Security News
Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.
Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.
How Do Different Encrypted Messaging Apps Treat Deleted Messages?

A feature of various end-to-end encrypted (E2EE) messaging apps and other non-E2EE social media messaging is disappearing messages, which automatically delete after a set period of time. This feature may be useful for general privacy within your extended network, high-risk users, and preemptively clearing side conversations easily within linear chats. However, different messaging apps handle deleted and disappearing messages a little differently, in particular when it comes to quoted...
Victory! Apple and Google Collaborate on Detecting Unwanted Location Trackers

Location trackers like Tiles and AirTags aren’t just a helpful way to find missing luggage or a misplaced wallet—they can also be easily slipped into a bag or car, allowing stalkers and abusers unprecedented access to a person’s location without their knowledge. That’s why we are enthusiastic about the effort between Apple and Google to release a draft specification on a detection protocol for these devices. We have been calling for an industry-wide standard for detection of this...
How to Enable Advanced Data Protection on iOS, and Why You Should

Apple has long used end-to-end encryption for some of the information on your iPhone, like passwords or health data, but the company neglected to offer a way to better protect other crucial data, including iCloud backups, until recently. This came after years of a hard fought battle pushing Apple to encrypt backups and drop its plans for client-side scanning. With Advanced Data Protection, that additional security is now an option, but you have to turn it on yourself. This is a big win...
How to Make a Mastodon Account and Join the Fediverse

This post is part of a series on Mastodon and the fediverse. We also have a post on understanding the fediverse, privacy and security on Mastodon, and why the fediverse will be great—if we don't screw it up. You can follow EFF on Mastodon here.
The recent chaos at Twitter is a reminder that when you rely on a social media platform, you’re putting your voice, your privacy, and your safety in the hands of the people who run that system. Many people are looking to...
How California Reproductive Health Workers Can Protect Information They Submit to the Government

With the U.S. Supreme Court's decision in Dobbs reversing long-standing rights to abortion access, workers and volunteers for reproductive health clinics must reevaluate the risks they face (also known as a threat model) and take steps to safeguard their personal information–including information they have submitted to the government.
In 2020, nearly 17% of abortions performed in the United States occurred in California, according to data from the Guttmacher Institute, and...
How to Disable Ad ID Tracking on iOS and Android, and Why You Should Do It Now

The ad identifier - aka “IDFA” on iOS, or “AAID” on Android - is the key that enables most third-party tracking on mobile devices. Disabling it will make it substantially harder for advertisers and data brokers to track and profile you, and will limit the amount of your personal information up for sale.
This post explains the history of device ad identifiers and how they have enabled persistent tracking, identification, and other privacy invasions.
But first things first....
SafeGraph’s Disingenuous Claims About Location Data Mask a Dangerous Industry

On Tuesday, Motherboard reported that data broker SafeGraph was selling location information “related to visits to clinics that provide abortions including Planned Parenthood facilities.” This included where people came from and where they went afterwards.
In response, SafeGraph agreed to stop selling data about Planned Parenthood visitors. But it also defended its behavior, claiming “SafeGraph has always committed to the highest level of privacy practices ensuring individual...
Digital Security and Privacy Tips for Those Involved in Abortion Access

Legislation deputizing people to find, sue, and collect damages from anyone who tries to help people seeking abortion care creates serious digital privacy and security risks for those involved in abortion access. Patients, their family members and friends, doctors, nurses, clinic staff, reproductive rights activists, abortion rights counselors and website operators, insurance providers, and even drivers who help take patients to clinics may face grave risks to their privacy and safety....
An EFF Investigation: Mystery GPS Tracker On A Supporter’s Car

Being able to accurately determine your location anywhere on the planet is a useful technological trick. But when tracking isn’t done by you, but to you—without your knowledge or consent—it’s a violation of your privacy. That’s why at EFF we’ve long fought against dragnet surveillance, mobile device tracking, and warrantless GPS tracking.
Several weeks ago, an EFF supporter brought her car to a mechanic, and found a mysterious device wired into her car under her driver's...
Another Tracker Scanning App Highlights the Need for a Better Way to Protect Victims From Digital Stalking

First came tracking devices like Tiles and AirTags, marketed as clever, button-sized Bluetooth-enabled gizmos that can find your lost backpack. Then, after bad actors started using the devices to stalk or follow people, came scanning apps to help victims find out whether those same gizmos were tracking them. Such is the twisted, dangerous path of tracking devices in the wrong hands. That device makers are rolling out scanning apps that can potentially help stalking victims is a...
Telegram Harm Reduction for Users in Russia and Ukraine

Update March 8, 2022: EFF has clarified that Channels and Groups are not fully encrypted, end-to-end, updated our post to link to Telegram’s FAQ for Cloud and Secret chats, updated to clarify that auto-delete is available for group and channel admins, and added some additional links.
Russians and Ukrainians are both prolific users of Telegram. They rely on the app for channels that act as newsfeeds, group chats (both public and private), and one-to-one...
Podcast Episode: The Life of the (Crypto) Party

Surveillance is always problematic, but it isn’t neutral—it is more often deployed in communities of color than elsewhere. And surveillance technology isn’t objective, either—it often magnifies the biases of its users and creators, affecting already-marginalized individuals far more heavily than others. Matt Mitchell, founder of CryptoHarlem, has an exciting solution for helping undo the damage that pervasive surveillance has...
Certbot’s Instructions Generator now available in Farsi

