellow lightning markings in a blue spacesuit, wearing a jetpack, flying through pink and purple space. There are planets in the sky with colors representing a variety of pride flags." type="image/png" length="1051271" /> </item> <item> <title>Big Brother's Little Problem | EFFector 37.6</title> <link>https://www.eff.org/deeplinks/2025/06/big-brothers-little-problem-effector-376</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Just in time for summer, <a href="https://www.eff.org/effector/37/6">EFFector is back</a>—with a brand new look! If you're not signed up, now's a perfect time to subscribe and get the latest details on EFF's work defending your rights to privacy and free expression online.</p><p><a href="https://www.eff.org/effector/37/6">EFFector 37.6 highlights an important role</a> that EFF has to protecting you online: <em>watching the watchers</em>. In this issue, we're pushing back on invasive car-tracking technologies, and we share an update on our case challenging the illegal disclosure of government records to DOGE. You'll also find updates on issues like masking at protests, defending encryption in Europe, and the latest developments in the right to repair movement.</p><p>Speaking of right to repair: <strong>we're debuting a new audio companion to EFFector</strong> as well! This time, Hayley Tsukayama breaks down how Washington's new right to repair law fits into broader legislative trends. You can listen now on <a href="https://www.youtube.com/watch?v=LEeH2Z-kqgY">YouTube</a> or the <a href="https://archive.org/details/37.6_20250618">Internet Archive</a>.</p><p class="take-action"><a href="https://youtu.be/SCdMGDiyIIs">SUBSCRIBE TO EFFECTOR</a></p><p class="take-action take-explainer"><span>EFFECTOR 37.6 - BIG BROTHER'S LITTLE PROBLEM</span></p><p><span>Since 1990 EFF has published EFFector to help keep readers on the bleeding edge of their digital rights. We know that the intersection of technology, civil liberties, human rights, and the law can be complicated, so EFFector is a great way to stay on top of things. The newsletter is chock full of links to updates, announcements, blog posts, and other stories to help keep readers—and listeners—up to date on the movement to protect online privacy and free expression. </span></p><p><span>Thank you to the supporters around the world who make our work possible! If you're not a member yet, <a href="https://eff.org/effect">join EFF today</a> to help us fight for a brighter digital future.</span></p> </div></div></div></description> <pubDate>Wed, 18 Jun 2025 17:10:56 +0000</pubDate> <guid isPermaLink="false">110820 at https://www.eff.org</guid> <dc:creator>Christian Romero</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/effector_banner_5.jpeg" alt="" type="image/jpeg" length="130379" /> </item> <item> <title>Podcast Episode: Securing Journalism on the ‘Data-Greedy’ Internet</title> <link>https://www.eff.org/deeplinks/2025/06/podcast-episode-securing-journalism-data-greedy-internet</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span data-contrast="auto">Public-interest journalism speaks truth to power, so protecting press freedom is part of protecting democracy. But what does it take to digitally secure journalists’ work in an environment where critics, hackers, oppressive regimes, and others seem to have the free press in their crosshairs?</span></p><p><div class="mytube" style="width: 100%px;"> <div class="mytubetrigger" tabindex="0"> <img src="https://www.eff.org/sites/all/modules/custom/mytube/play.png" class="mytubeplay" alt="play" style="top: -4px; left: 20px;" /> <div hidden class="mytubeembedcode">%3Ciframe%20height%3D%2252px%22%20width%3D%22100%25%22%20frameborder%3D%22no%22%20scrolling%3D%22no%22%20seamless%3D%22%22%20src%3D%22https%3A%2F%2Fplayer.simplecast.com%2F3a9d54ab-0f04-453e-8101-fe44607d3800%3Fdark%3Dtrue%26amp%3Bcolor%3D000000%22%20allow%3D%22autoplay%22%3E%3C%2Fiframe%3E</div> </div> <div class="mytubetext"> <span><a href="https://www.eff.org/deeplinks/2008/02/embedded-video-and-your-privacy" rel="noreferrer" target="_blank">Privacy info.</a></span> <span>This embed will serve content from <em><a rel="nofollow" href="https://player.simplecast.com/3a9d54ab-0f04-453e-8101-fe44607d3800?dark=true&amp;color=000000">simplecast.com</a></em><br /></span> </div></div></p><p><span data-contrast="auto"></span><span data-ccp-props="{}"> <i><a href="https://open.spotify.com/show/4UAplFpPDqE4hWlwsjplgt" target="_blank" rel="noopener noreferrer"><img src="https://www.eff.org/files/2021/11/01/spotify-podcast-badge-blk-wht-330x80.png" alt="Listen on Spotify Podcasts Badge" width="198" height="48" /></a> <a href="https://podcasts.apple.com/us/podcast/effs-how-to-fix-the-internet/id1539719568" target="_blank" rel="noopener noreferrer"><img src="https://www.eff.org/files/2021/11/01/applebadge2.png" alt="Listen on Apple Podcasts Badge" width="195" height="47" /></a> <a href="https://music.amazon.ca/podcasts/bf81f00f-11e1-431f-918d-374ab6ad07cc/how-to-fix-the-internet?ref=dmm_art_us_HTFTI" target="_blank" rel="noopener noreferrer"><img height="47" width="195" src="https://www.eff.org/files/styles/kittens_types_wysiwyg_small/public/2024/02/15/us_listenon_amazonmusic_button_charcoal.png?itok=YFXPE4Ii" /></a> <a href="https://feeds.eff.org/howtofixtheinternet" target="_blank" rel="noopener noreferrer"><img src="https://www.eff.org/files/2021/11/01/subscriberss.png" alt="Subscribe via RSS badge" width="194" height="50" /></a></i></span></p><p>(You can also find this episode on the <a href="https://archive.org/details/htfti-s6e4-harlo-holmes-vfinal" target="_blank" rel="noopener noreferrer">Internet Archive</a> and on <a href="https://youtu.be/9kk6PxPeYAo?si=nUc7AeG8GMpHqoA4" target="_blank" rel="noopener noreferrer">YouTube</a>.)</p><p><span data-contrast="auto">That’s what Harlo Holmes focuses on as Freedom of the Press Foundation’s digital security director. Her team provides training, consulting, security audits, and other support to newsrooms, independent journalists, freelancers, documentary filmmakers – anyone who is making independent journalism in the public interest – so that they can do their jobs more safely and securely. Holmes joins EFF’s Cindy Cohn and Jason Kelley to discuss the tools and techniques that help journalists protect themselves and their sources while keeping the world informed. </span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">In this episode you’ll learn about:</span></p><ul><li><span data-ccp-props="{}">The importance of protecting online anonymity on an ever-increasingly “data-greedy” internet</span></li><li><span data-ccp-props="{}">How digital security nihilism in the United States compares with regions of the world where oppressive and repressive governance are more common</span></li><li><span data-ccp-props="{}">Why compartmentalization can be a simple, easy approach to digital security</span></li><li><span data-ccp-props="{}">The need for middleware to provide encryption and other protections that shield sources’ anonymity and journalists’ work product when using corporate data platforms</span></li><li><span data-ccp-props="{}">How podcasters, YouTubers, and TikTokers fit into the broad sweep of media history, and need digital protections as well</span><span data-ccp-props="{}"> </span></li></ul><p><span data-contrast="auto">Harlo Holmes is the chief information security officer and director of digital security at </span><a href="https://freedom.press/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Freedom of the Press Foundation</span></a><span data-contrast="auto">. She strives to help individual journalists in various media organizations become confident and effective in securing their communications within their newsrooms, with their sources, and with the public at large. She is a media scholar, software programmer, and activist. Holmes was a regular contributor to the open-source mobile security collective </span><a href="https://guardianproject.info/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Guardian Project</span></a><span data-contrast="auto">, where she spearheaded the media metadata verification initiative currently empowering </span><a href="https://proofmode.org/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">ProofMode</span></a><span data-contrast="auto">, </span><a href="https://www.open-archive.org/save" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Save by OpenArchive</span></a><span data-contrast="auto">, </span><a href="https://www.eyewitness.global/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">eyeWitness to Atrocities</span></a><span data-contrast="auto">, and others.</span><span data-ccp-props="{}"> </span></p><p><span data-contrast="auto">Resources:</span><span data-ccp-props="{}"> </span></p><ul><li><a href="https://securedrop.org/ " target="_blank" rel="noopener noreferrer">SecureDrop</a></li><li><a href="https://www.torproject.org/ " target="_blank" rel="noopener noreferrer">The Tor Project</a></li><li><span data-contrast="auto">EFF: “</span><a href="https://www.eff.org/deeplinks/2024/02/privacy-isnt-dead-far-it" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Privacy Isn't Dead. Far From It.</span></a><span data-contrast="auto">"</span><span data-ccp-props="{}"> (Feb. 13, 2024)</span></li><li><span data-contrast="auto">Digital Dada Podcast: “</span><a href="https://youtu.be/w0K6rqQdr44?si=JJyM1yxTHI7vVlTg" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Combatting Digital Security Nihilism featuring Harlo Holmes</span></a><span data-contrast="auto">” (Dec. 20, 2023)</span><span data-ccp-props="{}"> </span></li><li><span data-contrast="auto">Reuters: “</span><a href="https://www.reuters.com/investigates/special-report/usa-spying-raven/" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Inside the UAE’s secret hacking team of American mercenaries</span></a><span data-contrast="auto">” (Jan. 30, 2019)</span><span data-ccp-props="{}"> </span></li></ul><p><span data-contrast="auto">What do you think of “How to Fix the Internet?” </span><a href="https://forms.office.com/pages/responsepage.aspx?id=qalRy_Njp0iTdV3Gz61yuZZXWhXf9ZdMjzPzrVjvr6VUNUlHSUtLM1lLMUNLWE42QzBWWDhXU1ZEQy4u&amp;web=1&amp;wdLOR=c90ABD667-F98F-9748-BAA4-CA50122F0423" target="_blank" rel="noopener noreferrer"><span data-contrast="none">Share your feedback here</span></a><span data-contrast="auto">.</span></p><h3><span data-ccp-props="259}">Transcript</span></h3><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> within the sphere of public interest journalism. The reason why it exists is because it holds truth to power and it doesn't have to be adversarial, although, that's our right as citizens on this planet, but it doesn't have to be adversarial. And over the tenure that I've had, I've seen so many amazing examples where affecting change through public interest journalism done right, with the most detail paid to the operational and digital security of an investigation, literally ended up with laws being changed and legislation being written in order to make sure the problem that the journalist pointed out does not happen again.<br />One of my favorites is with Reuters. They wrote a story about how members of the intelligence community in Washington DC, after they had left Washington DC, were being actively poached by intelligence services in the UAE.<br />So it would take, like, leaving members of the people working in Washington DC, place them in cushy intelligence jobs at the UAE in order to, like, work on programs that we know are like, surveillance heavy, antithetical to all of our interests, public interest as well as the interest of the United States government.<br />And when that reporting came out, literally like, uh, Congress approved a bill saying that you have to wait three years before you can go through that revolving door rotation. <br />And that's the trajectory that makes me the most proud to work where I do.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> That's Harlo Holmes talking about some of the critically important journalism that she is able to help facilitate in her role with the Freedom of the Press Foundation.<br />I'm Cindy Cohn, the executive director of the Electronic Frontier Foundation.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> And I'm Jason Kelley, EFF's activism director. This is our podcast, How to Fix the Internet.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> On this show, we flip the script from the dystopian doom and gloom thinking we all get mired in when thinking about the future of tech -- we're here challenge ourselves, our guests and our listeners to imagine the better future that we could be working towards. What can we look forward to if we dare to dream about getting things right?</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> Our guest today, Harlo Holmes, is the chief information security officer and the director of digital security at the Freedom of the Press Foundation where she teaches journalists how to keep themselves – and their sources – safe online.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> We started off by getting Harlo to explain exactly how the Freedom of the Press Foundation operates.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> What we do, I like to say, is a three-pillared approach to protecting press freedom in the 21st century. The first, absolutely most important is our advocacy team. So not only do we have a staff of lawyers and legal scholars that weigh in on First Amendment issues and protect them within the United States, we also have a fantastic advocacy team at our own little newsroom, the US Press Freedom Tracker, where we have reporters who, anytime members of the press have their right to perform their rightful function challenged, minimized, persecuted, et cetera, we have reporters who are there who report on it, and we stay with those cases for as long as it takes. <br />And that's something that we're incredibly proud of. That's just one pillar. The other pillars that we have, is our engineering wing. So perhaps you have heard of a tool called SecureDrop. In certain newsrooms all over the planet, it's actually installed in order to technologically enable, as much anonymity as, uh, technically possible. Between reporters at those newsrooms and members of the press at large who might want to be whistleblowers or just to, you know, like, uh, say hey to, a news outlet that they admire in a way that ensures their anonymity.<br />And then there is my small team. We are the digital security team. Uh, we do a lot of training, consulting, security audits, and other supports that we can provide to newsrooms, independent journalists, freelancers, documentary filmmakers, anyone who is making independent journalism in the public interest in order to do their job more safely and securely.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Yeah. I think this is a really important thing that the Freedom of the Press Foundation does. Specifically your piece of it, this kind of connective tissue between the people who are really busy doing the reporting and finding things out and the people who wanna give them information and making sure that this whole thing is protected in a secure way. And I appreciate that you put it third, but to me it's really central to how this whole thing works. So I think that's really important.<br />And of course, SecureDrop for, you know, old time EFF and digital rights people – we know that this piece of technology was developed by our friend Aaron Schwartz, before he passed away. And the Freedom Press Foundation has picked it up and really turned it from a good but small idea into something that is vital and in newsrooms all around the world.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yes. And thank you very, very much, for recognizing those particular achievements. SecureDrop has grown over the past, what, 12 years? I would say, into not only a tool that enables, the groundbreaking amount of journalism that has pretty much changed the trajectory of current events over the years that it's been developed, but also, represents increasing advances in technology around security that everyone on the planet benefits from. So for example, SecureDrop would not be anywhere were it not for its deep collaboration with the Tor Project, right? <br />And for all of us who pay attention to, digital security cryptography and, the intersection with human rights, you know, that the Tor Network is a groundbreaking piece of technology that not only provides, you know, anonymity on the internet in an increasingly, like, data-greedy environment, but also, like, represents, the ways that people can access parts of the internet in so many different innovative ways. And investigative journalism use in Secure drop is just one example of the benefits of like having Tor around and having it supported.