Security News
Security News is an archive of curated EFF Deeplinks posts for trainers, technologists, and educators who teach digital security.
Issues that we track here include: country-specific policy updates on security and privacy, updates on malware and vulnerabilities, discussions on encryption and privacy-protecting tools, updates on surveillance (corporate surveillance, street-level surveillance, and mass surveillance), device searches by law and border enforcement, tracking via devices, and general digital security tips.
Why We Can’t Give You A Recommendation

No single messaging app can perfectly meet everyone’s security and communication needs, so we can’t make a recommendation without considering the details of a particular person’s or group’s situation. Straightforward answers are rarely correct for everyone—and if they’re correct now, they might not be correct in the future.
At time of writing, if we were locked in a room and told we could only leave if we gave a simple, direct answer to the question of what messenger the...
Secure Messaging? More Like A Secure Mess.

There is no such thing as a perfect or one-size-fits-all messaging app. For users, a messenger that is reasonable for one person could be dangerous for another. And for developers, there is no single correct way to balance security features, usability, and the countless other variables that go into making a high-quality, secure communications tool.
Over the next week, we’ll be posting a series of articles to explain what makes different aspects of secure messaging so complex:
...
Responsibility Deflected, the CLOUD Act Passes

UPDATE, March 23, 2018: President Donald Trump signed the $1.3 trillion government spending bill—which includes the CLOUD Act—into law Friday morning.
“People deserve the right to a better process.”
Those are the words of Jim McGovern, representative for Massachusetts and member of the House of Representatives Committee on Rules, when, after 8:00 PM EST on Wednesday, he and his colleagues were handed a 2,232-page bill to review and approve for a floor vote by the...
How Congress Censored the Internet

Today was a dark day for the Internet.
The U.S. Senate just voted 97-2 to pass the Allow States and Victims to Fight Online Sex Trafficking Act (FOSTA, H.R. 1865), a bill that silences online speech by forcing Internet platforms to censor their users. As lobbyists and members of Congress applaud themselves for enacting a law tackling the problem of trafficking, let’s be clear:...
How To Change Your Facebook Settings To Opt Out of Platform API Sharing

UPDATE (3/30/18): We have updated this post and its screenshots to reflect how Facebook reorganized and removed some settings this week.
You shouldn't have to do this. You shouldn't have to wade through complicated privacy settings in order to ensure that the companies with which you've entrusted your personal information are making reasonable, legal efforts to protect it. But Facebook has allowed third parties to violate user privacy on an unprecedented scale, and, while...
A Smattering of Stars in Argentina's First "Who Has Your Back?" ISP Report

It’s Argentina's turn to take a closer look at the practices of their local Internet Service Providers, and how they treat their customers’ personal data when the government comes knocking.
Argentina's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of Asociación por los Derechos Civiles and the Electronic Frontier Foundation, and is part of a region-wide initiative by leading Iberoamerican digital rights groups to turn a spotlight on how the policies of...
Geek Squad's Relationship with FBI Is Cozier Than We Thought

Update: A Best Buy spokesperson confirmed to reporters that at least four Geek Squad employees received payments from the FBI.
After the prosecution of a California doctor revealed the FBI’s ties to a Best Buy Geek Squad computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants.
EFF filed a Freedom of Information Act (FOIA) lawsuit...
The Revolution and Slack

UPDATE (2/16/18): We have corrected this post to more accurately reflect the limits of Slack's encryption of user data at rest. We have also clarified that granular retention settings are only available on paid Slack workspaces.
The revolution will not be televised, but it may be hosted on Slack. Community groups, activists, and workers in the United States are increasingly gravitating toward the popular collaboration tool to communicate and coordinate efforts. But many...
ETICAS Releases First Ever Evaluations of Spanish Internet Companies' Privacy and Transparency Practices

It’s Spain's turn to take a closer look at the practices of their local Internet companies, and how they treat their customers’ personal data.
Spain's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of ETICAS Foundation, and is part of a region-wide initiative by leading Iberoamerican digital rights groups to shine a light on Internet privacy practices in Iberoamerica. The report is based on EFF's annual Who Has Your Back? report, but adapted...
When Trading Track Records Means Less Privacy

