Normal view

Microsoft Took a Step Toward Human Rights Accountability. Google and Amazon (and Others) Should Pay Attention!

19 May 2026 at 23:03

For years, civil society organizations, workers, journalists, and human rights experts have warned that major technology companies risk enabling grave human rights abuses when they provide cloud computing, AI, and surveillance infrastructure to governments implicated in violations of international and humanitarian law. While many companies pay lip service to evaluating customers and contracts for human rights implications (lip service Exhibit A: Palantir!), too often those processes fail to provide any meaningful accountability when their standards are not met or are simply ignored. But recent developments at Microsoft suggest that accountability for failing to uphold the human rights standards that a company itself sets, even if incomplete, is possible. 

According to recent reporting, Microsoft’s Israel chief has departed amid an escalating ethical controversy surrounding the company’s business relationships with the Israeli Ministry of Defense. The move follows months of scrutiny, internal dissent, and sustained pressure from inside the organization along with press and civil society, especially after a report by The Guardian revealed that Microsoft technologies were used in systems connected to mass surveillance and military targeting operations in Gaza in ways that appeared to violate Microsoft’s own standards. This did not happen overnight.

In September 2025, Microsoft reportedly suspended certain services after initial investigations raised serious concerns about how its cloud and AI infrastructure may have been used. That alone distinguished Microsoft from many of its peers. Rather than simply dismissing mounting concerns or hiding behind vague claims of neutrality, Microsoft appeared to recognize that providing technology in conflict settings creates real human rights responsibilities. Now, after additional investigation and continued public scrutiny, it appears the company has taken another step, one that should send a strong signal to others that violating Microsoft’s human rights commitments could cost you your job. This is important. 

There is still much more Microsoft should do, of course. The company has yet to fully disclose the scope of its findings, explain exactly which services were suspended, or clarify what safeguards remain in place to prevent its technologies from contributing to human rights abuses in the future. We shouldn’t have to infer the connection between this employment action and the company’s investigation. 

Just prior to reports that Microsoft had fired its Israel Country General Manager, EFF joined Access Now, Amnesty International, Fight for the Future, and 7amleh in a joint May 7, 2026 letter to Microsoft leadership calling on the company to publicly release the findings of its investigation, suspend business relationships tied to serious human rights abuses, and implement meaningful safeguards to prevent its technologies from contributing to further harm. The letter detailed allegations regarding Microsoft’s reported provision of Azure cloud and AI services to Israeli military and intelligence units involved in surveillance and targeting operations, while also pressing the company to take concrete human rights due diligence measures going forward. Those demands remain urgent, even as Microsoft appears to be taking some of the steps we urged.

But even as we push for more, it is important to recognize when a company takes steps in the right direction. Because this is what it means to put human rights commitments into practice. It means acknowledging that human rights policies are not just branding exercises or transparency reports. It means accepting that companies providing cloud infrastructure and AI services have responsibilities when credible evidence emerges that their technologies may be enabling violations of international law. And it means taking concrete action when those risks become known.

The allegations facing Microsoft are serious. Human rights organizations and investigative reporting have documented claims that Microsoft Azure services were used by Israeli military and intelligence units to process large-scale surveillance data, support AI-assisted targeting systems, and sustain military cloud infrastructure during the war in Gaza. The concerns raised extend beyond ordinary business risk; they implicate potential complicity in violations of international humanitarian and human rights law.

Faced with these allegations, Microsoft could have chosen the path many tech companies take: deny everything, attack critics, suppress worker dissent, and continue business as usual. Instead, the company appears to have begun responding to the evidence.

Technology companies are not powerless bystanders. Cloud providers and AI companies make choices every day about who gets access to their infrastructure, under what conditions, and with what oversight. When companies claim to uphold human rights principles, those commitments should have operational consequences. Too many companies, in both international and domestic policing contexts, provide technology to institutions that violate people’s human rights and civil liberties, then fall back on the claim that they are merely providing a service that their customers can use how they see fit. This is an ethical failing that falls short of most companies’ publicly expressed commitments. Microsoft’s recent actions suggest that sustained public pressure, worker organizing, investigative journalism, and civil society advocacy can force even the world’s largest technology companies to respond.

Google and Amazon should especially see this as a clear example to follow. Both companies also provide services to the Israeli Ministry of Defense and have faced years of criticism over those contracts and services, including from EFF. Yet neither has demonstrated the level of responsiveness or accountability that Microsoft has shown. If Microsoft can suspend services, investigate allegations, and make leadership changes amid mounting evidence and ethical concerns, then other cloud giants can no longer pretend that meaningful action is impossible.

The technology industry has spent years insisting that ethics and human rights matter. The real test has always been whether those principles survive when profits, government contracts, and geopolitical pressure are on the line. Microsoft’s recent steps are not the end of that story, but they may mark the beginning of what real accountability can look like.

We’re looking at you, Amazon and Google. If Microsoft can do it, why can’t you?

We Must Not Normalize Digital Surveillance Abuses. EFF’s New Guide Underlines Concrete Steps to Fight Back.

18 May 2026 at 19:15

Poor accountability, feeble control mechanisms, and insufficient legal frameworks have led to systematic human rights violations in the Americas, with no consistent remedy or reparation to victims. What's needed is to materialize essential guarantees and measures to combat repeated surveillance abuses in the region. To help build a path for solutions, EFF launches the guide Tackling Arbitrary Digital Surveillance in the Americas, adding to our extensive work leveraging human rights norms to confront state privacy violations.

The document compiles privacy, data protection, and access to information guarantees established within the Inter-American Human Rights System to provide concrete, actionable guidance to governments in the Americas to curb the vicious cycle of state digital surveillance abuses. It outlines the safeguards and institutional measures necessary to protect individuals and details rules, parameters, and standards to overcome current pernicious practices and trends. 

As concerns over national and public security intensify, countries in the region seem to increasingly normalize the pervasiveness of digital surveillance technologies and their arbitrary use by security forces as a distorted form of protection. However, no actual protection can arise from arbitrary surveillance. 

When public security, intelligence, and law enforcement agencies neglect or harm settled rights in the name of national security or public order, they too become a threat. Tolerating rights violations creates the dire situation that the Freedom of Expression Special Rapporteur of the Inter-American Commission on Human Rights thoroughly analyzed in his report about the serious impacts of digital surveillance on freedom of expression in the Americas.

The great majority of states in Latin America have ratified the American Convention on Human Rights. As such, the parameters and rules our new guide describes stem directly from their obligations before international human rights law. State agents and institutions must take the necessary measures to make them a reality.

As EFF’s guide points out, states must implement clear and precise legal frameworks that:

  • define surveillance powers and limitations;
  • ensure all surveillance measures pursue legitimate aims without discriminatory ends;
  • subject interference with privacy to rigorous necessity and proportionality analysis;
  • require prior judicial authorization for digital surveillance measures;
  • maintain detailed records of surveillance operations;
  • establish independent civilian oversight institutions with technical expertise and enforcement powers;
  • guarantee individuals' right to informational self-determination and proper notification; and
  • provide effective remedies and reparation for victims of surveillance abuses.

States must also put in place the institutional processes and structures to give effect to these legal guarantees. As we stress in the document, States that embrace the guide’s recommendations will not only comply with their international obligations, but will also build more resilient, rights-respecting security architectures capable of addressing genuine threats without sacrificing the freedoms they exist to protect. 

Civil society leaders, activists, legal experts, public defenders, oversight institutions, and state officials committed to human rights must gather and ramp up the fight against the normalization of digital surveillance abuses in the Americas. We hope that EFF’s new guide can serve as a crucial tool in strengthening this fight, one that we have joined since our early days.

Help EFF Solve an Issue That's Bigger than Creepy Ads

13 May 2026 at 19:10

Millions of people around the world use EFF's Privacy Badger. This browser extension blocks the hidden trackers that twist your web browsing into a commodity for Big Tech, advertisers, scammers, and data brokers. But did you know that we’re trying to solve an issue that’s even bigger than creepy ads and user profiling? You can help.

JOIN EFF

Online tracking isn't just creepy and unethical. It also enables government surveillance. Widespread commercial surveillance and weak privacy laws allow data brokers to harvest your data and sell it to law enforcement agencies including the FBI, CBP, and ICE. The government exploits this system to buy sensitive information about you that they would ordinarily need a warrant to collect, like your location over time

With your help, EFF is fighting back. Our team is working to enact stronger laws to uphold your privacy. We’re advocating for consumer rights in the courts. We’re investigating how these technologies affect our communities. And we’re cutting off surveillance advertising at the source with tools like Privacy Badger for everyone. You can support this work as an EFF member.

End Mass Surveillance

Privacy is a human right because it gives you a fundamental measure of security and freedom. That is why we at EFF focus on your ability to have private conversations and interact with the world using technologies that you choose. But when tools that many of us must rely on serve corporate surveillance, they also feed government surveillance. We owe it to ourselves to fight the mass spying used to control and intimidate people. Let’s do this.

A person wearing a black sweatshirt with an embroidered Privacy Badger mascot on the chest over the characters for ‘privacy” in Traditional Chinese.

For a limited time, you can join EFF as a monthly or one-time donor and pick up a new Privacy Badger Crewneck sweatshirt. The embroidered Privacy Badger mascot appears above Traditional Chinese for "privacy” because human rights are universal.

You can also get a set of puffy stickers as a token of thanks. Our little Ghostie protects privacy in Arabic, English, Japanese, Persian, Russian, and Spanish.

Claw Back! This year’s member t-shirt is hot off the press featuring an orange cat swatting at the street-level surveillance equipment multiplying in our communities. You might empathize with him, but there’s a better way. Let’s end the law enforcement contracts, harmful practices, and twisted logic that enable mass spying in the first place.

You can support our mission for technology in the public interest today. Join the movement and become an EFF member.