<br />And so, that's one example. Another example is that, as people's interactions with computers change, uh, the way that we interface with browsers change the. Interplay between, you know, like using a regular computer and accessing stuff on mobile, that's changed, right?<br />And so our team has, like, such commendable intellectual curiosity in talking about these nuances and finding ways to make people's safety using all of these interfaces better. And so even though, we build Secure Drop in service of promoting public interest journalism, the way that it reverberates in technology is something that we're incredibly proud of. And it's all done in open source, right? Which means that anyone can access it. Anyone can iterate upon it, anyone can benefit from it.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Yeah, and it, and everyone can trust it. 'cause you know, you might not be able to read the code, but many people can. And so developing this trust and security, you know, they go hand in hand.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yes,</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> You use this term "data-greedy," which I really love. I've never heard that before.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> It's so good!</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> So you just created this incredible term "data-greedy" that I've never heard anyone use and I love and it's a good descriptor, I think of sort of like why journalists, but also everyone needs to be aware of like the tracks that they're leaving, the digital security practices that they use because it's not even necessarily the case that that data collection is intended to be harmful, but we just live in this environment where data is collected, where it's, you know, used sometimes intentionally to track people, but often just for other reasons. <br />Let's talk a little bit about that third pillar. What is it that journalists specifically need to think about in terms of security? I think a lot of people probably who have never done journalism, don't really think about the dangers of collecting information, of talking to sources of, you know, protecting that, how, how should they be thinking about it and what are the kinds of things that you talk to people about?</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Great question. First and foremost, I feel that our team at Freedom of the Press Foundation, leads every training with the assumption that a journalist's job is to tell the story in the most compelling and effective way. Their job is not to concern themselves with what data stewardship means.<br />What protection of digital assets means. That's our job. And so, we really, really lean into meeting people where they are and just giving them exactly what it is that they need to know in order to do this job better without putting undue pressure on them. And also without scaring the bejesus out of anyone. <br />Because when you do take stock of like how data greedy all of our devices are, it can be a little bit scary to the point of making people feel disempowered. And so we always want to avoid that.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> What are some techniques you use to try to avoid that? 'Cause I think that's really central to a lot of work that we're trying to do to try to get people, beyond what I think my colleague, Eva Galperin called “privacy nihilism. I'm not sure if she started it. She's the one who I heard it from.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> I probably have heard that from her as well. I love, Eva and, uh, she has been so instrumental in the way that I think through these issues over the past like decade so yeah, digital security nihilism is 100% a thing.<br />And, perhaps maybe later we can get into like the regional contours of that because people in the United States have or exhibit a certain amount of nihilism. And then if you talk to people in like Central and Eastern Europe, it's a different way. If you talk to people in Latin America and South America, it's a different way.<br />So having that perspective actually like really helps the contours around how you approach people in digital security education and training..</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Oh please, tell us more. I'm fascinated by this.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> OK, so, I do want to come back to your original question, but, that said, I can definitely do a detour into the historicity of, um, digital security nihilism and how it interplays with where you are on the planet. <br />It's all political and in the United States we have, well, even though we're currently like in a bit of a, or in a bit of a, in a crisis mode, where we are absolutely looking at, you know, like our rights to privacy, the concessions that we make, our prominence in building these technologies and thus having a little bit of, like, insider knowledge of what the contours are.<br />Uh, if you compare that to the digital security protections of people who are in, let's say, you know, like Central or Eastern Europe, where, historically, they have never had or not for, you know, like decades, um, if not even like, you know, a hundred years. Um, that access to transparency about what's being done to their data and also transparency into how that data has been taken away from them because they didn't have a seat at the table.<br />if you look at places in, Latin America, Central America, South America, there are plenty of places where loss of digital security also comes hand in hand with loss of physical security, right? Like speaking to someone over the phone can often, especially where journalists are considered, will often come with a threat of physical violence, often to the most extreme. Right. So, yeah, exactly. Which is, you know, according to, um, so many, you know, like academics and scholars who focus on press freedom, know that, that that is one of the most dangerous places on the planet to be a journalist because failures in digital security can often come with literally, you know, like being summarily executed, right? So, every region on this planet has their own contours. It is constantly a fascinating challenge and one that I'm willing to meet in order to understand these contexts and to appropriately apply the right digital security solutions to the audiences that we find ourselves in front of.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Yeah. Okay. Back to my original question, sorry.<br /></span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Go for it.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> Well, what, what is, I mean, did we get to the point? I don't think we really covered yet, really the basics of, like, what journalists need to think about in terms of their security. I mean, that's, you know, I, I, I love talking about privacy nihilism and how we can fight it, but, um, we would talk for three hours if we did that.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yeah. Um, so quite frankly, one of the things that we're leaning most heavily on, and this is pretty much across the board, right, has to do with compartmentalization. I feel that, uh, recently within the United States, it's become really like technicolor to people. So they understand exactly why that's important, but it's always been important and it's always like something that you can apply everywhere.<br />There's always historically been attention as, uh, since the very moment the first iPhone stepped onto the market, this temptation to go the easy route. Everything is on the same device. You're calling your mom. You're, you know, like researching a flight on Expedia. You're, you know, Googling something. And then you're also talking to a source about a sensitive story, or you're also like, you know, gonna like, go through the comments in the Google Doc on the report that you're writing regarding a national security issue. <br />People definitely do need to be encouraged to like decouple the ways that they treat devices because these devices are not our friends. And the companies that like, create the experiences on these devices, they are definitely not our friends. They never have been. <br />But I hear you on that and, uh, reminding people, despite their digital security nihilism, despite their temptation to do the easiest of things, just reminding people to apply appropriate compartmentalization. <br />We take things very slowly. We take things as easily as we possibly can because there are ways that people can get started in order to, actually be effective at this until they get to the point where it actually means something either to their livelihoods or the story that they're working on and that of the sources that they, interact with. But yeah, that's pretty much where it starts. <br />Also, credential security is like the bread and butter. And I've been at this for, almost exactly 10 years at FPF and, you know, within this industry for about 15. <br />And it never changes that people really, really do need to maintain as much rigor regarding how people access their accounts. So like, you gotta have a unique, complex password. You have to be using a password manager. You have to be using multifactor authentication. And the ways that you can get it have changed over the years and they get better and better and better.<br />You have to be vigilant against phishing, but the ways that people try to phish you are like, you know, increasingly, like, sneakier. You know, we deal with it as it comes, but ultimately that has never changed. It really hasn't.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> So we've, we've talked a little bit about kind of the nihilism and the kind of, thicket of things that you have to kind of make your way through in order to, help, journalists and their sources feel more secure. So let's flip it a bit. What does it look like if it's better? What are the kinds of places where you see, you know, if we could get this right, it would start to get better?</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> I love this question because I do feel that I've been able to look at it from multiple sides. Similarly, as I was describing how Secure Drop not only enables impactful public interest journalism, it represents a herculean feat of cryptography and techno activism. This is one example, Signal is another example.<br />So, one of the things I thought was so poignant when, as Joe Biden was exiting the White House, one of his, like, parting shots was to say like, everyone should use Signal. Like, and the reason why he says this is because, Signal not only represents like a cool app or like, you know, a thing that, like, hackers love and you know, like we can be proud of 'cause we got in on the first floor.<br />It represents the evolution of technologies that we should have. Our phone conversations had not been encrypted. Now they are. Get with it. You know, like that's the point. So from a technical perspective, that's what is so important and that's something that we always want to position ourselves to champion.<br /><br /><strong>JASON KELLEY:</strong> Let's take a quick moment to say thank you to our sponsor. How to Fix The Internet is supported by the <a href="https://sloan.org/programs/public-understanding/" target="_blank" rel="noopener noreferrer">Alfred P. Sloan Foundation's program in Public Understanding of Science and Technology</a>, enriching people's lives through a keener appreciation of our increasingly technological world and portraying the complex humanity of scientists, engineers, and mathematicians.<br />We also wanna thank EFF members and donors. You can become a member for just $25 and for a little more, you can get some good, very stylish gear. Your support is the reason we can keep our digital security guides for journalists, and everyone else, up to date to deal with the latest threats. So please, if you like what we do, go to eff.org/pod to donate. <br />We also wanted to share that our friend Cory Doctorow has a new podcast. Listen to this. <br />[<a href="https://podcasts.apple.com/ca/podcast/understood-who-broke-the-internet/id1673817105" target="_blank" rel="noopener noreferrer">Who Broke the Internet</a> trailer]</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> And now back to our conversation with Harlo Holmes.<br />Are there tools that are missing that, in a better world you're like, oh, this would be great to have, you know, or things that maybe couldn't exist without changes to technology or to the way that people, work or to policy that you just absolutely hear, you know, oh, it would be nice if we could do this, but for whatever reason, that's not a place we're at yet.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yeah. Actually I have started to have a couple of conversations about that. Um, before I answer, I will say that I don't have, like, the bandwidth or time to be a technologist. Um, it's like my code writing days are probably over, but I have so many opinions.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> Of course. So many ideas.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yeah. Um - </span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Well, we're your audience, right? I mean, you know, the EFF audience are people who, you know, uh, not overwhelmingly, um, but a lot of people with technical skills who are trying to figure out, okay, how do I, how do I apply them to do good? And, and, and I think, you know, over the years we've seen a lot of really well-meaning efforts by technologists to try to do something to support other communities that weren't grounded enough in those communities, and so didn't really work. <br />And I think your work at Freedom of the Press Foundation, again, has kind of bridged that gap, especially for journalists. But there's, there's broader things. so where else could you see places where technologists could really dig in and have this work in a way that sometimes it does, but often it doesn't.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> I love that question because that is exactly the point, right? Bridging the gap. And I feel that like at FPF, given, you know how I introduce it with like the three pillars or whatever, we are uniquely poised in order to perform, like, you know, user research within a community, right? And then have that directly inform technology mandates, have that directly inform advocacy, uh, like, you know, charge to action.<br />So I think anyone who finds themselves at those cross sections, that's exactly what you have to kind of, like, strategize around in order to be as effective as possible. In terms of, like, actual technologies, one thing and I already kind of started having these conversations with people, is let's take our relationship within a typical newsroom to cloud services like Google when you are drafting, right? I mean it's anecdotal and like the plural anecdote is not data, right. But that said, we do know that given that, you know, Google's Drive has so much machine learning and AI enabled power, drafting a story that's like the next Watergate, right? Like that's actually going to get you put in jail before you get to publish, right?