
In Historic Victory for Human Rights in Colombia, Inter-American Court Finds State Agencies Violated Human Rights of Lawyers Defending Activists

In a landmark ruling for fundamental freedoms in Colombia, the Inter-American Court of Human Rights found that for over two decades the state government harassed, surveilled, and persecuted members of a lawyers’ group that defends human rights defenders, activists, and indigenous people, putting the attorneys’ lives at risk.

The ruling is a major victory for civil rights in Colombia, which has a long history of abuse and violence against human rights defenders, including murders and death threats. The case involved the unlawful and arbitrary surveillance of members of the Jose Alvear Restrepo Lawyers Collective (CAJAR), a Colombian human rights organization defending victims of political persecution and community activists for over 40 years.

The court found that since at least 1999, Colombian authorities carried out a constant campaign of pervasive secret surveillance of CAJAR members and their families. The state violated their rights to life, personal integrity, private life, freedom of expression and association, and more, the Court said. It noted the particular impact experienced by women defenders and those who had to leave the country amid threats, attacks, and harassment for representing victims.

The decision is the first by the Inter-American Court to find a State responsible for violating the right to defend human rights. The court is a human rights tribunal that interprets and applies the American Convention on Human Rights, an international treaty ratified by over 20 states in Latin America and the Caribbean. 

In 2022, EFF, Article 19, Fundación Karisma, and Privacy International, represented by Berkeley Law’s International Human Rights Law Clinic, filed an amicus brief in the case. EFF and partners urged the court to rule that Colombia’s legal framework regulating intelligence activity and the surveillance of CAJAR and their families violated a constellation of human rights and forced them to limit their activities, change homes, and go into exile to avoid violence, threats, and harassment. 

Colombia's intelligence network was behind abusive surveillance practices in violation of the American Convention and did not prevent authorities from unlawfully surveilling, harassing, and attacking CAJAR members, EFF told the court. Even after Colombia enacted a new intelligence law, authorities continued to carry out unlawful communications surveillance against CAJAR members, using an expansive and invasive spying system to target and disrupt the work of not just CAJAR but other human rights defenders and journalists.

In examining Colombia’s intelligence law and surveillance actions, the court elaborated on key Inter-American and other international human rights standards, and advanced significant conclusions for the protection of privacy, freedom of expression, and the right to defend human rights. 

The court delved into criteria for intelligence gathering powers, limitations, and controls. It highlighted the need for independent oversight of intelligence activities and effective remedies against arbitrary actions. It also elaborated on standards for the collection, management, and access to personal data held by intelligence agencies, and recognized the protection of informational self-determination by the American Convention. We highlight some of the most important conclusions below.

Prior Judicial Order for Communications Surveillance and Access to Data

The court noted that actions such as covert surveillance, interception of communications, or collection of personal data constitute undeniable interference with the exercise of human rights, requiring precise regulations and effective controls to prevent abuse from state authorities. Its ruling recalled European Court of Human Rights’ case law establishing that “the mere existence of legislation allowing for a system of secret monitoring […] constitutes a threat to 'freedom of communication among users of telecommunications services and thus amounts in itself to an interference with the exercise of rights'.”

Building on its ruling in the case Escher et al. vs Brazil, the Inter-American Court stated that

“[t]he effective protection of the rights to privacy and freedom of thought and expression, combined with the extreme risk of arbitrariness posed by the use of surveillance techniques […] of communications, especially in light of existing new technologies, leads this Court to conclude that any measure in this regard (including interception, surveillance, and monitoring of all types of communication […]) requires a judicial authority to decide on its merits, while also defining its limits, including the manner, duration, and scope of the authorized measure.” (emphasis added) 

According to the court, judicial authorization is needed when intelligence agencies intend to request personal information from private companies that, for various legitimate reasons, administer or manage this data. Similarly, prior judicial order is required for “surveillance and tracking techniques concerning specific individuals that entail access to non-public databases and information systems that store and process personal data, the tracking of users on the computer network, or the location of electronic devices.”  