____________________

EFF is a member-supported U.S. 501(c)(3) organization. We've received top ratings from the nonprofit watchdog Charity Navigator since 2013! Your donation is tax-deductible as allowed by law.

Broken Promises: RIP Instagram’s End-to-End Encrypted DMs

13 May 2026 at 00:11

Last week, Instagram ended its opt-in, and therefore rarely used, end-to-end encryption feature. Years after publicly promising to provide the privacy protections of end-to-end encryption across its platforms by default, it instead gave up on that technical challenge. Now, we've all lost an option for safer conversations on one of the biggest social media platforms in the world.

In an announcement in 2023, Meta bragged about how it had successfully encrypted Messenger, and teased that Instagram was in progress. Even before then, they’d talked about how important encryption was in Messenger and Instagram in a white paper published in 2022, stating: 

We want people to have a trusted private space that’s safe and secure, which is why we’re taking our time to thoughtfully build and implement e2ee by default across Messenger and Instagram DMs.

So where did the reversal come from? In a statement, Meta claimed that, “Very few people were opting in to end-to-end encrypted messaging in DMs.” This isn’t all that surprising, as turning it on was an optional four-step process that few people knew about. Defaults matter, and Meta’s choice to blame people for failing to opt into this feature is proof of how much. In that same statement, the company pointed people to WhatsApp for access to encrypted messaging. Yet if Meta truly wanted people to have a trusted private space to communicate, it would meet them everywhere they are: on WhatsApp, on Messenger, and on Instagram.

But at least Meta was straightforward about the fact that it will not continue to support or work on this feature. That's rare. Most tech company promises aren’t broken explicitly, they just remain undelivered long enough to be forgotten. 

This is particularly disappointing as other companies take even bigger swings, like Google and Apple working together to implement end-to-end encryption over Rich Communication Services (RCS), and Signal’s continued work to make its app simpler and easier to use for everyone.

Meta abandoning this principle is disheartening, especially as we are still waiting for other promised features from the company, like end-to-end encryption in Facebook Messenger group messages. Instead of blaming users for not using these sorts of features and then abandoning the promise of delivery, Meta—and other tech companies—should start by enabling strong privacy protective features by default.

Victory! End-to-End Encrypted RCS Comes to Apple and Android Chats

12 May 2026 at 18:48

This week, Apple released iOS 26.5, an update that supports end-to-end encryption for Rich Communication Services (RCS), meaning conversations between Android and iPhone will soon be encrypted in the default chat apps. This has been a long time coming, and is a welcome delivery on a promise both Google and Apple made.

With this update, conversations that take place between Apple’s Messages app and Google Messages on Android will be end-to-end encrypted by default, as long as the carrier supports both RCS and encrypted messages (you can find a list of carriers here). RCS messages are a replacement for SMS, and in 2024 Apple started supporting it, making for a marked improvement in the quality of images and other media shared between Android and iPhones. 

Now, those conversations can also benefit from the increased privacy and security that end-to-end encryption offers, making it so neither Google, Apple, nor the cellular carriers have access to the contents of messages. This feature comes courtesy of both Apple and Google supporting the GSMA RCS Universal Profile 3.0, which implements the Messaging Layer Security protocol for encryption. Metadata will likely still be collected and stored for these conversations, making alternatives like Signal still a better option for many conversations. Likewise, if you back up those conversations to the cloud, they may be stored unencrypted unless you enable Advanced Data Protection on iOS (Google Messages end-to-end encrypts the text of messages in backups, but not the media, so we’d like to see a similar offering as ADP on Android). Still, this is a significant step forward for the privacy of millions of conversations worldwide.

End-to-end encrypted RCS messaging is still marked as beta on Apple devices, likely because the rollout is dependent on carriers as well as the Android phone running the most recent version of Google Messages. 

It might take some time before you get this feature in your chats and until you do, remember that the conversations are not protected with end-to-end encryption. But once everyone in the conversation is on the right software version and the carrier support is implemented, you will see a lock icon and the text, “Encrypted” at the top of the conversation for any chats you have over RCS, as seen here:

We applaud Apple and Google for getting this across the finish line and Encrypting It Already! More companies should take these sorts of difficult but necessary steps to protect the privacy of our conversations and our data.

Canada’s Bill C-22 Is a Repackaged Version of Last Year’s Surveillance Nightmare

11 May 2026 at 22:18

Last year, the Canadian government pushed Bill C-2, which would erode Canadian digital rights in the name of “border security.” The bill was so bad it didn’t even make it to committee because of the backlash from the privacy community. Now, the spring’s worst sequel, Bill C-22, aka The Lawful Access Act, is trying it again.

As with most sequels, Bill C-22 makes some tweaks to problematic elements, but largely retains the same problems. The bill forces digital services, which could include telecoms, messaging apps, and more, to record and retain metadata for a full year, and expands information sharing with foreign governments, including the United States. Metadata can reveal a lot about who you communicate with, where you go, and when you do so. Expanding the collection of metadata would require companies to store even more information about their users than they already do, providing an incentive for bad actors to access that information. 

Worst of all, Bill C-22 erodes the privacy of millions by providing a mechanism for the Minister of Public Safety to demand companies create a backdoor to their services to provide law enforcement access to data, as long as these mandates don’t introduce a “systemic vulnerability.” These widespread surveillance backdoors would likely facilitate even more data breaches than we see already. The bill also bans companies from even revealing the existence of these orders publicly.

The definitions of both “systemic vulnerabilities” and “encryption” are not clear enough in C-22, leaving wiggle room for the government to demand that companies circumvent encryption. And the overbroad definitions in the bill can include apps as well as operating systems. Canadian officials have made it clear they believe it’s possible to add surveillance without introducing systemic vulnerabilities, which is just not true. Surveillance of encrypted communications is fundamentally a systemic vulnerability.

This resembles what happened in the UK last year, when the government demanded that Apple implement this type of backdoor into its optional Advanced Data Protection feature, which then forced Apple to revoke the feature for its UK users instead of complying with the request. To this day, UK users still do not have access to this powerful, privacy-protective feature that provides stronger protections for data stored in iCloud. Both Meta and Apple are concerned that C-22 would give the Canadian governments similar powers, and both companies have come out against the bill. The U.S. House Judiciary and Foreign Affairs committees also sent a joint letter to Canada’s Minister of Public Safety highlighting the concern around backdoors into encrypted systems.

The dangers of these sorts of backdoors are not theoretical. In 2024, the Salt Typhoon hack took advantage of a system built by Internet Service Providers to give law enforcement access to user data. When you build these systems, hackers will come.

Canadians deserve strong privacy protections, transparency into how companies handle user data, and clear safeguards around encrypted data. Bill C-22 provides none of that, instead reaching further into the digital pockets of tech companies to build broad lawful access mechanisms.

Further reading

EFF Stands in Solidarity With RightsCon and the Global Digital Rights Community

11 May 2026 at 19:37

When governments shut down spaces for dialogue, dissent, and collective organizing, the damage extends far beyond a single event. The abrupt cancellation of RightsCon 2026—the world’s largest annual global digital rights conference—is not just a logistical disruption for thousands of researchers, journalists, technologists, and activists—it is part of a growing global pattern of shrinking civic space and increasing hostility toward free expression and independent civil society.

Just days before the conference was set to begin and as participants had begun to arrive in Lusaka, organizers announced that RightsCon would no longer proceed in Zambia or online after mounting political pressure and demands that would have excluded vulnerable communities and constrained discussion. The U.N.’s World Press Freedom Day, which was set to take place just prior to the conference, was scaled down in light of the events, and its press freedom prize ceremony postponed to a later date.

RightsCon has long served as one of the few truly global convenings where civil society groups, grassroots organizers, technologists, and policymakers can meet on equal footing to confront some of the most urgent human rights challenges of the digital age—from censorship and surveillance to internet shutdowns, platform accountability, and the safety of marginalized communities online. EFF has had a presence at RightsCon since its inception in 2011, and had planned to meet with and learn from international partners and present our work during several sessions in Lusaka.

The cancellation is especially devastating because of what RightsCon represents. For many advocates—particularly those from the global majority—it is not merely another conference. It is a rare opportunity to build solidarity across borders, form lasting partnerships, learn from other regions’ experiences, secure funding and support for local work, and ensure that the people most impacted by digital repression have a seat at the table. Holding the event in southern Africa carried particular significance, promising to elevate regional voices and strengthen local digital rights networks.

What happened in Zambia sends a chilling message. According to organizers and multiple reports, the pressure surrounding the event included Chinese government demands to exclude Taiwanese participants and moderate discussions around politically sensitive topics. At a moment when governments around the world are increasingly restricting protest, targeting journalists, cutting funds for human rights work, banning young people from online communities, censoring speech, and criminalizing civil society activity, the cancellation of RightsCon reflects the broader erosion of democratic space online and offline.

Organizations from the digital rights community have spoken out forcefully against the government’s cancellation of the conference, making clear that these attacks on civic participation will not pass unnoticed. Access Now described the decision as evidence of “the far reach of transnational repression targeting civil society.” Index on Censorship’s response warned that the move represents a dangerous escalation in attempts to suppress open dialogue, while IFEX rightly described the cancellation as a blow not just to one conference, but to freedom of expression and assembly everywhere.

We are also heartened to see statements from members of the international community—including Tabani Moyo, who spoke about the impact on the southern African community, and Taiwanese participant Shin Yang, who emphasized the importance of preserving spaces where marginalized communities can safely organize and speak—underscoring that attempts to silence civil society only reinforce the importance of defending open, global spaces for organizing and debate.

Even as this cancellation represents a serious setback, it is important to remember that the digital rights community has always adapted under pressure. Around the world, advocates continue to organize in increasingly difficult environments, finding new ways to connect, collaborate, and resist censorship and repression. Upcoming events like the Global Gathering and FIFAfrica—both of which EFF plans to attend—will bring together members of the community to tackle tough issues. And in the meantime, groups from all over the world are working together to incorporate global perspectives into platform regulations, oppose age verification laws, protect against surveillance, and fight internet shutdowns, among many other efforts.

