Should you have to think twice before posting a protest flyer to your Instagram story? Or feel pressure to delete that bald JD Vance meme that you shared? Now imagine that you could get kicked out of the country—potentially losing your job or education—based on the Trump administration’s dislike of your views on social media. 

That threat to free expression and dissent is happening now, but we won’t let it stand. 

"...they're not just targeting individuals—they're targeting the very idea of freedom itself."

The Electronic Frontier Foundation and co-counsel are representing the United Automobile Workers (UAW), Communications Workers of America (CWA), and American Federation of Teachers (AFT) in a lawsuit against the U.S. State Department and Department of Homeland Security for their viewpoint-based surveillance and suppression of noncitizens’ First Amendment-protected speech online.  The lawsuit asks a federal court to stop the government’s unconstitutional surveillance program, which has silenced citizens and noncitizens alike. It has even hindered unions’ ability to associate with their members. 

• Press Release
• Full Complaint in UAW v. State Department 

"When they spy on, silence, and fire union members for speaking out, they're not just targeting individuals—they're targeting the very idea of freedom itself,” said UAW President Shawn Fain. 

The Trump administration has built this mass surveillance program to monitor the constitutionally protected online speech of noncitizens who are lawfully present in the U.S. The program uses AI and automated technologies to scour social media and other online platforms to identify and punish individuals who express viewpoints the government considers "hostile" to "our culture" and "our civilization".  But make no mistake: no one should be forced to conform to the views of the state. 

The Foundation of Democracy 

Your free expression and privacy are fundamental human rights, and democracy crumbles without them. We have an opportunity to fight back, but we need you.  EFF’s team of lawyers, activists, researchers, and technologists have been on a mission to protect your freedom online since 1990, and we’re just getting started.

Donate and become a member of EFF today. Your support helps protect crucial rights, online and off, for everyone.

Give Today

Viewpoint-based Online Surveillance of Permanent Residents and Visa Holders Violates First Amendment, Lawsuit Argues

NEW YORK—The United Automobile Workers (UAW), Communications Workers of America (CWA), and American Federation of Teachers (AFT) filed a lawsuit today against the Departments of State and Homeland Security for their viewpoint-based surveillance and suppression of protected expression online. The complaint asks a federal court to stop this unconstitutional surveillance program, which has silenced and frightened both citizens and noncitizens, and hampered the ability of the unions to associate with their members and potential members. The case is titled UAW v. State Department.

Since taking power, the Trump administration has created a mass surveillance program to monitor constitutionally protected speech by noncitizens lawfully present in the U.S. Using AI and other automated technologies, the program surveils the social media accounts of visa holders with the goal of identifying and punishing those who express viewpoints the government doesn't like. This has been paired with a public intimidation campaign, silencing not just noncitizens with immigration status, but also the families, coworkers, and friends with whom their lives are integrated.

As detailed in the complaint, when asked in a survey if they had changed their social media activity as a result of the Trump administration's ideological online surveillance program, over 60 percent of responding UAW members and over 30 percent of responding CWA members who were aware of the program said they had. Among noncitizens, these numbers were even higher. Of respondents aware of the program, over 80 percent of UAW members who were not U.S. citizens and over 40 percent of CWA members who were not U.S. citizens said they had changed their activity online.

Individual union members reported refraining from posting, refraining from sharing union content, deleting posts, and deleting entire accounts in response to the ideological online surveillance program. Criticism of the Trump administration or its policies was the most common type of content respondents reported changing their social media activity around. Many members also reported altering their offline union activity in response to the program, including avoiding being publicly identified as part of the unions and reducing their participation in rallies and protests. One member even said they declined to report a wage theft claim due to fears arising from the surveillance program.

Represented by the Electronic Frontier Foundation (EFF), Muslim Advocates (MA), and the Media Freedom & Information Access Clinic (MFIA), the UAW, CWA, and AFT seek to halt the program that affects thousands of their members individually and has harmed the ability of the unions to organize, represent, and recruit members. The lawsuit argues that the viewpoint-based online surveillance program violates the First Amendment and the Administrative Procedure Act.

"The Trump administration's use of surveillance to track and intimidate UAW members is a direct assault on the First Amendment—and an attack on every working person in this country," said UAW President Shawn Fain. "When they spy on, silence, and fire union members for speaking out, they're not just targeting individuals—they're targeting the very idea of freedom itself. The right to protest, to organize, to speak without fear—that's the foundation of American democracy. If they can come for UAW members at our worksites, they can come for any one of us tomorrow. And we will not stand by and let that happen."

"Every worker should be alarmed by the Trump administration’s online surveillance program," said CWA President Claude Cummings Jr. "The labor movement is built on our freedoms under the First Amendment to speak and assemble without fear retaliation by the government. The unconstitutional Challenged Surveillance Program threatens those freedoms and explicitly targets those who are critical of the administration and its policies. This policy interferes with CWA members’ ability to express their points of view online and organize to improve their working conditions."

"Free speech is the foundation of democracy in America," said AFT President Randi Weingarten. "The Trump administration has rejected that core constitutional right and now says only speech it agrees with is permitted—and that it will silence those who disagree. This suit exposes the online surveillance tools and other cyber tactics never envisioned by the founders to enforce compliance with the administration’s views. It details the direct harms on both the target of these attacks and the chilling effect on all those we represent and teach."

"Using a variety of AI and automated tools, the government can now conduct viewpoint-based surveillance and analysis on a scale that was never possible with human review alone," said EFF Staff Attorney Lisa Femia. "The scale of this spying is matched by an equally massive chilling effect on free speech."

"The administration is hunting online for an ever-growing list of disfavored viewpoints," said Golnaz Fakhimi, Legal Director of Muslim Advocates. "Its goal is clear: consolidate authoritarian power by crushing dissent, starting with noncitizens, but certainly not ending there. This urgent lawsuit aims to put a stop to this power grab and defend First Amendment freedoms crucial to a pluralistic and democratic society."

"This case goes to the heart of the First Amendment," said Anthony Cosentino, a student in the Media Freedom & Information Access Clinic. "The government can’t go after people for saying things it doesn’t like. The current administration has ignored that principle, developing a vast surveillance apparatus to find and punish people for their constitutionally protected speech. It is an extraordinary abuse of power, creating a climate of fear not seen in this country since the McCarthy era, especially on college campuses. Our laws and Constitution will not allow it."

For the complaint: https://www.eff.org/document/uaw-v-dos-complaint

For more about the litigation: https://eff.org/cases/united-auto-workers-v-us-department-state

Contacts:
Electronic Frontier Foundation: press@eff.org
Muslim Advocates: golnaz@muslimadvocates.org

Instead of catching you off-guard with a jump scare this Halloween season, EFF is here to catch you up on the latest digital rights news with our EFFector newsletter!

In this issue, we’re helping you take control of your online privacy with Opt Out October; explaining the UK’s attack on encryption and why it’s bad for all users; and covering shocking new details about an abortion surveillance case in Texas.

Prefer to listen in? Check out our audio companion, where EFF Security and Privacy Activist Thorin Klosowski explains how small steps to protect your privacy can add up to big changes.  Catch the conversation on YouTube or the Internet Archive.

LISTEN TO EFFECTOR

EFFECTOR 37.14 - 🎃 A FULL MONTH OF PRIVACY TIPS FROM EFF

Since 1990 EFF has published EFFector to help keep readers on the bleeding edge of their digital rights. We know that the intersection of technology, civil liberties, human rights, and the law can be complicated, so EFFector is a great way to stay on top of things. The newsletter is chock full of links to updates, announcements, blog posts, and other stories to help keep readers—and listeners—up to date on the movement to protect online privacy and free expression. 

Thank you to the supporters around the world who make our work possible! If you're not a member yet, join EFF today to help us fight for a brighter digital future.

California Governor Newsom has signed S.B. 524, a bill that begins the long process of regulating and imposing transparency on the growing problem of AI-written police reports. EFF supported this bill and has spent the last year vocally criticizing the companies pushing AI-generated police reports as a service. 

S.B.524 requires police to disclose, on the report, if it was used to fully or in part author a police report. Further, it bans vendors from selling or sharing the information a police agency provided to the AI. 

The bill is also significant because it required departments to retain all the various drafts of the report so that judges, defense attorneys, or auditors could readily see which portions of the final report were written by the officer and which portions were written by the computer. This creates major problems for police who use the most popular product in this space: Axon’s Draft One. By design, Draft One does not retain an edit log of who wrote what. Now, to stay in compliance with the law, police departments will either need Axon to change their product, or officers will have to take it upon themselves to go retain evidence of what each subsequent edit and draft of their report looked like. Or, police can drop Axon’s Draft One all together. 