The court said that “techniques or methods involving access to sensitive telematic metadata and data, such as email and metadata of OTT applications, location data, IP address, cell tower station, cloud data, GPS and Wi-Fi, also require prior judicial authorization.” Unfortunately, the court missed the opportunity to clearly differentiate between targeted and mass surveillance to explicitly condemn the latter.

The court had already recognized in Escher that the American Convention protects not only the content of communications but also any related information like the origin, duration, and time of the communication. But legislation across the region provides less protection for metadata compared to content. We hope the court's new ruling helps to repeal measures allowing state authorities to access metadata without a previous judicial order.

Indeed, the court emphasized that the need for a prior judicial authorization "is consistent with the role of guarantors of human rights that corresponds to judges in a democratic system, whose necessary independence enables the exercise of objective control, in accordance with the law, over the actions of other organs of public power.” 

To this end, the judicial authority is responsible for evaluating the circumstances around the case and conducting a proportionality assessment. The judicial decision must be well-founded and weigh all constitutional, legal, and conventional requirements to justify granting or denying a surveillance measure. 

Informational Self-Determination Recognized as an Autonomous Human Right 

In a landmark outcome, the court asserted that individuals are entitled to decide when and to what extent aspects of their private life can be revealed, which involves defining what type of information, including their personal data, others may get to know. This relates to the right of informational self-determination, which the court recognized as an autonomous right protected by the American Convention. 

“In the view of the Inter-American Court, the foregoing elements give shape to an autonomous human right: the right to informational self-determination, recognized in various legal systems of the region, and which finds protection in the protective content of the American Convention, particularly stemming from the rights set forth in Articles 11 and 13, and, in the dimension of its judicial protection, in the right ensured by Article 25.”  

The protections that Article 11 grants to human dignity and private life safeguard a person's autonomy and the free development of their personality. Building on this provision, the court affirmed individuals’ self-determination regarding their personal information. In combination with the right to access information enshrined in Article 13, the court determined that people have the right to access and control their personal data held in databases.

The court has explained that the scope of this right includes several components. First, people have the right to know what data about them are contained in state records, where the data came from, how it got there, the purpose for keeping it, how long it’s been kept, whether and why it’s being shared with outside parties, and how it’s being processed. Next is the right to rectify, modify, or update their data if it is inaccurate, incomplete, or outdated. Third is the right to delete, cancel, and suppress their data in justified circumstances. Fourth is the right to oppose the processing of their data also in justified circumstances, and fifth is the right to data portability as regulated by law. 

According to the court, any exceptions to the right of informational self-determination must be legally established, necessary, and proportionate for intelligence agencies to carry out their mandate. In elaborating on the circumstances for full or partial withholding of records held by intelligence authorities, the court said any restrictions must be compatible with the American Convention. Holding back requested information is always exceptional, limited in time, and justified according to specific and strict cases set by law. The protection of national security cannot serve as a blanket justification for denying access to personal information. “It is not compatible with Inter-American standards to establish that a document is classified simply because it belongs to an intelligence agency and not on the basis of its content,” the court said.  

The court concluded that Colombia violated CAJAR members’ right to informational self-determination by arbitrarily restricting their ability to access and control their personal data within public bodies’ intelligence files.

The Vital Protection of the Right to Defend Human Rights

The court emphasized the autonomous nature of the right to defend human rights, finding that States must ensure people can freely, without limitations or risks of any kind, engage in activities aimed at the promotion, monitoring, dissemination, teaching, defense, advocacy, or protection of universally recognized human rights and fundamental freedoms. The ruling recognized that Colombia violated the CAJAR members' right to defend human rights.

For over a decade, human rights bodies and organizations have raised alarms and documented the deep challenges and perils that human rights defenders constantly face in the Americas. In this ruling, the court importantly reiterated their fundamental role in strengthening democracy. It emphasized that this role justifies a special duty of protection by States, which must establish adequate guarantees and facilitate the necessary means for defenders to freely exercise their activities. 