RightsCon itself emerged from a recognition that defending human rights in the digital age requires international solidarity—and that need has not disappeared.

The conversations that were supposed to happen in Lusaka will continue elsewhere: in community spaces, online gatherings, encrypted chats, and future convenings yet to come. Governments may close venues, restrict participation, or attempt to narrow the boundaries of acceptable speech, but they cannot erase the global movement working to defend a free and open internet.

RightsCon will not go on in Zambia, but we remain heartened and inspired by the strength of the global digital rights community, stand with them in solidarity, and look forward to seeing our allies at the next RightsCon and other upcoming events.

Congress Narrowed the GUARD Act, But Serious Problems Remain

9 May 2026 at 01:24

Following criticism, lawmakers have narrowed the GUARD Act, a bill aimed at restricting minors’ access to certain AI systems. The earlier version could have applied broadly to nearly every AI-powered chatbot or search tool. The amended bill focuses more narrowly on so-called “AI companions”—conversational systems designed to simulate emotional or interpersonal interactions with users. 

That change does address some of the broadest concerns raised about the original proposal, though some questions about the bill’s reach remain. Bottom line: the revised bill still creates serious problems for privacy, online speech, and parental choice.

TAKE ACTION

Tell Congress: oppose the guard act

The new GUARD Act still requires companies offering AI companions to implement burdensome age-verification systems tied to users’ real-world identities. Even parents who specifically want their teenagers to use these systems would still face significant hurdles. A family might decide that a conversational AI tool helps an isolated teenager practice social interaction, or engage in harmless creative roleplay. A parent deployed in the military might set up a persistent AI storyteller for a younger child. Under the revised bill, those users could still face mandatory age checks tied to sensitive personal or financial information before they or their children can use these services.

The revised bill also leaves important definitions unclear while sharply increasing penalties for developers and companies that get those judgments wrong. Congress narrowed the GUARD Act. But it is still trying to solve a complicated social problem with vague legal standards, heavy liability, and privacy-invasive verification systems.

Intrusive Age-Verification Remains In The Bill

The revised GUARD Act still requires companies offering AI companions to verify that users are adults through a “reasonable age verification” system. The bill allows a broader set of verification methods than the earlier version, but they are still tied to a user’s real-world identity—such as financial records, or age-verified accounts for a mobile operating system or app store. 

That approach still raises serious privacy and access concerns. Millions of Americans do not have current government ID, accounts at major banks, or stable access to the kinds of digital identity systems the bill contemplates. Even for those who do, requiring identity-linked verification to access online speech tools creates real risks for privacy, anonymity, and data security. Many people are rightly creeped out by age-verification systems, and may simply forgo using these services rather than compromise their privacy and security.

The revised definition of “AI companion” is also narrower than before, but it’s unclear at the margins. The bill now focuses on systems that “engage in interactions involving emotional disclosures” from the user, or present a “persistent identity, persona or character.” 

EFF appreciates that the authors recognized that the prior definition could reach a variety of AI systems that are not chatbots, including internet search engines. But the narrowed definition could be read to also apply to a variety of chat tools that are not AI companions. For example, many modern online conversational systems increasingly recognize and respond to users’ emotions. Customer service systems, including completely human-powered ones that existed long before AI chatbots, have long been designed to recognize frustration and respond empathetically. As conversational AI becomes more emotionally responsive, a customer service chatbot’s efforts to empathize may sweep it within the bill’s definition. 

Bigger Penalties, Bigger Incentives To Restrict Access

The revised bill also sharply increases penalties. Instead of $100,000 per violation, companies—including small developers—can face fines of up to $250,000 per violation, enforced by both federal and state officials.

That kind of liability creates incentives to over-restrict access, especially for minors. Smaller developers, in particular, may decide it is safer to block younger users entirely, disable conversational features, or avoid developing certain tools at all, rather than risk severe penalties under vague standards.

The concerns driving this bill are real. Some AI systems have engaged in troubling interactions with vulnerable users, including minors. But the right answer to that is targeted enforcement against bad actors, and privacy laws that protect us all. The revised GUARD Act instead responds with a privacy-invasive system that burdens the right to speak, read, and interact online.

Congress did improve this bill, but EFF’s core speech, privacy, and security issues remain.

TAKE ACTION

Tell Congress: oppose the guard act

Free Signal Guide

8 May 2026 at 19:23

EFF friend Guy Kawasaki* has written a book: Everybody Has Something to Hide: Why and How to Use Signal to Preserve Your Privacy, Security, and Well-Being. This guide is now available in Spanish and English as an ebook in the EPUB format that you can download here. Take a look and consider sharing it with anyone who you know who uses (or should use) Signal. 

And don't forget: EFF has two short guides on using Signal on our Surveillance Self-Defense site. An intro How to Use Signal guide, and a guide on Managing Signal Groups. 

Everybody Has Something to Hide: Why and How to Use Signal to Preserve Your Privacy, Security, and Well-Being courtesy of Guy Kawasaki. 

*Guy Kawasaki is an EFF donor.

The SECURE Data Act is Not a Serious Piece of Privacy Legislation

6 May 2026 at 16:38

The federal SECURE Data Act is not a serious consumer privacy bill, and its provisions—if enacted—would be a retreat from already insufficient state protections.

Republicans on the House Energy and Commerce Committee released a draft of the bill late last month without bipartisan support. The bill is weaker than congressional proposals in prior years, as well as most of the 21 state consumer privacy laws already on the books.

The bill could wipe out hundreds of  state privacy protections.

Most troubling for EFF: the bill would preempt dozens, if not hundreds, of state laws that regulate related topics, and it would not allow consumers to sue to protect their own rights (commonly called a private right of action). And it comes nowhere close to banning online behavioral advertising—a practice that fuels technology companies’ always increasing hunt for personal data.

The bill also suffers from many other flaws including weak opt-out defaults, inadequate data minimization requirements, and large definitional loopholes for companies.

Key Provisions

The bill would give consumers some rights to take action to control their personal data— like access, correction, deletion, and limited portability. These rights have become standard in all data privacy proposals in recent years.

The bill would also require companies to obtain your consent before processing your sensitive data, or using any of your personal data for a previously undisclosed purpose. Absent your consent, a company couldn’t do these things.

Further, the bill would allow you to opt out of (1) targeted third-party advertising, (2) the sale of your personal data, and (3) profiling of you that has a legal, healthcare, housing, or employment effect. Unfortunately, a company could keep doing these invasive things to you, unless you opted out.

The bill would also require data brokers that make at least 50 percent of their profits from the sale of personal data to register in a public database maintained by the Federal Trade Commission (FTC).

Preemption of Too Many State Laws

Federal privacy laws should allow states to build ever stronger rights on top of the federal floor. Many federal privacy laws allow this, including the Health Insurance Portability and Accountability Act, the Video Privacy Protection Act, and the Electronic Communications Privacy Act.

The SECURE Data Act would not do that. Instead, it would wipe out dozens, if not hundreds, of existing state privacy protections. Section 15 of the bill would preempt any “law, rule, regulation, requirement, standard, or other provision [that] relates to the provisions of this Act.” This would kill the 21 state consumer privacy laws passed in the past few years. These state bills aren’t strong enough, but they are still better than this federal proposal. For example, California maintains a data broker deletion tool and requires companies to comply with automatic opt-out signals—including one that is built into EFF’s Privacy Badger.

Because the SECURE Data Act has provisions that relate to data privacy and security, it could preempt all 50 state data breach laws and many others. It could also preempt state laws related to specific pieces of sensitive data, like bans on the sale of biometric or location information. Some states like California have constitutional provisions that protect an individual’s right to privacy, which can be enforced against companies. That constitutional provision, as well as state privacy torts, could also be in danger if this bill passed.

No Private Enforcement, A New Cure Period, and Vague Security Powers

Strong consumer privacy laws should allow consumers to take companies to court to defend their own rights. This is essential because regulators do not have the resources to catch every violation, and federal consumer enforcement agencies have been gutted during the current administration.

The SECURE Data Act does not have a private right of action. The FTC, along with state attorneys general, have primary enforcement authority. The law also gives companies 45 days to “cure” any violation with no penalty after they are caught.

Moreover, Section 8 of the bill creates a vaguely defined self-regulatory scheme in which companies can apply to be audited by an “independent organization” that will apply a “code of conduct.” Following this code of conduct would give companies a presumption that they are complying with the law. This provision is an implicit acknowledgement that the bill does not provide regulators with any new resources to enforce new protections.

Section 9 of the bill would give the Secretary of Commerce broad power to “take any action necessary and appropriate to support the international flow of personal data,” including assessing “security interests of the United States.” The scope of this amorphous provision is unclear, but it likely does not belong in a consumer protection bill.

Weak Privacy Defaults

Your online privacy should not depend on whether you have the time, patience, and knowledge to navigate a website and turn off invasive tracking. Good privacy laws build in data minimization requirements—meaning there should be a default standard that prevents companies from processing your data for purposes that are not needed to provide you with the service you asked for.

The SECURE Data Act puts the burden on you to opt out of invasive company practices, like targeted third-party advertising, the sale of your personal data, and profiling. The bill at least requires companies to obtain your consent before processing your sensitive data (like selling your precise location). These consent requirements, however, are often an invitation for companies to trick you into clicking a button to give away your rights in hard-to-read policies. Indeed, few people would knowingly agree to let a company sell their personal data to a broker who turns around and sells it to the government.

Section 3 of the bill uses the term “data minimization,” but it is done in name only. The provision does not limit a company’s processing of data to only what is necessary to provide the customer with the good or service they asked for. Instead, the provision limits processing of data to only what a company “disclosed to the customer”—meaning if it is in the confusing privacy policy that nobody reads, it is okay.