EFF will continue to monitor whether departments are complying with this state law.

After Utah, California has become the second state to pass legislation that begins to address this problem. Because of the lack of transparency surrounding how police departments buy and deploy technology, it’s often hard to know if police departments are using AI to write reports, how the generative AI chooses to translate audio to a narrative, and which portions of reports are written by AI and which parts are written by the officers. EFF has written a guide to help you file public records requests that might shed light on your police department’s use of AI to write police reports. 

It’s still unclear if products like Draft One run afoul of record retention laws, and how AI-written police reports will impact the criminal justice system. We will need to consider more comprehensive regulation and perhaps even prohibition of this use of generative AI. But S.B. 524 is a good first step. We hope that more states will follow California and Utah’s lead and pass even stronger bills.

In a letter sent to Microsoft at the end of last month, EFF and five other civil society organizations—Access Now, Amnesty International, Human Rights Watch, Fight for the Future, and 7amleh—called on the company to cease any further involvement in providing AI and cloud computing technologies for use in Israel’s ongoing genocide against Palestinians in the Gaza Strip.

EFF also sent updated letters to Google and Amazon renewing our calls for each company to respond to the serious concerns we raised with each of them last year about how they are fulfilling their respective human rights promises to the public. Neither Google nor Amazon has responded substantively. Amazon failed to even acknowledge our request, much less provide any transparency to the public. 

Microsoft Takes a Positive Step Against Surveillance

On September 25, Microsoft’s Vice Chair & President reported that the company had “ceased and disabled a set of services” provided to a unit within the Israel Ministry of Defense. The announcement followed an internal review at the company after The Guardian reported on August 6 that the IDF is using Azure for the storage of data files of phone calls obtained through broad or mass surveillance of civilians in Gaza and the West Bank.

This investigation by The Guardian, +972 Magazine, and Local Call also revealed the extent to which Israel’s military intelligence unit in question, Unit 8200, has used Microsoft’s Azure cloud infrastructure and AI technologies to process intercepted communications and power AI-driven targeting systems against Palestinians in Gaza and the West Bank—potentially facilitating war crimes and acts of genocide.

Microsoft’s actions are a positive step, and we urge its competitors Google and Amazon to, at the very least, do the same, rather than continuing to support and facilitate mass surveillance of Palestinians in Gaza and the West Bank.  

The Next Steps

But this must be the starting point, and not the end. Our joint letter therefore calls on Microsoft to provide clarity around:

1. What further steps Microsoft will take to suspend its business with the Israeli military and other government bodies where there is evidence indicating that business is contributing to grave human rights abuses and international crimes.
2. Whether Microsoft will commit to publishing the review findings in full, including the scope of the investigation, the specific entities and services under review, and measures Microsoft will take to address adverse human rights impacts related to its business with the Israeli military and other government bodies.
3. What steps Microsoft has taken to ensure that its current formal review thoroughly investigates the use of its technologies by the Israeli authorities, in light of the fact that the same law firm carried out the previous review and concluded that there was no evidence of use of Microsoft’s Azure and AI technologies to target or harm people in Gaza.
4. Whether Microsoft will conduct an additional human rights review, or incorporate a human rights lens to the current review.
5. Whether Microsoft has applied any limited access restrictions to its AI technologies used by the IDF and Israeli government to commit genocide and other international crimes. 
6. Whether Microsoft will evaluate the “high-impact and higher-risk uses” of its evolving AI technology deployed in conflict zones.
7. How Microsoft is planning to provide effective remedy, including reparations, to Palestinians affected by any contributions by the company to violations of human rights by Israel.

Microsoft’s announcement of an internal review and the suspension of some of its services is long overdue and much needed in addressing its potential complicity in human rights abuses. But it must not end here, and Microsoft should not be the only major technology company taking such action.  

EFF, Access Now, Amnesty International, Human Rights Watch, Fight for the Future, and 7amleh provided a deadline of October 10 for Microsoft to respond to the questions outlined in the letter. However, Microsoft is expected to send its written response by the end of the month, and we will publish the response once received.

Read the full letter to Microsoft here.

Online surveillance is everywhere—and understanding how you’re being tracked, and how to fight back, is more important than ever. That’s why EFF partnered with Women In Security and Privacy (WISP) for our annual Global Members’ Speakeasy, where we tackled online behavioral tracking and the massive data broker industry that profits from your personal information. 

Our live panel featured Rory Mir (EFF Associate Director of Community Organizing), Lena Cohen (EFF Staff Technologist), Mitch Stoltz (EFF IP Litigation Director) and Yael Grauer, Program Manager at Consumer Reports. Together, they unpacked how we arrived at a point where a handful of major tech companies dictate so much of our digital rights, how these monopolies erode privacy, and what real-world consequences come from constant data collection—and most importantly, what you can do to fight back. 

Members also joined in for a lively Q&A, exploring practical steps to opt out of some of this data collection, discussing the efficacy of privacy laws like the California Consumer Privacy Act (CCPA), and sharing tools and tactics to reclaim control over their data. 

We're always excited to find new ways to connect with our supporters and spotlight the critical work that their donations make possible. And because we want everyone to learn from these conversations, you can now watch the full conversation on YouTube or the Internet Archive: 

WATCH THE FULL DISCUSSION

EFF’s Global Member Speakeasy: You Are the Product 

Events like the annual Global Members’ Speakeasy are just one way we like to thank our members for powering EFF’s mission. When you become a member, you’re not only supporting our legal battles, research, and advocacy for digital freedom—you’re joining a global community of people who care deeply about defending privacy and free expression for everyone. 

Join EFF today, and you’ll receive invitations for future member events, quarterly insider updates on our most important work, and some conversation-starting EFF gear to help you spread the word about online freedom. 

A huge thank you to everyone who joined us and our partners at WISP for helping make this event happen. We’re already planning upcoming in-person and virtual events, and we can’t wait to see you there. 

Austin, Texas is a major tech hub with a population that’s engaged in advocacy and paying attention. Since 1991, EFF-Austin an independent nonprofit civil liberties organization, has been the proverbial beacon alerting those in central Texas to the possibilities and implications of modern technology. It is also an active member of the Electronic Frontier Alliance (EFA). On a recent visit to Texas, I got the chance to speak with Kevin Welch, President of EFF-Austin, about the organization, its work, and what lies ahead for them:

How did EFF-Austin get started, and can you share how it got its name?

EFF-Austin is concerned with emerging frontiers where technology meets society. We are a group of visionary technologists, legal professionals, academics, political activists, and concerned citizens who work to protect digital rights and educate the public about emerging technologies and their implications. Similar to our namesake, the national Electronic Frontier Foundation (EFF), “the dominion we defend is the vast wealth of digital information, innovation, and technology that resides online.” EFF-Austin was originally formed in 1991 with the intention that it would become the first chapter of the national Electronic Frontier Foundation. However, EFF decided not to become a chapters organization, and EFF-Austin became a separately-incorporated, independent nonprofit organization focusing on cyber liberties, digital rights, and emerging technologies.

What's the mission of EFF-Austin and what do you promote?

EFF-Austin advocates for establishment and protection of digital rights and defense of the wealth of digital information, innovation, and technology. We promote the right of all citizens to communicate and share information without unreasonable constraint. We also advocate for the fundamental right to explore, tinker, create, and innovate along the frontier of emerging technologies.

EFF-Austin has been involved in a number of initiatives and causes over the past several years, including legislative advocacy. Can you share a few of them?

We were one of the earliest local organizations that began to call out the Austin City Council over their use of automated license plate readers (ALPRs). After several years of fighting, EFF-Austin was proud to join the No ALPRs coalition as a founding member with over thirty local and state activist groups. Through our efforts, Austin decided not to renew our ALPR pilot project, becoming one of the only cities in America to reject ALPRs. Building on this success, the coalition is broadening its scope to call out other uses of surveillance in Austin, like proposed contracts for park surveillance from Liveview Technologies, as well as data privacy abuses more generally, such as the potential partnership with Valkyrie AI to non-consensually provide citizen data for model training and research purposes without sufficient oversight or guardrails. In support of these initiatives, EFF-Austin also partnered with the Austin Technology Commission to propose much stricter oversight and transparency rules around how the city of Austin engages in contracts with third party technology vendors.

EFF-Austin has also provided expert testimony on a number of major technology bills at the Texas Legislature that have since become law, including the Texas Data Privacy And Security Act (TDPSA) and the Texas Responsible AI Governance Act (TRAIGA).

How can someone local to central Texas get involved?