<br />Because we know about their capabilities. And, not gonna, like, talk about specific anecdotes, but like that is a thing, right? But one of the things, or like the big contention is that actually, like, in terms of collaboration, how effective you can be writing a story, how like, you know, you rely on the comments section with your editor, right, as you're, you know, massaging a story. You rely on those features as much. <br />What are 0pen source, like, you know, hacker ethos alternatives. We have, you know, we have <a href="https://nextcloud.com/" target="_blank" rel="noopener noreferrer">Nextcloud</a>, we have uh, <a href="https://cryptpad.fr/" target="_blank" rel="noopener noreferrer">CryptPad</a>, we have <a href="https://etherpad.org/" target="_blank" rel="noopener noreferrer">Etherpad</a>. But all of those things are insufficient not only, like, in terms of their feature set in what needs to be accommodated in order for a journalist to work, right, but also, can be insufficient in terms of their sustainability models, the fact that we can rely upon them in the future. And as much as we love all of those people at those developer initiatives, no one is supporting them to make sure that they can be in a place to be a viable alternative, right? <br />So, what's the next frontier, right? If I don't want to live in a world where a Nextcloud doesn't exist, where a CryptPad doesn't exist, or an Etherpad, like that's not what I'm saying, 'cause they're fantastic and they're really great to use in creative scenarios. <br />However, if you're thinking about the meat and potatoes day to day in a typical newsroom, and you have to contend with a tech giant like Google that has become increasingly, like, ideologically unreliable. Guess what? They actually do have a really cool tool called client side encryption, right? So now you're actually, like, removing the people who decide at Google what is ideologically acceptable use of their tools, right? You're removing them from the position where they can make any decision or scrutinize further and client side encryption.<br />Or like anything that provides end-to-end encryption, that is like the ultimate goal. That's what we should protect. Whether it is in Secure Drop, whether it is in Nextcloud or CryptPad, or if it's in Google itself. And so actually, I would recommend, like, anybody who has these spare cycles to contribute to a developer effort to tackle this type of middleware that allows us to still have as much autonomy as possible within the ecosystems that we have to kind of work within.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> I love that. I mean, it’s a story about interoperability, right? This, you know, what you're talking about, middleware in this area is like, we should be able to make a choice. Either use things that are not hosted corporately or use things that are hosted corporately, but be able to have our cake and eat it too.<br />Have a tool that helps us interoperate with that system without the bad parts of the deal, right. And in this instance, the bad parts of the deal are a piece of it, it’s the business model, but a piece of it is just compliance with, with government in a way that the, the company, is increasing, you know, used to fight. They still fight some.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> They still fight, yes.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> They might fight, yes, but they also don't have the ability to fight that much. We might wanna go to something that's a little, that, that gives them the ability to say, look, we don't have access to that information. Just like Apple doesn't have access to the information that's stored on your iPhone. They made a policy decision to protect you. </span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> But now we're looking at what happened in the UK, and we’re like, hm.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Exactly, but then the government has to act, you know, so it's always a fight on the technical level, and on the policy level, sadly. I wish that encryption we could, you know, fix with just technology. But we need other forms of protection. but I love this idea of having so many options, you know, some that are decentralized, some that are hosted, you know, in the nonprofit world, some that might be publicly supported, and then some that are the corporate side, but with the protections that we need. <br />And I just feel like we need all of the above. Anybody who asks you to choose between these strategies is kind of getting you caught in a side fight when the main fight is how do we get people the privacy that they need to do their work?</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yeah. Yeah. And one of the things that gives me the most hope is, continuing to fight in a space where we are all about the options. <br />We're all about giving people options and being as creative as possible and building options for everyone.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> What else gives you hope? Because you've been at Freedom of the Press for a while now, and we're at a difficult time in a lot of ways, but I assume there are other things that you've, you know, seen change over the years in a positive way, right? Because it feels too easy to say, look, things are getting dire, because in many ways they are. But, but what else gives you hope, given how long you've been working on this issue?</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> I actually, I love really thinking through the new challenges of other types of media that is represented. So much of my career had been, pretty much centered around traditional print and/or digital. However, I am so enthusiastic about being alongside, like, podcasters and YouTube creators as they navigate these new challenges and also understand, like, the long history of media theory, where we've gone as an industry in order to understand how it applies to them.<br />So one thing that I thought was pretty cool was having a conversation, recently, with a somewhat influential, TikTok person about class consciousness in regards to whether or not people who are influencers should actually start considering themselves as journalists legitimately.<br />And one of the things that I mentioned had to do with the fact that, you know, like in the 2010s, bloggers were not considered quote unquote journalists, and yet blogging has become one of the most influential, even like from a financial perspective, like, drivers within this market. So influencers should not consider themselves anything other than journalists, because their fights are – especially like when, you know, platforms get involved and like what their economic model looks like and their, you know, integrity and ethos within journalism – like, that's the media history that we are building right now. So that excites me.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Oh, that's great. You know, EFF was involved in some of the early cases about whether bloggers could be protected by journalism shield laws, we had a case called <a href="https://www.eff.org/cases/apple-v-does" target="_blank" rel="noopener noreferrer"><em>Apple v. Does</em></a> a long time ago that, uh, that helped establish that in the state of California. But I, I really love helping, kind of, new media think of itself as media. <br />And also, I mean, the way that I always think about it is, it's not whether you're a journalist, it's whether you're doing journalism, right? It's the verb part. and that, different framing than I think helps break people out of the mold of, well, I do some stuff that's just kind of silly, and that might not be journalism, but if you're bringing news to the public, if you're bringing information to the public that the public wants, even if it's in a fashion context, like, that's journalism and it should have, uh, you should think of yourself that way because there is this rich history of how we protect that and how important that is to society, not just about the kind of hard political issues, but actually, you know, in creating and shaping and managing our culture as well.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Mm-hmm. I agree 100%.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> How did you end up doing this kind of digital security work specifically for journalists? Did you make an intentional choice at some point that you wanted to help journalists, or have you sort of found yourself here and it's just incredible, important work?</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> A little bit of both. I'm an avid media consumer who cares a lot about media history, and in undergraduate school I studied comparative literature, which is all based off of the fact that the media itself has its own unique power. And the way that it is expressed says way more than what is actually said.<br />And I've always found that to be the most important thing to do. As far as technology is concerned, as any young inquisitive person might do, I got into coding like so hardcore and, it wasn't until I was in grad school that I discovered, via a class with this fantastic person, <a href="https://cyber.harvard.edu/people/nfreitas" target="_blank" rel="noopener noreferrer">Nathan Freitas</a>, who's a Harvard, uh, Berkman Fellow Emeritus, and also the head of the <a href="https://guardianproject.info/" target="_blank" rel="noopener noreferrer">Guardian Project</a>, where he opened my eyes to the fact that like the code that you're writing, just like, you know, for fun or whatever, like you can actually use this to defend human rights.<br />And so it was kind of the culmination of those ideas that led me through, like, a couple of things. Like, um, I was an open news fellow at, um, the New York Times for about a year where I worked with the computer assisted reporting team and that was really impressive. And that was the first time where I got to see how people will, like, scrape a webpage in order to write an investigative story.<br />And I was like, wow, people do that that's so cool! And then also because I was hanging out with like Nathan and other folks, um, I was the, the one of the kids in the newsroom floor who knew what Tor was, they're like, that's cool. How do we use this in journalism? I'm like, well, I got ideas. And that's how, kind of how my career got started.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> That's so great. Nathan's an old friend of EFF. That's so fun to hear the tentacles of how, you know, people inspire other people. Inspire other people. I think that's part of the fun story of digital rights.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Yeah, yeah. I agree. I think anyone is super duper lucky to understand not only like the place that you occupy right now, but also where it sits within, like, a long history. And, I also really love, any experience where I get to kind of touch people with that as well.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Nice. Ooh, that's a nice place to end. What do you think, Jason?</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> That sounds great. Yeah. And think of all the people who are saying the same thing about you now that you're saying about Nathan. Right. It never stops.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> It shouldn't ever stop. It shouldn't. This is our history.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Oh, Harlo, thank you so much for coming and spending time with us. It's just been a delight to talk to you and good luck going forward. The times really need people like you.</span></p><p><span data-ccp-props="{}"><strong>HARLO HOLMES:</strong> Thank you so much. Um, it's always a pleasure to talk to you and, um, I love your pod. I love the work that you do, and I'll, you know, see you next time.<br /><br /><strong>JASON KELLEY:</strong> Well, I'm really glad that we got a chance to talk to Harlo because these conversations with folks who work in these, um, specific areas with people are really helpful when, you know, it's not our job every day to talk to journalists, just like it's not our job every day to talk to specific advocates about specific issues. But you learn exactly what the kinds of things are that they think about and what we need to get things right and what it'll look like if we do get things right for journalists or, or whomever it is.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Yeah, and I think the thing that I loved about the conversation is the stuff that she articulated is stuff that will help all of us. You know, it's a particular need for journalists. But when, you know, when we asked her, you know, what kind of tools need to exist, you know, she pointed, you know, not only to the open source decentralized tools like Ether Pad and things like that, but to basically an interoperability issue that making Google Docs secure, so that Google doesn't know what you're saying on your Google Docs. And I would toss Slack in there as well. That, you know, taking the tools that people rely on every day and building in things that make them secure against the company and against government coming and strong arming the company into giving them information, like that's a tool that will be really great for journalists, and I can see that. It'll also help all the rest of us.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> Yeah.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> And the, you know, the other thing she said when she was giving, you know, what advice do you give to journalists, like off the top? She said, well, use separate devices for the things that you're doing and don't have everything on one device, you know, because, uh, I think I love the, what she say, they're data-hungry? </span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> Data-greedy.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Data-greedy, even better. That our devices are data greedy. So separating them gives us something. That's a useful piece of information for anyone who’s in activism.</span></p><p><span data-ccp-props="{}"><strong>JASON KELLY:</strong> Yeah. And so, I mean, I, I wanna say easy. It's not always simple to have two devices, but the idea that the solution wasn't something more complicated. It reminds me that often the best advice is something that's fairly simple and that really, you know, anyone who has the ability and the money could have multiple devices and, and journalists are no different.<br />So it reminded me also that, you know, when we're working on things like our surveillance, self-defense guides, it's helpful to remember that, like Harlo said, her job is to make the journalist’s job easy, right? They shouldn't have to think about this stuff. And that's how sort of the spirit of the guides that we write as well.<br />And that was just a really good reminder that sometimes you feel like you're trying to convince everyone, or explain to them how all these tools work and actually it might be better to think about, well, you shouldn't have to understand all of this deeply like I do. In some cases you just need to know that this works and that's what you need to use.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Yeah, I think that's right and I, you know, obviously, you know, ‘just go out and buy a second device’ isn't advice that we would give to people in parts of the world where that's a really a prohibitive suggestion. But there are many parts of the world, and journalists, many of them, live in them, where it is actually not that hard a thing to do to get yourself a burner phone or get a simpler phone for your work, rather than having to try to, you know, configure one device to really support all of those things. <br />And turning on two FA right? Turning on two factor authentication. Another thing that is just good advice for anybody. So, you know, what I'm hearing is that, you know, if we build a place that is better for journalists, it's better for all of us and vice versa. If we build a world that's better for all of us, it's also better for journalists. So, I really liked that. I also really liked her articulating and lifting up the role that the Tor project plays in what they do with Secure Drop. What they do to try to help protect journalists who have, uh, confidential sources.<br />Because we're, again, as we're looking into all of these various tools that help create a better future, a more secure future, we're discovering that actually open source tools, like Tor, underlie many different pieces of the better world. And so we're starting to see kind of the network for good, right, the conspiracy for good of a lot of the open source security projects. </span></p><p><span data-ccp-props="{}"><strong>JASON KELLEY:</strong> I didn't really realize when we were putting together these guests for this season, how interconnected they all were, and it's been really wonderful to hear everyone lift everyone else up. They really do all depend on one another, and it is really important to see that for the people who maybe don't think about it and use these tools as one-offs, right?