Therefore, proper respect for human rights requires States’ special attention to actions that limit or obstruct the work of defenders. The court has emphasized that threats and attacks against human rights defenders, as well as the impunity of perpetrators, have not only an individual but also a collective effect, insofar as society is prevented from knowing the truth about human rights violations under the authority of a specific State. 

Colombia’s Intelligence Legal Framework Enabled Arbitrary Surveillance Practices 

In our amicus brief, we argued that Colombian intelligence agents carried out unlawful communications surveillance of CAJAR members under a legal framework that failed to meet international human rights standards. As EFF and allies elaborated a decade ago on the Necessary and Proportionate principles, international human rights law provides an essential framework for ensuring robust safeguards in the context of State communications surveillance, including intelligence activities. 

In the brief, we bolstered criticism made by CAJAR, Centro por la Justicia y el Derecho Internacional (CEJIL), and the Inter-American Commission on Human Rights, challenging Colombia’s claim that the Intelligence Law enacted in 2013 (Law n. 1621) is clear and precise, fulfills the principles of legality, proportionality, and necessity, and provides sufficient safeguards. EFF and partners highlighted that even after its passage, intelligence agencies have systematically surveilled, harassed, and attacked CAJAR members in violation of their rights. 

As we argued, that didn’t happen despite Colombia’s intelligence legal framework; rather, it was enabled by its flaws. We emphasized that the Intelligence Law gives authorities wide latitude to surveil human rights defenders, lacking provisions for prior, well-founded, judicial authorization for specific surveillance measures, and robust independent oversight. We also pointed out that Colombian legislation failed to provide the necessary means for defenders to correct and erase their data unlawfully held in intelligence records.

The court ruled that, as reparation, Colombia must adjust its intelligence legal framework to reflect Inter-American human rights standards. This means that intelligence norms must be changed to clearly establish the legitimate purposes of intelligence actions, the types of individuals and activities subject to intelligence measures, the level of suspicion needed to trigger surveillance by intelligence agencies, and the duration of surveillance measures. 

The reparations also call for Colombia to keep files and records of all steps of intelligence activities, “including the history of access logs to electronic systems, if applicable,” and deliver periodic reports to oversight entities. The legislation must also subject communications surveillance measures to prior judicial authorization, except in emergency situations. Moreover, Colombia needs to pass regulations for mechanisms ensuring the right to informational self-determination in relation to intelligence files. 

These are just some of the fixes the ruling calls for, and they represent a major win. Still, the court missed the opportunity to vehemently condemn state mass surveillance (which can occur under an ill-defined measure in Colombia’s Intelligence Law enabling spectrum monitoring), although Colombian courts will now have the chance to rule it out.

In all, the court ordered the state to take 16 reparation measures, including implementing a system for collecting data on violence against human rights defenders and investigating acts of violence against victims. The government must also publicly acknowledge responsibility for the violations. 

The Inter-American Court's ruling in the CAJAR case sends an important message to Colombia, and the region, that intelligence powers are only lawful and legitimate when there are solid and effective controls and safeguards in place. Intelligence authorities cannot act as if international human rights law doesn't apply to their practices.  

When they do, violations must be fiercely investigated and punished. The ruling elaborates on crucial standards that States must fulfill to make this happen. Only time will tell how closely Colombia and other States will apply the court's findings to their intelligence activities. What’s certain is the dire need to fix a system that helped Colombia become the deadliest country in the Americas for human rights defenders last year, with 70 murders, more than half of all such murders in Latin America. 

Ola Bini Faces Ecuadorian Prosecutors Seeking to Overturn Acquittal of Cybercrime Charge

By: Karen Gullo
April 1, 2024 at 12:21

Ola Bini, the software developer acquitted last year of cybercrime charges in a unanimous verdict in Ecuador, was back in court last week in Quito as prosecutors, using the same evidence that helped clear him, asked an appeals court to overturn the decision with bogus allegations of unauthorized access of a telecommunications system.