And the bill would not even allow you to restrict certain uses of your data. As companies seek more data for AI systems, many internet users do not want their private personal data to be used to train those models. However, the bill makes clear that “nothing in this Act may be construed to restrict” a company from collecting, using, or retaining your data to “develop” or “improve” a new technology.

Other Flawed Definitions and Loopholes

The bill has numerous loopholes that technology companies would exploit if the bill were to become law. Below is just a sampling:

  • Government contractors: Under Section 13(b)(2), government contractors are exempt from the bill, which could be wrongly interpreted to exempt certain data brokers from sale restrictions when those sales are made to the government. This type of exemption could benefit surveillance companies like Clearview AI, which previously argued it was exempt from Illinois’ strict biometric law using a similar contractor exception. This is likely not the authors’ intention, since the definition of sale includes those made “to a government entity.”
    Sale definition: The definition in Section 16(28) is defined too narrowly. A sale should mean any exchange for monetary “or other valuable” consideration, as in some other privacy laws.
  • Biometric information definition: The definition in Section 16(4) excludes data generated from a photo or video, and the definition excludes face scans not meant to “identify a specific individual.” This could be wrongly interpreted to allow biometric identification from security camera footage, or biometric use for sentiment or demographic analysis.
  • Personal data definition: The definition in Section 16(21) exempts “de-identified data” from the definition of personal data, which could allow companies to do anything with de-identified data because that data is not protected by the law. The problem with de-identified data is that many times it is not.
  • Deletion requests: With regard to data that a company obtained from a third-party, Section 2(d)(5) would treat a consumer’s deletion request merely as an opt-out request. And even if a customer requested deletion, a company might be able to retain the data for research purposes under section 11(a)(9)(A).
  • Profiling definition: Under the definition in Section 16(25), companies could profile so long as the profiling is not “solely automated.” The flimsiest human review would exempt highly automated profiling.

Congress is long overdue to enact a strong comprehensive consumer data privacy law, and we have sketched what it should look like. But the SECURE Data Act is woefully inadequate. In fact, it would cause even more corporate surveillance of our personal information, by wiping out state laws that are more protective than this federal bill. Even worse, this bill would block state legislatures from protecting their residents from the privacy threats of tomorrow that are unforeseeable today. 

EFF and 18 Organizations Urge UK Policymakers to Prioritize Addressing the Roots of Online Harm

5 May 2026 at 12:41

EFF joins 18 organizations in writing a letter to UK policymakers urging them to address the root causes of online harm—rather than undermining the open web through blunt restrictions.

The coalition, which includes Mozilla, Tor Project, and Open Rights Group, warns that proposed measures following the passage of the Children’s Wellbeing and Schools Bill risk fundamentally reshaping the internet in harmful ways. Chief among these proposals are sweeping age-gating requirements and access restrictions that would apply not only to young people, but effectively to all users.

While framed as efforts to protect children online, these policies rely heavily on age assurance technologies that are either inaccurate, privacy-invasive, or both. As the letter notes, mandating such systems across a wide range of services—from social media and video games to VPNs and even basic websites—would force users to verify their identity simply to access the web. This creates serious risks, including expanded surveillance, data breaches, and the erosion of anonymity.

Beyond privacy concerns, the signatories argue that these measures threaten the core architecture of the open internet. Age-gating at scale could fragment the web into a patchwork of restricted jurisdictions, limit access to information, and entrench the dominance of powerful gatekeepers like app stores and platform ecosystems. In doing so, policymakers risk weakening the very qualities—interoperability, accessibility, and openness—that have made the internet a global public resource.

The letter also emphasizes what’s missing from the current policy approach: meaningful efforts to address the underlying drivers of online harm. Many digital platforms are designed to maximize engagement and profit through pervasive data collection and targeted advertising, often at the expense of user safety and autonomy. Rather than imposing access bans, the coalition calls on UK policymakers to hold companies accountable for these systemic practices and to prioritize user rights by design.

Importantly, the signatories highlight that the internet remains a vital space for young people: offering access to information, support networks, and opportunities for expression that may not exist offline. Policies that restrict access risk cutting off these lifelines without meaningfully reducing harm.

The message is clear: protecting users online requires more than heavy-handed restrictions. It demands thoughtful, rights-respecting policies that tackle the business models and design choices driving harm, while preserving the open, global nature of the web.

EFF Submission to UK Consultation on Digital ID

4 May 2026 at 20:35

Last September, the United Kingdom’s Prime Minister Keir Starmer announced plans to introduce a new digital ID scheme in the country. The scheme aims to make it easier for people to prove their identities by creating a virtual ID on personal devices with information like names, date of birth, nationality or residency status, and a photo to verify their right to live and work in the country. 

Since then, EFF has joined UK-based civil society organizations in urging the government to reconsider this proposal. In one joint letter from December, ahead of Parliament’s debate around a petition signed by 2.9 million people calling for an end to the government’s plans to roll out a national digital ID, EFF and 12 other civil society organizations wrote to politicians in the country urging MPs to reject the Labour government’s proposal.

Nevertheless, politicians have continued to explore ways to build out a digital ID system in the country, often fluctuating between different ideas and conceptualisations for such a scheme. In their search for clarity, the government launched a consultation, Making public services work for you with your digital identity,’ seeking views on a proposed national digital ID system in the UK. 

EFF submitted comments to this consultation, focusing on six interconnected issues:

  1. Mission creep
  2. Infringements on privacy rights 
  3. Serious security risks
  4. Reliance on inaccurate and unproven technologies
  5. Discrimination and exclusion
  6. The deepening of entrenched power imbalances between the state and the public.

Even the strongest recommended safeguards cannot resolve these issues, and the fundamental core problem that a mandatory digital ID scheme that shifts power dramatically away from individuals and toward the state. They are pursued as a technological solution to offline problems but instead allow the state to determine what you can access, not just verify who you are, by functioning as a key to opening—or closing—doors to essential services and experiences. 

No one should be coerced—technically or socially—into a digital system in order to participate fully in public life. It is essential that the UK government listen to people in the country and say no to digital ID. 

Read our submission in full here.

Getting Digital Fairness Right: EFF's Recommendations for the EU's Digital Fairness Act

4 May 2026 at 17:33

Digital Fairness in the EU

The next few years will be decisive for EU digital policymaking. With major laws like the Digital Services Act, the Digital Markets Act, and the AI Act now in place, the EU is entering an enforcement era that will show whether these rules are rights-respecting or drift toward overreach and corporate control. With the proposed EU’s Digital Fairness Act (DFA), the Commission is now turning to increasingly visible risks for users, such as dark patterns and exploitative personalization. Its “Digital Fairness Fitness Check” makes clear that existing consumer rules need updating to reflect how digital markets operate today.

But not all proposed solutions point in the right direction. Regulators are already flirting with measures that rely on expanded surveillance, such as age verification mandates—surface-level fixes that risk undermining fundamental rights while offering little more than a false sense of protection.

For EFF, digital fairness means addressing the root causes of harm, not requiring platforms to exert more control over their users. It means safeguarding privacy, freedom of expression, and the rights of users and developers.

If the DFA is to make a real difference, it must tackle structural imbalances. Lawmakers should focus on two interlocking principles. First, prioritize privacy. Reforms should address harms driven by surveillance-based business models, alongside deceptive design practices that impair informed choices. Second, strengthen user sovereignty, which is also a necessary precondition for European digital sovereignty more broadly. Strengthening user sovereignty means taking measures that address user lock-in, coercive contract terms, and manipulative defaults that limit users’ ability to freely choose how they use digital products and services.

Together, these principles would support the EU’s objectives of consistent consumer protection, fair markets, and a more coherent legal framework. If implemented properly, the EU could address power imbalances and build trust in Europe’s digital economy.

Ban Dark Patterns

Dark patterns are practices that impair users’ ability to make informed and autonomous decisions. Many companies deploy these tactics through interface design to steer choices and influence behavior. Their impact goes beyond poor consumer decisions. Dark patterns push users to share personal data they would not otherwise disclose and undermine autonomy by making alternatives harder to access.

The DFA should address this by clearly prohibiting misleading interfaces that distort user choice in commercial contexts. While the Digital Services Act introduced a definition, it only partially bans such practices and leaves gaps across existing consumer law rules. The DFA should close these gaps by, at the very least, introducing explicit prohibitions and clearer enforcement rules, without resorting to design mandates.

Tackle Commercial Surveillance

At the core of digital unfairness lies the pervasive collection and use of personal data. Surveillance and profiling drive many of the harms regulators are trying to address, from dark patterns to exploitative personalization. The DFA should tackle these incentives directly by reducing reliance on surveillance-based business models. These practices are fundamentally incompatible with privacy and fairness, and they distort digital markets by rewarding data exploitation rather than quality of service. At a minimum, the DFA should address unfair profiling and surveillance advertising by strengthening privacy rights and banning pay-for-privacy schemes. Users should not have to trade their data or pay extra to avoid being tracked. Accordingly, the DFA should support the recognition of automated privacy signals by web browsers and mobile operating systems, which give users a better way to reject tracking and exercise their rights. Practices that override such signals through banners or interface design should be considered unfair.

Addressing surveillance and profiling also protects children, since many online harms are tied to the collection and exploitation of their data. Systems that serve ads or curate content often rely on intrusive profiling practices, raising concerns about privacy and fairness, particularly when applied to minors. Rather than turning to invasive age verification, the focus should be on limiting data use by default.

Strengthen User Sovereignty

There is a major gap in how EU law addresses user autonomy in digital markets: many digital products and services still restrict what people can do with what they pay for through opaque or one-sided licensing terms, technical protection measures, and remote controls. These mechanisms increasingly limit lawful use, modification, or access after purchase, allowing providers to revoke access, disable functionalities, or degrade performance over time. In practice, this turns ownership into a conditional rental.