</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> Yeah. And I think as those of us who are trying to make the internet better, recognizing that we're all in this together, so as we're headed into this time, where we're seeing a lot of targeted attacks on different pieces of a secure world. You know, recognizing that these things are interconnected and then building strength from there seems to me to be a really important strategy.<br /><br /><strong>JASON KELLEY:</strong> And that's our episode for today. If you have feedback or suggestions, we'd love to hear from you. Visit eff.org/podcast and click on listener feedback. And while you're there, you can become a member and donate, maybe even pick up some of the merch, and just see what's happening in digital rights this week and every week.<br />Our theme music is by Nat Keefe of Beat Mower with Reed Mathis, and How to Fix the Internet is supported by the Alfred P SLoan Foundation's program and public understanding of science and technology. We'll see you next time. I'm Jason Kelley.</span></p><p><span data-ccp-props="{}"><strong>CINDY COHN:</strong> And I'm Cindy Cohn.</span></p><p><span data-ccp-props="{}"><em><strong>MUSIC CREDITS:</strong> This podcast is licensed creative commons attribution 4.0 international, and includes the following music licensed creative commons attribution 3.0 unported by its creators: Drops of H2, The Filtered Water Treatment by Jay Lang. Sound design, additional music and theme remixes by Gaetan Harris.</em><br /></span></p><p><span data-ccp-props="{}"></span></p> </div></div></div></description> <pubDate>Wed, 18 Jun 2025 07:05:11 +0000</pubDate> <guid isPermaLink="false">110798 at https://www.eff.org</guid> <category domain="https://www.eff.org/how-to-fix-the-internet-podcast">How to Fix the Internet: Podcast</category> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <category domain="https://www.eff.org/issues/end-end-encryption">End-to-End Encryption</category> <dc:creator>Josh Richman</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/2025-htfi-harlo-blog.png" alt="How to Fix the Internet - Harlo Holmes - Securing Journalism on the ‘Data-Greedy’ Internet" type="image/png" length="515257" /> </item> <item> <title>Betting on Your Digital Rights: EFF Benefit Poker Tournament at DEF CON 33</title> <link>https://www.eff.org/deeplinks/2025/06/betting-your-digital-rights-eff-benefit-poker-tournament-def-con-33</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Hacker Summer Camp is almost here... and with it comes the Third Annual EFF Benefit Poker Tournament at <a href="https://www.eff.org/event/eff-def-con-33" target="_blank" rel="noopener noreferrer">DEF CON 33</a> hosted by security expert <a href="https://infosec.exchange/@Tarah" target="_blank" rel="noopener noreferrer">Tarah Wheeler</a>.</p><p>Please join us on Friday, August 8th, at high noon at our new location: Planet Hollywood Poker Room. The fees haven’t changed; it’s still $250 to register plus $100 the day of the tournament with unlimited rebuys. (AND all players will receive a complimentary EFF Titanium Level Membership for the year.)</p><p>Tarah Wheeler—EFF board member and resident poker expert—has been working hard on the tournament since last year! We will have Lintile as emcee this year and there's going to be bug bounties! When you take someone out of the tournament, they will give you a pin. Prizes—and major bragging rights—go to the player with the most bounty pins. Be sure to <a href="https://supporters.eff.org/civicrm/event/register?id=497&amp;reset=1" target="_blank" rel="noopener noreferrer">register today</a> and see lintile in action!</p><p>Did we mention there will be Celebrity Bounties? Knock out Wendy Nather, Chris “WeldPond” Wysopal, Jake “MalwareJake” Williams, Bryson Bort, Allan Friedman and get neat EFF swag and the respect of your peers! Plus, as always, knock out Tarah's dad Mike, and she donates $250 to the EFF in your name!</p> <p></p><center><strong>EFF Benefit Poker Tournament at DC33 </strong><br /><strong>Planet Hollywood Poker Room</strong><br /><strong>3667 Las Vegas Blvd South, Las Vegas, NV 89109</strong><br /><strong>Friday, August 8, 12:00 pm</strong></center><center><strong></strong></center><br /><p class="take-action"><a href="https://supporters.eff.org/civicrm/event/register?id=448&amp;reset=1">Register Now</a></p><p class="take-explainer"><strong>Find Full Event Details and Registration</strong></p><p>Have a friend that might be interested but not sure how to play? Have you played some poker before but could use a refresher? Join poker pro Mike Wheeler (Tarah’s dad) and celebrities for a free poker clinic from 11:00 am-11:45 am just before the tournament. Mike will show you the rules, strategy, table behavior, and general Vegas slang at the poker table. Even if you know poker pretty well, come a bit early and help out.</p><p><a href="https://supporters.eff.org/civicrm/event/register?id=448&amp;reset=1" target="_blank" rel="noopener noreferrer">Register today</a> and reserve your deck. Be sure to invite your friends to join you!</p><p> </p> </div></div></div></description> <pubDate>Tue, 17 Jun 2025 05:17:14 +0000</pubDate> <guid isPermaLink="false">110793 at https://www.eff.org</guid> <dc:creator>Melissa Srago</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/poker-dogs-1.jpg" alt="Dogs playing at the EFF Benefit Poker Tournament table" type="image/jpeg" length="305538" /> </item> <item> <title>Connectivity is a Lifeline, Not a Luxury: Telecom Blackouts in Gaza Threaten Lives and Digital Rights</title> <link>https://www.eff.org/deeplinks/2025/06/connectivity-lifeline-not-luxury-telecom-blackouts-gaza-threaten-lives-and-digital</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>For the third time since October 2023, Gaza has faced a near-total telecommunications blackout—plunging over 2 million residents into digital darkness and isolating them from the outside world. According to Palestinian digital rights organization</span><a href="https://7amleh.org/post/total-internet-blackout-expands-across-gaza,-threatening-complete-telecommunications-collapse"> <span>7amleh</span></a><span>, the latest outage began on June 11, 2025, and lasted three days before partial service was </span><a href="https://www.france24.com/en/live-news/20250614-internet-restored-in-gaza-after-3-days-palestinian-telecom-official"><span>restored</span></a><span> on June 14. As of today, </span><a href="https://x.com/Hind_Gaza/status/1934515652242358536"><span>reports from inside Gaza</span></a><span> suggest that access has been cut off again in central and southern Gaza. </span></p><p><span>Blackouts like these affect internet and phone communications across Gaza, leaving journalists, emergency responders, and civilians unable to communicate, document, or call for help.</span></p><p><span>Cutting off telecommunications during an active military campaign is not only a violation of basic human rights—it is a direct attack on the ability of civilians to survive, seek safety, and report abuses. Access to information and the ability to communicate are core to the exercise of freedom of expression, press freedom, and the right to life itself.</span></p><p><span>The threat of recurring outages looms large. Palestinian digital rights groups warn of a complete collapse of Gaza’s telecommunications infrastructure, which has already been weakened by years of blockade, lack of spare parts, and now sustained bombardment.</span></p><p><span>These blackouts systematically silence the people of Gaza amidst a humanitarian crisis. They </span><span>prevent the documentation of war crimes</span><span>, hide the extent of humanitarian crises, and obstruct the global community’s ability to witness and respond.</span></p><p><span>EFF has </span><a href="https://www.eff.org/deeplinks/2024/03/access-internet-infrastructure-essential-wartime-and-peacetime"><span>long maintained </span></a><span>that governments and occupying powers must not disrupt internet or telecom access, especially during times of conflict. The blackout in Gaza is not just a local or regional issue—it’s a global human rights emergency.</span></p><p><span>As part of the campaign led by 7amleh to </span><a href="https://www.eff.org/deeplinks/2025/03/eff-joins-7amleh-campaign-reconnectgaza"><span>#ReconnectGaza</span></a><span>, we call on all actors, including governments, telecommunications regulators, and civil society, to demand an end to telecommunications blackouts in Gaza and everywhere. Connectivity is a lifeline, not a luxury. </span></p> </div></div></div></description> <pubDate>Mon, 16 Jun 2025 21:17:54 +0000</pubDate> <guid isPermaLink="false">110810 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/international">International</category> <dc:creator>Jillian C. York</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/gaza-2.jpg" alt="social media icon speaking about refugees, with war image background" type="image/jpeg" length="381027" /> </item> <item> <title>Google’s Advanced Protection Arrives on Android: Should You Use It?</title> <link>https://www.eff.org/deeplinks/2025/06/googles-advanced-protection-arrives-android-should-you-use-it</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>With this week’s </span><a href="https://blog.google/products/android/android-16/"><span>release of Android 16</span></a><span>, Google added a new security feature to Android, called Advanced Protection. At-risk people—like journalists, activists, or politicians—should consider turning it on. Here’s what it does, and how to decide if it’s a good fit for your security needs.</span></p><p><span>To get some confusing naming schemes clarified at the start: Advanced Protection is an extension of </span><a href="https://landing.google.com/intl/en_in/advancedprotection/"><span>Google’s Advanced Protection Program</span></a><span>, which protects your Google account from phishing and harmful downloads, and is not to be confused with Apple’s Advanced Data Protection, which enables end-to-end encryption for most data in iCloud. Instead, Google's Advanced Protection is more comparable to the </span><a href="https://ssd.eff.org/module/how-to-enable-lockdown-mode-on-iphone"><span>iPhone’s Lockdown Mode</span></a><span>, Apple’s solution to protecting high risk people from specific types of digital threats on Apple devices. <br /></span></p><p><span>Advanced Protection for Android is meant to provide stronger security by: enabling certain features that aren’t on by default, disabling the ability to turn off features that are enabled by default, and adding new security features. Put together, this suite of features is designed to isolate data where possible, and reduce the chances of interacting with unsecure websites and unknown individuals.</span></p><p><span>For example, when it comes to enabling existing features, Advanced Protection turns on </span><a href="https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#set-up-find-my-device-and-theft-protection-features"><span>Android’s “theft detection” features</span></a><span> (designed to protect against in-person thefts), forces Chrome to use HTTPS for all website connections (a feature we’d like to see expand to everything on the phone), enables scam and spam protection features in Google Messages, and </span><a href="https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#disable-2g"><span>disables 2G</span></a><span> (which helps prevent your phone from connecting to </span><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks"><span>some Cell Site Simulators</span></a><span>)</span><span>. You could go in and enable each of these individually in the Settings app, but having everything turned on with one tap is much easier to do.</span></p><p><span>Advanced Protection also prevents you from disabling certain core security features that are enabled by default, like Google Play Protect (Android’s built-in malware protection) and Android Safe Browsing (which safeguards against malicious websites).</span></p><p><span>But Advanced Protection also adds some new features. Once turned on, the “Inactivity reboot” feature restarts your device if it’s locked for 72 hours, which prevents ease of access that can occur when your device is on for a while and you have settings that could unlock your device. By forcing a reboot, it resets everything to being encrypted and behind biometric or pin access. It also turns on “USB Protection,” which makes it so any new USB connection can only be used for charging when the device is locked. It also prevents your device from auto-reconnecting to unsecured Wi-Fi networks.</span></p><p><span>As with all things Android, some of these features are limited to select devices, or only phones made by certain manufacturers. Memory Tagging Extension (MTE), which attempts to mitigate memory vulnerabilities by blocking unauthorized access, debuted on Pixel 8 devices in 2023 is only now showing up on other phones. These segmentations in features makes it a little difficult to know exactly what your device is protecting against if you’re not using a Pixel phone. <br /></span></p><p><span>Some of the new features, like the ability to generate security logs that you can then share with security professionals in case your device is ever compromised, along with the aforementioned insecure network reconnect and USB protection features, won’t launch until later this year.</span></p><p><span>It’s also worth considering that enabling Advanced Protection may impact how you use your device. For example, Advanced Protection disables the JavaScript optimizer in Chrome, which may break some websites, and since Advanced Protection blocks unknown apps, you won’t be able to side-load. There’s also the chance that some of the call screening and scam detection features may misfire and flag legitimate calls.</span></p><h2><span>How to Turn on Advanced Protection</span></h2><p><span><img src="/files/2025/06/16/advancedprotection.png" width="2048" height="1993" alt="screenshots of Android's Advanced Protection page" title="screenshots of Android's Advanced Protection page" /></span></p><p><span>Advanced Protection is easy to turn on and off, so there’s no harm in giving it a try. Advanced Protection was introduced with Android 16, so you may need to </span><a href="https://support.google.com/android/answer/7680439?hl=en"><span>update your phone</span></a><span>, or wait a little longer for your device manufacturer to support the update if it doesn’t already. Once you’re updated, to turn it on:</span></p><ul><li><span>Open the </span><b><i>Settings</i></b><span> app.</span></li><li><span>Tap </span><b><i>Security and Privacy</i></b><span> &gt; </span><b><i>Advanced Protection</i></b><span>, and enable the option next to “Device Protection.” </span></li><li><span>If you haven’t already done so, now is a good time to consider enabling </span><a href="https://landing.google.com/advancedprotection/"><span>Advanced Protection</span></a><span> for your Google account as well, though you will need to enroll a </span><a href="https://ssd.eff.org/module/how-enable-two-factor-authentication#how-do-i-enable-2fa"><span>security key </span></a><span>or </span><a href="https://ssd.eff.org/module/how-enable-two-factor-authentication#what-about-passkeys"><span>a passkey</span></a><span> to use this feature.</span></li></ul><p><span>We welcome these features on Android, as well as the simplicity of its approach to enabling several pre-existing security and privacy features all at once. While there is no panacea for every security threat, this is a baseline that improves the security on Android for at-risk individuals without drastically altering day-to-day use, which is a win for everyone. We hope to see Google continue to push new improvements to this feature and for different phone manufacturer’s to support Advanced Protection where they don’t already.</span></p> </div></div></div></description> <pubDate>Mon, 16 Jun 2025 20:33:37 +0000</pubDate> <guid isPermaLink="false">110806 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/security-education">Security Education</category> <dc:creator>Thorin Klosowski</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/mobile-privacy.png" alt="" type="image/png" length="23559" /> </item> <item> <title>EFF to NJ Supreme Court: Prosecutors Must Disclose Details Regarding FRT Used to Identify Defendant</title> <link>https://www.eff.org/deeplinks/2025/06/eff-nj-supreme-court-prosecutors-must-disclose-details-regarding-frt-used-identify</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><em>This post was written by EFF legal intern Alexa Chavara.