We conduct monthly meetups with a variety of speakers, usually the second Tuesday of each month at 7:00pm at Capital Factory (701 Brazos St, Austin, TX 78701) in downtown Austin. These meetups can range from technology and legal explainers to digital security trainings, from digital arts profiles to shining a spotlight on surveillance. In addition, we have various one-off events, often in partnership with other local nonprofits and civic institutions, including our fellow EFA member Open Austin. We also have annual holiday parties and SXSW gatherings that are free and open to the public. We don't currently have memberships, so any and all are welcome.

While EFF-Austin events are popular and well-attended, and our impact on local technology policy is quite impressive for such a small nonprofit, we have no significant sustained funding beyond occasional outreach to our community. Any local nonprofits, activist organizations, academic initiatives, or technology companies who find themselves aligned with our cause and would like to fund our efforts are encouraged to reach out. We also always welcome the assistance of those who wish to volunteer their technical, organizational, or legal skills to our cause. In addition to emailing us at info@effaustin.org, follow us on Mastodon, Bluesky, Twitter, Facebook, Instagram, or Meetup, and visit us at our website at https://effaustin.org.

As all things old are new again, a bill that would make obtaining bad patents easier and harder to challenge is being considered in the Senate Judiciary Committee. The Patent Eligibility Restoration Act (PERA) would reverse over a decade of progress in fighting patent trolls and making the patent system more balanced.

PERA would overturn long-standing court decisions that have helped keep some of the most problematic patents in check. This includes the Supreme Court’s Alice v. CLS Bank decision, which bars patents on abstract ideas. While Alice has not completely solved the problems of the patent system or patent trolling, it has led to the rejection of hundreds of low-quality software patents and, as a result, has allowed innovation and small businesses to grow.

Thanks to the Alice decision, courts have invalidated a rogue’s gallery of terrible software patents—such as patents on online photo contests, online bingo, upselling, matchmaking, and scavenger hunts. These patents didn’t describe real inventions—they merely applied old ideas to general-purpose computers. But PERA would wipe out the Alice framework and replace it with vague, hollow exceptions, taking us back to an era where patent trolls and large corporate patent-holders aggressively harassed software developers and small companies.

This bill, combined with recent changes that have restricted access to the Patent Trial and Appeal Board (PTAB), would create a perfect storm—giving patent trolls and major corporations with large patent portfolios free rein to squeeze out independent inventors and small businesses.

EFF is proud to join a letter, along with Engine, the Public Interest Patent Law Institute, Public Knowledge, and R Street, to the Senate Judiciary Committee opposing this poorly-timed and concerning bill. We urge the committee to instead focus on restoring the PTAB as the accessible, efficient check on patent quality that Congress intended.

In a joint letter to the ranking members of the House and Senate intelligence committees, EFF has joined with 20 other organizations, including the ACLU, Brennan Center, CDT, Asian Americans Advancing Justice, and Demand Progress, to express opposition to a rule change that would seriously weaken accountability in the intelligence community. Specifically, under the proposed Senate Intelligence Authorization Act, S. 2342, the general counsels of the Central Intelligence Agency (CIA) and the Office of the Director of National Intelligence (ODNI) would no longer be subject to Senate confirmation.

You can read the entire letter here. 

In theory, having the most important legal thinkers at these secretive agencies—the ones who presumably tell an agency if something is legal or not—approved or rejected by the Senate allows elected officials the chance to vet candidates and their beliefs. If, for instance, a confirmation hearing had uncovered that a proposed general counsel for the CIA thinks it's not only legal, but morally justifiable for the agency to spy on US persons on US soil because of their political or religious beliefs–then the Senate would have the chance to reject that person. 

As the letter says, “The general counsels of the CIA and ODNI wield extraordinary influence, and they do so entirely in secret, shaping policies on surveillance, detention, interrogation, and other highly consequential national security matters. Moreover, they are the ones primarily responsible for determining the boundaries of what these agencies may lawfully do. The scope of this power and the fact that it occurs outside of public view is why Senate confirmation is so important.” 

It is for this reason that EFF and our ally organizations urge Congress to remove this provision from the Senate Intelligence Authorization Act.

Privacy laws are only as strong as their enforcement. In California, the state’s privacy agency recently issued its largest-ever fine for violation of the state’s privacy law—and all because of a consumer complaint.

The state’s  privacy law, the California Consumer Privacy Act or CCPA, requires many companies to respect California customers' and job applicants' rights to know, delete and correct information that businesses collect about them, and to opt-out of some types of sharing and use. It also requires companies to give notice of these rights, along with other information, to customers, job applicants, and others. (Bonus tip: Have a complaint about something else, such as a data breach? Go to the CA Attorney General.)

If you’re a Californian and think a business isn’t obeying the law, then the best thing to do is tell someone who can do something about it. How? It’s easy. In fewer than a dozen questions, you can share enough information to get the agency started.

Start With the Basics

First, head to the California Privacy Protection Agency’s website at cppa.ca.gov. On the front page, you’ll see an option to “File a Complaint.” Click on that option.

That button takes you to the online complaint form. You can also print out the agency’s paper complaint form here.

The complaint form starts, fittingly, by explaining the agency’s own privacy practices. Then it gets down to business by asking for information about your situation.

The first question offers a list of rights people have under the CCPA, such as a right to delete or a right to correct sensitive personal information. So, for example, if you’ve asked ABC Company to delete your information, but they have refused, you’d select “Right to Delete.” This helps the agency categorize your complaint and tie it directly to the requirements in the law.  The form then asks for the names of businesses, contractors, or people you want to report.

It also asks whether you’re a California resident. If you’re unsure, because you split residency or for other reasons, there is an “Unsure” option.

Adding the Details

From there, the form asks for more detailed information about what’s happened. There is a character limit on this question, so you’ll have to choose your words carefully. If you can, check out the agency’s FAQ on how to write a successful complaint before you submit the form. This will help you be specific and tell the agency what they need to hear to act on your complaint.

In the next question, include information about any proof you have supporting your complaint. So, for example, you could tell the agency you have your email asking ABC Company to delete your information, and also a screenshot of proof that they haven’t erased it. Or, say “I spoke to a person on the phone on this date.” This should just be a list of information you have, rather than a place to paste in emails or attach images.

The form will also ask if you’ve directly contacted the business about your complaint. You can just answer yes or no to this question. If it’s an issue such as a company not posting a privacy notice, or something similar, it may not have made sense to contact them directly. But if you made a deletion request, you probably have contacted them about it.

Anonymous or Not?

Finally, the complaint form will ask you to make either an “unsworn complaint” or a “sworn complaint.” This choice affects how you’ll be involved in the process going forward. You can file an anonymous unsworn complaint. But that will mean the agency can’t contact you about the issue in the future, since they don’t have any of your information.

For a sworn complaint, you have to provide some contact information and confirm that what you’re saying is true and that you’d swear to it in court.

Just because you submit contact information, that doesn’t mean the agency will contact you. Investigations are usually confidential, until there’s something like a settlement to announce. But we’ve seen that consumer complaints can be the spark for an investigation. It’s important for all of us to speak up, because it really does make a difference.

The California Privacy Protection Agency (CPPA) issued a record fine earlier this month to Tractor Supply, the country’s self-proclaimed largest “rural lifestyle” retailer, for apparently ducking its responsibilities under the California Consumer Privacy Act. Under that law, companies are required to respect California customers’ and job applicants’ rights to know, delete, and correct information that businesses collect about them, and to opt-out of some types of sharing and use. The law also requires companies to give notice of these rights, along with other information, to customers, job applicants, and others. The CPPA said that Tractor Supply failed several of these requirements. This is the first time the agency has enforced this data privacy law to protect job applicants. Perhaps best of all, the company's practices came to light all thanks to a consumer complaint filed with the agency.

Your complaints matter—so keep speaking up. 

Tractor Supply, which has 2,500 stores in 49 states, will pay for their actions to the tune of $1,350,000—the largest fine the agency has issued to date. Specifically, the agency said, Tractor Supply violated the law by:

• Failing to maintain a privacy policy that notified consumers of their rights;
• Failing to notify California job applicants of their privacy rights and how to exercise them;
• Failing to provide consumers with an effective mechanism to opt-out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control; and
• Disclosing personal information to other companies without entering into contracts that contain privacy protections.

In addition to the fine, the company also must take an inventory of its digital properties and tracking technologies and will have to certify its compliance with the California privacy law for the next four years.

It may surprise people to see that the agency’s most aggressive fine isn’t levied on a large technology company, data broker, or advertising company. But this case merely highlights what anyone who uses the internet knows: practically every company is tracking your online behavior. 