Consumers must be able to use and resell digital goods without hidden limitations and with clear licensing terms. Too often, technical and contractual lock-ins, including remote lockouts and unilateral restrictions on functionality, erode that control. Recent legal reforms show that progress is possible. Rules such as those under the Digital Markets Act have begun to curb technical and contractual barriers and promote user choice. However, many restrictions persist.

The DFA must address these practices by targeting unfair post-sale restrictions and strengthening users’ ability to control and switch services. This means setting clear limits on unfair terms and misleading practices, alongside robust transparency on how digital services function over time. It should also strengthen interoperability and support user control, allowing people to access third-party applications and to let trusted applications act on their behalf, reducing lock-in and expanding meaningful choice in how users interact with digital services.

Stop New York's Attack on 3D Printing

16 April 2026 at 22:31

New York's proposed 2026-2027 budget currently includes provisions that will require all 3D printers sold in the state to run print-blocking censorware—software that surveils every print for forbidden designs. This policy would also create felony charges for possessing or sharing certain design files. The vote on the state budget could happen as early as next week, so New Yorkers need to act fast and demand that their Assemblymembers and Senators strip this provision from the budget.

Take action

Tell Your Representative to Stand with Creators

State legislators across the US are rushing to regulate 3D-printed firearms under the syllogism something must be done; there, I've done something.” The most reckless of these proposals is a mandate for manufacturers to implement print blocking on all 3D printers. We, and other experts, have already pointed out that this algorithmic print blocking is simply unfeasible and will only serve to stifle competition, free expression, and privacy. While most detrimental to the creative communities lawfully using these printers, every New Yorker will be impacted by this blow to innovation.

This policy is unfortunately buried in Part C of the New York State’s proposed budget for the 2026-2027 fiscal year (S.9005 / A.10005), which is urgently moving toward a vote after facing extensive delays. It’s also bundled with a policy that would allow felony charges to be brought against researchers and journalists for sharing design files restricted by the state.  The worst of these impacts won’t be known until after it is negotiated behind closed doors, with no safeguards for creative expression or privacy.

Researchers and Journalists Could Face Felony Charges

Part C Subpart A of the budget includes two particularly concerning provisions: §2.10 and 2.11. These threaten Class E felony charges for distributing or possessing 3D-printer files that would produce firearm parts with a 3D printer or CNC machine. 

Under these provisions merely sharing a print file with any of them could result in criminal charges

The first provision, 2.10, makes it a felony to sell or distribute files that can produce major firearm components to someone who is not a federally and NY-licensed gunsmith. Under 2.11, it’s also a felony to possess these files if you intend to illegally print a firearm or share them with someone you believe is not permitted to own or smith a firearm.

A journalist reporting on 3D-printed guns. A researcher studying printable firearms. An artist incorporating parts into a new work commenting on gun culture. Under these provisions merely sharing a print file with any of them could result in criminal charges, even if no one involved intends to assemble a firearm.

Criminalizing information doesn’t work. Someone intent on illegally printing a firearm is already subject to charges for that act. Adding felony liability for simply possessing a file or design piles on additional charges while doing nothing to stop printing. New charges for someone distributing these files won’t make them inaccessible to lawbreakers, but they will have a chilling effect on legitimate and entirely legal work. 

Unsurprisingly, a similar law was proposed and subsequently scrapped in Colorado due to First Amendment concerns. We recommend New York do the same.

Take action

Tell Your Representative to Stand with Creators

Mandated Surveillance, Less Access

Part C Subpart B would require every 3D printer and CNC machine sold in New York to include algorithms that scan your design files and block prints the system identifies as producing firearm components. Furthermore, all sales and deliveries of these machines must be made face-to-face. 

Unlike other bills we have seen, there are no exceptions to this mandate. These restrictions apply to sales to researchers, commercial manufacturers, and—oddly enough—federally and state-licensed gunsmiths.

Applying these restrictions to CNC machine sellers is particularly absurd. These cousins of 3D printers, which make 3D objects by removing materials, are often tens of thousands of dollars and used by commercial manufacturers. Automotive, aerospace, medical manufacturers, and many others industries will be subject to the in-person sales, surveillance risk, and all the other problems with these print-blocking algorithms introduce.

Industries will be subject to the in-person sales, surveillance risk, and all the other problems

Even limiting the focus to individual buyers—hobbyists and artists who use these machines at home—this restriction to face-to-face sales comes with its own issues. Beyond unnecessarily complicating the use of printers in the state, this barrier to access will hit rural New Yorkers the hardest. People in rural or remote locations can stand to benefit from the saved time and costs of printing useful parts at home. With this restriction, they will need to drive to one of the few retailers who actually sell this equipment and settle for the models they stock. 

That is, if sellers continue to stock these printers despite the risk. Subpart B §§ 2.3 and 2.5 open sellers up to liability, including anyone on the second-hand market, for selling out-of-date printers. Meanwhile, buyers hoping to illegally print firearms can simply build their own printer with widely available equipment.

The Law Won’t Work as Advertised 

Here’s what makes Subpart B of the New York budget particularly reckless: the technology it mandates is not capable of doing what it is supposed to. 

There is very little detail provided about requirements for the mandated algorithms. What the bill does outline boils down to this: the algorithms must evaluate print files to determine whether they would produce a firearm or illegal firearm parts, and if so, block the print. In an attempt to enable this, New York state would also create and maintain a library of forbidden files with tightly restricted access. 

We’ve already gone over why this idea simply won’t work. Design files are trivially easy to modify, split into segments, or otherwise alter to evade pattern detection. Even if printers fully rendered and analyzed the print with cloud-based AI, any number of design or post-print tricks can be used to dodge detection. Meanwhile, such fuzzy AI interpretation will rapidly increase the percentage of lawful prints censored. 

Firearms aren’t a highly specific design like paper currency; these proposed algorithms are futilely attempting to block an infinite number of designs capable of—or that can be made capable of—the few simple mechanical functions that make up a firearm. 

This group has no peer review requirements, so it could easily be loaded with profiteers or incumbent manufacturers

As we’ve said before: the internet always routes around censorship. Anyone determined to print a prohibited object has straightforward workarounds. The people who get surveilled and blocked are the people trying to follow the law.

The bill aims to enforce this impossible mandate by creating a working group to define the actual technical requirements of enforcement—but only after the law passes. This group has no peer review requirements, so it could easily be loaded with profiteers or incumbent manufacturers who are already lining up to participate. These incumbents stand to profit from shutting out new competitors and locking in users to their devices, and sellers into their platform, subjecting both to the type of enshittification seen with Digital Rights Management (DRM) software. There are also no safeguards in the law to prevent the most surveillance-heavy approaches to print scanning, or to stop this censorship infrastructure from being further weaponized against lawful speech.

On the other hand, unbiased experts in open-source manufacturing in the working group can at best pause the clock by showing such algorithms are unfeasible. That is, until a new snake oil company comes along to restart it. 

New York Won't Be the Last Stop 

New York is one of the largest consumer markets in the country. When it mandates a feature in hardware, manufacturers hardly ever build a New York-only version. They build the New York version and sell it globally. A print-blocking mandate adopted in New York will become the national standard in practice.

New Yorkers deserve more than this rush job buried in a budget bill. This is an unfeasible tech solution, built without the consumer protections that would be required of any serious policy proposal, and creates new costs and inconveniences amidst a protracted annual budget process. It also threatens First Amendment protections. This policy will take shape without consumer guardrails, behind closed doors, and risks the worst outcomes for grassroots innovation and creativity enabled by these machines. Worse still, these practices can become the norm across other states and among 3D-printer manufacturers worldwide. 

Your representatives could vote on this ill-conceived measure in the next week.  If you're a New Yorker, email your legislators now, and tell them to strip this measure from the budget today. 

Take action

Tell Your Representative to Stand with Creators

Google Broke Its Promise to Me. Now ICE Has My Data.

14 April 2026 at 18:01

In September 2024, Amandla Thomas-Johnson was a Ph.D. candidate studying in the U.S. on a student visa when he briefly attended a pro-Palestinian protest. In April 2025, Immigration and Customs Enforcement (ICE) sent Google an administrative subpoena requesting his data. The next month, Google gave Thomas-Johnson's information to ICE without giving him the chance to challenge the subpoena, breaking a nearly decade-long promise to notify users before handing their data to law enforcement. 

Google names a handful of exceptions to this promise (such as if Google receives a gag order from a court) that do not apply to Thomas-Johnson's case. While ICE “requested” that Google not notify Thomas-Johnson, the request was not enforceable or mandated by a court. Today, the Electronic Frontier Foundation sent complaints to the California and New York Attorneys General asking them to investigate Google for deceptive trade practices for breaking that promise. You can read about the complaints here. Below is Thomas-Johnson's account of his ordeal. 

Out of touch but not out of reach 

I thought my ordeal with U.S. immigration authorities was over a year ago, when I left the country, crossing into Canada at Niagara Falls.  

A photo of Amandla Thomas-Johnson

By that point, the Trump administration had effectively turned federal power against international students like me. After I attended a pro-Palestine protest at Cornell University—for all of five minutes—the administration’s rhetoric about cracking down on students protesting what we saw as genocide forced me into hiding for three months. Federal agents came to my home looking for me. A friend was detained at an airport in Tampa and interrogated about my whereabouts. 

I’m currently a Ph.D. student. Before that, I was a reporter. I’m a dual British and Trinadad and Tobago citizen. I have not been accused of any crime. 

I believed that once I left U.S. territory, I had also left the reach of its authorities. I was wrong. 

The email

Weeks later, in Geneva, Switzerland, I received what looked like a routine email from Google. It informed me that the company had already handed over my account data to the Department of Homeland Security. 

At first, I wasn’t alarmed. I had seen something similar before. An associate of mine, Momodou Taal, had received advance notice from Google and Facebook that his data had been requested. He was given advanced notice of the subpoenas, and law enforcement eventually withdrew them before the companies turned over his data. 

Google had already disclosed my data without telling me.

