Site-Blocking Legislation Is Back. It’s Still a Terrible Idea.

More than a decade ago, Congress tried to pass SOPA and PIPA—two sweeping bills that would have allowed the government and copyright holders to quickly shut down entire websites based on allegations of piracy. The backlash was immediate and massive. Internet users, free speech advocates, and tech companies flooded lawmakers with protests, culminating in an “Internet Blackout” on January 18, 2012. Turns out, Americans don’t like government-run internet blacklists. The bills were ultimately shelved. 

Thirteen years later, as institutional memory fades and appetite for opposition wanes, members of Congress in both parties are ready to try this again. 

Act Now To Defend the Open Web  

The Foreign Anti-Digital Piracy Act (FADPA), along with at least one other bill still in draft form, would revive this reckless strategy. These new proposals would let rights holders get federal court orders forcing ISPs and DNS providers to block entire websites based on accusations of infringing copyright. Lawmakers claim they’re targeting “pirate” sites—but what they’re really doing is building an internet kill switch.

These bills are an unequivocal and serious threat to a free and open internet. EFF and our supporters are going to fight back against them. 

Site-Blocking Doesn’t Work And Never Will

Today, many websites are hosted on cloud infrastructure or use shared IP addresses. Blocking one target can mean blocking thousands of unrelated sites. That kind of digital collateral damage has already happened in Austria, Russia, and in the US.

Site-blocking is both dangerously blunt and trivially easy to evade. Determined evaders can create the same content on a new domain within hours. Users who want to see blocked content can fire up a VPN or change a single DNS setting to get back online. 

These workarounds aren’t just popular—they’re essential tools in countries that suppress dissent. It’s shocking that Congress is on the verge of forcing Americans to rely on the same workarounds that internet users in authoritarian regimes must rely on just to reach mislabeled content. It will force Americans to rely on riskier, less trustworthy online services. 

Site-Blocking Silences Speech Without a Defense

The First Amendment should not take a back seat because giant media companies want the ability to shut down websites faster. But these bills wrongly treat broad takedowns as a routine legal process. Most cases would be decided in ex parte proceedings, with no one there to defend the site being blocked. This is more than a shortcut–it skips due process entirely. 

Users affected by a block often have no idea what happened. A blocked site may just look broken, like a glitch or an outage. Law-abiding publishers and users lose access, and diagnosing the problem is difficult. Site-blocking techniques are the bluntest of instruments, and they almost always punish innocent bystanders. 

The copyright industries pushing these bills know that site-blocking is not a narrowly tailored fix for a piracy epidemic. The entertainment industry is booming right now, blowing past its pre-COVID projections. Site-blocking legislation is an attempt to build a new American censorship system by letting private actors get dangerous infrastructure-level control over internet access. 

EFF and the Public Will Push Back

FADPA is already on the table. More bills are coming. The question is whether lawmakers remember what happened the last time they tried to mess with the foundations of the open web. 

If they don’t, they’re going to find out the hard way. Again. 

Tell Congress: No To Internet Blacklists  

Site-blocking laws are dangerous, unnecessary, and ineffective. Lawmakers need to hear—loud and clear—that Americans don’t support government-mandated internet censorship. Not for copyright enforcement. Not for anything.

A Win for Encryption: France Rejects Backdoor Mandate

In a moment of clarity after initially moving forward a deeply flawed piece of legislation, the French National Assembly has done the right thing: it rejected a dangerous proposal that would have gutted end-to-end encryption in the name of fighting drug trafficking. Despite heavy pressure from the Interior Ministry, lawmakers voted Thursday night (article in French) to strike down a provision that would have forced messaging platforms like Signal and WhatsApp to allow hidden access to private conversations.

The vote is a victory for digital rights, for privacy and security, and for common sense.

The proposed law was a surveillance wishlist disguised as anti-drug legislation. Tucked into its text was a resurrection of the widely discredited “ghost” participant model—a backdoor that pretends not to be one. Under this scheme, law enforcement could silently join encrypted chats, undermining the very idea of private communication. Security experts have condemned the approach, warning it would introduce systemic vulnerabilities, damage trust in secure communication platforms, and create tools ripe for abuse.

The French lawmakers who voted this provision down deserve credit. They listened—not only to French digital rights organizations and technologists, but also to basic principles of cybersecurity and civil liberties. They understood that encryption protects everyone, not just activists and dissidents, but also journalists, medical professionals, abuse survivors, and ordinary citizens trying to live private lives in an increasingly surveilled world.

A Global Signal

France’s rejection of the backdoor provision should send a message to legislatures around the world: you don’t have to sacrifice fundamental rights in the name of public safety. Encryption is not the enemy of justice; it’s a tool that supports our fundamental human rights, including the right to have a private conversation. It is a pillar of modern democracy and cybersecurity.

As governments in the U.S., U.K., Australia, and elsewhere continue to flirt with anti-encryption laws, this decision should serve as a model—and a warning. Undermining encryption doesn’t make society safer. It makes everyone more vulnerable.

This victory was not inevitable. It came after sustained public pressure, expert input, and tireless advocacy from civil society. It shows that pushing back works. But for the foreseeable future, misguided lobbyists for police and national security agencies will continue to push similar proposals—perhaps repackaged, or rushed through quieter legislative moments.

Supporters of privacy should celebrate this win today. Tomorrow, we will continue to keep watch.

New USPTO Memo Makes Fighting Patent Trolls Even Harder

The U.S. Patent and Trademark Office (USPTO) just made a move that will protect bad patents at the expense of everyone else. In a memo released February 28, the USPTO further restricted access to inter partes review, or IPR—the process Congress created to let the public challenge invalid patents without having to wage million-dollar court battles.

If left unchecked, this decision will shield bad patents from scrutiny, embolden patent trolls, and make it even easier for hedge funds and large corporations to weaponize weak patents against small businesses and developers.

IPR Exists Because the Patent Office Makes Mistakes

The USPTO grants over 300,000 patents a year, but many of them should not have been issued in the first place. Patent examiners spend, on average, around 20 hours per patent, often missing key prior art or granting patents that are overly broad or vague. That’s how bogus patents on basic ideas—like podcasting, online shopping carts, or watching ads online—have ended up in court.

Congress created IPR in 2012 to fix this problem. IPR allows anyone to challenge a patent’s validity based on prior art, and it’s done before specialized judges at the USPTO, where experts can re-evaluate whether a patent was properly granted. It’s faster, cheaper, and often fairer than fighting it out in federal court.

The USPTO is Blocking Patent Challenges—Again

Instead of defending IPR, the USPTO is working to sabotage it. The February 28 memo reinstates a rule that allows for widespread use of “discretionary denials.” That’s when the Patent Trial and Appeal Board (PTAB) refuses to hear an IPR case for procedural reasons—even if the patent is likely invalid. 

The February 28 memo reinstates widespread use of the Apple v. Fintiv rule, under which the USPTO often rejected IPR petitions whenever there’s an ongoing district court case about the same patent. This is backwards. If anything, an active lawsuit is proof that a patent’s validity needs to be reviewed—not an excuse to dodge the issue.

In 2022, former USPTO Director Kathi Vidal issued a memo making clear that the PTAB should hear patent challenges when “a petition presents compelling evidence of unpatentability,” even if there is parallel court litigation. 

That 2022 guidance essentially saved the IPR system. Once PTAB judges were told to consider all petitions that showed “compelling evidence,” the procedural denials dropped to almost nothing. This February 28 memo signals that the USPTO will once again use discretionary denials to sharply limit access to IPR—effectively making patent challenges harder across the board.  

Discretionary Denials Let Patent Trolls Rig the System

The top beneficiary of this decision will be patent trolls, shell companies formed expressly for the purpose of filing patent lawsuits. Often patent trolls seek to extract a quick settlement before a patent can be challenged. With IPR becoming increasingly unavailable, that will be easier than ever. 

Patent owners know that discretionary denials will block IPRs if they file a lawsuit first. That’s why trolls flock to specific courts, like the Western District of Texas, where judges move cases quickly and rarely rule against patent owners.

By filing lawsuits in these troll-friendly courts, patent owners can game the system—forcing companies to pay up rather than risk millions in litigation costs.

The recent USPTO memo makes this problem even worse. Instead of stopping the abuse of discretionary denials, the USPTO is doubling down—undermining one of the most effective ways businesses, developers, and consumers can fight back against bad patents.

Congress Created IPR to Protect the Public—Not Just Patent Owners

The USPTO doesn’t get to rewrite the law. Congress passed IPR to ensure that weak patents don’t become weapons for extortionary lawsuits. By reinforcing discretionary denials with minimal restrictions, and, as a result, blocking access to IPRs, the USPTO is directly undermining what Congress intended.

Leaders at the USPTO should immediately revoke the February 28 memo. If they refuse, as we pointed out the last time IPR denials spiraled out of control, it’s time for Congress to step in and fix this. They must ensure that IPR remains a fast, affordable way to challenge bad patents—not just a tool for the largest corporations. Patent quality matters—because when bad patents stand, we all pay the price.

California’s A.B. 412: A Bill That Could Crush Startups and Cement A Big Tech AI Monopoly

California legislators have begun debating a bill (A.B. 412) that would require AI developers to track and disclose every registered copyrighted work used in AI training. At first glance, this might sound like a reasonable step toward transparency. But it’s an impossible standard that could crush small AI startups and developers while giving big tech firms even more power.

A Burden That Small Developers Can’t Bear

The AI landscape is in danger of being dominated by large companies with deep pockets. These big names are in the news almost daily. But they’re far from the only ones – there are dozens of AI companies with fewer than 10 employees trying to build something new in a particular niche. 

This bill demands that creators of any AI model–even a two-person company or a hobbyist tinkering with a small software build–identify copyrighted materials used in training. That requirement will be incredibly onerous, even if limited just to works registered with the U.S. Copyright Office. The registration system is a cumbersome beast at best–neither machine-readable nor accessible, it’s more like a card catalog than a database–that doesn’t offer information sufficient to identify all authors of a work, much less help developers to reliably match works in a training set to works in the system.

Even for major tech companies, meeting these new obligations would be a daunting task. For a small startup, throwing on such an impossible requirement could be a death sentence. If A.B. 412 becomes law, these smaller players will be forced to devote scarce resources to an unworkable compliance regime instead of focusing on development and innovation. The risk of lawsuits—potentially from copyright trolls—would discourage new startups from even attempting to enter the field.

A.I. Training Is Like Reading And It’s Very Likely Fair Use 

A.B. 412 starts from a premise that’s both untrue and harmful to the public interest: that reading, scraping or searching of open web content shouldn’t be allowed without payment. In reality, courts should, and we believe will, find that the great majority of this activity is fair use. 

It’s now a bedrock principle of internet law that some forms of copying content online are transformative, and thus legal fair use. That includes reproducing thumbnail images for image search, or snippets of text to search books.

The U.S. copyright system is meant to balance innovation with creator rights, and courts are still working through how copyright applies to AI training. In most of the AI cases, courts have yet to consider—let alone decide—how fair use applies. A.B. 412 jumps the gun, preempting this process and imposing a vague, overly broad standard that will do more harm than good.

Importantly, those key court cases are all federal. The U.S. Constitution makes it clear that copyright is governed by federal law, and A.B. 412 improperly attempts to impose state-level copyright regulations on an issue still in flux. 

A.B. 412 Is A Gift to Big Tech

The irony of A.B. 412 is that it won’t stop AI development—it will simply consolidate it in the hands of the largest corporations. Big tech firms already have the resources to navigate complex legal and regulatory environments, and they can afford to comply (or at least appear to comply) with A.B. 412’s burdensome requirements. Small developers, on the other hand, will either be forced out of the market or driven into partnerships where they lose their independence. The result will be less competition, fewer innovations, and a tech landscape even more dominated by a handful of massive companies.

If lawmakers are able to iron out some of the practical problems with A.B. 412 and pass some version of it, they may be able to force programmers to research–and effectively, pay off–copyright owners before they even write a line of code. If that’s the outcome in California, Big Tech will not despair. They’ll celebrate. Only a few companies own large content libraries or can afford to license enough material to build a deep learning model. The possibilities for startups and small programmers will be so meager, and competition will be so limited, that profits for big incumbent companies will be locked in for a generation. 

If you are a California resident and want to speak out about A.B. 412, you can find and contact your legislators through this website.

Protecting “Free Speech” Can’t Just Be About Targeting Political Opponents

The White House executive order “restoring freedom of speech and ending federal censorship,” published Monday, misses the mark on truly protecting Americans’ First Amendment rights. 

The order calls for an investigation of efforts under the Biden administration to “moderate, deplatform, or otherwise suppress speech,” especially on social media companies. It goes on to order an Attorney General investigation of any government activities “over the last 4 years” that are inconsistent with the First Amendment. The order states in part: 

Under the guise of combatting “misinformation,” “disinformation,” and “malinformation,” the Federal Government infringed on the constitutionally protected speech rights of American citizens across the United States in a manner that advanced the Government’s preferred narrative about significant matters of public debate.

But noticeably absent from the Executive Order is any commitment to government transparency. In the Santa Clara Principles, a guideline for online content moderation authored by EFF and other civil society groups, we state that “governments and other state actors should themselves report their involvement in content moderation decisions, including data on demands or requests for content to be actioned or an account suspended, broken down by the legal basis for the request." This Executive Order doesn’t come close to embracing such a principle. 

The order is also misguided in its time-limited targeting. Informal government efforts to persuade, cajole, or strong-arm private media platforms, also called “jawboning,” have been an aspect of every U.S. government since at least 2011. Any good-faith inquiry into such pressures would not be limited to a single administration. It’s misleading to suggest the previous administration was the only, or even the primary, source of such pressures. This time limit reeks of political vindictiveness, not a true effort to limit improper government actions. 

To be clear, a look back at past government involvement in online content moderation is a good thing. But an honest inquiry would not be time-limited to the actions of a political opponent, nor limited to only past actions. The public would also be better served by a report that had a clear deadline, and a requirement that the results be made public, rather than sent only to the President’s office. Finally, the investigation would be better placed with an inspector general, not the U.S. Attorney General, which implies possible prosecutions. 

As we have written before, the First Amendment forbids the government from coercing private entities to censor speech. This principle has countered efforts to pressure intermediaries like bookstores and credit card processors to limit others’ speech. But not every communication about user speech is unconstitutional; some are beneficial, like when platforms reach out to government agencies as authoritative sources of information. 

For anyone who may have been excited to see a first-day executive order truly focused on free expression, President Trump’s Jan. 20 order is a disappointment, at best. 

Fighting For Progress On Patents: 2024 in Review

The rights we have in the offline world–to speak freely, create culture, play games, build new things and do business–must be available to us online, as well. This core belief drives EFF’s work to fight the misuse of the patent system. 

Despite significant progress we’ve made over the last decade, patents, and in particular vague software patents, remain a serious threat to online rights. The median patent lawsuit isn't filed by what Americans would recognize as an ‘inventor,’ but by an anonymous limited liability company that provides no products or services, and instead uses patents to threaten others over alleged infringement. In other words, a patent troll. In the tech sector, more than 85% of patent lawsuits are filed by these “non-practicing entities.” 

That’s why at EFF, we continue to help individuals and organizations fight patent threats related to everyday activities like using CAPTCHAs and picture menus, tracking packages or vehicles, teaching languages, holding online contests, or playing simple games online.

Here’s where the fight stands as we move into 2025. 

Defending the Public’s Right To Challenge Bad Patents

In 2012, recognizing the persistent problem of an overburdened patent office issuing a countless number of dubious patents each year, Congress established a system called “inter partes reviews” (IPRs) to review and challenge patents. While far from perfect, IPRs have led to the cancellation of thousands of patents that should never have been granted in the first place. 

It’s no surprise that big patent owners and patent trolls have long sought to dismantle the IPR system. After unsuccessful attempts to persuade federal courts to dismantle IPRs, they shifted tactics in the past 18 months, attempting to convince the U.S. Patent and Trademark Office (USPTO) to undermine the IPR system by changing the rules on who can use it. 

EFF opposed these proposed changes, urging our supporters to file public comments. This effort was a resounding success. After reviewing thousands of comments, including nearly 1,000 inspired by EFF’s call to action, the USPTO withdrew its proposal.

Stopping Congress From Re-Opening The Door To The Worst Patents 

The patent system, particularly in the realm of software, is broken. For more than 20 years, the U.S. Patent Office has issued patents on basic cultural or business practices, often with little more than the addition of computer jargon or trivial technical elements. 

The Supreme Court addressed this issue a decade ago with its landmark decision in a case called Alice v. CLS Bank, ruling that simply adding computer language to these otherwise generic patents isn’t enough to make them valid. However, Alice hasn’t fully protected us from patent trolls. Even with this decision, the cost of challenging a patent can run into hundreds of thousands of dollars, enabling patent trolls to make “nuisance” demands for amounts of $100,000 or less. But Alice has dampened the severity and frequency of patent troll claims, and allowed for many more businesses to fight back when needed. 

So we weren’t surprised when some large patent owners tried again this year to overturn Alice, with the introduction of the Patent Eligibility Restoration Act (PERA), which would bring the worst patents back into the system. PERA would also have overturned the Supreme Court ruling that prevents the patenting of human genes. EFF opposed PERA at every stage, and late this year, its supporters abandoned their efforts to pass it through the 118th Congress. We know they will try again next year–we’ll be ready. 

Shining Light On Secrecy In Patent Litigation

Litigation in the U.S. is supposed to be transparent, particularly in patent cases involving technologies that impact millions of internet users daily. Unfortunately, this is not always the case. In Entropic Communications LLC v. Charter Communications, filed in the U.S. District Court for the Eastern District of Texas, overbroad sealing of documents has obscured the case from public view. EFF intervened in the case to protect the public’s right to access federal court records, as the claims made by Entropic could have wide-reaching implications for anyone using cable modems to connect to the internet. 

Our work to ensure transparency in patent disputes is ongoing. In 2016, EFF intervened in another overly-sealed patent case in the Eastern District of Texas. In 2022, we did the same in California, securing an important transparency ruling. That same year, we supported a judge’s investigation into patent owners in Delaware, which ultimately resulted in referrals for criminal investigation. The judge’s actions were upheld on appeal this year. 

It remains far too easy for patent trolls to extort and exploit individuals and companies simply for creating or using software. In 2025, EFF will continue fighting for a patent system that’s open, fair, and transparent. 

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2024.

Defending Encryption in the U.S. and Abroad: 2024 in Review

EFF supporters get that strong encryption is tied to one of our most basic rights: the right to have a private conversation. In the digital world, privacy is impossible without strong encryption. 

That’s why we’ve always got an eye out for attacks on encryption. This year, we pushed back—successfully—against anti-encryption laws proposed in the U.S., the U.K. and the E.U. And we had a stark reminder of just how dangerous backdoor access to our communications can be. 

U.S. Bills Pushing Mass File-Scanning Fail To Advance

The U.S. Senate’s EARN IT Bill is a wrongheaded proposal that would push companies away from using encryption and towards scanning our messages and photos. There’s no reason to enact such a proposal, which technical experts agree would turn our phones into bugs in our pockets.

We were disappointed when EARN IT was voted out of committee last year, even though several senators did make clear they wanted to see additional changes before they support the bill. Since then, however, the bill has gone nowhere. That’s because so many people, including more than 100,000 EFF supporters, have voiced their opposition. 

People increasingly understand that encryption is vital to our security and privacy. And when politicians demand that tech companies install dangerous scanning software whether users like it or not, it’s clear to us all that they are attacking encryption, no matter how much obfuscation takes place. 

EFF has long encouraged companies to adopt policies that support encryption, privacy and security by default. When companies do the right thing, EFF supporters will side with them. EFF and other privacy advocates pushed Meta for years to make end-to-end encryption the default option in Messenger. When Meta implemented the change, they were sued by Nevada’s Attorney General. EFF filed a brief in that case arguing that Meta should not be forced to make its systems less secure. 

UK Backs Off Encryption-Breaking Language 

In the U.K., we fought against the wrongheaded Online Safety Act, which included language that would have let the U.K. government strongarm companies away from using encryption. After pressure from EFF supporters and others, the U.K. government gave last-minute assurances that the bill wouldn’t be applied to encrypted messages. The U.K. agency in charge of implementing the Online Safety Act, Ofcom, has now said that the Act will not apply to end-to-end encrypted messages. That’s an important distinction, and we have urged Ofcom to make that even more clear in its written guidance. 

EU Residents Do Not Want “Chat Control” 

Some E.U. politicians have sought to advance a message-scanning bill that was even more extreme than the U.S. anti-encryption bills. We’re glad to say the EU proposal, which has been dubbed “Chat Control” by its opponents, has also been stalled because of strong opposition. 

Even though the European Parliament last year adopted a compromise proposal that would protect our rights to encrypted communications, a few key member states at the EU Council spent much of 2024 pushing forward the old, privacy-smashing version of Chat Control. But they haven’t advanced. In a public hearing earlier this month, 10 EU member states, including Germany and Poland, made clear they would not vote for this proposal. 

Courts in the E.U., like the public at large, increasingly recognize that online private communications are human rights, and the encryption required to facilitate them cannot be grabbed away. The European Court of Human Rights recognized this in a milestone judgment earlier this year, Podchasov v. Russia, which specifically held that weakening encryption put at risk the human rights of all internet users. 

A Powerful Reminder on Backdoors

All three of the above proposals are based on a flawed idea: that it’s possible to give some form of special access to peoples’ private data that will never be exploited by a bad actor. But that’s never been true–there is no backdoor that works only for the “good guys.” 

In October, the U.S. public learned about a major breach of telecom systems stemming from Salt Typhoon, a sophisticated Chinese-government backed hacking group. This hack infiltrated the same systems that major ISPs like Verizon, AT&T and Lumen Technologies had set up for U.S. law enforcement and intelligence agencies to get “lawful access” to user data. It’s still unknown how extensive the damage is from this hack, which included people under surveillance by U.S. agencies but went far beyond that. 

If there’s any upside to a terrible breach like Salt Typhoon, it’s that it is waking up some officials to understand that encryption is vital to both individual and national security. Earlier this month, a top U.S. cybersecurity chief said “encryption is your friend,” making a welcome break with the messaging we’ve seen over the years at EFF. Unfortunately, other agencies, including the FBI, continue to push the idea that strong encryption can be coupled with easy access by law enforcement. 

Whatever happens, EFF will continue to stand up for our right to use encryption to have secure and private online communications.

EFF Tells Appeals Court To Keep Copyright’s Fair Use Rules Broad And Flexible

It’s critical that copyright be balanced with limitations that support users’ rights, and perhaps no limitation is more important than fair use. Critics, humorists, artists, and activists all must have rights to re-use and re-purpose source material, even when it’s copyrighted. 

Yesterday, EFF weighed in on another case that could shape the future of our fair use rights. In Sedlik v. Von Drachenberg, a Los Angeles tattoo artist created a tattoo based on a well-known photograph of Miles Davis taken by photographer Jeffrey Sedlik. A jury found that Von Drachenberg, the tattoo artist, did not infringe the photographer’s copyright because her version was different from the photo; it didn’t meet the legal threshold of “substantially similar.” After the trial, the judge in the case considered other arguments brought by Sedlik and upheld the jury’s findings. 

On appeal, Sedlik has made arguments that, if upheld, could narrow fair use rights for everyone. The appeal brief suggests that only secondary users who make “targeted” use of a copyrighted work have strong fair use defenses, relying on an incorrect reading of the Supreme Court’s decision in Andy Warhol Foundation v. Goldsmith.

Such a reading would upend decades of Supreme Court precedent that makes it clear that “targeted” fair uses don’t get any special treatment as opposed to “untargeted” uses. As made clear in Warhol, the copying done by fair users must simply be “reasonably necessary” to achieve a new purpose. The principle of protecting new artistic expressions and new innovations is what led the Supreme Court to protect video cassette recording as fair use in 1984. It also contributed to the 2021 decision in Oracle v. Google, which held that Google’s copying of computer programming conventions created for desktop computers, in order to make it easier to design for modern smartphones, was a type of fair use. 

Sedlik argues that if a secondary user could have chosen another work, this means they did not “target” the original work, and thus the user should have a lessened fair use case. But that has never been the rule. As the Supreme Court explained, Warhol could have created art about a product other than Campbell’s Soup; but his choice to copy the famous Campbell’s logo was fully justified because it was “well known to the public, designed to be reproduced, and a symbol of an everyday item for mass consumption.” 

Fair users always select among various alternatives, for both aesthetic and practical reasons. A film professor might know of several films that expertly demonstrate a technique, but will inevitably choose just one to show in class. A news program alerting viewers to developing events may have access to many recordings of the event from different sources, but will choose just one, or a few, based on editorial judgments. Software developers must make decisions about which existing software to analyze or to interoperate with in order to build on existing technology. 

The idea of penalizing these non-“targeted” fair uses would lead to absurd results, and we urge the 9th Circuit to reject this argument. 

Finally, Sedlik also argues that the tattoo artist’s social media posts are necessarily “commercial” acts, which would push the tattoo art further away from fair use. Artists’ use of social media to document their processes and work has become ubiquitous, and such an expansive view of commerciality would render the concept meaningless. That’s why multiple appellate courts have already rejected such a view; the 9th Circuit should do so as well. 

In order for innovation and free expression to flourish in the digital age, fair use must remain a flexible rule that allows for diverse purposes and uses. 

The Breachies 2024: The Worst, Weirdest, Most Impactful Data Breaches of the Year

Every year, countless emails hit our inboxes telling us that our personal information was accessed, shared, or stolen in a data breach. In many cases, there is little we can do. Most of us can assume that at least our phone numbers, emails, addresses, credit card numbers, and social security numbers are all available somewhere on the internet.

But some of these data breaches are more noteworthy than others, because they include novel information about us, are the result of particularly noteworthy security flaws, or are just so massive they’re impossible to ignore. For that reason, we are introducing the Breachies, a series of tongue-in-cheek “awards” for some of the most egregious data breaches of the year.

If these companies practiced a privacy first approach and focused on data minimization, only collecting and storing what they absolutely need to provide the services they promise, many data breaches would be far less harmful to the victims. But instead, companies gobble up as much as they can, store it for as long as possible, and inevitably at some point someone decides to poke in and steal that data.

Once all that personal data is stolen, it can be used against the breach victims for identity theft, ransomware attacks, and to send unwanted spam. The risk of these attacks isn’t just a minor annoyance: research shows it can cause psychological injury, including anxiety, depression, and PTSD. To avoid these attacks, breach victims must spend time and money to freeze and unfreeze their credit reports, to monitor their credit reports, and to obtain identity theft prevention services.

This year we’ve got some real stinkers, ranging from private health information to—you guessed it—credit cards and social security numbers.

The Winners

The Just Stop Using Tracking Tech Award: Kaiser Permanente

In one of the year's most preventable breaches, the healthcare company Kaiser Permanente exposed 13 million patients’ information via tracking code embedded in its website and app. This tracking code transmitted potentially sensitive medical information to Google, Microsoft, and X (formerly known as Twitter). The exposed information included patients’ names, terms they searched in Kaiser’s Health Encyclopedia, and how they navigated within and interacted with Kaiser’s website or app.

The most troubling aspect of this breach is that medical information was exposed not by a sophisticated hack, but through widely used tracking technologies that Kaiser voluntarily placed on its website. Kaiser has since removed the problematic code, but tracking technologies are rampant across the internet and on other healthcare websites. A 2024 study found tracking technologies sharing information with third parties on 96% of hospital websites. Websites usually use tracking technologies to serve targeted ads. But these same technologies give advertisers, data brokers, and law enforcement easy access to details about your online activity.

While individuals can protect themselves from online tracking by using tools like EFF’s Privacy Badger, we need legislative action to make online privacy the norm for everyone. EFF advocates for a ban on online behavioral advertising to address the primary incentive for companies to use invasive tracking technology. Otherwise, we’ll continue to see companies voluntarily sharing your personal data, then apologizing when thieves inevitably exploit a vulnerability in these tracking systems.

The Most Impactful Data Breach for 90s Kids Award: Hot Topic

If you were in middle or high school any time in the 90s you probably have strong memories of Hot Topic. Baby goths and young punk rockers alike would go to the mall, get an Orange Julius and greasy slice of Sbarro pizza, then walk over to Hot Topic to pick up edgy t-shirts and overpriced bondage pants (all the while debating who was the biggest poser and which bands were sellouts, of course). Because of the fundamental position Hot Topic occupies in our generation’s personal mythology, this data breach hits extra hard.

In November 2024, Have I Been Pwned reported that Hot Topic and its subsidiary Box Lunch suffered a data breach of nearly 57 million data records. A hacker using the alias “Satanic” claimed responsibility and posted a 730 GB database on a hacker forum with a sale price of $20,000. The compromised data about approximately 54 million customers reportedly includes: names, email addresses, physical addresses, phone numbers, purchase history, birth dates, and partial credit card details. Research by Hudson Rock indicates that the data was compromised using info stealer malware installed on a Hot Topic employee’s work computer. “Satanic” claims that the original infection stems from the Snowflake data breach (another Breachie winner); though that hasn’t been confirmed because Hot Topic has still not notified customers, nor responded to our request for comment.

Though data breaches of this scale are common, it still breaks our little goth hearts, and we’d prefer stores did a better job of securing our data. Worse, Hot Topic still hasn’t publicly acknowledged this breach, despite numerous news reports. Perhaps Hot Topic was the real sellout all along. 

The Only Stalkers Allowed Award: mSpy

mSpy, a commercially-available mobile stalkerware app owned by Ukraine-based company Brainstack, was subject to a data breach earlier this year. More than a decade’s worth of information about the app’s customers was stolen, as well as the real names and email addresses of Brainstack employees.

The defining feature of stalkerware apps is their ability to operate covertly and trick users into believing that they are not being monitored. But in reality, applications like mSpy allow whoever planted the stalkerware to remotely view the contents of the victim’s device in real time. These tools are often used to intimidate, harass, and harm victims, including by stalkers and abusive (ex) partners. Given the highly sensitive data collected by companies like mSpy and the harm to targets when their data gets revealed, this data breach is another example of why stalkerware must be stopped.

The I Didn’t Even Know You Had My Information Award: Evolve Bank

Okay, are we the only ones who hadn’t heard of Evolve Bank? It was reported in May that Evolve Bank experienced a data breach—though it actually happened all the way back in February. You may be thinking, “why does this breach matter if I’ve never heard of Evolve Bank before?” That’s what we thought too!

But here’s the thing: this attack affected a bunch of companies you have heard of, like Affirm (the buy now, pay later service), Wise (the international money transfer service), and Mercury Bank (a fintech company). So, a ton of services use the bank, and you may have used one of those services. It’s been reported that 7.6 million Americans were affected by the breach, with most of the data stolen being customer information, including social security numbers, account numbers, and date of birth.

The small bright side? No customer funds were accessed during the breach. Evolve states that after the breach they are doing some basic things like resetting user passwords and strengthening their security infrastructure.

The We Told You So Award: AU10TIX

AU10TIX is an “identity verification” company used by the likes of TikTok and X to confirm that users are who they claim to be. AU10TIX and companies like it collect and review sensitive private documents such as driver’s license information before users can register for a site or access some content.

Unfortunately, there is growing political interest in mandating identity or age verification before allowing people to access social media or adult material. EFF and others oppose these plans because they threaten both speech and privacy. As we said in 2023, verification mandates would inevitably lead to more data breaches, potentially exposing government IDs as well as information about the sites that a user visits.

Look no further than the AU10TIX breach to see what we mean. According to a report by 404 Media in May, AU10TIX left login credentials exposed online for more than a year, allowing access to very sensitive user data.

404 Media details how a researcher gained access to the company’s logging platform, “which in turn contained links to data related to specific people who had uploaded their identity documents.” This included “the person’s name, date of birth, nationality, identification number, and the type of document uploaded such as a drivers’ license,” as well as images of those identity documents.

The AU10TIX breach did not seem to lead to exposure beyond what the researcher showed was possible. But AU10TIX and other companies must do a better job at locking down user data. More importantly, politicians must not create new privacy dangers by requiring identity and age verification.

If age verification requirements become law, we’ll be handing a lot of our sensitive information over to companies like AU10TIX. This is the first We Told You So Breachie award, but it likely won’t be the last. 

The Why We’re Still Stuck on Unique Passwords Award: Roku

In April, Roku announced not yet another new way to display more ads, but a data breach (its second of the year) where 576,000 accounts were compromised using a “credential stuffing attack.” This is a common, relatively easy sort of automated attack where thieves use previously leaked username and password combinations (from a past data breach of an unrelated company) to get into accounts on a different service. So if, say, your username and password were in the Comcast data breach in 2015, and you used the same username and password on Roku, the attacker might have been able to get into your account. Thankfully, fewer than 400 Roku accounts saw unauthorized purchases, and no payment information was accessed.

But the ease of this sort of data breach is why it’s important to use unique passwords everywhere. A password manager, including one that might be free on your phone or browser, makes this much easier to do. Likewise, credential stuffing illustrates why it’s important to use two-factor authentication. After the Roku breach, the company turned on two-factor authentication for all accounts. This way, even if someone did get access to your account password, they’d need that second code from another device; in Roku’s case, either your phone number or email address.
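From the service operator's side, credential stuffing has a recognizable shape in login logs: one source tries many different accounts, a few times each, and almost all attempts fail. The following detection sketch is an added example, not from the article or from Roku; the log format, thresholds, and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
2024-04-01T12:00:01Z ip=198.51.100.23 user=amy result=fail
2024-04-01T12:00:03Z ip=198.51.100.23 user=ben result=fail
2024-04-01T12:00:04Z ip=203.0.113.5 user=alice result=fail
2024-04-01T12:00:06Z ip=198.51.100.23 user=cal result=fail
2024-04-01T12:00:09Z ip=198.51.100.23 user=dana result=ok
2024-04-01T12:00:11Z ip=203.0.113.5 user=alice result=ok
2024-04-01T12:00:12Z ip=198.51.100.23 user=eli result=fail
2024-04-01T12:00:15Z ip=198.51.100.23 user=fay result=fail
2024-04-01T12:00:18Z ip=198.51.100.23 user=gus result=fail
2024-04-01T12:00:21Z ip=198.51.100.23 user=hal result=fail
2024-04-01T12:00:30Z ip=192.0.2.44 user=admin result=fail
2024-04-01T12:00:31Z ip=192.0.2.44 user=admin result=fail
2024-04-01T12:00:32Z ip=192.0.2.44 user=admin result=fail
2024-04-01T12:00:33Z ip=192.0.2.44 user=admin result=fail
"""

LINE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_line(line):
    """Return (timestamp, ip, user, succeeded) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts with mostly failed logins.

    A user mistyping a password (one account, then success) and a brute-force
    run against a single account both stay below min_users, so neither is
    flagged here; they need their own rules.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event[1]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {user for _, _, user, _ in span}
            fail_ratio = sum(1 for e in span if not e[3]) / len(span)
            if len(users) < min_users or fail_ratio < min_fail_ratio:
                continue
            best = findings.get(ip)
            if best is None or len(users) > best["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "fail_ratio": fail_ratio,
                    # Any success from a flagged source is a reused password
                    # that worked: force a reset and a second-factor check.
                    "suspect_logins": sorted({u for _, _, u, ok in events if ok}),
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Real campaigns spread attempts across many source addresses, so production rules usually also aggregate by network, device fingerprint, or time of day rather than by single IP.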

The Listen, Security Researchers are Trying to Help Award: City of Columbus

In August, the security researcher David Ross Jr. (also known as Connor Goodwolf) discovered that a ransomware attack against the City of Columbus, Ohio, was much more serious than city officials initially revealed. After the researcher informed the press and provided proof, the city accused him of violating multiple laws and obtained a gag order against him.

Rather than silencing the researcher, city officials should have celebrated him for helping victims understand the true extent of the breach. EFF and security researchers know the value of this work. And EFF has a team of lawyers who help protect researchers and their work. 

Here is how not to deal with a security researcher: In July, Columbus learned it had suffered a ransomware attack. A group called Rhysida took responsibility. The city did not pay the ransom, and the group posted some of the stolen data online. The mayor announced the stolen data was “encrypted or corrupted,” so most of it was unusable. Later, the researcher, David Ross, helped inform local news outlets that in fact the breach did include usable personal information on residents. He also attempted to contact the city. Days later, the city offered free credit monitoring to all of its residents and confirmed that its original announcement was inaccurate.

Unfortunately, the city also filed a lawsuit, and a judge signed a temporary restraining order preventing the researcher from accessing, downloading, or disseminating the data. Later, the researcher agreed to a more limited injunction. The city eventually confirmed that the data of hundreds of thousands of people was stolen in the ransomware attack, including drivers licenses, social security numbers, employee information, and the identities of juvenile victims, undercover police officers, and confidential informants.

The Have I Been Pwned? Award: Spoutible

The Spoutible breach has layers—layers of “no way!” that keep revealing more and more amazing little facts the deeper one digs.

It all started with a leaky API. On a per-user basis, it didn’t just return the sort of information you’d expect from a social media platform, but also the user’s email, IP address, and phone number. No way! Why would you do that?

But hold on, it also includes a bcrypt hash of their password. No way! Why would you do that?!

Ah well, at least they offer two-factor authentication (2FA) to protect against password leakages, except… the API was also returning the secret used to generate the 2FA OTP as well. No way! So, if someone had enabled 2FA it was immediately rendered useless by virtue of this field being visible to everyone.

However, the pièce de résistance comes with the next field in the API: the “em_code.” You know how when you do a password reset you get emailed a secret code that proves you control the address and can change the password? That was the code! No way!

-EFF thanks guest author Troy Hunt for this contribution to the Breachies.
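The failure described above, a per-user API response that carries every stored column, is usually prevented with an explicit allow-list at serialization time and a response audit in the test suite. The sketch below is an added example, not Spoutible's code or anything from the original article; the record layout and every field name other than “em_code” are hypothetical, and the values are constructed placeholders.

```python
import re

# Constructed sample row. Every field name except "em_code" is hypothetical.
STORED_USER = {
    "id": 1042,
    "username": "example_user",
    "display_name": "Example User",
    "bio": "Just here for the posts.",
    "email": "user@example.com",
    "ip_address": "203.0.113.7",
    "phone": "+1-555-0100",
    "password_hash": "$2b$12$" + "A" * 53,  # bcrypt-shaped placeholder
    "totp_secret": "JBSWY3DPEHPK3PXP",       # base32 placeholder, not a live secret
    "em_code": "483920",                     # password-reset code placeholder
}

# Only these fields may ever appear in a public profile response.
PUBLIC_FIELDS = ("id", "username", "display_name", "bio")


def serialize_leaky(record):
    """The anti-pattern: hand the whole stored row to the JSON encoder."""
    return dict(record)


def serialize_public(record):
    """Allow-list: a field is returned only if it was declared public."""
    return {name: record[name] for name in PUBLIC_FIELDS if name in record}


# Words that should never appear as part of a key in a public response.
SENSITIVE_TOKENS = {"password", "passwd", "hash", "secret", "otp", "totp",
                    "token", "email", "phone", "ip", "em", "reset"}

# Value shapes that give a secret away even when the key has been renamed.
VALUE_PATTERNS = {
    "bcrypt hash": re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "email address": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "base32 secret": re.compile(r"^[A-Z2-7]{16,}$"),
}


def audit_response(payload, path="$"):
    """Walk a decoded JSON body and return (json_path, reason) findings."""
    findings = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            tokens = set(re.split(r"[^a-z0-9]+", key.lower()))
            if tokens & SENSITIVE_TOKENS:
                findings.append((child, "sensitive field name"))
            findings.extend(audit_response(value, child))
    elif isinstance(payload, list):
        for index, item in enumerate(payload):
            findings.extend(audit_response(item, f"{path}[{index}]"))
    elif isinstance(payload, str):
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(payload):
                findings.append((path, f"value looks like {label}"))
    return findings


if __name__ == "__main__":
    for label, body in (("leaky", serialize_leaky(STORED_USER)),
                        ("public", serialize_public(STORED_USER))):
        print(label, audit_response(body))
```

Running `audit_response` against every public endpoint in an integration test turns a newly added database column into a failed build instead of a leaked field.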

The Reporting’s All Over the Place Award: National Public Data

In January 2024, there was almost no chance you’d have heard of a company called National Public Data. But starting in April, then ramping up in June, stories revealed a breach affecting the background checking data broker that included names, phone numbers, addresses, and social security numbers of at least 300 million people. By August, the reported number ballooned to 2.9 billion people. In October, National Public Data filed for bankruptcy, leaving behind nothing but a breach notification on its website.

But what exactly was stolen? The evolving news coverage has raised more questions than it has answered. Too bad National Public Data has failed to tell the public more about the data that the company failed to secure.

One analysis found that some of the dataset was inaccurate, with a number of duplicates; also, while there were 137 million email addresses, they weren’t linked to social security numbers. Another analysis had similar results. As for social security numbers, there were likely somewhere around 272 million in the dataset. The data was so jumbled that it had names matched to the wrong email or address, and included a large chunk of people who were deceased. Oh, and that 2.9 billion number? That was the number of rows of data in the dataset, not the number of individuals. That 2.9 billion people number appeared to originate from a complaint filed in Florida.

Phew, time to check in with Count von Count on this one, then.

How many people were truly affected? It’s difficult to say for certain. The only thing we learned for sure is that starting a data broker company appears to be incredibly easy, as NPD was owned by a retired sheriff’s deputy and a small film studio and didn’t seem to be a large operation. While this data broker got caught with more leaks than the Titanic, hundreds of others are still out there collecting and hoarding information, and failing to watch out for the next iceberg.

The Biggest Health Breach We’ve Ever Seen Award: Change Health

In February, a ransomware attack on Change Healthcare exposed the private health information of over 100 million people. The company, which processes 40% of all U.S. health insurance claims, was forced offline for nearly a month. As a result, healthcare practices nationwide struggled to stay operational and patients experienced limits on access to care. Meanwhile, the stolen data poses long-term risks for identity theft and insurance fraud for millions of Americans—it includes patients’ personal identifiers, health diagnoses, medications, insurance details, financial information, and government identity documents.

The misuse of medical records can be harder to detect and correct than regular financial fraud or identity theft. The FTC recommends that people at risk of medical identity theft watch out for suspicious medical bills or debt collection notices.

The hack highlights the need for stronger cybersecurity in the healthcare industry, which is increasingly targeted by cyberattacks. The Change Healthcare hackers were able to access a critical system because it lacked two-factor authentication, a basic form of security.

To make matters worse, Change Healthcare’s recent merger with Optum, which antitrust regulators tried and failed to block, even further centralized vast amounts of sensitive information. Many healthcare providers blamed corporate consolidation for the scale of disruption. As the former president of the American Medical Association put it, “When we have one option, then the hackers have one big target… if they bring that down, they can grind U.S. health care to a halt.” Privacy and competition are related values, and data breach and monopoly are connected problems.

The There’s No Such Thing As Backdoors for Only “Good Guys” Award: Salt Typhoon

When companies build backdoors into their services to provide law enforcement access to user data, these backdoors can be exploited by thieves, foreign governments, and other adversaries. There are no methods of access that are magically only accessible to “good guys.” No security breach has demonstrated that more clearly than this year’s attack by Salt Typhoon, a Chinese government-backed hacking group.

Internet service providers generally have special systems to provide law enforcement and intelligence agencies access to user data. They do that to comply with laws like CALEA, which require telecom companies to provide a means for “lawful intercepts”—in other words, wiretaps.

The Salt Typhoon group was able to access the powerful tools that in theory have been reserved for U.S. government agencies. The hackers infiltrated the nation’s biggest telecom networks, including Verizon, AT&T, and others, and were able to target their surveillance based on U.S. law enforcement wiretap requests. Breaches elsewhere in the system let them listen in on calls in real time. People under U.S. surveillance were clearly some of the targets, but the hackers also targeted both 2024 presidential campaigns and officials in the State Department. 

While fewer than 150 people have been identified as targets so far, the number of people who were called or texted by those targets runs into the “millions,” according to a Senator who has been briefed on the hack. What’s more, the Salt Typhoon hackers still have not been rooted out of the networks they infiltrated.

The idea that only authorized government agencies would use such backdoor access tools has always been flawed. With sophisticated state-sponsored hacking groups operating across the globe, a data breach like Salt Typhoon was only a matter of time. 

The Snowballing Breach of the Year Award: Snowflake

Thieves compromised the corporate customer accounts for U.S. cloud analytics provider Snowflake. The corporate customers included AT&T, Ticketmaster, Santander, Neiman Marcus, and many others: 165 in total.

This led to a massive breach of billions of data records for individuals using these companies. A combination of infostealer malware infections on non-Snowflake machines as well as weak security used to protect the affected accounts allowed the hackers to gain access and extort the customers. At the time of the hack, April-July of this year, Snowflake was not requiring two-factor authentication, an account security measure which could have provided protection against the attacks. A number of arrests were made after security researchers uncovered the identities of several of the threat actors.

But what does Snowflake do? According to their website, Snowflake “is a cloud-based data platform that provides data storage, processing, and analytic solutions.” Essentially, they store and index troves of customer data for companies to look at. And the larger the amount of data stored, the bigger the target for malicious actors to use to put leverage on and extort those companies. The problem is the data is on all of us. In the case of Snowflake customer AT&T, this includes billions of call and text logs of its customers, putting individuals’ sensitive data at risk of exposure. A privacy-first approach would employ techniques such as data minimization and either not collect that data in the first place or shorten the retention period that the data is stored. Otherwise it just sits there waiting for the next breach.

Tips to Protect Yourself

Data breaches are such a common occurrence that it’s easy to feel like there’s nothing you can do, nor any point in trying. But privacy isn’t dead. While some information about you is almost certainly out there, that’s no reason for despair. In fact, it’s a good reason to take action.

There are steps you can take right now with all your online accounts to best protect yourself from the next data breach (and the next, and the next):

  • Use unique passwords on all your online accounts. This is made much easier by using a password manager, which can generate and store those passwords for you. When you have a unique password for every website, a data breach of one site won’t cascade to others.
  • Use two-factor authentication when a service offers it. Two-factor authentication makes your online accounts more secure by requiring additional proof (“factors”) alongside your password when you log in. While two-factor authentication adds another step to the login process, it’s a great way to help keep out anyone not authorized, even if your password is breached.
  • Freeze your credit. Many experts recommend freezing your credit with the major credit bureaus as a way to protect against the sort of identity theft that’s made possible by some data breaches. Freezing your credit prevents someone from opening up a new line of credit in your name without additional information, like a PIN or password, to “unfreeze” the account. This might sound absurd considering they can’t even open bank accounts, but if you have kids, you can freeze their credit too.
  • Keep a close eye out for strange medical bills. With the number of health companies breached this year, it’s also a good idea to watch for healthcare fraud. The Federal Trade Commission recommends watching for strange bills, letters from your health insurance company for services you didn’t receive, and letters from debt collectors claiming you owe money. 

(Dis)Honorable Mentions

By one report, 2023 saw over 3,000 data breaches. The figure so far this year is looking slightly smaller, with around 2,200 reported through the end of the third quarter. But 2,200 and counting is little comfort.

We did not investigate every one of these 2,000-plus data breaches, but we looked at a lot of them, including the news coverage and the data breach notification letters that many state Attorney General offices host on their websites. We can’t award the coveted Breachie Award to every company that was breached this year. Still, here are some (dis)honorable mentions:

ADT, Advance Auto Parts, AT&T, AT&T (again), Avis, Casio, Cencora, Comcast, Dell, El Salvador, Fidelity, FilterBaby, Fortinet, Framework, Golden Corral, Greylock, Halliburton, HealthEquity, Heritage Foundation, HMG Healthcare, Internet Archive, LA County Department of Mental Health, MediSecure, Mobile Guardian, MoneyGram, muah.ai, Ohio Lottery, Omni Hotels, Oregon Zoo, Orrick, Herrington & Sutcliffe, Panda Restaurants, Panera, Patelco Credit Union, Patriot Mobile, pcTattletale, Perry Johnson & Associates, Roll20, Santander, Spytech, Synnovis, TEG, Ticketmaster, Twilio, USPS, Verizon, VF Corp, WebTPA.

What now? Companies need to do a better job of only collecting the information they need to operate, and properly securing what they store. Also, the U.S. needs to pass comprehensive privacy protections. At the very least, we need to be able to sue companies when these sorts of breaches happen (and while we’re at it, it’d be nice if we got more than $5.21 checks in the mail). EFF has long advocated for a strong federal privacy law that includes a private right of action.

This Bill Could Put A Stop To Censorship By Lawsuit

For years now, deep-pocketed individuals and corporations have been turning to civil lawsuits to silence their opponents. These Strategic Lawsuits Against Public Participation, or SLAPPs, aren’t designed to win on the merits, but rather to harass journalists, activists, and consumers into silence by suing them over their protected speech. While 34 states have laws to protect against these abuses, there is still no protection at a federal level. 

Today, Reps. Jamie Raskin (D-MD) and Kevin Kiley (R-CA) introduced the bipartisan Free Speech Protection Act. This bill is the best chance we’ve seen in many years to secure strong federal protection for journalists, activists, and everyday people who have been subject to harassing meritless lawsuits. 

The Free Speech Protection Act is a long overdue tool to protect against the use of SLAPP lawsuits as legal weapons that benefit the wealthy and powerful. This bill will help everyday Americans of all political stripes who speak out on local and national issues. 

Individuals or companies who are publicly criticized (or even simply discussed) will sometimes use SLAPP suits to intimidate their critics. Plaintiffs who file these suits don’t need to win on the merits, and sometimes they don’t even intend to see the case through. But the stress of the lawsuit and the costly legal defense alone can silence or chill the free speech of defendants. 

State anti-SLAPP laws work. But since state laws are often not applicable in federal court, people and companies can still maneuver to manipulate the court system, filing cases in federal court or in states with weak or nonexistent anti-SLAPP laws. 

SLAPPs All Around 

SLAPP lawsuits in federal court are increasingly being used to target activists and online critics. Here are a few recent examples: 

Coal Ash Company Sued Environmental Activists

In 2016, activists in Uniontown, Alabama—a poor, predominantly Black town with a median per capita income of around $8,000—were sued for $30 million by a Georgia-based company that put hazardous coal ash into Uniontown’s residential landfill. The activists were sued over statements on their website and Facebook page, which said things like the landfill “affected our everyday life,” and, “You can’t walk outside, and you cannot breathe.” The plaintiff settled the case after the ACLU stepped in to defend the activist group. 

Shiva Ayyadurai Sued A Tech Blog That Reported On Him

In 2016, technology blog Techdirt published articles disputing Shiva Ayyadurai’s claim to have “invented email.” Techdirt founder Mike Masnick was hit with a $15 million libel lawsuit in federal court. Masnick, an EFF Award winner, fought back in court and his reporting remains online, but the legal fees had a big effect on his business. With a strong federal anti-SLAPP law, more writers and publishers will be able to fight back against bullying lawsuits without resorting to crowd-funding. 

Logging Company Sued Greenpeace 

In 2016, environmental non-profit Greenpeace was sued along with several individual activists by Resolute Forest Products. Resolute sued over blog post statements such as Greenpeace’s allegation that Resolute’s logging was “bad news for the climate.” (After four years of litigation, Resolute was ordered to pay nearly $1 million in fees to Greenpeace—because a judge found that California’s strong anti-SLAPP law should apply.) 

Congressman Sued His Twitter Critics And Media Outlets 

In 2019, anonymous Twitter accounts were sued by Rep. Devin Nunes, then a congressman representing parts of Central California. Nunes used lawsuits to attempt to unmask and punish two Twitter users who used the handles @DevinNunesMom and @DevinCow to criticize his actions as a politician. Nunes filed these actions in a state court in Henrico County, Virginia. The location had little connection to the case, but Virginia’s weak anti-SLAPP law has enticed many plaintiffs there. 

Over the next few years, Nunes went on to sue many other journalists who published critical articles about him, using state and federal courts to sue CNN, The Washington Post, his hometown paper The Fresno Bee, MSNBC, a group of his own constituents, and others. Nearly all of these lawsuits were dropped or dismissed by courts. If a federal anti-SLAPP law were in place, more defendants would have a chance of dismissing such lawsuits early and recouping their legal fees. 

Fast Relief From SLAPPs

The Free Speech Protection Act gives defendants of SLAPP suits a powerful tool to defend themselves.

The bill would allow a defendant sued for speaking out on a matter of public concern to file a special motion to dismiss, which the court must generally decide on within 90 days. If the court grants the speaker-defendant’s motion, the claims are dismissed. In many situations, defendants who prevail on an anti-SLAPP motion will be entitled to have the plaintiff reimburse them for their legal fees. 

EFF has been defending the rights of online speakers for more than 30 years. A strong federal anti-SLAPP law will bring us closer to the vision of an internet that allows anyone to speak out and organize for change, especially when they speak against those with more power and resources. Anti-SLAPP laws enhance the rights of all. We urge Congress to pass The Free Speech Protection Act. 

Oppose The Patent-Troll-Friendly PREVAIL Act

Update 11/21/2024: The Senate Judiciary Committee voted 11-10 in favor of PREVAIL, and several senators expressed concerns about the bill. Thanks to EFF supporters who spoke out! We will continue to oppose this misguided bill. 

Good news: the Senate Judiciary Committee has dropped one of the two terrible patent bills it was considering, the patent-troll-enabling Patent Eligibility Restoration Act (PERA).

Bad news: the committee is still pushing the PREVAIL Act, a bill that would hamstring the U.S.’s most effective system for invalidating bad patents. PREVAIL is a windfall for patent trolls, and Congress should reject it.

One of the most effective tools to fight bad patents in the U.S. is a little-known but important system called inter partes review, or IPR. Created by Congress in 2011, the IPR process addresses a major problem: too many invalid patents slip through the cracks at the U.S. Patent and Trademark Office. While not an easy or simple process, IPR is far less expensive and time-consuming than the alternative: fighting invalid patents in federal district court.

That’s why small businesses and individuals rely on IPR for protection. More than 85% of tech-related patent lawsuits are filed by non-practicing entities, also known as “patent trolls”—companies that don’t have products or services of their own, but instead make dozens, or even hundreds, of patent claims against others, seeking settlement payouts.

So it’s no surprise that patent trolls are frequent targets of IPR challenges, often brought by tech companies. Eliminating these worst-of-the-worst patents is a huge benefit to small companies and individuals that might otherwise be unable to afford an IPR challenge themselves. 

For instance, Apple used an IPR-like process to invalidate a patent owned by the troll Ameranth, which claimed rights over using mobile devices to order food. Ameranth had sued over 100 restaurants, hotels, and fast-food chains. Once the patent was invalidated, after an appeal to the Federal Circuit, Ameranth’s barrage of baseless lawsuits came to an end. 

PREVAIL Would Ban EFF and Others From Filing Patent Challenges

The IPR system isn’t just for big tech—it has also empowered nonprofits like EFF to fight patents that threaten the public interest. 

In 2013, a patent troll called Personal Audio LLC claimed that it had patented podcasting. The patent, titled “System for disseminating media content representing episodes in a serialized sequence,” became the basis for the company’s demand for licensing fees from podcasters nationwide. Personal Audio filed lawsuits against three podcasters and threatened countless others.

EFF took on the challenge, raising over $80,000 through crowd-funding to file an IPR petition. The Patent Trial and Appeal Board agreed: the so-called “podcasting patent” should never have been granted. EFF proved that Personal Audio’s claims were invalid, and our victory was upheld all the way to the Supreme Court.

The PREVAIL Act would block such efforts. It limits IPR petitions to parties directly targeted by a patent owner, shutting out groups like EFF that protect the broader public. If PREVAIL becomes law, millions of people indirectly harmed by bad patents—like podcasters threatened by Personal Audio—will lose the ability to fight back.

PREVAIL Tilts the Field in Favor of Patent Trolls

The PREVAIL Act will make life easier for patent trolls at every step of the process. It is shocking that the Senate Judiciary Committee is using the few remaining hours it will be in session this year to advance a bill that undermines the rights of innovators and the public.  

Patent troll lawsuits target individuals and small businesses for simply using everyday technology. Everyone who can meet the legal requirements of an IPR filing should have the right to challenge invalid patents. Use our action center today and tell Congress: that’s not a right we want to give up today. 

Tell Congress To Stop These Last-Minute Bills That Help Patent Trolls

Update 11/21/2024: The Senate Judiciary Committee voted 11-10 in favor of PREVAIL, and several senators expressed concerns about the bill. Thanks to EFF supporters who spoke out! We will continue to oppose this misguided bill. 

Update 11/14/2024: The PERA and PREVAIL patent bills were pulled at the last minute today, without getting a committee vote. Senators are right to have concerns with these deeply flawed bills. We hope to engage with the next Congress on real patent fixes—changes that will create a more fair system for small companies and everyday users of tech. Thanks to all those who spoke out! If you haven't told Congress your opinion on these terrible patent bills, you can still do so using our action center linked below. Help us move the next Congress in a different direction.

This week, the Senate Judiciary Committee is set to use its limited time in the lame-duck session to vote on a bill that would make the patent system even worse.

The Patent Eligibility Restoration Act (S. 2140), or PERA, would undo vital limits on computer technology patents that the Supreme Court established in the landmark 2014 Alice v. CLS Bank decision. Alice barred patent applicants from obtaining patents simply by adding generic computer language to abstract ideas.

While Alice hasn’t fully fixed the problems of the patent system, or patent trolling, it has led to the rejection of hundreds of terrible software patents, including patents on crowdfunding, tracking packages, photo contests, watching online ads, computer bingo, upselling, and many others.

PERA would not only revive these dangerous technology patents, but also expand patenting of human genes—a type of patent the Supreme Court essentially blocked in 2013.

The Senate Judiciary Committee is also scheduled to vote on the PREVAIL Act (S. 2220), which seeks to severely limit the public’s ability to challenge bad patents at the patent office. These challenges are among the most effective tools for eliminating patents that never should have been granted in the first place.

Passing these bills would sell out the public interest to a narrow group of patent holders. EFF stands together with a broad coalition of patients’ rights groups, consumer rights organizations, think tanks, startups, and business organizations to oppose these harmful bills.

This week, we need to show Congress that everyday users and creators won’t support laws that foster more patent abuse. Help us send a clear message to your representatives in Congress today. 

The U.S. Senate must reject bills like these that would allow the worst patent scams to expand and thrive. 

Judge’s Investigation Into Patent Troll Results In Criminal Referrals

In 2022, three companies with strange names and no clear business purpose beyond patent litigation filed dozens of lawsuits in Delaware federal court, accusing businesses of all sizes of patent infringement. Some of these complaints claimed patent rights over basic aspects of modern life; one, for example, involved a patent that pertains to the process of clocking in to work through an app.

These companies–named Mellaconic IP, Backertop Licensing, and Nimitz Technologies–seemed to be typical examples of “patent trolls,” companies whose primary business is suing others over patents or demanding licensing fees rather than providing actual products or services. 

However, the cases soon took an unusual turn. The Delaware federal judge overseeing the cases, U.S. District Judge Colm Connolly, sought more information about the patents and their ownership. One of the alleged owners was a food-truck operator who had been promised “passive income,” but was entitled to only a small portion of any revenue generated from the lawsuits. Another owner was the spouse of an attorney at IP Edge, the patent-assertion company linked to all three LLCs. 

Following an extensive investigation, the judge determined that attorneys associated with these shell companies had violated legal ethics rules. He pointed out that the attorneys may have misled Hau Bui, the food-truck owner, about his potential liability in the case. Judge Connolly wrote: 

[T]he disparity in legal sophistication between Mr. Bui and the IP Edge and Mavexar actors who dealt with him underscore that counsel's failures to comply with the Model Rules of Professional Conduct while representing Mr. Bui and his LLC in the Mellaconic cases are not merely technical or academic.

Judge Connolly also concluded that IP Edge, the patent-assertion company behind hundreds of patent lawsuits and linked to the three LLCs, was the “de facto owner” of the patents asserted in his court, but that it attempted to hide its involvement. He wrote, “IP Edge, however, has gone to great lengths to hide the ‘we’ from the world,” with "we" referring to IP Edge. Connolly further noted, “IP Edge arranged for the patents to be assigned to LLCs it formed under the names of relatively unsophisticated individuals recruited by [IP Edge office manager] Linh Deitz.” 

The judge referred three IP Edge attorneys to the Supreme Court of Texas’ Unauthorized Practice of Law Committee for engaging in “unauthorized practices of law in Texas.” Judge Connolly also sent a letter to the Department of Justice, suggesting an investigation into “individuals associated with IP Edge LLC and its affiliate Mavexar LLC.”

Patent Trolls Tried To Shut Down This Investigation

The attorneys involved in this wild patent trolling scheme challenged Judge Connolly’s authority to proceed with his investigation. However, because transparency in federal courts is essential and applicable to all parties, including patent assertion entities, EFF and two other patent reform groups filed a brief in support of the judge’s investigation. The brief argued that “[t]he public has a right—and need—to know who is controlling and benefiting from litigation in publicly-funded courts.” Companies targeted by the patent trolls, as well as the Chamber of Commerce, filed their own briefs supporting the investigation. 

The appeals court sided with us, upholding Judge Connolly’s authority to proceed, which led to the referral of the involved attorneys to the disciplinary counsel of their respective bar associations. 

After this damning ruling, one of the patent troll companies and its alleged owner made a final effort at appealing this outcome. In July of this year, the U.S. Court of Appeals for the Federal Circuit ruled that investigating Backertop Licensing LLC and ordering its alleged owner to testify was “an appropriate means to investigate potential misconduct involving Backertop.” 

In EFF’s view, these types of investigations into the murky world of patent trolling are not only appropriate but should happen more often. Now that the appeals court has ruled, let’s take a look at what we learned about the patent trolls in this case. 

Patent Troll Entities Linked To French Government

One of the patent trolling entities, Nimitz Technologies LLC, asserted a single patent, U.S. Patent No. 7,848,328, against 11 companies. When the judge required Nimitz’s supposed owner, a man named Mark Hall, to testify in court, Hall could not describe anything about the patent or explain how Nimitz acquired it. He didn’t even know the name of the patent (“Broadcast Content Encapsulation”). When asked what technology was covered by the patent, he said, “I haven’t reviewed it enough to know,” and when asked how he paid for the patent, Hall replied, “no money exchanged hands.” 

The exchange between Hall and Judge Connolly went as follows: 

Q. So how do you come to own something if you never paid for it with money?

A. I wouldn't be able to explain it very well. That would be a better question for Mavexar.

Q. Well, you're the owner?

A. Correct.

Q. How do you know you're the owner if you didn't pay anything for the patent?

A. Because I have the paperwork that says I'm the owner.

(Nov. 27, 2023 Opinion, pages 8-9.) 

The Nimitz patent originated from the Finnish cell phone company Nokia, which later assigned it and several other patents to France Brevets, a French sovereign investment fund, in 2013. France Brevets, in turn, assigned the patent to a US company called Burley Licensing LLC, an entity linked to IP Edge, in 2021. Hau Bui (the food truck owner) signed on behalf of Burley, and Didier Patry, then the CEO of France Brevets, signed on behalf of the French fund. 

France Brevets was an investment fund formed in 2009 with €100 million in seed money from the French government to manage intellectual property. France Brevets was set to receive 35% of any revenue related to “monetizing and enforcement” of the patent, with Burley agreeing to file at least one patent infringement lawsuit within a year, and collect a “total minimum Gross Revenue of US $100,000” within 24 months, or the patent rights would be given back to France Brevets. 

Burley Licensing LLC, run by IP Edge personnel, then created Nimitz Technologies LLC—a company with no assets except for the single patent. They obtained a mailing address for it from a Staples in Frisco, Texas, and assigned the patent to the LLC in August 2021, while the obligations to France Brevets remained unchanged until the fund shut down in 2022.

The Bigger Picture

It’s troubling that patent lawsuits are often funded by entities with no genuine interest in innovation, such as private equity firms. However, it’s even more concerning when foreign government-backed organizations like France Brevets manipulate the US patent system for profit. In this case, a Finnish company sold its patents to a French government fund, which used US-based IP lawyers to file baseless lawsuits against American companies, including well-known establishments like Reddit and Bloomberg, as well as smaller ones like Tastemade and Skillshare.

Judges should enforce rules requiring transparency about third-party funding in patent lawsuits. When ownership is unclear, it’s appropriate to insist that the real owners show up and testify—before dragging dozens of companies into court over dubious software patents. 

Related documents: 

  • Memorandum and Order referring counsel to disciplinary bodies (Nov. 23, 2023) 
  • Federal Circuit Opinion affirming the order requiring Lori LaPray to appear “for testimony regarding potential fraud on the court,” as well as the District Court’s order of monetary sanction against Ms. LaPray for subsequently failing to appear

Salt Typhoon Hack Shows There's No Security Backdoor That's Only For The "Good Guys"

At EFF we’ve long noted that you cannot build a backdoor that only lets in good guys and not bad guys. Over the weekend, we saw another example of this: The Wall Street Journal reported on a major breach of U.S. telecom systems attributed to a sophisticated Chinese-government backed hacking group dubbed Salt Typhoon.

According to reports, the hack took advantage of systems built by ISPs like Verizon, AT&T, and Lumen Technologies (formerly CenturyLink) to give law enforcement and intelligence agencies access to the ISPs’ user data. This gave China unprecedented access to data related to U.S. government requests to these major telecommunications companies. It’s still unclear how much communication and internet traffic, and related to whom, Salt Typhoon accessed.

That’s right: the path for law enforcement access set up by these companies was apparently compromised and used by China-backed hackers. That path was likely created to facilitate smooth compliance with wrong-headed laws like CALEA, which require telecommunications companies to facilitate “lawful intercepts”—in other words, wiretaps and other orders by law enforcement and national security agencies. While this is a terrible outcome for user privacy, and for U.S. government intelligence and law enforcement, it is not surprising. 

The idea that only authorized government agencies would ever use these channels for acquiring user data was always risky and flawed. We’ve seen this before: in a notorious case in 2004 and 2005, more than 100 top officials in the Greek government were illegally surveilled for a period of ten months when unknown parties broke into Greece’s “lawful access” program. In 2024, with growing numbers of sophisticated state-sponsored hacking groups operating, it’s almost inevitable that these types of damaging breaches occur. The system of special law enforcement access that was set up for the “good guys” isn’t making us safer; it’s a dangerous security flaw. 

Internet Wiretaps Have Always Been A Bad Idea

Passed in 1994, CALEA requires that makers of telecommunications equipment provide the ability for government eavesdropping. In 2004, the government dramatically expanded this wiretap mandate to include internet access providers. EFF opposed this expansion and explained the perils of wiretapping the internet.  

The internet is different from the phone system in critical ways, making it more vulnerable. The internet is open and ever-changing. “Many of the technologies currently used to create wiretap-friendly computer networks make the people on those networks more pregnable to attackers who want to steal their data or personal information,” EFF wrote, nearly 20 years ago.

Towards Transparency And Security

The irony should be lost on no one that now the Chinese government may be in possession of more knowledge about who the U.S. government spies on, including people living in the U.S., than Americans. The intelligence and law enforcement agencies that use these backdoor legal authorities are notoriously secretive, making oversight difficult. 

Companies and people who are building communication tools should be aware of these flaws and implement, where possible, privacy by default. As bad as this hack was, it could have been much worse if it wasn’t for the hard work of EFF and other privacy advocates making sure that more than 90% of web traffic is encrypted via HTTPS. For those hosting the 10% (or so) of the web that has yet to encrypt its traffic, now is a great time to consider turning on encryption, either using Certbot or switching to a hosting provider that offers HTTPS by default.

What can we do next? We must demand real privacy and security.  

That means we must reject the loud law enforcement and other voices that continue to pretend that there are “good guy only” ways to ensure access. We can point to this example, among many others, to push back on the idea that the default in the digital world is that governments (and malicious hackers) should be able to access all of our messages and files. We’ll continue to fight against US bills like EARN IT, the EU “Chat Control” file-scanning proposal, and the UK’s Online Safety Act, all of which are based on this flawed premise. 

It’s time for U.S. policymakers to step up too. If they care about China and other foreign countries engaging in espionage on U.S. citizens, it’s time to speak up in favor of encryption by default. If they don’t want to see bad actors take advantage of their constituents, domestic companies, or security agencies, again—speak up for encryption by default. Elected officials can and have done so in the past. Instead of holding hearings that give the FBI a platform to make digital wiretaps easier, demand accountability for the digital lock-breaking they’re already doing.

The lesson will be repeated until it is learned: there is no backdoor that only lets in good guys and keeps out bad guys. It’s time for all of us to recognize this, and take steps to ensure real security and privacy for all of us.

Patient Rights and Consumer Groups Join EFF In Opposing Two Extreme Patent Bills

Update 9/26/24: The hearing and scheduled committee vote on PERA and PREVAIL were canceled. Supporters can continue to register their opposition via our action, as these bills may still be scheduled for a vote later in 2024.

The U.S. Senate Judiciary Committee is set to vote this Thursday on two bills that could significantly empower patent trolls. The Patent Eligibility Restoration Act (PERA) would bring back many of the abstract computer patents that have been barred for the past 10 years under Supreme Court precedent. Meanwhile, the PREVAIL Act would severely limit how the public can challenge wrongly granted patents at the patent office. 

EFF has sent letters to the Senate Judiciary Committee opposing both of these bills. The letters are co-signed by a wide variety of civil society groups, think tanks, startups, and business groups that oppose these misguided bills. Our letter on PERA states: 

Under PERA, any business method, methods of practicing medicine, legal agreement, media content, or even games and entertainment could be patented so long as the invention requires some use of computers or electronic communications… It is hard to overstate just how extreme and far-reaching such a change would be.

If enacted, PERA could revive some of the most problematic patents used by patent trolls, including: 

  • The Alice Corp. patent, which claimed the idea of clearing financial transactions through a third party via a computer. 
  • The Ameranth patent, which covered the use of mobile devices to order food at restaurants. This patent was used to sue over 100 restaurants, hotels, and fast-food chains merely for using off-the-shelf technology.
  • A patent owned by Hawk Technology Systems LLC, which claimed generic video technology to view surveillance videos, and was used to sue over 200 hospitals, schools, charities, grocery stores, and other businesses. 

A separate letter signed by 17 professors of IP law cautions that PERA would cloud the legal landscape on patent eligibility, which the Supreme Court clarified in its 10-year-old Alice v. CLS Bank case. “PERA would overturn centuries of jurisprudence that prevents patent law from effectively restricting the public domain of science, nature, and abstract ideas that benefits all of society,” the professors write.

The U.S. Public Interest Research Group also opposes both PERA and PREVAIL, and points out in its opposition letter that patent application misuse has improperly prevented generic drugs from coming on to the market, even years after the original patent has expired. They warn: 

“The changes proposed in PERA open the door to patent compounds that exist in nature which nobody invented, but are newly discovered,” the group writes. “This dramatic change could have devastating effects on drug pricing by expanding the universe of items that can have a patent, meaning it will be easier than ever for drug companies to build patent thickets which keep competitors off the market.” 

Patients’ rights advocacy groups have also weighed in. They argue that PREVAIL “seriously undermines citizens’ ability to promote competition by challenging patents,” while PERA “opens the door to allow an individual or corporation to acquire exclusive rights to aspects of nature and information about our own bodies.” 

Generic drug makers share these concerns. “PREVAIL will make it more difficult for generic and biosimilar manufacturers to challenge expensive brand-name drug patent thickets and bring lower-cost medicines to patients, and PERA will enable brand-name drug manufacturers to build even larger thickets and charge higher prices,” an industry group stated earlier this month. 

We urge the Senate to heed the voices of this broad coalition of civil society groups and businesses opposing these bills. Passing them would create a more unbalanced and easily exploitable patent system. The public interest must come before the loud voices of patent trolls and a few powerful patent holders.

Senate Vote Could Give Helping Hand To Patent Trolls

Update 9/26/24: The hearing and scheduled committee vote on PERA and PREVAIL were canceled. Supporters can continue to register their opposition via our action, as these bills may still be scheduled for a vote later in 2024.

Update 9/20/24: The Senate vote scheduled for Thursday, Sep. 19 has been rescheduled for Thursday, Sep. 26. 

A patent on crowdfunding. A patent on tracking packages. A patent on photo contests. A patent on watching an ad online. A patent on computer bingo. A patent on upselling.

These are just a few of the patents used to harass software developers and small companies in recent years. Thankfully, they were tossed out by U.S. courts, thanks to the landmark 2014 Supreme Court decision in Alice v. CLS Bank. The Alice ruling has effectively ended hundreds of lawsuits where defendants were improperly sued for basic computer use.

Now, patent trolls and a few huge corporate patent-holders are upset about losing their bogus patents. They are lobbying Congress to change the rules–and reverse the Alice decision entirely. Shockingly, they’ve convinced the Senate Judiciary Committee to vote this Thursday on two of the most damaging patent bills we’ve ever seen.

The Patent Eligibility Restoration Act (PERA, S. 2140) would overturn Alice, enabling patent trolls to extort small business owners and even hobbyists, just for using common software systems to express themselves or run their businesses. PERA would also overturn a 2013 Supreme Court case that prevents most kinds of patenting of human genes.

Meanwhile, the PREVAIL Act (S. 2220) seeks to severely limit how the public can challenge bad patents at the patent office. Challenges like these are one of the most effective ways to throw out patents that never should have been granted in the first place. 

This week, we need to show Congress that everyday users and creators won’t stand for laws that actually expand avenues for patent abuse.

The U.S. Senate must not pass new legislation to allow the worst patent scams to expand and flourish. 

Victory! California Bill To Impose Mandatory Internet ID Checks Is Dead—It Should Stay That Way

A misguided bill that would have required many people to show ID to get online has died without getting a floor vote in the California legislature, where key deadlines for bill passage passed this weekend. Thank you to our supporters for helping us to kill this wrongheaded bill, especially those of you who took the time to reach out to your legislators.

EFF opposed this bill from the start. Bills that allow politicians to define what is “sexually explicit” content and then enact punishments for those who engage with it are inherently censorship bills—and they never stop with minors. 

A.B. 3080 would have required an age verification system, most likely a scanned uploaded government-issued ID, to be erected for any website that had more than 33% “sexually explicit” content. The proposal did not, and could not have, differentiated between sites that are largely graphic sexual content and a huge array of sites that have some content that is appropriate for minors, along with other content that is geared towards adults. Bills like this are similar to having state prosecutors insist on ID uploads in order to turn on Netflix, regardless of whether the movie you’re seeking is G-rated or R-rated. 

Political attempts to use pornography as an excuse to censor and control the internet are now almost 30 years old. These proposals persist despite the fact that applying government overseers to what Americans read and watch is not only unconstitutional, but broadly unpopular. In Reno v. ACLU, the Supreme Court overruled almost all of the Communications Decency Act, a 1996 law that was intended to keep “obscene or indecent” material away from minors. In 2004, the Supreme Court again rejected an age-gated internet in ACLU v. Ashcroft, striking down most of a federal law of that era. 

The right of adults to read and watch what they want online is settled law. It is also a right that the great majority of Americans want to keep. The age-gating systems that propose to analyze and copy our biometric data, our government IDs, or both, will be a huge privacy setback for Americans of all ages. Electronically uploading and copying IDs is far from the equivalent of an in-person card check. And they won’t be effective at moderating what children see, which can and must be done by individuals and families. 

Other states have passed online age-verification bills this year, including a Texas bill that EFF has asked the U.S. Supreme Court to evaluate. Tennessee’s age-verification bill even includes criminal penalties, allowing prosecutors to bring felony charges against anyone who “publishes or distributes”—i.e., links to—sexual material. 

California politicians should let this unconstitutional and censorious proposal fade away, and resist the urge to bring it back next year. Californians do not want mandatory internet ID checks, nor are they interested in fines and incarceration for those who fail to use them. 

The KOSA Internet Censorship Bill Just Passed The Senate—It's Our Last Chance To Stop It

The Senate just passed a bill that will let the federal and state governments investigate and sue websites that they claim cause kids mental distress. It’s a terrible idea to let politicians and bureaucrats decide what people should read and view online, but the Senate passed KOSA on a 91-3 vote.   

Bill proponents have focused on some truly tragic stories of loss, and then tied these tragedies to the internet. But anxiety, eating disorders, drug abuse, gambling, tobacco and alcohol use by minors, and the host of other ills that KOSA purports to address all existed well before the internet.

The Senate vote means that the House could take up and vote on this bill at any time. The House could also choose to debate its own, similarly flawed, version of KOSA. Several members of the House have expressed concerns about the bill. 

The members of Congress who vote for this bill should remember—they do not, and will not, control who will be in charge of punishing bad internet speech. The Federal Trade Commission, majority-controlled by the President’s party, will be able to decide what kind of content “harms” minors, then investigate or file lawsuits against websites that host that content.

Politicians in both parties have sought to control various types of internet content. One bill sponsor has said that widely used educational materials that teach about the history of racism in the U.S. cause depression in kids. Kids speaking out about mental health challenges or trying to help friends with addiction are likely to be treated the same as those promoting addictive or self-harming behaviors, and will be kicked offline. Minors engaging in activism or even discussing the news could be shut down, since the grounds for suing websites expand to conditions like “anxiety.”

KOSA will lead to people who make online content about sex education, and LGBTQ+ identity and health, being persecuted and shut down as well. Views on how, or if, these subjects should be broached vary widely across U.S. communities. All it will take is one member of the Federal Trade Commission seeking to score political points, or a state attorney general seeking to ensure re-election, to start going after the online speech his or her constituents don’t like. 

All of these speech burdens will affect adults, too. Adults simply won’t find the content that was mass-deleted in the name of avoiding KOSA-inspired lawsuits; and we’ll all be burdened by websites and apps that install ID checks, age gates, and invasive (and poorly functioning) software content filters. 

The vast majority of speech that KOSA affects is constitutionally protected in the U.S., which is why there is a long list of reasons that KOSA is unconstitutional. Unfortunately, the lawmakers voting for this bill have hand-waved away those concerns. They’ve also blown off the voices of millions of young people who will have their free expression constricted by this bill, including the thousands who spoke to EFF directly about their concerns and fears around KOSA. 

We can’t rely solely on lawsuits and courts to protect us from the growing wave of anti-speech internet legislation, with KOSA at its forefront. We need to let the people making the laws know that the public is becoming aware of their censorship plans—and won’t stand for them.

Victory! EFF Supporters Beat USPTO Proposal To Wreck Patent Reviews

The U.S. patent system is broken, particularly when it comes to software patents. At EFF, we’ve been fighting hard for changes that make the system more sensible. Last month, we got a big victory when we defeated a set of rules that would have mangled one of the U.S. Patent and Trademark Office (USPTO)’s most effective systems for kicking out bad patents. 

In 2012, recognizing the entrenched problem of a patent office that spewed out tens of thousands of ridiculous patents every year, Congress created a new system to review patents called “inter partes reviews,” or IPRs. While far from perfect, IPRs have resulted in cancellation of thousands of patent claims that never should have been issued in the first place. 

At EFF, we used the IPR process to crowd-fund a challenge to the Personal Audio “podcasting patent” that tried to extract patent royalty payments from U.S. podcasters. We won that proceeding and our victory was confirmed on appeal.

It’s no surprise that big patent owners and patent trolls have been trying to wreck the IPR system for years. They’ve tried, and failed, to get federal courts to dismantle IPRs. They’ve tried, and failed, to push legislation that would break the IPR system. And last year, they found a new way to attack IPRs—by convincing the USPTO to propose a set of rules that would have sharply limited the public’s right to challenge bad patents. 

That’s when EFF and our supporters knew we had to fight back. Nearly one thousand EFF supporters filed comments with the USPTO using our suggested language, and hundreds more of you wrote your own comments. 

Today, we say thank you to everyone who took the time to speak out. Your voice does matter. In fact, the USPTO withdrew all three of the terrible proposals that we focused on. 

Our Victory to Keep Public Access To Patent Challenges 

The original rules would have greatly expanded what are called “discretionary denials,” enabling judges at the USPTO to throw out an IPR petition without adequately considering the merits of the petition. While we would like to see even fewer discretionary denials, defeating the proposed limitations on patent challenges is a significant win.

First, the original rules would have stopped “certain for-profit entities” from using the IPR system altogether. While EFF is a non-profit, for-profit companies can and should be allowed to play a role in getting wrongly granted patents out of the system. Membership-based patent defense organizations like RPX or Unified Patents can allow small companies to band together and limit their costs while defending themselves against invalid patents. And non-profits like the Linux Foundation, who joined us in fighting against these wrongheaded proposed rules, can work together with professional patent defense groups to file more IPRs. 

EFF and our supporters wrote in opposition to this rule change—and it’s out. 

Second, the original rules would have exempted “micro and small entities” from patent reviews altogether. This exemption would have applied to many of the types of companies we call “patent trolls”—that is, companies whose business is simply demanding license fees for patents, rather than offering actual products or services. Those companies, specially designed to threaten litigation, would have easily qualified as “small entities” and avoided having their patents challenged. Patent trolls, which bully real small companies and software developers into paying unwarranted settlement fees, aren’t the kind of “small business” that should be getting special exemptions from patent review. 

EFF and our supporters opposed this exemption, and it’s out of the final rulemaking. 

Third, last year’s proposal would have allowed for IPR petitions to be kicked out if they had a “parallel proceeding”—in other words, a similar patent dispute—in district court. This was a wholly improper reason to not consider IPRs, especially since district court evidence rules are different than those in place for an IPR. 

EFF and our supporters opposed these new limitations, and they’re out. 

While the new rules aren’t perfect, they’re greatly improved. We would still prefer more IPRs rather than fewer, and don’t want to see IPRs that otherwise meet the rules get kicked out of the review process. But even there, the new revised rules have big improvements. For instance, they allow for separate briefing of discretionary denials, so that people and companies seeking IPR review can keep their focus on the merits of their petition. 

Now The EU Council Should Finally Understand: No One Wants “Chat Control”

The EU Council has now passed a 4th term without passing its controversial message-scanning proposal. The just-concluded Belgian Presidency failed to broker a deal that would push forward this regulation, which has now been debated in the EU for more than two years. 

For all those who have reached out to sign the “Don’t Scan Me” petition, thank you—your voice is being heard. News reports indicate the sponsors of this flawed proposal withdrew it because they couldn’t get a majority of member states to support it. 

Now, it’s time to stop attempting to compromise encryption in the name of public safety. EFF has opposed this legislation from the start. Today, we’ve published a statement, along with EU civil society groups, explaining why this flawed proposal should be withdrawn.  

The scanning proposal would create “detection orders” that allow for messages, files, and photos from hundreds of millions of users around the world to be compared to government databases of child abuse images. At some points during the debate, EU officials even suggested using AI to scan text conversations and predict who would engage in child abuse. That’s one of the reasons why some opponents have labeled the proposal “chat control.” 

There’s scant public support for government file-scanning systems that break encryption. Nor is there support in EU law. People who need secure communications the most—lawyers, journalists, human rights workers, political dissidents, and oppressed minorities—will be the most affected by such invasive systems. Another group harmed would be those whom the EU’s proposal claims to be helping—abused and at-risk children, who need to securely communicate with trusted adults in order to seek help. 

The right to have a private conversation, online or offline, is a bedrock human rights principle. When surveillance is used as an investigation technique, it must be targeted and coupled with strong judicial oversight. In the coming EU council presidency, which will be led by Hungary, leaders should drop this flawed message-scanning proposal and focus on law enforcement strategies that respect people’s privacy and security.