The agency may be trying to make exactly this point by zeroing in on Tractor Supply. In its press release on the fine, the agency's top enforcer was clear that they'll be casting a wide net. 

 “We will continue to look broadly across industries to identify violations of California’s privacy law,” said Michael Macko, the Agency’s head of enforcement. “We made it an enforcement priority to investigate whether businesses are properly implementing privacy rights, and this action underscores our ongoing commitment to doing that for consumers and job applicants alike.”

It is encouraging to see the agency stand up for Californians’ rights. For years, we have said privacy laws are only as strong as their enforcement. Ideally we'd like to see privacy laws—including California’s—include a private right to action to let anyone sue for privacy violations, in addition to enforcement actions like this one from regulators. Since individuals can't stand up for the majority of their own privacy rights in California, however, it's even more important that regulators such as the CPPA are active, strategic, and bold. 

It also highlights why it's important for people like you to submit complaints to regulators. As the agency itself said, “The CPPA opened an investigation into Tractor Supply’s privacy practices after receiving a complaint from a consumer in Placerville, California.” Your complaints matter—so keep speaking up. 

New documents and court records obtained by EFF show that Texas deputies queried Flock Safety's surveillance data in an abortion investigation, contradicting the narrative promoted by the company and the Johnson County Sheriff that she was “being searched for as a missing person,” and that “it was about her safety.” 

The new information shows that deputies had initiated a "death investigation" of a "non-viable fetus," logged evidence of a woman’s self-managed abortion, and consulted prosecutors about possibly charging her. 

Johnson County Sheriff Adam King repeatedly denied the automated license plate reader (ALPR) search was related to enforcing Texas's abortion ban, and Flock Safety called media accounts "false," "misleading" and "clickbait." However, according to a sworn affidavit by the lead detective, the case was in fact a death investigation in response to a report of an abortion, and deputies collected documentation of the abortion from the "reporting person," her alleged romantic partner. The death investigation remained open for weeks, with detectives interviewing the woman and reviewing her text messages about the abortion. 

The documents show that the Johnson County District Attorney's Office informed deputies that "the State could not statutorily charge [her] for taking the pill to cause the abortion or miscarriage of the non-viable fetus."

An excerpt from the JCSO detective's sworn affidavit.

The records include previously unreported details about the case that shocked public officials and reproductive justice advocates across the country when it was first reported by 404 Media in May. The case serves as a clear warning sign that when data from ALPRs is shared across state lines, it can put people at risk, including abortion seekers. And, in this case, the use may have run afoul of laws in Washington and Illinois.

A False Narrative Emerges

Last May, 404 Media obtained data revealing the Johnson County Sheriff’s Office conducted a nationwide search of more than 83,000 Flock ALPR cameras, giving the reason in the search log: “had an abortion, search for female.” Both the Sheriff's Office and Flock Safety have attempted to downplay the search as akin to a search for a missing person, claiming deputies were only looking for the woman to “check on her welfare” and that officers found a large amount of blood at the scene – a claim now contradicted by the responding investigator’s affidavit. Flock Safety went so far as to assert that journalists and advocates covering the story intentionally misrepresented the facts, describing it as "misreporting" and "clickbait-driven." 

As Flock wrote of EFF's previous commentary on this case (bold in original statement): 

Earlier this month, there was purposefully misleading reporting that a Texas police officer with the Johnson County Sheriff’s Office used LPR “to target people seeking reproductive healthcare.” This organization is actively perpetuating narratives that have been proven false, even after the record has been corrected.

According to the Sheriff in Johnson County himself, this claim is unequivocally false.

… No charges were ever filed against the woman and she was never under criminal investigation by Johnson County. She was being searched for as a missing person, not as a suspect of a crime.

That sheriff has since been arrested and indicted on felony counts in an unrelated sexual harassment and whistleblower retaliation case. He has also been charged with aggravated perjury for allegedly lying to a grand jury. EFF filed public records requests with Johnson County to obtain a more definitive account of events.

The newly released incident report and affidavit unequivocally describe the case as a "death investigation" of a "non-viable fetus." These documents also undermine the claim that the ALPR search was in response to a medical emergency, since, in fact, the abortion had occurred more than two weeks before deputies were called to investigate. 

In recent years, anti-abortion advocates and prosecutors have increasingly attempted to use “fetal homicide” and “wrongful death” statutes – originally intended to protect pregnant people from violence – to criminalize abortion and pregnancy loss. These laws, which exist in dozens of states, establish legal personhood of fetuses and can be weaponized against people who end their own pregnancies or experience a miscarriage. 

In fact, a new report from Pregnancy Justice found that in just the first two years since the Supreme Court’s decision in Dobbs, prosecutors initiated at least 412 cases charging pregnant people with crimes related to pregnancy, pregnancy loss, or birth–most under child neglect, endangerment, or abuse laws that were never intended to target pregnant people. Nine cases included allegations around individuals’ abortions, such as possession of abortion medication or attempts to obtain an abortion–instances just like this one. The report also highlights how, in many instances, prosecutors use tangentially related criminal charges to punish people for abortion, even when abortion itself is not illegal.

By framing their investigation of a self-administered abortion as a “death investigation” of a “non-viable fetus,” Texas law enforcement was signaling their intent to treat the woman’s self-managed abortion as a potential homicide, even though Texas law does not allow criminal charges to be brought against an individual for self-managing their own abortion. 

The Investigator's Sworn Account

Over two days in April, the woman went through the process of taking medication to induce an abortion. Two weeks later, her partner–who would later be charged with domestic violence against her–reported her to the sheriff's office. 

The documents confirm that the woman was not present at the home when the deputies “responded to the death (Non-viable fetus).” As part of the investigation, officers collected evidence that the man had assembled of the self-managed abortion, including photographs, the FedEx envelope the medication arrived in, and the instructions for self-administering the medication. 

Another Johnson County official ran two searches through the ALPR database with the note "had an abortion, search for female," according to Flock Safety search logs obtained by EFF. The first search, which has not been previously reported, probed 1,295 Flock Safety networks–composed of 17,684 different cameras–going back one week. The second search, which was originally exposed by 404 Media, was expanded to a full month of data across 6,809 networks, including 83,345 cameras. Both searches listed the same case number that appears on the death investigation/incident report obtained by EFF. 

After collecting the evidence from the woman’s partner, the investigators say they consulted the district attorney’s office, only to be told they could not press charges against the woman. 

An excerpt from the JCSO detective's sworn affidavit.

Nevertheless, when the subject showed up at the Sheriff’s office a week later, officers were under the impression that she came to “to tell her side of the story about the non-viable fetus.” They interviewed her, inspected text messages about the abortion on her phone, and watched her write a timeline of events. 

Only after all that did they learn that she actually wanted to report a violent assault by her partner–the same individual who had called the police to report her abortion. She alleged that less than an hour after the abortion, he choked her, put a gun to her head, and made her beg for her life. The man was ultimately charged in connection with the assault, and the case is ongoing. 

This documented account runs completely counter to what law enforcement and Flock have said publicly about the case. 

Johnson County Sheriff Adam King told 404 media: "Her family was worried that she was going to bleed to death, and we were trying to find her to get her to a hospital.” He later told the Dallas Morning News: “We were just trying to check on her welfare and get her to the doctor if needed, or to the hospital."

The account by the detective on the scene makes no mention of concerned family members or a medical investigator. To the contrary, the affidavit says that they questioned the man as to why he "waited so long to report the incident," and he responded that he needed to "process the event and call his family attorney." The ALPR search was recorded 2.5 hours after the initial call came in, as documented in the investigation report.

The Desk Sergeant's Report—One Month Later

EFF obtained a separate "case supplemental report" written by the sergeant who says he ran the May 9 ALPR searches. 

The sergeant was not present at the scene, and his account was written belatedly on June 5, almost a month after the incident and nearly a week after 404 Media had already published the sheriff’s alternative account of the Flock Safety search, kicking off a national controversy. The sheriff's office provided this sergeant's report to Dallas Morning News. 

In the report, the sergeant claims that the officers on the ground asked him to start "looking up" the woman due to there being "a large amount of blood" found at the residence—an unsubstantiated claim that is in conflict with the lead investigator’s affidavit. The sergeant repeatedly expresses that the situation was "not making sense." He claims he was worried that the partner had hurt the woman and her children, so "to check their welfare," he used TransUnion's TLO commercial investigative database system to look up her address. Once he identified her vehicle, he ran the plate through the Flock database, returning hits in Dallas.

Two abortion-related searches in the JCSO's Flock Safety ALPR audit log

The sergeant's report, filed after the case attracted media attention, notably omits any mention of the abortion at the center of the investigation, although it does note that the caller claimed to have found a fetus. The report does not explain, or even address, why the sergeant used the phrase "had an abortion, search for female” as the official reason for the ALPR searches in the audit log. 