I assumed I would be given the same opportunity. But the language in my email was different. It was final: “Google has received and responded to legal process from a law enforcement authority compelling the release of information related to your Google Account.” 

Google had already disclosed my data without telling me. There was no opportunity to contest it. 

Google’s broken promise

To be clear, this should not have happened this way. Google promises that it will notify users before their data is handed over in response to legal processes, including administrative subpoenas. That notice is meant to provide a chance to challenge the request. In my case, that safeguard was bypassed. My data was handed over without warning—at the request of an administration targeting students engaged in protected political speech. 

Months later, my lawyer at the Electronic Frontier Foundation obtained the subpoena itself. On paper, the request focused largely on subscriber information: IP addresses, physical address, other identifiers, and session times and durations. 

But taken together, these fragments form something far more powerful—a detailed surveillance profile. IP logs can be used to approximate location. Physical addresses show where you sleep. Session times would show when you were communicating with friends or family. Even without message content, the picture that emerges is intimate and invasive.  

State power meets private data

What this experience has made clear is that anyone can be targeted by law enforcement. And with their massive stores of data, technology companies can facilitate those arbitrary investigations. Together, they can combine state power, corporate data, and algorithmic inference in ways that are difficult to see—and even harder to challenge. 

The consequences of what happened to me are not abstract. I left the United States. But I do not feel that I have left its reach. Being investigated by the federal government is intimidating. Questions run through your head. Am I now a marked individual? Will I face heightened scrutiny if I continue my reporting? Can I travel safely to see family in the Caribbean? 

Who, exactly, can I hold accountable?

Update: This post has been updated to include more information about Google's exceptions to their notification policy, none of which applied to the subpoena targeting Thomas-Johnson.

Digital Hopes, Real Power: How the Arab Spring Fueled a Global Surveillance Boom

8 April 2026 at 10:22

This is the third installment of a blog series reflecting on the global digital legacy of the 2011 Arab uprisings. You can read the first post here, and the second here.

When people recall the 2011 uprisings across the Middle East and North Africa (MENA), they often picture crowded squares, raised phones, and the feeling that the internet had finally shifted the balance of power toward ordinary people. But the past decade and a half is also a story about how governments, companies, and platforms turned those same tools into the backbone of a powerful state surveillance apparatus.

For activists, journalists, everyday users, that means now living with a constant threat. The phone in your pocket, the platforms you organize on, and the systems you rely on for safety and connection can be weaponized at the flip of a switch. A global surveillance industry has treated repression by many MENA governments as a growth opportunity, and the tactics refined there now shape digital authoritarianism worldwide. This essay traces how that shift unfolded: security agencies upgraded older systems of repression with new surveillance tools and permanent monitoring infrastructure; cybercrime laws and mercenary spyware markets turned digital control into standard operating procedure; and biometrics, facial recognition, and ‘smart city’ projects laid the groundwork for AI‑driven surveillance that now shapes protests, borders, and everyday life far beyond the region. 

Remembering the Arab Spring means seeing the events of 2011 as both a remarkable moment of movement history when people leveraged networked tools in their fight for freedom and the beginning of a long, grinding effort to turn those same tools into mechanisms of state control.

Old‑School Repression, New‑School Tools

Long before Facebook and Twitter, regimes in countries like Egypt and Syria already knew how to crush dissent. They leaned on informant networks, physical surveillance, and wiretaps, backed by emergency laws that let security agencies monitor and detain critics with almost no restraint. Research on the use of surveillance technology in MENA shows that, even before the Arab Spring, states were layering early digital tools like internet monitoring, deep packet inspection, and interception centers on top of that older machinery of control.

At the same time, connectivity was racing ahead. Cheap smartphones and social media suddenly let people share information at scale, coordinate protests, and broadcast abuses in real time. In 2011, EFF described both the excitement around “Facebook revolutions” and the early signs that governments were scrambling to upgrade their capacity to watch and disorganize popular dissent.

After the uprisings, Western critics endlessly debated how much credit to give social media itself. While in the background, security agencies across several MENA states reached a much simpler conclusion: if networked communication can help topple a dictator, then they needed to embed themselves deep inside those networks. Analyses of the rise of digital authoritarianism in MENA show how quickly officials pivoted from being surprised by online organizing to building systems to monitor and pre‑empt it.

In the years after 2011, governments across the region poured money into tools that let them systematically watch what people said and did on major platforms. Foreign vendors set up monitoring centers and interception systems that let security agencies block tens of thousands of sites, scrape and analyze social media at scale, monitor activist pages and online communities, and track activists in real time. They built a new, pre‑emptive model of digital control, one that assumes the state should see as much as possible, as early as possible.

As we noted in 2011, exporting permanent surveillance infrastructure to already‑abusive governments doesn’t “modernize” public safety; it locks in an architecture of control that is primed to abuse dissidents, journalists, and marginalized communities.

Domestic Lawfare and Cyber-Mercenaries

After the uprisings, a number of governments also rewrote the rules that govern online life. Cybercrime laws, “fake news” provisions, and overbroad public‑order and ‘morality’ offences gave prosecutors and security agencies legal cover to act with impunity. Governments in Saudi Arabia, Tunisia, Jordan, and Egypt combined counterterrorism, cybercrime, defamation, and protest laws into a legal thicket designed to make online dissent feel dangerous and costly. Morality laws and cybercrime provisions are used to target queer and trans people based on identity and expression.​

At the United Nations, a new global cybercrime convention now risks baking this logic into international law. The convention was adopted by the UN General Assembly in late 2024, despite serious human rights concerns raised by civil society. Echoing our partners, EFF warned at the time that the UN cybercrime draft convention remained too flawed to adopt and urged states to reject the draft language because it legitimized expansive surveillance powers and criminalized legitimate expression, security research, and everyday digital practices around the world. While on paper, these instruments gesture to “public safety” objectives, in practice they function as pathways for state security agencies to monitor, prosecute, and silence the communities most at risk. For state-targeted communities, that makes being visible online a calculated risk, not a neutral choice.​​

Criminal codes are only half the story; mercenary tech is the other. As governments worldwide looked for ways to outpace their critics, a parallel market emerged to help them infiltrate and take over devices. Companies like NSO Group marketed Pegasus and similar tools as off‑the‑shelf capabilities for governments that wanted to hack a target’s cellphones or other devices to read messages, turn on microphones, and monitor entire social networks while bypassing the courts. 

In 2019, UN Special Rapporteur David Kaye called for a global moratorium on the sale and transfer of private surveillance tools until real, enforceable safeguards exist. Two years later, forensic work by Amnesty and media partners showed how the same spyware used to hack phones of Palestinian human‑rights defenders was used to surveil journalists, activists, lawyers, and political opponents across dozens of countries

Regional groups responded by demanding an end to the sale of surveillance technology to autocratic governments and security agencies, arguing that you cannot keep selling “lawful intercept” tools into systems where law itself is an instrument of repression. Commercial spyware is at the center of digital repression, not at its margins. Surveillance vendors are not neutral suppliers. Safeguards remain weak, fragmented, or nonexistent in most of the countries buying these tools, yet vendors continue seeking new contracts and new militarized “use cases.” Put bluntly, the companies that design, market, and maintain these systems precisely because they enable this kind of control profit from (and help entrench) authoritarian power.

Biometrics, Facial Recognition, and AI‑Powered Surveillance Cities

On top of this rapidly intensifying interception and spyware stack, governments and companies began layering biometrics and face recognition into everyday systems, creating pathways for bulk data collection, automated analysis, and risk profiling. In parts of MENA, national ID schemes, border and migration controls, and centralized biometric databases have been rolled out in environments with weak or captured data‑protection laws, making it easy to link people’s movements, services, and political activity to a single, persistent identifier.​

Humanitarian programs are not exempt from this protocol. In Jordan, Syrian refugees have been required to submit iris scans and biometric data to access cash assistance and food, turning “consent” into a precondition for survival. When access to aid depends on enrollment in centralized biometric systems, any breach, misuse, or repurposing of that data can have severe, life‑altering consequences for people who have no realistic way to opt out. Investigations into surveillance‑tech firms complicit in abuses in MENA show that vendors profit from supplying biometric and surveillance tools for migration management and internal security, even when those tools are used in discriminatory or abusive ways.​

Like elsewhere, mass surveillance technologies in MENA were first piloted on people who were already criminalized or made vulnerable by poverty. But their use quickly expanded from narrow, security‑framed deployments to routine use in city streets. As hardware sensors, cameras, and data storage got cheaper, “smart city” surveillance systems promised seamless security and services, and it became easier and less politically contentious to keep these systems running everywhere, all the time.​

Unlike targeted hacking tools, these broad, city‑wide surveillance infrastructures erase any practical line between people under investigation and the broad public, normalizing bulk, indiscriminate monitoring of public space and everyday movement. In the Gulf, facial recognition and dense sensor networks are increasingly built into high‑profile “smart city” and mega‑project plans that lean heavily on biometric and AI‑driven monitoring. These are security‑first development projects where biometric and sensor infrastructures are designed from the outset to embed policing, migration control, and commercial tracking into the urban fabric. In this vision of the Gulf’s “smart city” future—often sold as seamless services and digital opportunity—“smart” is the branding, and pervasive monitoring is the operating principle.​​

EFF has consistently opposed government use of face recognition and biometric surveillance, in some instances calling for outright bans. In contexts that treat peaceful dissent as a security threat, embedding biometric surveillance into everyday infrastructure locks in a balance of power that favors militarized policing and state control. That infrastructure is now the starting point for a new set of risks. Surveillance systems built over the last decade are being repackaged as the foundation for a new generation of “AI‑enabled” defense and security products. 