</em></p><p>Black box technology has no place in the criminal legal system. That’s why we’ve once again filed an amicus brief arguing that the both the defendant and the public have a right to information regarding face recognition technology (FRT) that was used during an investigation to identify a criminal defendant.</p><p>Back in June 2023, we filed an amicus brief along with Electronic Privacy Information Center (EPIC) and the National Association of Criminal Defense Lawyers (NACDL) in <a href="https://www.eff.org/deeplinks/2023/06/victory-new-jersey-court-rules-police-must-give-defendant-facial-recognition"><em>State of New Jersey v. Arteaga</em></a>. We argued that information regarding the face recognition technology used to identify the defendant should be disclosed due to the fraught process of a face recognition search and the many ways that inaccuracies manifest in the use of the technology. The New Jersey appellate court agreed, holding that state prosecutors must turn over detailed information to the defendant about the FRT used, including how it works, its source code, and its error rate. The court held that this ensures the defendant’s due process rights with the ability to examine the information, scrutinize its reliability, and build a defense.</p><p>Last month, partnering with the same organizations, we filed another amicus brief in favor of transparency regarding FRT in the criminal system, this time in the New Jersey Supreme Court in <em>State of New Jersey v. Miles</em>.</p><p>In <em>Miles</em>, New Jersey law enforcement used FRT to identify Mr. Miles as a suspect in a criminal investigation. The defendant, represented by the same public defender in <em>Arteaga</em>, moved for discovery on information about the FRT used, relying on <em>Arteaga</em>. The trial court granted this request for discovery, and the appellate court affirmed. The State then appealed to the New Jersey Supreme Court, where the issue is before the Court for the first time.</p><p>As explained in our amicus brief, disclosure is necessary to ensure criminal prosecutions are based on accurate evidence. Every search using face recognition technology presents a unique risk of error depending on various factors from the specific FRT system used, the databases searched, the quality of the photograph, and the demographics of the individual. <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7709.pdf">Study</a> after <a href="https://ieeexplore.ieee.org/document/8636231">study</a> shows that facial recognition algorithms are <a href="https://www.sciencedirect.com/science/article/abs/pii/S0364021302000848">not always reliable</a>, and that error rates <a href="https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8280.pdf">spike significantly</a> when involving faces of <a href="https://arxiv.org/pdf/1904.07325">people of color</a>, especially <a href="https://proceedings.mlr.press/v81/buolamwini18a/buolamwini18a.pdf">Black women</a>, as well as <a href="https://qz.com/1726806/facial-recognition-ai-from-amazon-microsoft-and-ibm-misidentifies-trans-and-non-binary-people">trans and nonbinary people</a>.</p><p>Moreover, these searches often determine the course of investigation, reinforcing errors and resulting in <a href="https://www.nytimes.com/2023/08/06/business/facial-recognition-false-arrest.html">numerous</a> <a href="https://www.freep.com/story/news/local/michigan/detroit/2020/07/10/facial-recognition-detroit-michael-oliver-robert-williams/5392166002/">wrongful</a> <a href="https://www.cnn.com/2021/04/29/tech/nijeer-parks-facial-recognition-police-arrest/index.html">arrests</a>, <a href="https://apnews.com/article/mistaken-arrests-facial-recognition-technology-lawsuits-b613161c56472459df683f54320d08a7">most often</a> of <a href="https://www.wired.com/story/face-recognition-software-led-to-his-arrest-it-was-dead-wrong/">Black</a> <a href="https://www.washingtonpost.com/technology/2021/04/13/facial-recognition-false-arrest-lawsuit/">folks</a>. Discovery is the last chance to correct harm from misidentification and to allow the defendant to understand the evidence against them.</p><p>Furthermore, the public, including independent experts, have the right to examine the technology used in criminal proceedings. Under the First Amendment and the more expansive New Jersey Constitution corollary, the public’s right to access criminal judicial proceedings includes filings in pretrial proceedings, like the information being sought here. That access provides the public meaningful oversight of the criminal justice system and increases confidence in judicial outcomes, which is especially significant considering the documented risks and shortcomings of FRT.</p> </div></div></div></description> <pubDate>Mon, 16 Jun 2025 19:56:29 +0000</pubDate> <guid isPermaLink="false">110805 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/face-surveillance">Face Surveillance</category> <category domain="https://www.eff.org/issues/street-level-surveillance">Street-Level Surveillance</category> <dc:creator>Hannah Zhao</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/face-recognition-banner_0_0.jpg" alt="This image shows a person&#039;s face with layers of pixelation throughout. " type="image/jpeg" length="182336" /> </item> <item> <title>Protecting Minors Online Must Not Come at the Cost of Privacy and Free Expression</title> <link>https://www.eff.org/deeplinks/2025/06/protecting-minors-online-must-not-come-cost-privacy-and-free-expression</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>The European Commission has taken an important step toward protecting minors online by releasing draft guidelines under Article 28 of the Digital Services Act (DSA). EFF recently submitted feedback to the Commission’s Targeted Consultation, emphasizing a critical point: Online safety for young people must not come at the expense of privacy, free expression, and equitable access to digital spaces.</span></p><p><span>We support the Commission’s commitment to proportionality, rights-based protections, and its efforts to include young voices in shaping these guidelines. But we remain deeply concerned by the growing reliance on invasive age assurance and verification technologies—tools that too often lead to surveillance, discrimination, and censorship.</span></p><p><span>Age verification systems </span><a href="https://www.eff.org/issues/digital-identity"><span>typically depend on government-issued ID</span></a><span> or biometric data, posing significant risks to privacy and shutting out millions of people without formal documentation. Age estimation methods fare no better: they’re inaccurate, especially for marginalized groups, and often rely on sensitive behavioral or biometric data. Meanwhile, vague mandates to protect against “unrealistic beauty standards” or “potentially risky content” threaten to overblock legitimate expression, disproportionately harming vulnerable users, including LGBTQ+ youth.</span></p><p><span>By placing a disproportionate emphasis on age assurance as a necessary tool to safeguard minors, the guidelines do not address the root causes of risks encountered by all users, including minors, and instead merely focus on treating their symptoms.</span></p><p><span>Safety matters—but so do privacy, access to information, and the fundamental rights of all users. We urge the Commission to avoid endorsing disproportionate, one-size-fits-all technical solutions. Instead, we recommend user-empowering approaches: Strong default privacy settings, transparency in recommender systems, and robust user control over the content they see and share.</span></p><p><span>The DSA presents an opportunity to protect minors while upholding digital rights. We hope the final guidelines reflect that balance.</span></p><p><span>Read more about digital identity and the future of age verification in Europe </span><a href="https://www.eff.org/deeplinks/2025/04/digital-identities-and-future-age-verification-europe"><span>here</span></a><span>.</span></p> </div></div></div></description> <pubDate>Mon, 16 Jun 2025 15:52:46 +0000</pubDate> <guid isPermaLink="false">110803 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/international">International</category> <category domain="https://www.eff.org/issues/digital-identity">Digital Identity</category> <category domain="https://www.eff.org/issues/lgbtq">LGBTQ+</category> <category domain="https://www.eff.org/issues/eu-policy">EU Policy</category> <dc:creator>Jillian C. York</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/ageverificationbanner.png" alt="Purple padlock with an 18+ only symbol and a combination lock requiring Day, Month, and Year. Surrounded by abstract purple dashed lines." type="image/png" length="1291379" /> </item> <item> <title>A New Digital Dawn for Syrian Tech Users</title> <link>https://www.eff.org/deeplinks/2025/06/new-digital-dawn-syrian-tech-users</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>U.S. sanctions on Syria have for several decades not only restricted trade and financial transactions, they’ve also severely limited Syrians’ access to digital technology. From software development tools to basic cloud services, Syrians were locked out of the global internet economy—stifling innovation, education, and entrepreneurship.</span></p><p><span>EFF has for many years pushed for sanctions exemptions for technology in </span><a href="https://www.eff.org/deeplinks/2011/09/stop-the-piecemeal-export-approach"><span>Syria</span></a><span>, as well as in </span><a href="https://www.eff.org/deeplinks/2015/02/success-general-license-allows-export-communications-tools-sudan?language=tr"><span>Sudan</span></a><span>, </span><a href="https://www.eff.org/deeplinks/2020/01/iranian-tech-users-are-getting-knocked-web-sanctions"><span>Iran</span></a><span>, and </span><a href="https://www.eff.org/deeplinks/2010/03/better-u-s-net-rules-iran-cuba-and-syria"><span>Cuba</span></a><span>. While civil society had early wins in securing general licenses for Iran and Sudan allowing the export of communications technologies, the conflict in Syria that began in 2011 made loosening of sanctions a pipe dream.</span></p><p><span>But recent changes to U.S. policy could mark the beginning of a shift. In a quiet yet significant move, the U.S. government has eased sanctions on Syria. On May 23, the Treasury Department issued </span><a href="https://home.treasury.gov/news/press-releases/sb0148"><span>General License 25</span></a><span>, effectively allowing technology companies to provide services to Syrians. This decision could have an immediate and positive impact on the lives of millions of Syrian internet users—especially those working in the tech and education sectors.</span></p><h3><b>A Legacy of Digital Isolation</b></h3><p><span>For years, Syrians have found themselves barred from accessing even the most basic tools. U.S. sanctions meant that companies like Google, Apple, Microsoft, and Amazon—either by law or by cautious decisions taken to avoid potential penalties—restricted access to many of their services. Developers couldn’t access GitHub repositories or use Google Cloud; students couldn’t download software for virtual classrooms; and entrepreneurs struggled to build startups without access to payment gateways or secure infrastructure.</span></p><p><span>Such restrictions can put users in harm’s way; for instance, not being able to access the Google Play store from inside the country means that Syrians can’t easily download secure versions of everyday tools like Signal or WhatsApp, thus potentially subjecting their communications to surveillance.</span></p><p><span>These restrictions also compounded the difficulties of war, economic collapse, and internal censorship. Even when Syrian tech workers could connect with global communities, their participation was hampered by legal gray zones and technical blocks.</span></p><h3><b>What the Sanctions Relief Changes</b></h3><p><span>Under </span><a href="https://home.treasury.gov/news/press-releases/sb0148"><span>General License 25</span></a><span>, companies will now be able to provide services to Syria that have never officially been available. While it may take time for companies to catch up with any regulatory changes, it is our hope that Syrians will soon be able to access and make use of technologies that will enable them to more freely communicate and rebuild.</span></p><p><span>For Syrian developers, the impact could be transformative. Restored access to platforms like GitHub, AWS, and Google Cloud means the ability to build, test, and deploy apps without the need for VPNs or workarounds. It opens the door to participation in global hackathons, remote work, and open-source communities—channels that are often lifelines for those in conflict zones. Students and educators stand to benefit, too. With sanctions eased, educational tools and platforms that were previously unavailable could soon be accessible. Entrepreneurs may also finally gain access to secure communications, e-commerce platforms, and the broader digital infrastructure needed to start and scale businesses. These developments could help jumpstart local economies.</span></p><p><span>Despite the good news, challenges remain. Major tech companies have </span><a href="https://www.eff.org/deeplinks/2014/06/sudan-tech-sanctions-harm-innovation-development-us-government-and-corporations-must-act"><span>historically been slow</span></a><span> to respond to sanctions relief, often erring on the side of over-compliance to avoid liability. Many of the financial and logistical barriers—such as payment processing, unreliable internet, and ongoing conflict—will not disappear overnight.</span></p><p><span>Moreover, the lifting of sanctions is not a blanket permission slip; it’s a cautious opening. Any future geopolitical shifts or changes in U.S. foreign policy could once again cut off access, creating an uncertain digital future for Syrians.</span></p><p><span>Nevertheless, by removing barriers imposed by sanctions, the U.S. is taking a step toward recognizing that access to technology is not a luxury, but a necessity—even in sanctioned or conflict-ridden countries.</span></p><p><span>For Syrian users, the lifting of tech sanctions is more than a bureaucratic change—it’s a door, long closed, beginning to open. And for the international tech community, it’s an opportunity to re-engage, responsibly and thoughtfully, with a population that has been cut off from essential services for too long.</span></p> </div></div></div></description> <pubDate>Thu, 12 Jun 2025 15:19:49 +0000</pubDate> <guid isPermaLink="false">110796 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/international">International</category> <category domain="https://www.eff.org/issues/export-controls">Export Controls</category> <category domain="https://www.eff.org/issues/free-speech">Free Speech</category> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>Jillian C. York</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/laptop-spying_0.png" alt="" type="image/png" length="11826" /> </item> <item> <title>EFFecting Change: Pride in Digital Freedom</title> <link>https://www.eff.org/deeplinks/2025/06/effecting-change-pride-digital-freedom</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Join us for our next EFFecting Change livestream this Thursday! We're talking about emerging laws and platform policies that affect the digital privacy and free expression rights of the LGBT+ community, and how this echoes the experience of marginalized people across the world.</p><p></p><center><strong>EFFecting Change Livestream Series:</strong><br /><strong>Pride in Digital Freedom</strong><br />Thursday, June 12th<br />4:00 PM - 5:00 PM Pacific - <a href="https://dateful.com/eventlink/1181420983">Check Local Time</a><br />This event is LIVE and FREE!