Security News
Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.
Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.
How Congress’s Extension of Section 702 May Expand the NSA’s Warrantless Surveillance Authority
Last month, Congress reauthorized Section 702, the controversial law the NSA uses to conduct some of its most invasive electronic surveillance. With Section 702 set to expire, Congress had a golden opportunity to fix the worst flaws in the NSA’s surveillance programs and protect Americans’ Fourth Amendment rights to privacy. Instead, it reupped Section 702 for six more years.
But the bill passed by Congress and signed by the president, labeled S. 139, didn’t just extend Section...
Code Review Isn't Evil. Security Through Obscurity Is.
On January 25th, Reuters reported that software companies like McAfee, SAP, and Symantec allow Russian authorities to review their source code, and that "this practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies." The article goes on to explain what source code review looks like and which companies allow source code reviews, and reiterates that "allowing Russia to review the source code may expose unknown vulnerabilities that could be...
ETICAS Releases First Ever Evaluations of Spanish Internet Companies' Privacy and Transparency Practices
It’s Spain's turn to take a closer look at the practices of their local Internet companies, and how they treat their customers’ personal data.
Spain's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of ETICAS Foundation, and is part of a region-wide initiative by leading Iberoamerican digital rights groups to shine a light on Internet privacy practices in Iberoamerica. The report is based on EFF's annual Who Has Your Back? report, but adapted...
When Trading Track Records Means Less Privacy
Sharing your personal fitness goals—lowered heart rates, accurate calorie counts, jogging times, and GPS paths—sounds like a fun, competitive feature offered by today’s digital fitness trackers, but a recent report from The Washington Post highlights how this same feature might end up revealing not just where you are, where you’ve been, and how often you’ve traveled there, but sensitive national security information.
According to The Washington Post report, the fitness tracking...
It's Time to Make Student Privacy a Priority
Last month, the Federal Trade Commission and the U.S. Department of Education held a workshop in Washington, DC. The topic was “Student Privacy and Ed Tech.” We at EFF have been trying to get the FTC to focus on the privacy risks of educational technology (or “ed tech”) for over two years, so we eagerly filed formal comments.
We’ve long been concerned about how technology impacts student privacy. As schools and classrooms become increasingly wired, and as schools put more digital...
ICE Accesses a Massive Amount of License Plate Data. Will California Take Action?
The news that Immigrations & Customs Enforcement is using a massive database of license plate scans from a private company sent shockwaves through the civil liberties and immigrants’ rights community, who are already sounding the alarm about how mass surveillance will be used to fuel deportation efforts.
The concerns are certainly justified: the vendor, Vigilant Solutions, offers access to 6.5 billion data points, plus millions more collected by law enforcement agencies around...
EFF's Fight to End Warrantless Device Searches at the Border: A Roundup of Our Advocacy
EFF has been working on multiple fronts to end a widespread violation of digital liberty—warrantless searches of travelers’ electronic devices at the border. Government policies allow border agents to search and confiscate our cell phones, tablets, and laptops at airports and border crossings for no reason, without explanation or any suspicion of wrongdoing. It’s as if our First and Fourth Amendment rights don’t exist at the border. This is wrong, which is why we’re working to challenge...
Europe's GDPR Meets WHOIS Privacy: Which Way Forward?
Europe's General Data Protection Regulation (GDPR) will come into effect in May 2018, and with it, a new set of tough penalties for companies that fail to adequately protect the personal data of European users. Amongst those affected are domain name registries and registrars, who are required by ICANN, the global domain name authority, to list the personal information of domain name registrants in publicly-accessible WHOIS directories. ICANN and European registrars have clashed over this...
Google’s Advanced Protection Program Offers Security Options For High-Risk Users
Security is not a one-size-fits-all proposition, and features that are prohibitively inconvenient for some could be critical for others. For most users, standard account security settings options are sufficient protection against common threats. But for the small minority of users who might be targeted individually—like journalists, policy makers, campaign staff, activists, people with abusive exes, or victims of stalking—standard security options won’t cut it.
For those users,...
Dark Caracal: Good News and Bad News
Yesterday, EFF and Lookout announced a new report, Dark Caracal, that uncovers a new, global malware espionage campaign. One aspect of that campaign was the use of malicious, fake apps to impersonate legitimate popular apps like Signal and WhatsApp. Some readers had questions about what this means for them. This blog post is here to answer those questions and dive further into the Dark Caracal report.
Read the full Dark Caracal report here
First, the good news: Dark...
An Open Letter to Our Community On Congress’s Vote to Extend NSA Spying From EFF Executive Director Cindy Cohn
Dear friends,
Today, the United States Congress struck a significant blow against the basic human right to read, write, learn, and associate free of government’s prying eyes.
Goaded by those who let fear override democratic principles, some members of Congress shuttered public debate in order to pass a bill that extends the National Security Agency’s unconstitutional Internet surveillance for six years.
This means six more years of warrantless surveillance under...
EFF to Supreme Court: Protect the Privacy of Cross-Border Data
Update (April 17, 2018): In light of the passage of the CLOUD Act, the Supreme Court dismissed the case as moot and vacated the lower court rulings.
The Electronic Frontier Foundation urged the Supreme Court today to hold that Microsoft cannot be forced by the U.S. government to disclose the contents of users’ emails stored on the company’s computers in Dublin, Ireland.
The stakes for user privacy in the court’s decision are extremely high. Governments around the...