It's also unclear why the sergeant submitted the supplemental report at all, weeks after the incident. By that time, the lead investigator had already filed a sworn affidavit that contradicted the sergeant's account. For example, the investigator, who was on the scene, does not describe finding any blood or taking blood samples into evidence, only photographs of what the partner believed to be the fetus. 

One area where they concur: both reports are clearly marked as a "death investigation." 

Correcting the Record

Since 404 Media first reported on this case, King has perpetuated the false narrative, telling reporters that the woman was never under investigation, that officers had not considered charges against her, and that "it was all about her safety."

But here are the facts: 

• The reports that have been released so far describe this as a death investigation.
• The lead detective described himself as "working a death investigation… of a non-viable fetus" at the time he interviewed the woman (a week after the ALPR searches).
• The detective wrote that they consulted the district attorney's office about whether they could charge her for "taking the pill to cause the abortion or miscarriage of the non-viable fetus." They were told they could not.
• Investigators collected a lot of data, including photos and documentation of the abortion, and ran her through multiple databases. They even reviewed her text messages about the abortion. 
• The death investigation was open for more than a month.

The death investigation was only marked closed in mid-June, weeks after 404 Media's article and a mere days before the Dallas Morning News published its report, in which the sheriff inaccurately claimed the woman "was not under investigation at any point."

Flock has promoted this unsupported narrative on its blog and in multimedia appearances. We did not reach out to Flock for comment on this article, as their communications director previously told us the company will not answer our inquiries until we "correct the record and admit to your audience that you purposefully spread misinformation which you know to be untrue" about this case. 

Consider the record corrected: It turns out the truth is even more damning than initially reported.

The Aftermath

In the aftermath of the original reporting, government officials began to take action. The networks searched by Johnson County included cameras in Illinois and Washington state, both states where abortion access is protected by law. Since then: 

• The Illinois Secretary of State has announced his intent to “crack down on unlawful use of license plate reader data,” and urged the state’s Attorney General to investigate the matter. 
• In California, which also has prohibitions on sharing ALPR out of state and for abortion-ban enforcement, the legislature cited the case in support of pending legislation to restrict ALPR use.
• Ranking Members of the House Oversight Committee and one of its subcommittees launched a formal investigation into Flock’s role in “enabling invasive surveillance practices that threaten the privacy, safety, and civil liberties of women, immigrants, and other vulnerable Americans.” 
• Senator Ron Wyden secured a commitment from Flock to protect Oregonians' data from out-of-state immigration and abortion-related queries.

In response to mounting pressure, Flock announced a series of new features supposedly designed to prevent future abuses. These include blocking “impermissible” searches, requiring that all searches include a “reason,” and implementing AI-driven audit alerts to flag suspicious activity. But as we've detailed elsewhere, these measures are cosmetic at best—easily circumvented by officers using vague search terms or reusing legitimate case numbers. The fundamental architecture that enabled the abuse remains unchanged. 

Meanwhile, as the news continued to harm the company's sales, Flock CEO Garrett Langley embarked on a press tour to smear reporters and others who had raised alarms about the usage. In an interview with Forbes, he even doubled down and extolled the use of the ALPR in this case. 

So when I look at this, I go “this is everything’s working as it should be.” A family was concerned for a family member. They used Flock to help find her, when she could have been unwell. She was physically okay, which is great. But due to the political climate, this was really good clickbait.

Nothing about this is working as it should, but it is working as Flock designed. 

The Danger of Unchecked Surveillance

Flock Safety ALPR cameras

This case reveals the fundamental danger of allowing companies like Flock Safety to build massive, interconnected surveillance networks that can be searched across state lines with minimal oversight. When a single search query can access more than 83,000 cameras spanning almost the entire country, the potential for abuse is staggering, particularly when weaponized against people seeking reproductive healthcare. 

The searches in this case may have violated laws in states like Washington and Illinois, where restrictions exist specifically to prevent this kind of surveillance overreach. But those protections mean nothing when a Texas deputy can access cameras in those states with a few keystrokes, without external review that the search is legal and legitimate under local law. In this case, external agencies should have seen the word "abortion" and questioned the search, but the next time an officer is investigating such a case, they may use a more vague or misleading term to justify the search. In fact, it's possible it has already happened. 

ALPRs were marketed to the public as tools to find stolen cars and locate missing persons. Instead, they've become a dragnet that allows law enforcement to track anyone, anywhere, for any reason—including investigating people's healthcare decisions. This case makes clear that neither the companies profiting from this technology nor the agencies deploying it can be trusted to tell the full story about how it's being used.

States must ban law enforcement from using ALPRs to investigate healthcare decisions and prohibit sharing data across state lines. Local governments may try remedies like reducing data retention period to minutes instead of weeks or months—but, really, ending their ALPR programs altogether is the strongest way to protect their most vulnerable constituents. Without these safeguards, every license plate scan becomes a potential weapon against a person seeking healthcare.

At EFF, we believe that tech rights are worker’s rights. Since the pandemic, workers of all kinds have been subjected to increasingly invasive forms of bossware. These are the “algorithmic management” tools that surveil workers on and off the job, often running on devices that (nominally) belong to workers, hijacking our phones and laptops. On the job, digital technology can become both a system of ubiquitous surveillance and a means of total control.

Enter the EU’s Platform Work Directive (PWD). The PWD was finalized in 2024, and every EU member state will have to implement (“transpose”) it by 2026. The PWD contains far-reaching measures to protect workers from abuse, wage theft, and other unfair working conditions.

But the PWD isn’t self-enforcing! Over the decades that EFF has fought for user rights, we’ve proved that having a legal right on paper isn’t the same as having that right in the real world. And workers are rarely positioned to take on their bosses in court or at a regulatory body. To do that, they need advocates.

That’s where unions come in. Unions are well-positioned to defend their members – and all workers (EFF employees are proudly organized under the International Federation of Professional and Technical Engineers).

The European Trade Union Confederation has just published “Negotiating the Algorithm,” a visionary – but detailed and down-to-earth – manual for unions seeking to leverage the PWD to protect and advance workers’ interests in Europe.

The report notes the alarming growth of algorithmic management, with 79% of European firms employing some form of bossware. Report author Ben Wray enumerates many of the harms of algorithmic management, such as “algorithmic wage discrimination,” where each worker is offered a different payscale based on surveillance data that is used to infer how economically desperate they are.

Algorithmic management tools can also be used for wage theft, for example, by systematically undercounting the distances traveled by delivery drivers or riders. These tools can also subject workers to danger by penalizing workers who deviate from prescribed tasks (for example, when riders are downranked for taking an alternate route to avoid a traffic accident).

Gig workers live under the constant threat of being “deactivated” (kicked off the app) and feel pressure to do unpaid work for clients who can threaten their livelihoods with one-star reviews. Workers also face automated de-activation: a whole host of “anti-fraud” tripwires can see workers de-activated without appeal. These risks do not befall all workers equally: Black and brown workers face a disproportionate risk of de-activation when they fail facial recognition checks meant to prevent workers from sharing an account (facial recognition systems make more errors when dealing with darker skin tones).

Algorithmic management is typically accompanied by a raft of cost-cutting measures, and workers under algorithmic management often find that their employer’s human resources department has been replaced with chatbots, web-forms, and seemingly unattended email boxes. When algorithmic management goes wrong, workers struggle to reach a human being who can hear their appeal.

For these reasons and more, the ETUC believes that unions need to invest in technical capacity to protect workers’ interests in the age of algorithmic management.

The report sets out many technological activities that unions can get involved with. At the most basic level, unions can invest in developing analytical capabilities, so that when they request logs from algorithmic management systems as part of a labor dispute, they can independently analyze those files.

But that’s just table-stakes. Unions should also consider investing in “counter apps” that help workers. There are workers that act as an external check on employers’ automation, like the UberCheats app, which double-checked the mileage that Uber drivers were paid for. There are apps that enable gig workers to collectively refuse lowball offers, raising the prevailing wage for all the workers in a region, such as the Brazilian StopClub app. Indonesian gig riders have a wide range of “tuyul” apps that let them modify the functionality of their dispatch apps. We love this kind of “adversarial interoperability.” Any time the users of technology get to decide how it works, we celebrate. And in the US, this sort of tech-enabled collective action by workers is likely to be shielded from antitrust liability even if the workers involved are classified as independent contractors.