Armed with a grainy image of a telnet session—which the lower court already ruled was not proof of criminal activity—and testimony of an expert witness to the lower court—who never had access to the devices and systems involved in the alleged intrusion—prosecutors presented the theory that, by connecting to a router, Bini made partial unauthorized access in an attempt to break into a system provided by Ecuador’s national telecommunications company (CNT) to a presidency's contingency center.

If this all sounds familiar, that’s because it is. In an unfounded criminal case plagued by irregularities, delays, and due process violations, Ecuadorian prosecutors have for the last five years sought to prove Bini violated the law by allegedly accessing an information system without authorization.

Bini, who resides in Ecuador, was arrested at the Quito airport in 2019 without being told why. He first learned about the charges from a TV news report depicting him as a criminal trying to destabilize the country. He spent 70 days in jail and cannot leave Ecuador or use his bank accounts.

Bini prevailed in a trial last year before a three-judge panel. The core evidence the Prosecutor’s Office and CNT’s lawyer presented to support the accusation of unauthorized access to a computer, telematic, or telecommunications system was a printed image of a telnet session allegedly taken from Bini’s mobile phone.

The image shows the user requesting a telnet connection to an open server using their computer’s command line. The open server warns that unauthorized access is prohibited and asks for a username. No username is entered. The connection then times out and closes. Rather than demonstrating that Bini intruded into the Ecuadorean telephone network system, it shows the trail of someone who paid a visit to a publicly accessible server—and then politely obeyed the server's warnings about usage and access.

Bini’s acquittal was a major victory for him and the work of security researchers. By assessing the evidence presented, the court concluded that both the Prosecutor’s Office and CNT failed to demonstrate a crime had occurred. There was no evidence that unauthorized access had ever happened, nor anything to sustain the malicious intent that article 234 of Ecuador’s Penal Code requires to characterize the offense of unauthorized access.

The court emphasized the necessity of proper evidence to prove that an alleged computer crime occurred and found that the image of a telnet session presented in Bini’s case is not fit for this purpose. The court explained that graphical representations, which can be altered, do not constitute evidence of cybercrime since an image cannot verify whether the commands illustrated in it were actually executed. Building on technical experts' testimonies, the court said that what does not emerge, or what can't be verified from digital forensics, is not proper digital evidence.

Prosecutors appealed the verdict and are back in court using the same image that didn’t prove any crime was committed. At the March 26 hearing, prosecutors said their expert witness’s analysis of the telnet image shows there was connectivity to the router. The witness compared it to entering the yard of someone’s property to see if the gate to the property is open or closed. Entering the yard is analogous to connecting to the router, the witness said.

Actually, no.
Our interpretation of the image, which was leaked to the media before Bini’s trial, is that it’s the internet equivalent of seeing an open gate, walking up to it, seeing a “NO TRESPASSING” sign, and walking away. If this image could prove anything, it is that no unauthorized access happened.

Yet no expert analysis was conducted on the systems allegedly affected. The expert witness’s testimony was based on his analysis of a CNT report—he didn’t have access to the CNT router to verify its configuration. He didn’t digitally validate whether what was shown in the report actually happened, and he was never asked to verify the existence of an IP address owned or managed by CNT.

That’s not the only problem with the appeal proceedings. Deciding the appeal is a panel of three judges, two of whom ruled to keep Bini in detention after his arrest in 2019 because there were allegedly sufficient elements to establish a suspicion against him. The detention was later considered illegal and arbitrary because of a lack of such elements. Bini filed a lawsuit against the Ecuadorian state, including the two judges, for violating his rights. Bini’s defense team has sought to remove these two judges from the appeals case, but his requests were denied.

The appeals court panel is expected to issue a final ruling in the coming days.  

Meta Oversight Board’s Latest Policy Opinion a Step in the Right Direction

EFF welcomes the latest and long-awaited policy advisory opinion from Meta’s Oversight Board calling on the company to end its blanket ban on the use of the Arabic-language term “shaheed” when referring to individuals listed under Meta’s policy on dangerous organizations and individuals and calls on Meta to fully implement the Board’s recommendations.