<p><strong><em><a data-cke-saved-href="https://supporters.eff.org/civicrm/event/register?id=476&amp;reset=1" href="https://supporters.eff.org/civicrm/event/register?id=496&amp;reset=1" target="_blank" rel="noopener noreferrer"><img alt="RSVP Today" height="51" data-cke-saved-src="https://www.eff.org/files/2024/03/20/rsvptoday_0.png" src="https://www.eff.org/files/2024/03/20/rsvptoday_0.png" width="193" /></a></em></strong></p><p></p></center><p>Join our panel featuring EFF Senior Staff Technologist <a href="https://www.eff.org/event/effecting-change-pride-digital-freedom#Daly" target="_blank" rel="noopener noreferrer">Daly Barnett</a>, EFF Legislative Activist <a href="https://www.eff.org/event/effecting-change-pride-digital-freedom#Rin" target="_blank" rel="noopener noreferrer">Rindala Alajaji</a>, Chosen Family Law Center Senior Legal Director <a href="https://www.eff.org/event/effecting-change-pride-digital-freedom#Andy">Andy Izenson</a>, and Woodhull Freedom Foundation Chief Operations Officer <a href="https://www.eff.org/event/effecting-change-pride-digital-freedom#Mandy">Mandy Salley</a> while they discuss what is happening and what should change to protect digital freedom.</p><p><a href="https://supporters.eff.org/civicrm/event/register?id=496&amp;reset=1" target="_blank" rel="noopener noreferrer"><div class="media media-element-container media-default"><div id="file-57758" class="file file-image file-image-png" class="file file-image file-image-png"> <h2 class="element-invisible"><a href="/file/effectingchangepridesocialbannerpng">effectingchangepride_social_banner.png</a></h2> <div class="content"> <img style="display: block; margin-left: auto; margin-right: auto;" class="media-element file-default" data-delta="1" src="https://www.eff.org/files/effectingchangepride_social_banner.png" width="1200" height="600" alt="" /> </div> </div></div></a></p><p><a href="https://supporters.eff.org/civicrm/event/register?id=496&amp;reset=1" target="_blank" rel="noopener noreferrer">We hope you and your friends can join us live</a>! Be sure to spread the word, and share our past livestreams.<span> </span><a href="https://www.eff.org/EFFectingChangeRecordings" target="_blank" rel="noopener noreferrer">Please note that all events will be recorded for later viewing on our YouTube page</a>.</p><p><span class="NormalTextRun SCXW212089369 BCX0">Want to make sure you<span> </span></span><span class="NormalTextRun SCXW212089369 BCX0">don’t</span><span class="NormalTextRun SCXW212089369 BCX0"><span> </span>miss our next livestream?<span> </span></span><span class="NormalTextRun SCXW212089369 BCX0">Here’s</span><span class="NormalTextRun SCXW212089369 BCX0"><span> </span>a link to sign up for updates about this series:<span> </span><a href="https://www.eff.org/ECUpdates" target="_blank" rel="noopener noreferrer">eff.org/ECUpdates</a>.</span></p> </div></div></div></description> <pubDate>Thu, 12 Jun 2025 00:06:34 +0000</pubDate> <guid isPermaLink="false">110792 at https://www.eff.org</guid> <dc:creator>Melissa Srago</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/09_pride.png" alt="An orange tabby cat with yellow lightning markings in a blue spacesuit, wearing a jetpack, flying through pink and purple space. There are planets in the sky with colors representing a variety of pride flags." type="image/png" length="1051271" /> </item> <item> <title>Congress Can Act Now to Protect Reproductive Health Data</title> <link>https://www.eff.org/deeplinks/2025/06/congress-can-act-now-protect-reproductive-health-data</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>State, federal, and international regulators are increasingly concerned about the harms they believe the internet and new technology are causing to users of all categories. Lawmakers are currently considering many proposals that are intended to provide protections to the most vulnerable among us. Too often, however, those proposals do not carefully consider the likely unintended consequences or even whether the law will actually reduce the harms it’s supposed to target. That’s why EFF supports <a href="https://sarajacobs.house.gov/news/press-releases/rep-jacobs-sens-hirono-and-wyden-reintroduce-bill-to-protect-reproductive-and-sexual-health-data?adfadf">Rep. Sara Jacobs’ newly reintroduced “My Body, My Data" Act</a>, which will protect the privacy and safety of people seeking reproductive health care, while maintaining important constitutional protections and avoiding any erosion of end-to-end encryption. </span></p><p class="take-action"><a href="https://act.eff.org/action/congress-can-act-now-to-protect-reproductive-health-data">Take Action</a></p><p class="take-action take-explainer">Tell Congress to Protect Reproductive Health Data</p><p><span>Privacy fears should never stand in the way of healthcare. That's why this common-sense bill will require businesses and non-governmental organizations to act responsibly with personal information concerning reproductive health care. Specifically, it restricts them from collecting, using, retaining, or disclosing reproductive health information that isn't essential to providing the service someone requests.</span></p><p class="pull-quote"><span>The bill would protect people who use fertility or period-tracking apps or are seeking information about reproductive health services.</span></p><p><span>These restrictions apply to companies that collect personal information related to a person’s reproductive or sexual health. That includes data related to pregnancy, menstruation, surgery, termination of pregnancy, contraception, basal body temperature or diagnoses. The bill would protect people who, for example, use fertility or period-tracking apps or are seeking information about reproductive health services. </span></p><p><span>We are proud to join Planned Parenthood Federation of America, Reproductive Freedom for All, Physicians for Reproductive Health, National Partnership for Women &amp; Families, National Women’s Law Center, Center for Democracy and Technology, Electronic Privacy Information Center, National Abortion Federation, Catholics for Choice, National Council for Jewish Women, Power to Decide, United for Reproductive &amp; Gender Equity, Indivisible, Guttmacher, National Network of Abortion Funds, and All* Above All in support of this bill. </span></p><p><span>In addition to the restrictions on company data processing, this bill also provides people with necessary rights to access and delete their reproductive health information. Companies must also publish a privacy policy, so that everyone can understand what information companies process and why. It also ensures that companies are held to public promises they make about data protection and gives the Federal Trade Commission the authority to hold them to account if they break those promises. </span></p><p><span>The bill also lets people take on companies that violate their privacy with a strong private right of action. Empowering people to bring their own lawsuits not only places more control in the individual's hands, but also ensures that companies will not take these regulations lightly. </span></p><p><span>Finally, while Rep. Jacobs' bill establishes an important national privacy foundation for everyone, it also leaves room for states to pass stronger or complementary laws to protect the data privacy of those seeking reproductive health care. </span></p><p><span>We thank Rep. Jacobs and Sens. Mazie Hirono and Ron Wyden for taking up this important bill, <a href="https://www.congress.gov/bill/119th-congress/house-bill/3916?s=1&amp;r=2">H.R. 3916</a>, and using it as an opportunity not only to protect those seeking reproductive health care, but also highlight why data privacy is an important element of reproductive justice. </span></p><p class="take-action"><a href="https://act.eff.org/action/congress-can-act-now-to-protect-reproductive-health-data">Take Action</a></p><p class="take-action take-explainer">Tell Congress to Protect Reproductive Health Data</p> </div></div></div></description> <pubDate>Wed, 11 Jun 2025 22:58:14 +0000</pubDate> <guid isPermaLink="false">110794 at https://www.eff.org</guid> <dc:creator>India McKinney</dc:creator> <dc:creator>Hayley Tsukayama</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/repro-rights-hd-2.jpg" alt="a female figure with ultrasound revealing security icon" type="image/jpeg" length="371102" /> </item> <item> <title>Oppose STOP CSAM: Protecting Kids Shouldn’t Mean Breaking the Tools That Keep Us Safe</title> <link>https://www.eff.org/deeplinks/2025/06/oppose-stop-csam-protecting-kids-shouldnt-mean-breaking-tools-keep-us-safe</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>A Senate bill re-introduced this week threatens security and free speech on the internet. EFF urges Congress to reject the STOP CSAM Act of 2025 (</span><a href="https://www.congress.gov/bill/119th-congress/senate-bill/1829/text?s=1&amp;r=1&amp;q=%7B%22search%22%3A%22S.1829%22%7D"><span>S. 1829</span></a><span>), which would undermine services offering end-to-end encryption and force internet companies to take down lawful user content. </span></p><p class="take-action"><a href="https://act.eff.org/action/tell-congress-don-t-outlaw-encrypted-applications" target="_blank" rel="noopener noreferrer">TAKE ACTION</a></p><p class="take-explainer"><a href="https://act.eff.org/action/tell-congress-don-t-outlaw-encrypted-applications" target="_blank" rel="noopener noreferrer">Tell Congress Not to Outlaw Encrypted Apps</a></p><p><span></span></p><p><span>As in the version introduced </span><a href="https://www.eff.org/deeplinks/2023/04/stop-csam-act-would-put-security-and-free-speech-risk"><span>last Congress</span></a><span>, S. 1829 purports to limit the online spread of child sexual abuse material (CSAM), also known as child pornography. CSAM is already highly illegal. Existing law already requires online service providers who have actual knowledge of “apparent” CSAM on their platforms to report that content to the National Center for Missing and Exploited Children (NCMEC). NCMEC then forwards actionable reports to law enforcement agencies for investigation. </span></p><p><span>S. </span><span>1829 goes much further than current law and threatens to punish any service that works to keep its users secure, including those that do their best to eliminate and report CSAM. The bill applies to “interactive computer services,” which broadly includes private messaging and email apps, social media platforms, cloud storage providers, and many other internet intermediaries and online service providers. </span></p><h3>The Bill Threatens End-to-End Encryption</h3><p><span>The bill makes it a crime to intentionally “host or store child pornography” or knowingly “promote or facilitate” the sexual exploitation of children. The bill also opens the door for civil lawsuits against providers for the intentional, knowing or even reckless “promotion or facilitation” of conduct relating to child exploitation, the “hosting or storing of child pornography,” or for “making child pornography available to any person.” </span></p><p><span>The terms “promote” and “facilitate” are broad, and civil liability may be imposed based on a low recklessness state of mind standard. This means a court can find an app or website liable for hosting CSAM even if the app or website did not even know it was hosting CSAM, including because the provider employed end-to-end encryption and could not view the contents of content uploaded by users.</span></p><p><b>Creating new criminal and civil claims against providers based on broad terms and low standards will undermine digital security for all internet users.</b><span> Because the law already prohibits the distribution of CSAM, the bill’s broad terms could be interpreted as reaching more passive conduct, like merely providing an encrypted app. </span></p><p><span>Due to the nature of their services, encrypted communications providers who receive a notice of CSAM may be deemed to have “knowledge” under the criminal law even if they cannot verify and act on that notice. And there is little doubt that plaintiffs’ lawyers will (wrongly) argue that merely providing an encrypted service that can be used to store any image—not necessarily CSAM—recklessly facilitates the sharing of illegal content. </span></p><h3><b>Affirmative Defense Is Expensive and Insufficient </b></h3><p><span>While the bill includes an affirmative defense that a provider can raise if it is “technologically impossible” to remove the CSAM without “compromising encryption,” it is not sufficient to protect our security. Online services that offer encryption shouldn’t have to face the impossible task of proving a negative in order to avoid lawsuits over content they can’t see or control. </span></p><p><span>First, by making this protection an affirmative defense, providers must still defend against litigation, with significant costs to their business. Not every platform will have the resources to fight these threats in court, especially newcomers that compete with entrenched giants like Meta and Google. Encrypted platforms should not have to rely on prosecutorial discretion or favorable court rulings after protracted litigation. Instead, specific exemptions for encrypted providers should be addressed in the text of the bill. </span></p><p><span>Second, although technologies like </span><a href="https://www.eff.org/deeplinks/2019/11/why-adding-client-side-scanning-breaks-end-end-encryption"><span>client-side scanning break encryption</span></a><span>, </span><span>members of Congress have </span><a href="https://www.eff.org/document/earn-it-act-myths-and-facts-document"><span>misleadingly claimed otherwise. </span></a><span>Plaintiffs are likely to argue that providers who do not use these techniques are acting recklessly, leading many apps and websites to scan all of the content on their platforms and remove any content that a state court could find, even wrongfully, is CSAM.</span></p><p class="take-action"><a href="https://act.eff.org/action/tell-congress-don-t-outlaw-encrypted-applications" target="_blank" rel="noopener noreferrer">TAKE ACTION</a></p><p class="take-explainer"><a href="https://act.eff.org/action/tell-congress-don-t-outlaw-encrypted-applications" target="_blank" rel="noopener noreferrer">Tell Congress Not to Outlaw Encrypted Apps</a></p> <h3><b>The Bill Threatens Free Speech by Creating a New Exception to Section 230 </b></h3><p><span>The bill allows a new type of lawsuit to be filed against internet platforms, accusing them of “facilitating” child sexual exploitation based on the speech of others. It does this by creating an exception to </span><a href="https://www.eff.org/issues/cda230"><span>Section 230</span></a><span>, the foundational law of the internet and online speech. </span><a href="https://www.eff.org/issues/cda230"><span>Section 230</span></a><span> provides partial immunity to internet intermediaries when sued over content posted by their users. Without that protection, platforms are much more likely to aggressively monitor and censor users.