Developing in-house tech teams also gives unions the know-how to develop the tools for organizers and workers to coordinate their efforts to protect workers. The report acknowledges that this is a lot of tech work to ask individual unions to fund, and it moots the possibility of unions forming cooperative ventures to do this work for the unions in the co-op. At EFF, we regularly hear from skilled people who want to become public interest technologists, and we bet there’d be plenty of people who’d jump at the chance to do this work.

The new Platform Work Directive gives workers and their representatives the right to challenge automated decision-making, to peer inside the algorithms used to dispatch and pay workers, to speak to a responsible human about disputes, and to have their privacy and other fundamental rights protected on the job. It represents a big step forward for workers’ rights in the digital age.

But as the European Trade Union Confederation’s report reminds us, these rights are only as good as workers’ ability to claim them. After 35 years of standing up for people’s digital rights, we couldn’t agree more.

In research shared with Wired this week, security researchers detailed a series of vulnerabilities and design flaws with Life360’s Tile Bluetooth trackers that make it easy for stalkers and the company itself to track the location of Tile devices.

Tile trackers are small Bluetooth trackers, similar to Apple’s Airtags, but they work on their own network, not Apple’s. We’ve been raising concerns about these types of trackers since they were first introduced and provide guidance for finding them if you think someone is using them to track you without your knowledge.

EFF has worked on improving the Detecting Unwanted Location Trackers standard that Apple, Google, and Samsung use, and these companies have at least made incremental improvements. But Tile has done little to mitigate the concerns we’ve raised around stalkers using their devices to track people.

One of the core fundamentals of that standard is that Bluetooth trackers should rotate their MAC address, making them harder for a third-party to track, and that they should encrypt information sent. According to the researchers, Tile does neither.

This has a direct impact on the privacy of legitimate users and opens the device up to potentially even more dangerous stalking. Tile devices do have a rotating ID, but since the MAC address is static and unencrypted, anyone in the vicinity could pick up and track that Bluetooth device.

Other Bluetooth trackers don’t broadcast their MAC address, and instead use only a rotating ID, which makes it much harder for someone to record and track the movement of that tag. Apple, Google, and Samsung also all use end-to-end encryption when data about the location is sent to the companies’ servers, meaning the companies themselves cannot access that information.

In its privacy policy, Life360 states that, “You are the only one with the ability to see your Tile location and your device location.” But if the information from a tracker is sent to and stored by Tile in cleartext (i.e. unencrypted text) as the researchers believe, then the company itself can see the location of the tags and their owners, turning them from single item trackers into surveillance tools.

There are also issues with the “anti-theft mode” that Tile offers. The anti-theft setting hides the tracker from Tile’s “Scan and Secure” detection feature, so it can’t be easily found using the app. Ostensibly this is a feature meant to make it harder for a thief to just use the app to locate a tracker. In exchange for enabling the anti-theft feature, a user has to submit a photo ID and agree to pay a $1 million fine if they’re convicted of misusing the tracker.

But that’s only helpful if the stalker gets caught, which is a lot less likely when the person being tracked can’t use the anti-stalking protection feature in the app to find the tracker following them. As we’ve said before, it is impossible to make an anti-theft device that secretly notifies only the owner without also making a perfect tool for stalking.

Life360, the company that owns Tile, told Wired it “made a number of improvements” after the researchers reported them, but did not detail what those improvements are.

Many of these issues would be mitigated by doing what their competition is already doing: encrypting the broadcasts from its Bluetooth trackers and randomizing MAC addresses. Every company involved in the location tracker industry business has the responsibility to create a safeguard for people, not just for their lost keys.

A San Francisco supervisor has proposed that police and other city agencies should have no financial consequences for breaking a landmark surveillance oversight law. In 2019, organizations from across the city worked together to help pass that law, which required law enforcement to get the approval of democratically elected officials before they bought and used new spying technologies. Bit by bit, the San Francisco Police Department and the Board of Supervisors have weakened that law—but one important feature of the law remained: if city officials are caught breaking this law, residents can sue to enforce it, and if they prevail they are entitled to attorney fees. 

Now Supervisor Matt Dorsey believes that this important accountability feature is “incentivizing baseless but costly lawsuits that have already squandered hundreds of thousands of taxpayer dollars over bogus alleged violations of a law that has been an onerous mess since it was first enacted.” 

Between 2010 and 2023, San Francisco had to spend roughly $70 million to settle civil suits brought against the SFPD for alleged misconduct ranging from shooting city residents to wrongfully firing whistleblowers. This is not “squandered” money; it is compensating people for injury. We are all governed by laws and are all expected to act accordingly—police are not exempt from consequences for using their power wrongfully. In the 21st century, this accountability must extend to using powerful surveillance technology responsibly. 

The ability to sue a police department when they violate the law is called a “private right of action” and it is absolutely essential to enforcing the law. Government officials tasked with making other government officials turn square corners will rarely have sufficient resources to do the job alone, and often they will not want to blow the whistle on peers. But city residents empowered to bring a private right of action typically cannot do the job alone, either—they need a lawyer to represent them. So private rights of action provide for an attorney fee award to people who win these cases. This is a routine part of scores of public interest laws involving civil rights, labor safeguards, environmental protection, and more.

Without an enforcement mechanism to hold police accountable, many will just ignore the law. They’ve done it before. AB 481 is a California state law that requires police to get elected official approval before attempting to acquire military equipment, including drones. The SFPD knowingly ignored this law. If it had an enforcement mechanism, more police would follow the rules. 

President Trump recently included San Francisco in a list of cities he would like the military to occupy. Law enforcement agencies across the country, either willingly or by compulsion, have been collaborating with federal agencies operating at the behest of the White House. So it would be best for cities to keep their co-optable surveillance infrastructure small, transparent, and accountable. With authoritarianism looming, now is not the time to make police less hard to control—especially considering SFPD has already disclosed surveillance data to Immigration and Customs Enforcement (ICE) in violation of California state law.  

We’re calling on the Board of Supervisors to reject Supervisor Dorsey’s proposal. If police want to avoid being sued and forced to pay the prevailing party’s attorney fees, they should avoid breaking the laws that govern police surveillance in the city.

Related Cases: Williams v. San Francisco

This is the tenth and final installment in a blog series documenting EFF's findings from the Stop Censoring Abortion campaign. You can read additional posts here. 

When we launched Stop Censoring Abortion, our goals were to understand how social media platforms were silencing abortion-related content, gather data and lift up stories of censorship, and hold social media companies accountable for the harm they have caused to the reproductive rights movement.

Thanks to nearly 100 submissions from educators, advocates, clinics, researchers, and individuals around the world, we confirmed what many already suspected: this speech is being removed, restricted, and silenced by platforms at an alarming rate. Together, our findings paint a clear picture of censorship in action: platforms’ moderation systems are not only broken, but are actively harming those seeking and sharing vital reproductive health information.

Here are the key lessons from this campaign: what we uncovered, how platforms can do better, and why pushing back against this censorship matters more now than ever.

Lessons Learned

Across our submissions, we saw systemic over-enforcement, vague and convoluted policies, arbitrary takedowns, sudden account bans, and ignored appeals. And in almost every case we reviewed, the posts and accounts in question did not violate any of the platform’s stated rules.

The most common reason Meta gave for removing abortion-related content was that it violated policies on Restricted Goods and Services, which prohibit any “attempts to buy, sell, trade, donate, gift or ask for pharmaceutical drugs.” But most of the content submitted simply provided factual, educational information that clearly did not violate those rules. As we saw in the M+A Hotline’s case, this kind of misclassification deprives patients, advocates, and researchers of reliable information, and chills those trying to provide accurate and life-saving reproductive health resources.

In one submission, we even saw posts sharing educational abortion resources get flagged under the “Dangerous Organizations and Individuals” policy, a rule intended to prevent terrorism and criminal activity. We’ve seen this policy cause problems in the past, but in the reproductive health space, treating legal and accurate information as violent or unlawful only adds needless stigma and confusion.

Meta’s convoluted advertising policies add another layer of harm. There are specific, additional rules users must navigate to post paid content about abortion. While many of these rules still contain exceptions for purely educational content, Meta is vague about how and when those exceptions apply. And ads that seem like they should have been allowed were frequently flagged under rules about “prescription drugs” or “social issues.” This patchwork of unclear policies forces users to second-guess what content they can post or promote for fear of losing access to their networks.

In another troubling trend, many of our submitters reported experiencing shadowbanning and de-ranking, where posts weren’t removed but were instead quietly suppressed by the algorithm. This kind of suppression leaves advocates without any notice, explanation, or recourse—and severely limits their ability to reach people who need the information most.  

Many users also faced sudden account bans without warning or clear justification. Though Meta’s policies dictate that an account should only be disabled or removed after “repeated” violations, organizations like Women Help Women received no warning before seeing their critical connections cut off overnight.