Since the Meta Oversight Board was created in 2020 as an appellate body designed to review select contested content moderation decisions made by Meta, we’ve watched with interest as the Board has considered a diverse set of cases and issued expert opinions aimed at reshaping Meta’s policies. While our views on the Board's efficacy in creating long-term policy change have been mixed, we have been happy to see the Board issue policy recommendations that seek to maximize free expression on Meta properties.

The policy advisory opinion, issued Tuesday, addresses posts referring to individuals as 'shaheed,' an Arabic term that closely (though not exactly) translates to 'martyr,' when those same individuals have previously been designated by Meta as 'dangerous' under its dangerous organizations and individuals policy. The Board found that Meta’s approach to moderating content that contains the term to refer to individuals who are designated by the company’s policy on “dangerous organizations and individuals”—a policy that covers both government-proscribed organizations and others selected by the company—substantially and disproportionately restricts free expression.

The Oversight Board first issued a call for comment in early 2023, and in April of last year, EFF partnered with the European Center for Not-for-Profit Law (ECNL) to submit comment for the Board’s consideration. In our joint comment, we wrote:

The automated removal of words such as ‘shaheed’ fail to meet the criteria for restricting users’ right to freedom of expression. They not only lack necessity and proportionality and operate on shaky legal grounds (if at all), but they also fail to ensure access to remedy and violate Arabic-speaking users’ right to non-discrimination.

In addition to finding that Meta’s current approach to moderating such content restricts free expression, the Board noted that any restrictions on freedom of expression that seek to prevent violence must be necessary and proportionate, “given that undue removal of content may be ineffective and even counterproductive.”

We couldn’t agree more. We have long been concerned about the impact of corporate policies and government regulations designed to limit violent extremist content on human rights and evidentiary content, as well as journalism and art. We have worked directly with companies and with multi-stakeholder initiatives such as the Global Internet Forum to Counter Terrorism, Tech Against Terrorism, and the Christchurch Call to ensure that freedom of expression remains a core part of policymaking.

In its policy recommendation, the Board acknowledges the importance of Meta’s ability to take action to ensure its platforms are not used to incite violence or recruit people to engage in violence, and that the term “shaheed” is sometimes used by extremists “to praise or glorify people who have died while committing violent terrorist acts.” However, the Board also emphasizes that Meta’s response to such threats must be guided by respect for all human rights, including freedom of expression. Notably, the Board’s opinion echoes our previous demands for policy changes, as well as those of the Stop Silencing Palestine campaign initiated by nineteen digital and human rights organizations, including EFF.

We call on Meta to implement the Board’s recommendations and ensure that future policies and practices respect freedom of expression.

Disinformation and Elections: EFF and ARTICLE 19 Submit Key Recommendations to EU Commission

Global Elections and Platform Responsibility

This year is a major one for elections around the world, with pivotal races in the U.S., the UK, the European Union, Russia, and India, to name just a few. Social media platforms play a crucial role in democratic engagement by enabling users to participate in public discourse and by providing access to information, especially as public figures increasingly engage with voters directly. Unfortunately, elections also attract a sometimes dangerous amount of disinformation, filling users' news feeds with ads touting conspiracy theories about candidates, false news stories about stolen elections, and so on.

Online election disinformation and misinformation can have real world consequences in the U.S. and all over the world. The EU Commission and other regulators are therefore formulating measures platforms could take to address disinformation related to elections. 

Given their dominance over the online information space, providers of Very Large Online Platforms (VLOPs), as sites with over 45 million users in the EU are called, have unique power to influence outcomes.  Platforms are driven by economic incentives that may not align with democratic values, and that disconnect  may be embedded in the design of their systems. For example, features like engagement-driven recommender systems may prioritize and amplify disinformation, divisive content, and incitement to violence. That effect, combined with a significant lack of transparency and targeting techniques, can too easily undermine free, fair, and well-informed electoral processes.