Companies that once focused on video management or perimeter security now advertise “defense applications” for AI‑driven situational awareness and threat detection, using computer‑vision models to scan camera feeds, compare against existing watchlists, and flag “suspicious” people or behaviors in real time. Drone and sensor platforms are being upgraded with embedded AI that tracks and classifies targets autonomously and with “drone‑based AI threat detection and intelligent situational awareness,” turning aerial surveillance into a continuous data feed for security agencies and militaries. In smart‑city and defense expos from the Gulf to Europe and North America, similar systems are marketed as neutral efficiency upgrades or tools to “protect critical infrastructure,” even where they are explicitly designed to scale up border enforcement, protest surveillance, and internal security operations.

As these systems are folded into AI‑driven defense products, the line between “civilian” infrastructure and militarized surveillance disappears, turning streets, borders, and aid sites into continuous input for security operations. That is the landscape that human rights and accountability efforts now have to confront.

Templates of Control, Networks of Resistance

The patterns established in heavily securitized MENA states after the Arab Spring now shape how states monitor and crush more recent uprisings, from Iran’s use of location data and facial recognition to track down protesters to long‑running crackdowns elsewhere in the region. This model of “digital authoritarianism” built on spyware, data‑hungry ID systems, platform control, and emergency‑style security laws has emerged everywhere from Latin America to Eastern Europe to here in the United States. As the new UN Cybercrime Convention moves toward implementation, its broad offences and surveillance powers risk turning this ad hoc toolkit into a formal template for cross‑border data‑sharing, repression, and an all‑purpose global surveillance instrument.

For people on the ground, none of this is theoretical. Human‑rights defenders, journalists, and ordinary users across the region face arrest, long prison sentences, and exile based on their digital traces. In that context, commercial spyware is not a marginal issue but part of the core machinery of repression. Pegasus has been used to hack journalists’ phones through zero‑click exploits and compromise human‑rights defenders and watchdog organizations themselves, including staff at Amnesty’s Pegasus Project partners and Human Rights Watch. These deployments give practical effect to the “cybercrime” and “terrorism” frameworks described earlier: person‑by‑person campaigns against particular communities, contacts, and networks, rather than “neutral,” generalized security measures.

Under these conditions, everyday security becomes a second job. People describe carrying multiple phones, keeping one for relatively “clean” uses and others for riskier conversations, splitting identities across platforms, using coded language, and moving their organizing off mainstream services when possible. Pushing this burden onto users is a political choice: states, platforms, and vendors could build systems that are safe by design; instead, they externalize risk to the people they watch and punish.

Even against that backdrop, civil society organizations have refused to capitulate to security agencies and vendors. Regional coalitions have demanded strict export controls and outright bans on selling intrusive surveillance tech to autocratic governments. Advocates have also pushed companies to do more than box‑ticking “due diligence.” Work with surveillance‑tech firms in the context of migration and border control has repeatedly shown that most are still far from serious human‑rights assessments, let alone willing to turn down these lucrative contracts.

Many of the same governments that have been critical of others on the issue of human rights have hosted or licensed companies that build these tools, in some cases buying similar capabilities for their own security agencies. European authorities, for instance, have investigated FinFisher’s export of spyware “made in Germany” to Turkey and other non‑EU governments. Meanwhile, the NSO Group has at least 22 Pegasus contracts with security and law‑enforcement agencies in 12 EU countries. This is a transnational industry, not a localized problem.

Against near impossible odds, people continue finding pathways to freedom. The global surveillance sector reinforces the same hierarchies and violence that people have found ways to survive for generations. Queer activists and others at the sharpest edges of this system have had to develop their own forms of resistance, including against biometric and data‑driven targeting. Encryption, circumvention tools, and security training are not silver bullets, but they remain essential for anyone trying to organize, document abuses, or simply exist online with a bit less risk. Resources like EFF’s Surveillance Self‑Defense are one piece of that ecosystem, alongside trainers and groups who have been doing this work on the ground for years.​

Defending the Future of Digital Dissent

The Arab Spring is often remembered through images of packed squares and hopeful tweets. But contending with its aftermath means confronting the surveillance architecture built in its shadow: laws that turn online speech into a crime, spyware and biometric systems that turn phones and faces into tracking beacons, and platform practices that routinely sacrifice the people most at risk. None of that is inevitable, and none of it is confined to one part of the world.

Accountability has to reach both governments and the companies that profit from arming them with these tools. That means pushing for far stronger limits on how surveillance tech is built, sold, and deployed; demanding meaningful transparency when these systems are used; and defending the tools people rely on to communicate and organize safely, including robust encryption and secure channels. It also means taking direction from the people and communities who have been navigating and resisting this landscape for years.

Surveillance itself is transnational: tools, playbooks, and data moves across borders as easily as money. And so we, too, continue our work, documenting abuses, sharing security knowledge, and collectively organizing against these violent systems.

This is the third installment of a blog series reflecting on the global digital legacy of the 2011 Arab uprisings. Read the rest of the series here.

Google and Amazon: Acknowledged Risks, and Ignored Responsibilities

2 April 2026 at 17:12

In late 2024, we urged Google and Amazon to honor their human rights commitments, to be more transparent with the public, and to take meaningful action to address the risks posed by Project Nimbus, their cloud computing contract that includes Israel’s Ministry of Defense and the Israeli Security Agency. Since then, a stream of additional reporting has reinforced that our concerns were well-founded. Yet despite mounting evidence of serious risk, both companies have refused to take action. 

Amazon has completely ignored our original and follow-up letters. Google, meanwhile, has repeatedly promised to respond to our questions. Yet more than a year and a half later, we have seen no meaningful action by either company. Neither approach is acceptable given the human rights commitments these companies have made.

Additionally, Microsoft required a public leak before it felt compelled enough to look into and find that its client, the Israeli government, was indeed misusing its services in ways that violated Microsoft’s public commitments to human rights. This should have given both Google and Amazon an additional reason to take a close look and let the public know what they find, but nothing of the sort materialized. 

In such circumstances, waiting for definitive proof is not responsible risk management, it is willful blindness.

Google: Known Risks, No Meaningful Action

Google’s own internal assessments warned of the risks associated with Project Nimbus even before the contract was signed. Major news outlets have reported that Google provides the Israeli government with advanced cloud and AI services under Project Nimbus, including large-scale data storage, image and video analysis, and AI model development tools. These capabilities are exceptionally powerful, highly adaptable, and well suited for surveillance and military applications.

Despite those warnings, and the multiple reports since then about human rights abuses by the very portions of the Israeli government that uses Google’s and Amazon’s services, the companies continue to operate business as usual. It seems that they have taken the position that they do not need to change course or even publicly explain themselves unless the media or other external organizations present definitive proof that their tools have been used in specific violations of international human rights or humanitarian law. While that conclusive public evidence has not yet emerged for all the companies, the risks are obvious, and they are aware of them. Instead of conducting robust, transparent human rights due diligence, Amazon and Google are continually choosing to look the other way.

Google’s own internal assessments undermine its public posture. According to reporting, Google’s lawyers and policy staff warned that Google Cloud services could be linked to the facilitation of human rights abuses. In the same report, Google employees also raised concerns that the company’s cloud and AI tools could be used for surveillance or other militarized purposes, which seems very likely given the Israeli government’s long-standing reliance on advanced data-driven systems to control and monitor Palestinians.

Google has publicly claimed that Project Nimbus is “not directed at highly sensitive, classified, or military workloads” and is governed by its standard Acceptable Use Policies. Yet reporting has revealed conflicting representations about the contract’s terms, including indications that the Israeli government may be permitted to use any services offered in Google’s cloud catalog for any purpose. Google has declined to publicly resolve these contradictions, and its lack of transparency is problematic. The gap between what Google says publicly and what it knows internally should alarm anyone who hopes to take the company’s human rights commitments seriously.

Google’s and Amazon’s AI Principles Require Proactive Action

Even after being revised last year, Google’s AI Principles continue to commit the company to responsible development and deployment of its technologies, including implementing appropriate human oversight, due diligence, and safeguards to mitigate harmful outcomes and align with widely accepted principles of international law and human rights. While the updated principles no longer explicitly commit Google to avoiding entire categories of harmful use, they still require the company to assess foreseeable risks, employ rigorous monitoring and mitigation measures, and act responsibly throughout the full lifecycle of AI development and deployment.

Amazon has similarly committed to responsible AI practices through its Responsible AI framework for AWS services. The company states that it aims to integrate responsible AI considerations across the full lifecycle of AI design, development and operation, emphasizing safeguards such as fairness, explainability, privacy and security, safety, transparency, and governance. Amazon also says its AI services are designed with mechanisms for monitoring, and risk mitigation to help prevent harmful outputs or misuse and to enable responsible deployment across a range of use cases.

Google and Amazon have the knowledge, the leverage, and the responsibility to act now. Choosing not to is still a choice.

Here, the risks are neither speculative nor remote. They are foreseeable, well-documented, and exacerbated by the context in which Project Nimbus operates, which is an ongoing military campaign marked by widespread civilian harm and credible allegations of grave human rights violations including genocide. In such circumstances, waiting for definitive proof is not responsible risk management, it is willful blindness.

Modern cloud and AI systems are designed to be flexible, customizable, and deployable at scale, often beyond the vendor’s direct visibility. That reality is precisely why human rights due diligence must be proactive. Waiting for a leaked document or whistleblower account demonstrating direct misuse, as occurred in Microsoft’s case, means waiting until harm has already been done.

Microsoft’s Experience Should Have Been Warning Enough

As noted above, the recent revelations about Microsoft’s technologies being misused in violation of Microsoft’s commitments by the Israeli military illustrate the dangers of this wait-and-see approach. Google and Amazon should not need a similar incident to recognize what is at stake. The demonstrated misuse of comparable technologies, combined with Google’s and Amazon’s own knowledge of the risks associated with Project Nimbus, should already be sufficient to trigger action.

The appropriate response is to act responsibly and proactively.

Google and Amazon should immediately:

  • Conduct and publish an independent human rights impact assessment of Project Nimbus.
  • Disclose how they evaluate, monitor, and enforce compliance with their AI Principles in high-risk government contracts, including and especially in Project Nimbus.
  • Commit to suspending or restricting services where there is a credible risk of serious human rights harm, even if definitive proof of misuse has not yet emerged.