Finally, we learned that Meta’s enforcement outcomes were deeply inconsistent. Users often had their appeals denied and accounts suspended until someone with insider access to Meta could intervene. For example, the Red River’s Women’s Clinic, RISE at Emory, and Aid Access each had their accounts restored only after press attention or personal contacts stepped in. This reliance on backchannels underscores the inequity in Meta’s moderation processes: without connections, users are left unfairly silenced.

It’s Not Just Meta

Most of our submissions detailed suppression that took place on one of Meta’s platforms (Facebook, Instagram, Whatsapp and Threads), so we decided to focus our analysis on Meta’s moderation policies and practices. But we should note that this problem is by no means confined to Meta.

On LinkedIn, for example, Stephanie Tillman told us about how she had her entire account permanently taken down, with nothing more than a vague notice that she had violated LinkedIn’s User Agreement. When Stephanie reached out to ask what violation she committed, LinkedIn responded that “due to our Privacy Policy we are unable to release our findings,” leaving her with no clarity or recourse. Stephanie suspects that the ban was related to her work with Repro TLC, an advocacy and clinical health care organization, and/or her posts relating to her personal business, Feminist Midwife LLC. But LinkedIn’s opaque enforcement meant she had no way to confirm these suspicions, and no path to restoring her account.

Screenshot submitted by Stephanie Tillman to EFF (with personal information redacted by EFF)

And over on Tiktok, Brenna Miller, a creator who works in health care and frequently posts about abortion, posted a video of her “unboxing” an abortion pill care package from Carafem. Though Brenna’s video was factual and straightforward, TikTok removed it, saying that she had violated TikTok’s Community Guidelines.

Screenshot submitted by Brenna Miller to EFF

Brenna appealed the removal successfully at first, but a few weeks later the video was permanently deleted—this time, without any explanation or chance to appeal again.

Brenna’s far from the only one experiencing censorship on TikTok. Even Jessica Valenti, award-winning writer, activist, and author of the Abortion Every Day newsletter, recently had a video taken down from TikTok for violating its community guidelines, with no further explanation. The video she posted was about the Trump administration calling IUDs and the Pill ‘abortifacients.’ Jessica wrote:

Which rule did I break? Well, they didn’t say: but I wasn’t trying to sell anything, the video didn’t feature nudity, and I didn’t publish any violence. By process of elimination, that means the video was likely taken down as "misinformation." Which is…ironic.

These are not isolated incidents. In the Center for Intimacy Justice’s survey of reproductive rights advocates, health organizations, sex educators, and businesses, 63% reported having content removed on Meta platforms, 55% reported the same on TikTok, and 66% reported having ads rejected from Google platforms (including YouTube). Clearly, censorship of abortion-related content is a systemic problem across platforms.

How Platforms Can Do Better on Abortion-Related Speech

Based on our findings, we're calling on platforms to take these concrete steps to improve moderation of abortion-related speech:

• Publish clear policies. Users should not have to guess whether their speech is allowed or not.
• Enforce rules consistently. If a post does not violate a written standard, it should not be removed.
• Provide real transparency. Enforcement decisions must come with clear, detailed explanations and meaningful opportunities to appeal.
• Guarantee functional appeals. Users must be able to challenge wrongful takedowns without relying on insider contacts.
• Expand human review. Reproductive rights is a nuanced issue and can be too complex to be left entirely to error-prone automated moderation systems.

Practical Tips for Users

Don’t get it twisted: Users should not have to worry about their posts being deleted or their accounts getting banned when they share factual information that doesn’t violate platform policies. The onus is on platforms to get it together and uphold their commitments to users. But while platforms continue to fail, we’ve provided some practical tips to reduce the risk of takedowns, including:

• Consider limiting commonly flagged words and images. Posts with pill images or certain keyword combinations (like “abortion,” “pill,” and “mail”) were often flagged.
• Be as clear as possible. Vague phrases like “we can help you get what you need” might look like drug sales to an algorithm.
• Be careful with links. Direct links to pill providers were often flagged. Spell out the links instead.
• Expect stricter rules for ads. Boosted posts face harsher scrutiny than regular posts.
• Appeal wrongful enforcement decisions. Requesting an appeal might get you a human moderator or, even better, review from Meta’s independent Oversight Board.
• Document everything and back up your content. Screenshot all communications and enforcement decisions so you can share them with the press or advocacy groups, and export your data regularly in case your account vanishes overnight.

Keep Fighting

Abortion information saves lives, and social media is the primary—and sometimes only—way for advocates and providers to get accurate information out to the masses. But now we have evidence that this censorship is widespread, unjustified, and harming communities who need access to this information most.

Platforms must be held accountable for these harms, and advocates must continue to speak out. The more we push back—through campaigns, reporting, policy advocacy, and user action—the harder it will be for platforms to look away.

So keep speaking out, and keep demanding accountability. Platforms need to know we're paying attention—and we won't stop fighting until everyone can share information about abortion freely, safely, and without fear of being silenced.

This is the tenth and final post in our blog series documenting the findings from our Stop Censoring Abortion campaign. Read more at https://www.eff.org/pages/stop-censoring-abortion.  

Affected by unjust censorship? Share your story using the hashtag #StopCensoringAbortion. Amplify censored posts and accounts, share screenshots of removals and platform messages—together, we can demonstrate how these policies harm real people. 

This is the ninth installment in a blog series documenting EFF’s findings from the Stop Censoring Abortion campaign. You can read additional posts here.  

Meta has been getting content moderation wrong for years, like most platforms that host user-generated content. Sometimes it’s a result of deliberate design choices—privacy rollbacks, opaque policies, features that prioritize growth over safety—made even when the company knows that those choices could negatively impact users. Other times, it’s simply the inevitable outcome of trying to govern billions of posts with a mix of algorithms and overstretched human reviewers. Importantly, users shouldn’t have to worry about their posts being deleted or their accounts getting banned when they share factual health information that doesn’t violate the platforms' policies. But knowing more about what the algorithmic moderation is likely to flag can help you to avoid its mistakes. 

We analyzed the roughly one-hundred survey submissions we received from social media users in response to our Stop Censoring Abortion campaign. Their stories revealed some clear patterns: certain words, images, and phrases seemed to trigger takedowns, even when posts didn’t come close to violating Meta’s rules. 

For example, your post linking to information on how people are accessing abortion pills online clearly is not an offer to buy or sell pills, but an algorithm, or a human content reviewer who doesn’t know for sure, might wrongly flag it for violating Meta’s policies on promoting or selling “restricted goods.” 

That doesn’t mean you’re powerless. For years, people have used “algospeak”—creative spelling, euphemisms, or indirection—to sidestep platform filters. Abortion rights advocates are now forced into similar strategies, even when their speech is perfectly legal. It’s not fair, but it might help you keep your content online. Here are some things we learned from our survey: 

Practical Tips to Reduce the Risk of Takedowns 

While traditional social media platforms can help people reach larger audiences, using them also generally means you have to hand over control of what you and others are able to see to the people who run the company. This is the deal that large platforms offer—and while most of us want platforms to moderate some content (even if that moderation is imperfect), current systems of moderation often reflect existing societal power imbalances and impact marginalized voices the most. 

There are ways companies and governments could better balance the power between users and platforms. In the meantime, there are steps you can take right now to break the hold these platforms have:   

• Images and keywords matter. Posts with pill images, or accounts with “pill” in their names, were flagged often—even when the posts weren’t offering to sell medication. Before posting, consider whether you need to include an image of, or the word “pill,” or whether there’s another way to communicate your message. 

• Clarity beats vagueness. Saying “we can help you find what you need” or “contact me for more info” might sound innocuous, but to an algorithm, it can look like an offer to sell drugs. Spell out what kind of support you do and don’t provide—for example: “We can talk through options and point you toward trusted resources. We don’t provide medical services or medication.” 

• Be careful with links. Direct links to organizations or services that provide abortion pills were often flagged, even if the organizations operate legally. Instead of linking, try spelling out the name of the site or account. 

• Certain word combos are red flags. Posts that included words like “mifepristone,” “abortion,” and “mail” together were frequently removed. You may still want to use them—they’re accurate and important—but know they make your post more likely to be flagged. 

• Ads are even stricter. Meta requires pharmaceutical advertisers to prove they’re licensed in the countries they target. If you boost posts, assume the more stringent advertising standards will be applied. 

Alternatives and Backups 

Big platforms give you reach, but they also set the rules—and those rules usually favor corporate interests over human rights. You don’t have to accept that as the only way forward: 

• Keep a backup. Export your data regularly so you’re not left empty-handed if your account disappears overnight. 