</span></p><p>Section 230 creates the legal breathing room for internet intermediaries to create online spaces for people to freely communicate around the world, with low barriers to entry. However, creating a new exception that exposes providers to more lawsuits will cause them to limit that legal exposure. Online services will censor more and more user content and accounts, with minimal regard as to whether that content is in fact legal. Some platforms may even be forced to shut down or may not even get off the ground in the first place, for fear of being swept up in a flood of litigation and claims around alleged CSAM. On balance, this harms all internet users who rely on intermediaries to connect with their communities and the world at large. </p> </div></div></div></description> <pubDate>Tue, 10 Jun 2025 23:08:57 +0000</pubDate> <guid isPermaLink="false">110788 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/end-end-encryption">End-to-End Encryption</category> <category domain="https://www.eff.org/issues/privacy">Privacy</category> <dc:creator>India McKinney</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/keys-crossed-pink-starburst_0.png" alt="" type="image/png" length="20659" /> </item> <item> <title>Despite Changes, A.B. 412 Still Harms Small Developers</title> <link>https://www.eff.org/deeplinks/2025/06/despite-changes-ab-412-still-harms-small-developers</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>California lawmakers are continuing to promote a bill that will reinforce the power of giant AI companies by burying small AI companies and non-commercial developers in red tape, copyright demands and potentially, lawsuits. After several amendments, the bill hasn’t improved much, and in some ways has actually gotten worse. If A.B. 412 is passed, it will make California’s economy less innovative, and less competitive. </span></p><h3><b>The Bill Threatens Small Tech Companies</b></h3><p><span>A.B. 412 masquerades as a transparency bill, but it’s actually a government-mandated “reading list” that will allow rights holders to file a new type of lawsuit in state court, even as the federal courts continue to assess whether and how federal copyright law applies to the development of generative AI technologies. </span></p><p><span>The bill would require developers—even two-person startups— to keep lists of training materials that are “registered, </span><a href="https://www.copyright.gov/prereg/"><span>pre-registered</span></a><span> or indexed” with the U.S. Copyright Office, and help rights holders create digital ‘fingerprints’ of those works—a technical task with no established standards and no realistic path for small teams to follow. Even if it were limited to registered copyrighted material, that’s a monumental task, as we </span><a href="https://www.eff.org/deeplinks/2025/03/californias-ab-412-bill-could-crush-startups-and-cement-big-tech-ai-monopoly"><span>explained in March</span></a><span> when we examined the earlier text of A.B. 412. </span></p><p><span>The bill’s amendments have made compliance even harder, since it now requires technologists to go beyond copyrighted material and somehow identify “pre-registered” copyrights. The amended bill also has new requirements that demand technologists document and keep track of when they look at works that aren’t copyrighted but are subject to exclusive rights, such as pre-1972 sound recordings—rights that, not coincidentally, are primarily controlled by large entertainment companies. </span></p><p><span>The penalties for noncompliance are steep—up to $1,000 per day per violation—putting small developers at enormous financial risk even for accidental lapses.</span></p><p><span>The goal of this list is clear: for big content companies to more easily file lawsuits against software developers, big and small. And for most AI developers, the burden will be crushing. Under A.B. 412, a two-person startup building an open-source chatbot, or an indie developer fine-tuning a language model for disability access, would face the same compliance burdens as Google or Meta. </span></p><h3><b>Reading and Analyzing The Open Web Is Not a Crime </b></h3><p><span>It’s critical to remember that AI training is very likely protected by fair use under U.S. copyright law—a point that’s still being worked out in the courts. The idea that we should preempt that process with sweeping state regulation is not just premature; it’s dangerous.</span></p><p><span>It’s also worth noting that copyright is governed by federal law. Federal courts are already working to define the boundaries of fair use and copyright in the AI context—the California legislature should let them do their job. A.B. 412 tries to create a state-level regulatory scheme in an area that belongs in federal hands—a risky legal overreach that could further complicate an already unsettled policy space.</span></p><p><span>A.B. 412 is a solution in search of a problem. The courthouse doors are far from closed to content owners who want to dispute the use of their copyrighted works. There are multiple high-profile litigations over the copyright status of AI training works that are working their way through trial courts and appeal courts right now. </span></p><h3><b>Scope Creep</b></h3><p><span>Rather than narrowing its focus to make compliance more realistic, the latest amendments to A.B. 412 actually expand the scope of covered works. The bill now demands documentation of obscure categories of content like pre-1972 sound recordings. These recordings have rights that are often murky, and largely controlled by major media companies.</span></p><p><span>The bill also adds “preregistered” and indexed works to its coverage. Preregistration, designed to help entertainment companies punish unauthorized copying even before commercial release, expands the universe of content that developers must track—without offering any meaningful help to small creators. </span></p><h3><b>A Moat Serving Big Tech</b></h3><p><span>Ironically, the companies that will benefit most from A.B. 412 are the very same large tech firms that lawmakers often claim they want to regulate. Big companies can hire teams of lawyers and compliance officers to handle these requirements. Small developers? They’re more likely to shut down, sell out, or never enter the field in the first place.</span></p><p><span>This bill doesn’t create a fairer marketplace. It builds a regulatory moat around the incumbents, locking out new competitors and ensuring that only a handful of companies have the resources to develop advanced AI systems. Truly innovative technology often comes from unknown or small companies, but A.B. 412 threatens to turn California—and anyone who does business there—into a fortress where only the biggest players survive.</span></p><h3><b>A Lopsided Bill </b></h3><p><span>A.B. 412 is becoming an increasingly extreme and one-sided piece of legislation. It’s a maximalist wishlist for legacy rights-holders, delivered at the expense of small developers and the public. The result will be less competition, less innovation, and fewer choices for consumers—not more protection for creators.</span></p><p><span>This new version does close a few loopholes, and expands the period for AI developers to respond to copyright demands from 7 days to 30 days. But it seriously fails to close others: for instance, the exemption for noncommercial development applies only to work done “exclusively for noncommercial academic or governmental” institutions. That still leaves a huge window to sue hobbyists and independent researchers who don’t have university or government jobs. </span></p><p><span>While the bill nominally exempts developers who use only public or developer-owned data, that’s a carve-out with no practical value. Like a search engine, nearly every meaningful AI system relies on mixed sources — and developers can’t realistically track the copyright status of them all.</span></p><p><span>At its core, A.B. 412 is a flawed bill that would harm the whole U.S. tech ecosystem. Lawmakers should be advancing policies that protect privacy, promote competition, and ensure that innovation benefits the public—not just a handful of entrenched interests.</span></p><p><span>If you’re a California resident, now is the time to speak out. </span><a href="https://findyourrep.legislature.ca.gov/"><span>Tell your legislators</span></a><span> that A.B. 412 will hurt small companies, help big tech, and lock California’s economy in the past.</span></p> </div></div></div></description> <pubDate>Tue, 10 Jun 2025 22:07:32 +0000</pubDate> <guid isPermaLink="false">110787 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/innovation">Creativity & Innovation</category> <dc:creator>Joe Mullin</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/robotai.png" alt="A robot painting a self-portrait" type="image/png" length="177967" /> </item> <item> <title>35 Years for Your Freedom Online</title> <link>https://www.eff.org/deeplinks/2025/06/35-years-internet-freedom</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>Once upon a time we were promised flying cars and jetpacks. Yet we've arrived at a more complicated timeline where rights advocates can find themselves defending our hard-earned freedoms more often than shooting for the moon. <em>In tough times, it's important to remember that your vision for the future can be just as valuable as the work you do now.</em></p><p>Thirty-five years ago, a small group of folks saw the coming digital future and banded together to ensure that technology would empower people, not oppress them—and EFF was born. While the dangers of corporate and state forces grew alongside the internet, EFF and supporters like you faithfully rose to the occasion. <a href="https://eff.org/r.76bz">Will you help celebrate EFF’s 35th anniversary and donate in support of digital freedom?</a></p><p class="take-action"><a href="https://eff.org/r.76bz">Give today</a></p><p class="take-explainer">Protect Online Privacy &amp; Free Expression</p><p>Together we’ve won many fights for encryption, free speech, innovation, and privacy online. Yet it’s plain to see that we must keep advocating for technology users whether that’s in the courts, before lawmakers, educating the public, or creating privacy-enhancing tools. EFF members make it possible—you can lend a hand and get some great perks!</p><h2>Summer Swag Is Here</h2><p>We love making stuff for EFF’s members each year. It’s our way of saying thanks for supporting the mission for your rights online, and I hope it’s your way of starting a conversation about internet freedom with people in your life.</p><p></p><center><div class="media media-element-container media-default"><div id="file-57747" class="file file-image file-image-jpeg" class="file file-image file-image-jpeg"> <h2 class="element-invisible"><a href="/file/shirts-both-necklines-wider-square-750pxjpg">shirts-both-necklines-wider-square-750px.jpg</a></h2> <div class="content"> <img title="Get free EFF 35th Anniversary swag when you join!" class="media-element file-default" data-delta="4" src="https://kittens.eff.org/files/2025/06/05/shirts-both-necklines-wider-square-750px.jpg" width="750" height="750" alt="" /> </div> </div></div></center><p>Celebrate EFF's 35th Anniversary in the digital rights movement with this <a href="https://www.eff.org/files/2025/05/29/shop-2025-mem-shirt-art_700px.png">EFF35 Cityscape member t-shirt by Hugh D’Andrade</a>! EFF has a not-so-secret weapon that keeps us in the fight even when the odds are against us: <em>we never lose sight of our vision for a better future.</em> <a href="https://eff.org/r.76bz">Choose a roomy Classic Fit Crewneck or a soft Slim Fit V-Neck.</a></p><p></p><center><div class="media media-element-container media-default"><div id="file-57746" class="file file-image file-image-jpeg" class="file file-image file-image-jpeg"> <h2 class="element-invisible"><a href="/file/hoodie-front-back-alt-square-750pxjpg">hoodie-front-back-alt-square-750px.jpg</a></h2> <div class="content"> <img title="Motherboard Hooded Sweatshirt for Titanium Level Members" class="media-element file-default" data-delta="5" src="https://kittens.eff.org/files/2025/06/05/hoodie-front-back-alt-square-750px.jpg" width="750" height="750" alt="" /> </div> </div></div></center><p>And enjoy Lovelace-Klimtian vibes on EFF’s new <a href="https://www.eff.org/files/2025/06/02/hoodie-details-back-square-750px.jpg">Motherboard Hooded Sweatshirt by Shirin Mori</a>. Gold details and orange poppies pop on lush forest green. Don't lose the forest for the trees—keep fighting for a world where tech supports people irl.</p><h2>Join the Sustaining Donor Challenge (it’s easy)</h2><p>You'll get a numbered <a href="https://eff.org/coin">EFF35 Challenge Coin</a> when you become a <a href="https://eff.org/r.d98c">monthly</a> or <a href="https://eff.org/r.13hk">annual</a> Sustaining Donor by <del>July 10</del> <strong>August 11, 2025</strong>. It’s that simple.</p><p>If you're already a Sustaining Donor—THANKS! You too can get an EFF 35th Anniversary Challenge Coin when you upgrade your donation. Just increase your monthly or annual gift and <a href="mailto:upgrade@eff.org?subject=Sustaining%20Donor%20Upgrade&amp;amp;body=Item%20(size%20%26%20style%20if%20applicable)%3A%20%0A%0AShipping%20Address%3A%20">let us know by emailing upgrade@eff.org</a>. Get started at <a class="theme markdown__link" href="https://eff.org/recurring" rel="noopener noreferrer" target="_blank"><span>eff.org/recurring</span></a>. If you used PayPal, just <a class="theme markdown__link" href="https://www.paypal.com/myaccount/autopay" rel="noopener noreferrer" target="_blank"><span>cancel your current recurring donation</span></a> and then go to eff.org to <a class="theme markdown__link" href="https://eff.org/r.d98c" rel="noopener noreferrer" target="_blank"><span>start a new upgraded recurring donation</span></a>.</p><p></p><center><div class="media media-element-container media-default"><div id="file-57725" class="file file-image file-image-jpeg" class="file file-image file-image-jpeg"> <h2 class="element-invisible"><a href="/file/coincat1200pxjpg">coin_cat_1200px.jpg</a></h2> <div class="content"> <img title="EFF35 Challenge Coin for monthly &amp; annual donors (kitty not included)." class="media-element file-default" data-delta="2" src="https://kittens.eff.org/files/2025/06/02/coin_cat_1200px.jpg" width="1200" height="900" alt="" /> </div> </div></div></center><p>Support internet freedom with a no-fuss automated recurring donation! Over 30% of EFF members have <a href="https://eff.org/r.d98c">joined as Sustaining Donors</a> to defend digital rights (and get some great swag every year). Challenge coins follow a long tradition of offering a symbol of kinship and respect for great achievements—and EFF owes its strength to technology creators and users like you.</p><p>With your help, EFF is here to stay.</p><p class="take-action"><a href="https://eff.org/r.76bz">Join EFF</a></p><p class="take-explainer">Protect Online Privacy &amp; Free Expression</p> </div></div></div></description> <pubDate>Tue, 10 Jun 2025 07:04:46 +0000</pubDate> <guid isPermaLink="false">110762 at https://www.eff.org</guid> <dc:creator>Aaron Jue</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/circuit-city-og-static.png" alt="Green EFF 35th Anniversary digital cityscape on a black background." type="image/png" length="189965" /> </item> <item> <title>NYC Lets AI Gamble with Child Welfare</title> <link>https://www.eff.org/deeplinks/2025/06/nyc-lets-ai-gamble-child-welfare</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p>The Markup revealed in its <a href="https://themarkup.org/investigations/2025/05/20/the-nyc-algorithm-deciding-which-families-are-under-watch-for-child-abuse">reporting</a> last month that New York City’s Administration for Children’s Services (ACS) has been quietly deploying an algorithmic tool to categorize families as “high risk". Using a grab-bag of factors like neighborhood and mother’s age, this AI tool can put families under intensified scrutiny without proper justification and oversight.</p><p>ACS knocking on your door is a nightmare for any parent, with the risk that any mistakes can break up your family and have your children sent to the foster care system. Putting a family under such scrutiny shouldn’t be taken lightly and shouldn’t be a testing ground for automated decision-making by the government.</p><p> This “AI” tool, developed internally by ACS’s Office of Research Analytics, scores families for “risk” using 279 variables and subjects those deemed highest-risk to intensified scrutiny. The lack of transparency, accountability, or due process protections demonstrates that ACS has learned nothing from the failures of similar products in the realm of child services.</p><p>The algorithm operates in complete secrecy and the harms from this opaque “AI theater” are not theoretical. The 279 variables are derived only from cases back in 2013 and 2014 where children were seriously harmed. However, it is unclear how many cases were analyzed, what, if any, kind of auditing and testing was conducted, and whether including of data from other years would have altered the scoring.</p><p>What we do know is disturbing: Black families in NYC face ACS investigations at <a href="https://www.nyclu.org/report/racism-every-stage-data-shows-how-nycs-administration-childrens-services-discriminates">seven times the rate</a> of white families and ACS staff has admitted that the agency is <a href="https://www.nytimes.com/2022/11/22/nyregion/nyc-acs-racism-abuse-neglect.html">more punitive</a> towards Black families, with parents and advocates calling its practices “<a href="https://www.nytimes.com/2022/11/22/nyregion/nyc-acs-racism-abuse-neglect.html">predatory</a>.” It is likely that the algorithm effectively automates and amplifies this discrimination.