House Fails to Protect Americans from Unconstitutional NSA Surveillance
UPDATE, January 12, 2018: The Senate could vote Tuesday on a disastrous NSA surveillance extension bill that violates the Fourth Amendment. Click the link at the bottom of the page to email your Senator today and tell them to oppose bill S. 139.
The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. In a related vote, the House also failed to adopt meaningful reforms on how the government...
Groups Line Up For Meaningful NSA Surveillance Reform
Multiple nonprofit organizations and policy think tanks, and one company have recently joined ranks to limit broad NSA surveillance. Though our groups work for many causes—freedom of the press, shared software development, universal access to knowledge, equal justice for all—our voices are responding to the same threat: the possible expansion of Section 702 of the FISA Amendments Act.
On January 5, the Rules Committee for the House of Representatives introduced S. 139. The...
Supreme Court Won’t Hear Key Surveillance Case
The Supreme Court announced today that it will not review a lower court’s ruling in United States v. Mohamud, which upheld warrantless surveillance of an American citizen under Section 702 of the Foreign Intelligence Surveillance Act. EFF had urged the Court to take up Mohamud because this surveillance violates core Fourth Amendment protections. The Supreme Court’s refusal to get involved here is disappointing.
Using Section 702, the government warrantlessly collects...
How to Assess a Vendor's Data Security
Perhaps you’re an office manager tasked with setting up a new email system for your nonprofit, or maybe you’re a legal secretary for a small firm and you’ve been asked to choose an app for scanning sensitive documents: you might be wondering how you can even begin to assess a tool as “safe enough to use.” This post will help you think about how to approach the problem and select the right vendor.
As every organization has unique circumstances and needs, we can’t provide definitive...
New CBP Border Device Search Policy Still Permits Unconstitutional Searches
U.S. Customs and Border Protection (CBP) issued a new policy on border searches of electronic devices that's full of loopholes and vague language and that continues to allow agents to violate travelers’ constitutional rights. Although the new policy contains a few improvements over rules first published nine years ago, overall it doesn’t go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are.
...
Tipping the Scales on HTTPS: 2017 in Review
The movement to encrypt the web reached milestone after milestone in 2017. The web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol. All web servers use one of these two protocols to get web pages from the server to your browser. HTTP has serious problems that make it vulnerable to eavesdropping and content hijacking. By adding Transport Layer Security (or TLS, a prior version of which was known as Secure Sockets Layer or SSL) HTTPS...
Communities from Coast to Coast Fight for Control Over Police Surveillance: 2017 in Review
Americans in 2017 lived under a threat of constant surveillance, both online and offline. While the battle to curtail unaccountable and unconstitutional NSA surveillance continued this year with only limited opportunities appearing in Congress, the struggle to secure community control over surveillance by local police has made dramatic and expanding strides across the country at the local level.
In July, Seattle passed a law making it the nation’s second jurisdiction to require...
Seven Times Journalists Were Censored: 2017 in Review
Social media platforms have developed into incredibly useful resources for professional and citizen journalists, and have allowed people to learn about and read stories that may never have been published in traditional media. Sharing on just one of a few large platforms like Facebook, Twitter, and YouTube may mean the difference between a story being read by a few hundred versus tens of thousands of people.
Unfortunately, these same platforms have taken on the role of censor. They...
The Worst Law in Technology Strikes Again: 2017 in Review
The latest on the Computer Fraud and Abuse Act? It’s still terrible. And this year, the detrimental impacts of the notoriously vague and outdated criminal computer crime statute showed themselves loud and clear. The statute lies at the heart of the Equifax breach, which might have been averted if our laws didn’t criminalize security research. And it’s at the center of a court case pending in the Ninth Circuit Court of Appeals, hiQ v. LinkedIn, which threatens a hallmark of today’s...
Court Challenges to NSA Surveillance: 2017 in Review
One of the government’s most powerful surveillance tools is scheduled to sunset in less than three weeks, and, for months, EFF has fought multiple legislative attempts to either extend or expand the NSA’s spying powers—warning the public, Representatives, and Senators about circling bills that threaten Americans’ privacy. But the frenetic, deadline-pressure environment on Capitol Hill betrays the slow, years-long progress that EFF has made elsewhere: the courts.
2017 was a year...
The Supreme Court Finally Takes on Law Enforcement Access to Cell Phone Location Data: 2017 in Review
Protecting the highly personal location data stored on or generated by digital devices is one of the 21st century’s most important privacy issues. In 2017, the Supreme Court finally took on the question of how law enforcement can get ahold of this sensitive information.
Whenever you use a cell phone, whether to make calls, send or receive texts, or browse the Internet, your phone automatically generates “cell site location information” (CSLI) through its interactions with cell...
Nation-State Hacking: 2017 in Review
If 2016 was the year government hacking went mainstream, 2017 is the year government hacking played the Super Bowl halftime show. It's not Fancy Bear and Cozy Bear making headlines. This week, the Trump administration publicly attributed the WannaCry ransomware attack to the Lazarus Group, which allegedly works on behalf of the North Korean government. As a Presidential candidate, Donald Trump famously dismissed allegations that the Russian government broke into email accounts belonging...
Keeping Copyright Site-Blocking At Bay: 2017 In Review
In 2017, major entertainment companies continued their quest for power to edit the Internet by blocking entire websites for copyright enforcement—and we’ve continued to push back.
Website blocking is a particularly worrisome form of enforcement because it’s a blunt instrument, always likely to censor more speech than necessary. Co-opting the Internet’s domain name system (DNS) as a tool for website blocking also threatens the stability of the Internet by inviting ever more special...