• Build your own space. Hosting a website isn’t free, but it puts you in control. 

• Explore other platforms. Newsletters, Discord, and other community tools offer more control than Facebook or Instagram. Decentralized platforms like Mastodon and Bluesky aren’t perfect, but they show what’s possible when moderation isn’t dictated from the top down. (Learn more about the differences between Mastodon, Bluesky, and Threads, and how these kinds of platforms help us build a better internet.) 

• Push for interoperability. Imagine being able to take your audience with you when you leave a platform. That’s the future we should be fighting for. (For more on interoperability and Meta, check out this video where Cory Doctorow explains what an interoperable Facebook would look like.) 

Protect Your Privacy 

If you’re working in abortion access—whether as a provider, activist, or volunteer—your privacy and security matter. The same is true for patients. Check out EFF’s Surveillance Self-Defense for tailored guides. Look at resources from groups like Digital Defense Fund and learn how location tracking tools can endanger abortion access. If you run an organization, consider some of the ways you can minimize what information you collect about patients, clients, or customers, in our guide to Online Privacy for Nonprofits. 

Platforms like Meta insist they want to balance free expression and safety, but their blunt systems consistently end up reinforcing existing inequalities—silencing the very people who most need to be heard. Until they do better, it’s on us to protect ourselves, share our stories, and keep building the kind of internet that respects our rights. 

This is the ninth post in our blog series documenting the findings from our Stop Censoring Abortion campaign. Read more in the series: https://www.eff.org/pages/stop-censoring-abortion 

Affected by unjust censorship? Share your story using the hashtag #StopCensoringAbortion. Amplify censored posts and accounts, share screenshots of removals and platform messages—together, we can demonstrate how these policies harm real people.  

Flock Safety, the police technology company most notable for their extensive network of automated license plate readers spread throughout the United States, is rolling out a new and troubling product that may create headaches for the cities that adopt it: detection of “human distress” via audio. As part of their suite of technologies, Flock has been pushing Raven, their version of acoustic gunshot detection. These devices capture sounds in public places and use machine learning to try to identify gunshots and then alert police—but EFF has long warned that they are also high powered microphones parked above densely-populated city streets. Cities now have one more reason to follow the lead of many other municipalities and cancel their Flock contracts, before this new feature causes civil liberties harms to residents and headaches for cities. 

In marketing materials, Flock has been touting new features to their Raven product—including the ability of the device to alert police based on sounds, including “distress.” The online ad for the product, which allows cities to apply for early access to the technology, shows the image of police getting an alert for “screaming.” 

It’s unclear how this technology works. For acoustic gunshot detection, generally the microphones are looking for sounds that would signify gunshots (though in practice they often mistake car backfires or fireworks for gunshots). Flock needs to come forward now with an explanation of exactly how their new technology functions. It is unclear how these devices will interact with state “eavesdropping” laws that limit listening to or recording the private conversations that often take place in public. 

Flock is no stranger to causing legal challenges for the cities and states that adopt their products. In Illinois, Flock was accused of violating state law by allowing Immigration and Customs Enforcement (ICE), a federal agency, access to license plate reader data taken within the state. That’s not all. In 2023, a North Carolina judge halted the installation of Flock cameras statewide for operating in the state without a license. When the city of Evanston, Illinois recently canceled its contract with Flock, it ordered the company to take down their license plate readers–only for Flock to mysteriously reinstall them a few days later. This city has now sent Flock a cease and desist order and in the meantime, has put black tape over the cameras. For some, the technology isn’t worth its mounting downsides. As one Illinois village trustee wrote while explaining his vote to cancel the city’s contract with Flock, “According to our own Civilian Police Oversight Commission, over 99% of Flock alerts do not result in any police action.”

Gunshot detection technology is dangerous enough as it is—police showing up to alerts they think are gunfire only to find children playing with fireworks is a recipe for innocent people to get hurt. This isn’t hypothetical: in Chicago a child really was shot at by police who thought they were responding to a shooting thanks to a ShotSpotter alert. Introducing a new feature that allows these pre-installed Raven microphones all over cities to begin listening for human voices in distress is likely to open up a whole new can of unforeseen legal, civil liberties, and even bodily safety consequences.

Every day, corporations track our movements through license plate scanners, building detailed profiles of where we go, when we go there, and who we visit. When they do this to us in violation of data privacy laws, we’ve suffered a real harm—period. We shouldn’t need to prove we’ve suffered additional damage, such as physical injury or monetary loss, to have our day in court.

That's why EFF is proud to join an amicus brief in Mata v. Digital Recognition Network, a lawsuit by drivers against a corporation that allegedly violated a California statute that regulates Automatic License Plate Readers (ALPRs). The state trial court erroneously dismissed the case, by misinterpreting this data privacy law to require proof of extra harm beyond privacy harm. The brief was written by the ACLU of Northern California, Stanford’s Juelsgaard Clinic, and UC Law SF’s Center for Constitutional Democracy.

The amicus brief explains:

This case implicates critical questions about whether a California privacy law, enacted to protect people from harmful surveillance, is not just words on paper, but can be an effective tool for people to protect their rights and safety.

California’s Constitution and laws empower people to challenge harmful surveillance at its inception without waiting for its repercussions to manifest through additional harms. A foundation for these protections is article I, section 1, which grants Californians an inalienable right to privacy.

People in the state have long used this constitutional right to challenge the privacy-invading collection of information by private and governmental parties, not only harms that are financial, mental, or physical. Indeed, widely understood notions of privacy harm, as well as references to harm in the California Code, also demonstrate that term’s expansive meaning.

What’s At Stake

The defendant, Digital Recognition Network, also known as DRN Data, is a subsidiary of Motorola Solutions that provides access to a massive searchable database of ALPR data collected by private contractors. Its customers include law enforcement agencies and private companies, such as insurers, lenders, and repossession firms. DRN is the sister company to the infamous surveillance vendor Vigilant Solutions (now Motorola Solutions), and together they have provided data to ICE through a contract with Thomson Reuters.

The consequences of weak privacy protections are already playing out across the country. This year alone, authorities in multiple states have used license plate readers to hunt for people seeking reproductive healthcare. Police officers have used these systems to stalk romantic partners and monitor political activists. ICE has tapped into these networks to track down immigrants and their families for deportation.

Strong Privacy Laws

This case could determine whether privacy laws have real teeth or are just words on paper. If corporations can collect your personal information with impunity—knowing that unless you can prove bodily injury or economic loss, you can’t fight back—then privacy laws lose value.

We need strong data privacy laws. We need a private right of action so when a company violates our data privacy rights, we can sue them. We need a broad definition of “harm,” so we can sue over our lost privacy rights, without having to prove collateral injury. EFF wages this battle when writing privacy laws, when interpreting those laws, and when asserting “standing” in federal and state courts.

The fight for privacy isn’t just about legal technicalities. It’s about preserving your right to move through the world without being constantly tracked, catalogued, and profiled by corporations looking to profit from your personal information.

You can read the amicus brief here.

The Financial Times reports that the U.K. is once again demanding that Apple create a backdoor into its encrypted backup services. The only change since the last time they demanded this is that the order is allegedly limited to only apply to British users. That doesn’t make it any better.

The demand uses a power called a “Technical Capability Notice” (TCN) in the U.K.’s Investigatory Powers Act. At the time of its signing we noted this law would likely be used to demand Apple spy on its users.

After the U.K. government first issued the TCN in January, Apple was forced to either create a backdoor or block its Advanced Data Protection feature—which turns on end-to-end encryption for iCloud—for all U.K. users. The company decided to remove the feature in the U.K. instead of creating the backdoor.

The initial order from January targeted the data of all Apple users. In August, the US claimed the U.K. withdrew the demand, but Apple did not re-enable Advanced Data Protection. The new order provides insight into why: the U.K. was just rewriting it to only apply to British users.

This is still an unsettling overreach that makes U.K. users less safe and less free. As we’ve said time and time again, any backdoor built for the government puts everyone at greater risk of hacking, identity theft, and fraud. It sets a dangerous precedent to demand similar data from other companies, and provides a runway for other authoritarian governments to issue comparable orders. The news of continued server-side access to users' data comes just days after the UK government announced an intrusive mandatory digital ID scheme, framed as a measure against illegal migration.

A tribunal hearing was initially set to take place in January 2026, though it’s currently unclear if that will proceed or if the new order changes the legal process. Apple must continue to refuse these types of backdoors. Breaking end-to-end encryption for one country breaks it for everyone. These repeated attempts to weaken encryption violates fundamental human rights and destroys our right to private spaces.