</p><p>Despite the disturbing lack of transparency and accountability, ACS’s usage of this system has subjected families that this system ranks as “highest risk” to additional scrutiny, including possible home visits, calls to teachers and family, or consultations with outside experts. But those families, their attorneys, and even caseworkers don't know when and why the system flags a case, making it difficult to challenge the circumstances or process that leads to this intensified scrutiny.</p><p>This is not the only incidence in which usage of AI tools in the child services system has encountered issues with systemic biases. Back in 2022, the <a href="https://apnews.com/article/child-welfare-algorithm-investigation-9497ee937e0053ad4144a86c68241ef1">Associated Press reported</a> that Carnegie Mellon researchers found that from August 2016 to May 2018, Allegheny County in Pennsylvania used an algorithmic tool that flagged 32.5% of Black children for “mandatory” investigation compared to just 20.8% of white, all while social workers disagreed with the algorithm's risk scores about one-third of the time.</p><p>The Allegheny system operates with the same toxic combination of secrecy and bias now plaguing NYC. Families and their attorneys can never know their algorithmic scores, making it impossible to challenge decisions that could destroy their lives. When a judge asked to see a family’s score in court, <a href="https://apnews.com/article/child-welfare-algorithm-investigation-9497ee937e0053ad4144a86c68241ef1">the county resisted</a>, claiming it didn't want to influence legal proceedings with algorithmic numbers, which suggests that the scores are too unreliable for judicial scrutiny yet acceptable for targeting families.</p><p>Elsewhere these biased systems were successfully challenged. The developers of the Allegheny tool had already had their product <a href="https://apnews.com/article/child-welfare-algorithm-investigation-9497ee937e0053ad4144a86c68241ef1">rejected in New Zealand</a>, where researchers correctly identified that the tool would likely result in more Māori families being tagged for investigation. Meanwhile, California spent $195,273 developing a similar tool before abandoning it in 2019 due in part to concerns about racial equity.</p><p>Governmental deployment of automated and algorithmic decision making not only perpetuates social inequalities, but removes mechanisms for accountability when agencies make mistakes. The state should not be using these tools for rights-determining decisions and any other uses must be subject to vigorous scrutiny and independent auditing to ensure the public’s trust in the government’s actions.</p> </div></div></div></description> <pubDate>Mon, 09 Jun 2025 21:36:05 +0000</pubDate> <guid isPermaLink="false">110782 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/transparency">Transparency</category> <category domain="https://www.eff.org/issues/ai">Artificial Intelligence & Machine Learning</category> <dc:creator>Hannah Zhao</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/predictive_policing_animation3x.gif" alt="3 squares hover over a map, seemingly looking for crime hot spots" type="image/gif" length="139216" /> </item> <item> <title>Criminalizing Masks at Protests is Wrong </title> <link>https://www.eff.org/deeplinks/2025/06/criminalizing-masks-protests-wrong</link> <description><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>There has been a </span><a href="https://www.washingtonpost.com/health/2024/06/24/mask-ban-north-carolina-new-york/"><span>crescendo</span></a><span> of states attempting to criminalize the wearing of face coverings while </span><a href="https://thesicktimes.org/mask-bans-and-proposed-bans-by-state/"><span>attending protests</span></a><span>. Now </span><a href="https://www.msnbc.com/rachel-maddow-show/maddowblog/pointing-protesters-not-ice-agents-trump-demands-arrests-masks-rcna211787"><span>the President</span></a><span> has demanded, in the context of ongoing protests in Los Angeles: “ARREST THE PEOPLE IN FACE MASKS, NOW!” <br /></span></p><p><span>But the truth is: whether you are afraid of catching an airborne illness from your fellow protestors, or you are concerned about reprisals from police or others for expressing your political opinions in public, you should have the right to wear a mask. Attempts to criminalize masks at protests fly in the face of a right to privacy. <br /></span></p><p class="pull-quote"><span>Anonymity is a fundamental human right.</span></p><p><span>In terms of public health, wearing a mask while in a crowd can be a </span><a href="https://www.yalemedicine.org/news/can-strategic-masking-protect-against-covid-19-flu-and-rsv"><span>valuable tool </span></a><span>to prevent the spread of communicable illnesses. This can be essential for people with </span><a href="https://cv.nmhealth.org/archives/extra-protection/"><span>compromised immune systems</span></a><span> who still want to exercise their First Amendment-protected right to protest.</span></p><p><span>Moreover, wearing a mask is a perfectly legitimate surveillance self-defense practice during a protest. There has been a massive proliferation of surveillance camera networks, </span><a href="https://sls.eff.org/technologies/face-recognition"><span>face recognition technology</span></a><span>, and databases of personal information. There also is a long law enforcement’s history of </span><a href="https://www.eff.org/deeplinks/2024/08/atlanta-police-must-stop-high-tech-spying-political-movements"><span>harassing and surveilling people </span></a><span>for publicly criticizing or opposing law enforcement practices and other government policies. What’s more, non-governmental actors may try to identify protesters in order to retaliate against them, for example, by limiting their employment opportunities.</span></p><p><span>All of this may chill our willingness to speak publicly or attend a protest in a cause we believe in. Many people would be less willing to attend a rally or march if they know that a drone or helicopter, equipped with a camera, will take repeated passes over the crowd, and police later will use face recognition to scan everyone’s faces and create a list of protest attendees. This would make many people</span><a href="https://www.motherjones.com/politics/2025/06/los-angeles-ice-protests-helicopter/?utm_source=dlvr.it&amp;utm_medium=slack"><span> rightfully concerned</span></a><span> about surveillance and harassment from law enforcement. <br /></span></p><p><span>Anonymity is a fundamental human right. EFF has long advocated for anonymity </span><a href="https://www.eff.org/issues/anonymity"><span>online</span></a><span>. We’ve also supported low-tech methods to protect our anonymity from high-tech snooping in public places; for example, we’ve supported legislation to allow car owners to use </span><a href="https://www.eff.org/deeplinks/2018/01/how-license-plate-covers-would-protect-vulnerable-communities?language=ko"><span>license plate covers</span></a><span> when their cars are parked to reduce their exposure to </span><a href="https://www.eff.org/cases/automated-license-plate-readers"><span>ALPRs</span></a><span>.</span></p><p><span>A word of caution. No surveillance self-defense technique is perfect. Technology companies are trying to develop ways to use face recognition technology to </span><a href="https://www.cnet.com/health/facial-recognition-firms-are-scrambling-to-see-around-face-masks/"><span>identify people wearing masks</span></a><span>. But if somebody wants to hide their face to try to avoid government scrutiny, the government should not punish them.</span></p><p><span>While members of the public have a right to wear a mask when they protest, law enforcement officials should </span><i><span>not</span></i><span> wear a mask when they arrest protesters and others. An elementary principle of police accountability is to require uniformed officers to identify themselves to the public; this discourages officer misconduct, and facilitates accountability if an officer violates the law. This is one reason EFF has long supported the First Amendment </span><a href="https://www.eff.org/deeplinks/2020/06/you-have-first-amendment-right-record-police"><span>right to record</span></a><span> on-duty police, including </span><a href="https://www.eff.org/deeplinks/2025/02/yes-you-have-right-film-ice"><span>ICE officers</span></a><span>. <br /></span></p><p><span>For these reasons, EFF believes it is wrong for state legislatures, and now federal law enforcement, to try to criminalize or punish mask wearing at protests. It is especially wrong, in moments like the present, where government it taking extreme measures to crack down on the civil liberties of protesters. </span></p> </div></div></div></description> <pubDate>Mon, 09 Jun 2025 20:37:53 +0000</pubDate> <guid isPermaLink="false">110780 at https://www.eff.org</guid> <category domain="https://www.eff.org/issues/street-level-surveillance">Street-Level Surveillance</category> <dc:creator>Matthew Guariglia</dc:creator> <dc:creator>Adam Schwartz</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/protest-2024-2.jpg" alt="2 protestors in silhouette on retro starburst background" type="image/jpeg" length="719510" /> </item> <item> <title>Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit </title> <link>https://www.eff.org/press/releases/privacy-victory-judge-grants-preliminary-injunction-opmdoge-lawsuit</link> <description><div class="field field--name-field-pr-subhead field--type-text field--label-hidden"><div class="field__items"><div class="field__item even">Court to Decide Scope of Injunction Later This Week </div></div></div><div class="field field--name-body field--type-text-with-summary field--label-hidden"><div class="field__items"><div class="field__item even"><p><span>NEW YORK–In a victory for personal privacy, a New York federal district court judge today </span><span>granted a preliminary injunction in a lawsu</span><span>it</span> <span>challenging the </span><span>U.S. Office of Personnel Management</span><span>’s</span><span> (OPM) </span><span>disclosure of records </span><span>to DOGE</span> <span>and its agents.</span><span data-ccp-props="0}"> <br /></span></p><p><span>Judge Denise L. Cote of the U.S. District Court for the Southern District of New York</span><span> found that OPM violated the Privacy Act and bypassed its established cybersecurity practices under the Administrative Procedures Act. </span><span>The court will decide the scope of the injunction later this week. </span><span>The p</span><span>laintiffs have asked the court to </span><span>halt DOGE agents’ access to OPM records and </span><span>for DOGE </span><span>and its </span><span>agents to </span><span>delete any records </span><span>that have already been disclosed. </span><span>OPM’s databases </span><span>hold highly sensitive personal information about tens of millions of federal employees, retirees, and job applicants.</span></p><p><span>“The plaintiffs have shown that the defendants disclosed OPM records to individuals who had no legal right of access to those records,” </span><span>Cote found.</span> <span>“</span><span>In doing so, the defendants violated the Privacy Act and departed from cybersecurity standards that they are obligated to follow. This was a breach of law and of trust. Tens of millions of Americans depend on the Government to safeguard records that reveal their most private and sensitive affairs.</span><span>”</span><span data-ccp-props="0}"> <br /></span></p><p><span data-contrast="none">The Electronic Frontier Foundation (EFF), </span><a href="https://www.lex-lumina.com/"><span data-contrast="none">Lex Lumina LLP</span></a><span data-contrast="none">, </span><a href="https://statedemocracydefenders.org/fund/"><span data-contrast="none">Democracy Defenders Fund</span></a><span data-contrast="none">, and </span><a href="https://www.chandralaw.com/"><span data-contrast="none">The Chandra Law Firm</span></a><span data-contrast="none"> requested the injunction as part of their ongoing lawsuit against OPM and DOGE on behalf of two labor unions and individual current and former government workers across the country. The lawsuit’s union plaintiffs are the</span><a href="https://www.afge.org/"> <span data-contrast="none">American Federation of Government Employees AFL-CIO</span></a><span data-contrast="none"> and the</span><a href="https://aalj.org/"> <span data-contrast="none">Association of Administrative Law Judges, International Federation of Professional and Technical Engineers Judicial Council 1 AFL-CIO</span></a><span data-contrast="none">. </span></p><p><span data-contrast="none">The lawsuit argues that OPM and OPM Acting Director Charles Ezell illegally disclosed personnel records to DOGE agents in violation of the Administrative Procedures Act and the federal Privacy Act of 1974, a watershed anti-surveillance statute that prevents the federal government from abusing our personal information. In addition to seeking to permanently halt the disclosure of further OPM data to DOGE, the lawsuit asks for the deletion of any data previously disclosed by OPM to DOGE.</span><span data-ccp-props="0}"> <br /></span></p><p><span data-contrast="none">The federal government is the nation’s largest employer, and the records held by OPM represent one of the largest collections of sensitive personal data in the country. In addition to personally identifiable information such as names, social security numbers, and demographic data, these records include work information like salaries and union activities; personal health records and information regarding life insurance and health benefits; financial information like death benefit designations and savings programs; nondisclosure agreements; and information concerning family members and other third parties referenced in background checks and health records. <br /></span></p><p><span data-contrast="none">OPM holds these records for tens of millions of Americans, including current and former federal workers and those who have applied for federal jobs. OPM has a history of privacy violations—an OPM breach in 2015 exposed the personal information of 22.1 million people—and its recent actions make its systems less secure. </span><span data-ccp-props="0}"></span></p><p><span data-contrast="none">With few exceptions, the Privacy Act limits the disclosure of federally maintained sensitive records on individuals without the consent of the individuals whose data is being shared. It protects all Americans from harms caused by government stockpiling of our personal data. This law was enacted in 1974, the last time Congress acted to limit the data collection and surveillance powers of an out-of-control President. </span></p><p><span data-contrast="none">A </span><a href="https://www.lawfaremedia.org/projects-series/trials-of-the-trump-administration/tracking-trump-administration-litigation"><span>number of courts</span></a><span data-contrast="none"> have already found that DOGE’s activities at other agencies likely violate the law, including at the Social Security Administration and the Treasury Department.</span><span data-ccp-props="0}"> <br /></span></p><p><b><span data-contrast="none">For the preliminary injunction:</span></b> <a href="https://www.eff.org/document/afge-v-opm-opinion-and-order-granting-preliminary-injunction">https://www.eff.org/document/afge-v-opm-opinion-and-order-granting-preliminary-injunction</a><br /><b><span data-contrast="none">For the complaint: </span></b><span data-contrast="none"><a href="https://www.eff.org/document/afge-v-opm-complaint">https://www.eff.org/document/afge-v-opm-complaint</a><br /></span><b><span data-contrast="none">For more about the case: </span></b><a href="https://www.eff.org/cases/american-federation-government-employees-v-us-office-personnel-management"><span data-contrast="none">https://www.eff.org/cases/american-federation-government-employees-v-us-office-personnel-management</span></a><span data-ccp-props="0}"><br /></span></p><p><strong>Contacts:</strong><br />Electronic Frontier Foundation: <a href="mailto:press@eff.org">press@eff.org</a><br />Lex Lumina LLP: Managing Partner Rhett Millsaps, <a href="mailto:rhett@lex-lumina.com">rhett@lex-lumina.com</a></p> </div></div></div></description> <pubDate>Mon, 09 Jun 2025 19:28:37 +0000</pubDate> <guid isPermaLink="false">110779 at https://www.eff.org</guid> <dc:creator>Hudson Hongo</dc:creator> <enclosure url="https://www.eff.org/files/banner_library/opm-eye-3b.jpg" alt="An eye with the OPM logo in the iris, green digital background" type="image/jpeg" length="149733" /> </item> </channel></rss> 