Sharing your personal fitness goals—lowered heart rates, accurate calorie counts, jogging times, and GPS paths—sounds like a fun, competitive feature offered by today’s digital fitness trackers, but a recent report from The Washington Post highlights how this same feature might end up revealing not just where you are, where you’ve been, and how often you’ve traveled there, but sensitive national security information.
According to The Washington Post report, the fitness tracking...
It's Time to Make Student Privacy a Priority
Last month, the Federal Trade Commission and the U.S. Department of Education held a workshop in Washington, DC. The topic was “Student Privacy and Ed Tech.” We at EFF have been trying to get the FTC to focus on the privacy risks of educational technology (or “ed tech”) for over two years, so we eagerly filed formal comments.
We’ve long been concerned about how technology impacts student privacy. As schools and classrooms become increasingly wired, and as schools put more digital...
Europe's GDPR Meets WHOIS Privacy: Which Way Forward?
Europe's General Data Protection Regulation (GDPR) will come into effect in May 2018, and with it, a new set of tough penalties for companies that fail to adequately protect the personal data of European users. Amongst those affected are domain name registries and registrars, who are required by ICANN, the global domain name authority, to list the personal information of domain name registrants in publicly-accessible WHOIS directories. ICANN and European registrars have clashed over this...
An Open Letter to Our Community On Congress’s Vote to Extend NSA Spying From EFF Executive Director Cindy Cohn

Dear friends,
Today, the United States Congress struck a significant blow against the basic human right to read, write, learn, and associate free of government’s prying eyes.
Goaded by those who let fear override democratic principles, some members of Congress shuttered public debate in order to pass a bill that extends the National Security Agency’s unconstitutional Internet surveillance for six years.
This means six more years of warrantless surveillance under...
EFF to Supreme Court: Protect the Privacy of Cross-Border Data

Update (April 17, 2018): In light of the passage of the CLOUD Act, the Supreme Court dismissed the case as moot and vacated the lower court rulings.
The Electronic Frontier Foundation urged the Supreme Court today to hold that Microsoft cannot be forced by the U.S. government to disclose the contents of users’ emails stored on the company’s computers in Dublin, Ireland.
The stakes for user privacy in the court’s decision are extremely high. Governments around the...
How to Assess a Vendor's Data Security

Perhaps you’re an office manager tasked with setting up a new email system for your nonprofit, or maybe you’re a legal secretary for a small firm and you’ve been asked to choose an app for scanning sensitive documents: you might be wondering how you can even begin to assess a tool as “safe enough to use.” This post will help you think about how to approach the problem and select the right vendor.
As every organization has unique circumstances and needs, we can’t provide definitive...
Seven Times Journalists Were Censored: 2017 in Review

Social media platforms have developed into incredibly useful resources for professional and citizen journalists, and have allowed people to learn about and read stories that may never have been published in traditional media. Sharing on just one of a few large platforms like Facebook, Twitter, and YouTube may mean the difference between a story being read by a few hundred versus tens of thousands of people.
Unfortunately, these same platforms have taken on the role of censor. They...
Team Internet Is Far From Done: What’s Next For Net Neutrality and How You Can Help

Defying the facts, the law, and the will of millions of Americans, the Federal Communications Commission has voted to repeal net neutrality protections. It’s difficult to understate how radical the FCC’s decision was.
The Internet has operated under formal and informal net neutrality principles for years. For the first time, the FCC has not only abdicated its role in enforcing those principles, it has rejected them altogether.
Here’s the good news: the fight is far from...
Will the Equifax Data Breach Finally Spur the Courts (and Lawmakers) to Recognize Data Harms?

This summer 143 million Americans had their most sensitive information breached, including their name, addresses, social security numbers (SSNs), and date of birth. The breach occurred at Equifax, one of the three major credit reporting agencies that conducts the credit checks relied on by many industries, including landlords, car lenders, phone and cable service providers, and banks that offer credit cards, checking accounts and mortgages. Misuse of this information can be financially...
Aadhaar: Ushering in a Commercialized Era of Surveillance in India

Since last year, Indian citizens have been required to submit their photograph, iris and fingerprint scans in order to access legal entitlements, benefits, compensation, scholarships, and even nutrition programs. Submitting biometric information is needed for the rehabilitation of manual scavengers, the training and aid of disabled people, and anti-retroviral therapy for HIV/AIDS patients. Soon police in the Alwar district of Rajasthan will be able to register criminals, and track missing...
Online Censorship and User Notification: Lessons from Thailand
For governments interested in suppressing information online, the old methods of direct censorship are getting less and less effective.
Over the past month, the Thai government has made escalating attempts to suppress critical information online. In the last week, faced with an embarrassing video of the Thai King, the government ordered Facebook to geoblock over 300 pages on the platform and even threatened to shut Facebook down in the country. This is on top of last month's...
Limitations of ISP Data Pollution Tools

Republicans in Congress recently voted to repeal the FCC’s broadband privacy rules. As a result, your Internet provider may be able to sell sensitive information like your browsing history or app usage to advertisers, insurance companies, and more, all without your consent. In response, Internet users have been asking what they can do to protect their own data from this creepy, non-consensual tracking by Internet providers—for example, directing their Internet traffic through a VPN or...