EFF’s Certbot tool helps to automate TLS/SSL certificates for web servers—and we believe that should be a global right. Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates, and is part of EFF’s larger effort to encrypt the entire Internet. Websites need to use HTTPS to secure the web. Along with HTTPS Everywhere, Certbot aims to build a network that is more structurally private, safe, and protected against censorship.
A long standing goal...
HTTPS Is Actually Everywhere

For more than 10 years, EFF’s HTTPS Everywhere browser extension has provided a much-needed service to users: encrypting their browser communications with websites and making sure they benefit from the protection of HTTPS wherever possible. Since we started offering HTTPS Everywhere, the battle to encrypt the web has made leaps and bounds: what was once a challenging technical argument is now a mainstream standard offered on most web pages. Now HTTPS is truly just about everywhere, thanks...
What’s Up with WhatsApp Encrypted Backups

WhatsApp is rolling out an option for users to encrypt their message backups, and that is a big win for user privacy and security. The new feature is expected to be available for both iOS and Android “in the coming weeks.” EFF has pointed out unencrypted backups as a huge weakness for WhatsApp and for any messenger that claims to offer end-to-end encryption, and we applaud this improvement. Next, encryption for backups should become the default for all users, not just an option.
...
Surveillance Self-Defense Guides Now Available in Burmese

As part of our goal to expand the impact of our digital security guide, Surveillance Self-Defense (SSD), we recently translated the majority of its contents into Burmese. This repository of resources on circumventing surveillance across a variety of different platforms, devices, and threat models is now available in English, and in whole or in part in 11 other languages: Amharic, Arabic, Spanish, French, Russian, Turkish, Vietnamese, Brazilian Portuguese, Burmese, Thai, and Urdu.
...
What to Do When Schools Use Canvas or Blackboard Logs to Allege Cheating

Over the past few months, students from all over the country have reached out to EFF and other advocacy organizations because their schools—including teachers and administrators—have made flimsy claims about cheating based on digital logs from online learning platforms that don’t hold up to scrutiny. Such claims were made against over a dozen students at the Dartmouth Geisel School of Medicine, which EFF and the Foundation for Individual Rights in Education (FIRE) criticized for being a...
Decoding California's New Digital Vaccine Records and Potential Dangers

This post was updated on 6/29/21 to more accurately describe how New York is running its voluntary vaccine passport program.
The State of California recently released what it calls a “Digital COVID-19 Vaccine Record.” It is part of that state’s recent easing of public health rules on masking within businesses. California’s new Record is a QR code that contains the same information as is on our paper vaccine cards, including name and birth date. We all...
[VISUAL] The Overlapping Infrastructure of Urban Surveillance, and How to Fix It

Between the increasing capabilities of local and state police, the creep of federal law enforcement into domestic policing, the use of aerial surveillance such as spy planes and drones, and mounting cooperation between private technology companies and the government, it can be hard to understand and visualize what all this overlapping surveillance can mean for your daily life. We often think of these problems as siloed issues. Local police deploy automated license plate readers or...
Security Tips for Online LGBTQ+ Dating

Dating is risky. Aside from the typical worries of possible rejection or lack of romantic chemistry, LGBTQIA people often have added safety considerations to keep in mind. Sometimes staying in the proverbial closet is a matter of personal security. Even if someone is open with their community about being LGBTQ+, they can be harmed by oppressive governments, bigoted law enforcement, and individuals with hateful beliefs. So here’s some advice for staying safe while online dating as an...
#ParoNacionalColombia and Digital Security Considerations for Police Brutality Protests

In the wake of Colombia’s tax reform proposal, which came as more Colombians fell into poverty as a result of the pandemic, demonstrations spread over the country in late April, reviving social unrest and socio-economic demands that led people to the streets in 2019. The government's attempts to reduce public outcry by withdrawing the tax proposal to draft a new text did not work. Protests continue online and offline. Violent repression on the ground by police, and the military presence in...
Surveillance Self-Defense Playlist: Getting to Know Your Phone

We are launching a new Privacy Breakdown of Mobile Phones "playlist" on Surveillance Self-Defense, EFF's online guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices. This guided tour walks through the ways your phone communicates with the world, how your phone is tracked, and how that tracking data can be analyzed. We hope to reach everyone from those who may have a smartphone for the first time, to those who have had...
Surveillance Self-Defense and Security Education: Year in Review 2020

As the world rapidly changed in 2020, new threats arose to our digital security. The shift to online education and the wave of police brutality protests brought new avenues for surveillance, so EFF created new resources to help people protect themselves. EFF maintains a repository of self-help resources for fighting back against surveillance across a variety of different platforms, devices, and threat models. We call it Surveillance Self-Defense, or SSD for short.
SSD covers myriad...
Doxxing: Tips To Protect Yourself Online & How to Minimize Harm

“Doxxing” is an eerie, cyber-sounding term that gets thrown around more and more these days, but what exactly does it mean? Simply put, it’s when a person or other entity exposes information about you, publicly available or secret, for the purpose of causing harm. It might be information you intended to keep secret, like your personal address or legal name. Often it is publicly available data that can be readily found online with just a bit of digging, like your phone number or workplace...