Waiting Is a Choice, and Not One That Protects Human Rights

Google and Amazon publicly emphasize their commitment to responsible AI and respect for human rights. Those commitments are meaningless if they apply only once harm is undeniable and irreversible. In conflict settings, especially where secrecy and information asymmetry are the norm, companies must act on credible risk, not perfect evidence.

Google and Amazon have the knowledge, the leverage, and the responsibility to act now. Choosing not to is still a choice, and one that carries real consequences for people whose lives are already at risk.

EFF’s Submission to the UN OHCHR on Protection of Human Rights Defenders in the Digital Age

2 April 2026 at 13:29

Governments around the world are adopting new laws and policies aimed at addressing online harms, including laws intended to curb cybercrime and disinformation, and ostensibly protect user safety. While these efforts are often framed as necessary responses to legitimate concerns, they are increasingly being used in ways that restrict fundamental rights.

In a recent submission to the United Nations Office of the High Commissioner for Human Rights, we highlighted how these evolving regulatory approaches are affecting human rights defenders (HRDs) and the broader digital environment in which they operate.

Threats to Human Rights Defenders

Across multiple regions, cybercrime and national security laws are being applied to prosecute lawful expression, restrict access to information, and expand state surveillance. In some cases, these measures are implemented without adequate judicial oversight or clear safeguards, raising concerns about their compatibility with international human rights standards.

Regulatory developments in one jurisdiction are also influencing approaches elsewhere. The UK’s Online Safety Act, for example, has contributed to the global diffusion of “duty of care” frameworks. In other contexts, similar models have been adopted with fewer protections, including provisions that criminalize broadly defined categories of speech or require user identification, increasing risks for those engaged in the defense of human rights.

At the same time, disruptions to internet access—including shutdowns, throttling, and geo-blocking—continue to affect the ability of HRDs to communicate, document abuses, and access support networks. These measures can have significant implications not only for freedom of expression, but also for personal safety, particularly in situations of conflict or political unrest.

The expanded use of digital surveillance technologies further compounds these risks. Spyware and biometric monitoring systems have been deployed against activists and journalists, in some cases across national borders. These practices result in intimidation, detention, and other forms of retaliation.

The practices of social media platforms can also put human rights defenders—and their speech—at risk. Content moderation systems that rely on broadly defined policies, automated enforcement, and limited transparency can result in the removal or suppression of speech, including documentation of human rights violations. Inconsistent enforcement across languages and regions, as well as insufficient avenues for redress, disproportionately affects HRDs and marginalized communities.

Putting Human Rights First

These trends underscore the importance of ensuring that regulatory and corporate responses to online harms are grounded in human rights principles. This includes adopting clear and narrowly tailored legal frameworks, ensuring independent oversight, and providing effective safeguards for privacy, expression, and association.

It also requires meaningful engagement with civil society. Human rights defenders bring essential expertise on the local and contextual impacts of digital policies, and their participation is critical to developing effective and rights-respecting approaches.

As digital technologies continue to shape civic space, protecting the individuals and communities who rely on them to advance human rights remains an urgent priority.

You can read our full submission here.

Cindy Cohn on The Daily Show: Learn More About EFF, Privacy's Defender, and Watch the Interview

31 March 2026 at 05:17

About EFF

The Electronic Frontier Foundation is the leading nonprofit defending civil liberties in the digital world. EFF’s work to protect your rights on the internet is supported by over 30,000 members who have joined our mission by donating just this year.

For over 35 years, our lawyers, activists, and technologists have been thinking about the next big thing in tech before anyone else—whether that’s age verification, AI, or Palantir. Whatever causes you fight for, EFF protects the internet infrastructure you rely on to do so.

JOIN EFF TODAY

To learn more about our work, follow EFF on social media and subscribe to EFF's EFFector newsletter below to learn about the ways the internet and online rights are changing and what that means for you. And join EFF to support our fight—because if you use technology, this fight is yours. 

Watch the Interview

play
Privacy info. This embed will serve content from youtube-nocookie.com

Privacy's Defender: My Thirty Year Fight Against Digital Surveillance, by Cindy Cohn

In Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance (MIT Press), EFF Executive Director Cindy Cohn weaves her own personal story with her role as a leading legal voice representing the rights and interests of technology users, innovators, whistleblowers, and researchers during the Crypto Wars of the 1990s, battles over NSA’s dragnet internet spying revealed in the 2000s, and the fight against FBI gag orders.

"Let's Sue the Government" T-Shirt

Sometimes our supporters call EFF a merch store with a law firm attached because our stickers, hoodies and shirts are so well known. Our "Let's Sue the Government" shirt tells people: When your rights are at risk, you don’t stay quiet.

Privacy First: A Better Way to Address Online Harms

Our lawmakers seem to be losing the forest for the trees, promoting scattered and disconnected proposals addressing whichever perceived harm is causing the loudest public anxiety in any given moment. Too often, those proposals do not carefully consider the likely unintended consequences or even whether the law will actually reduce the harms it’s supposed to target. 

The truth is many of the ills of today’s internet have a single thing in common: they are built on a system of corporate surveillance. Multiple companies, large and small, collect data about where we go, what we do, what we read, who we communicate with, and so on. They use this data in multiple ways and, if it suits their business model, may sell it to anyone who wants it—including law enforcement. Addressing this shared reality will better promote human rights and civil liberties, while simultaneously holding space for free expression, creativity, and innovation than many of the issue-specific bills we’ve seen over the past decade.

Read EFF's Privacy First: A Better Way to Address Online Harms.

EFF's History

In early 1990, the U.S. Secret Service conducted raids tracking the distribution of a document illegally copied from a telecom company’s computer; one of those targeted was an Austin, TX publisher named Steve Jackson, whose computers were seized but later returned without any charges filed. Jackson’s business had suffered, and he discovered that the government had read and deleted his customers’ emails. He sought a civil liberties organization to represent him for this violation of his rights, but no existing organization understood the technology well enough to grasp the free speech and privacy issues at hand.

But a few well-informed technologists did understand. Mitch Kapor, former president of Lotus Development Corp.; John Perry Barlow, a Wyoming cattle rancher and lyricist for the Grateful Dead; and John Gilmore, an early employee of Sun Microsystems, with help from Apple co-founder Steve Wozniak, decided to do something about it – and so the Electronic Frontier Foundation was born in July 1990. The Steve Jackson Games case turned out to be an extremely important one for the early internet: For the first time, a court held that electronic mail deserves at least as much protection as telephone calls.

EFF's original logo, in use from 1990-2018

EFF continued to take on cases that set important precedents for the treatment of rights in cyberspace. In our second big case, Bernstein v. U.S. Department of Justice, the United States government prohibited a University of California mathematics Ph.D. student from publishing online an encryption program he had created. Years earlier, the government had placed encryption on the United States Munitions List, alongside bombs and flamethrowers, as a weapon to be regulated for national security purposes; our lawsuit established that written software code is speech protected by the First Amendment, and the further ruled that the export control laws on encryption violated Bernstein's rights by prohibiting his constitutionally protected speech.  Now everyone has the right to "export" encryption software—by publishing it on the Internet—without prior permission from the U.S. government. 

Since then we’ve fought against government and corporate abuses of our Constitutional rights, on issues including warrantless wiretapping by intelligence agencies, the panopticon of street-level surveillance that seeks to track everything we do, and the corporate surveillance that turns our clicks into their commodity, as well as issues of antitrust and intellectual property, artificial intelligence, cybersecurity, and much more. We are lawyers, technologists, activists, and lobbyists who work every day for the privacy, security and dignity of all who use technology - and if you use technology, this fight is yours, too.

EFF's Greatest Hits

While many early battles over the right to communicate freely and privately stemmed from government censorship, today EFF is fighting for users on many other fronts as well.

Today, certain powerful corporations are attempting to shut down online speech, prevent new innovation from reaching consumers, and facilitating government surveillance. We challenge corporate overreach just as we challenge government abuses of power.

JOIN EFF TODAY

We also develop technologies that can help individuals protect their privacy and security online, which our technologists build and release freely to the public for anyone to use.

In addition, EFF is engaged in major legislative fights, beating back digital censorship bills disguised as intellectual property proposals, opposing attempts to force companies to spy on users, championing reform bills that rein in government surveillance, documenting police technology and where it's used, helping users protect themselves from surveillance, and much more.

Learn more about some of EFF's most impactful work— Download a PDF of our new catalog, "Now That's What I Call Digital Rights!

EFF's Cindy Cohn on The Daily Show! Tonight Monday, March 30

30 March 2026 at 17:12

EFF Executive Director Cindy Cohn will be on The Daily Show tonight, Monday March 30, at 11 pm ET and PT, speaking with host Jon Stewart. Cindy will discuss her long history of fighting for privacy online and her new book, Privacy’s Defender: My Thirty-Year Fight Against Digital Surveillance (MIT Press). The book details her own personal story alongside her role representing the rights and interests of technology users, innovators, whistleblowers, and researchers during the Crypto Wars of the 1990s, battles over NSA’s dragnet internet spying revealed in the 2000s, and the fight against FBI gag orders. 

You can watch the interview below, and on Comedy Central, and extended episodes are released shortly thereafter on Paramount Plus as well as in segments on YouTube

play
Privacy info. This embed will serve content from youtube-nocookie.com

Tune in image for The Daily Show - Cindy Cohn picture with Text That says The Daily Show Cindy Cohn Tonights Guest

About The Daily Show

The Daily Show is a long-running comedy news show that covers the biggest headlines of the day. It has won 26 Primetime Emmy Awards and has introduced the world to now well-known actors and comedians such as Steve Carell, Samantha Bee, Ed Helms, and Trevor Noah, as well as hosts of their own current shows, Stephen Colbert and John Oliver. 

❌