Digital Services Act and EU Commission Guidelines

The EU Digital Services Act (DSA) contains a set of sweeping regulations about online-content governance and responsibility for digital services that make X, Facebook, and other platforms subject in many ways to the European Commission and national authorities. It focuses on content moderation processes on platforms, limits targeted ads, and enhances transparency for users. However, the DSA also grants considerable power to authorities to flag content and investigate anonymous users, powers that they may be tempted to misuse with elections looming. The DSA also obliges VLOPs to assess and mitigate systemic risks, but it is unclear what those obligations mean in practice. Much will depend on how social media platforms interpret their obligations under the DSA, and how European Union authorities enforce the regulation.

We therefore support the initiative by the EU Commission to gather views about what measures the Commission should call on platforms to take to mitigate specific risks linked to disinformation and electoral processes.

Together with ARTICLE 19, we have submitted comments to the EU Commission on future guidelines for platforms. In our response, we recommend that the guidelines prioritize best practices, instead of policing speech. Furthermore, DSA risk assessment and mitigation compliance evaluations should focus primarily on ensuring respect for fundamental rights. 

We further argue against using watermarking of AI content to curb disinformation, and caution against the draft guidelines’ broadly phrased recommendation that platforms should exchange information with national authorities. Any such exchanges should take care to respect human rights, beginning with a transparent process.  We also recommend that the guidelines pay particular attention to attacks against minority groups or online harassment and abuse of female candidates, lest such attacks further silence those parts of the population who are already often denied a voice.

EFF and ARTICLE 19 Submission: https://www.eff.org/document/joint-submission-euelections

Access to Internet Infrastructure is Essential, in Wartime and Peacetime

We’ve been saying it for 20 years, and it remains true now more than ever: the internet is an essential service. It enables people to build and create communities, shed light on injustices, and acquire vital knowledge that might not otherwise be available. And access to it becomes even more imperative in circumstances where being able to communicate and share real-time information directly with the people you trust is instrumental to personal safety and survival. More specifically, during wartime and conflict, internet and phone services enable the communication of information between people in challenging situations, as well as the reporting by on-the-ground journalists and ordinary people of the news. 

Unfortunately, governments across the world are very aware of their power to cut off this crucial lifeline, and frequently undertake targeted initiatives to do so. These internet shutdowns have become a blunt instrument that aids state violence and inhibits free speech, and are routinely deployed in direct contravention of human rights and civil liberties.

And this is not a one-dimensional situation. Nearly twenty years after the world’s first total internet shutdowns, this draconian measure is no longer the sole domain of authoritarian states but has become a favorite of a diverse set of governments across three continents. For example:

In Iran, the government has been suppressing internet access for many years. In the past two years in particular, people of Iran have suffered repeated internet and social media blackouts following an activist movement that blossomed after the death of Mahsa Amini, a woman murdered in police custody for refusing to wear a hijab. The movement gained global attention and in response, the Iranian government rushed to control both the public narrative and organizing efforts by banning social media, and sometimes cutting off internet access altogether. 

In Sudan, authorities have enacted a total telecommunications blackout during a massive conflict and displacement crisis. Shutting down the internet is a deliberate strategy blocking the flow of information that brings visibility to the crisis and prevents humanitarian aid from supporting populations endangered by the conflict. The communications blackout has extended for weeks, and in response a global campaign #KeepItOn has formed to put pressure on the Sudanese government to restore its peoples' access to these vital services. More than 300 global humanitarian organizations have signed on to support #KeepItOn.

And in Palestine, where the Israeli government exercises near-total control over both wired internet and mobile phone infrastructure, Palestinians in Gaza have experienced repeated internet blackouts inflicted by the Israeli authorities. The latest blackout in January 2024 occurred amid a widespread crackdown by the Israeli government on digital rights—including censorship, surveillance, and arrests—and amid accusations of bias and unwarranted censorship by social media platforms. On that occasion, the internet was restored after calls from civil society and nations, including the U.S. As we’ve noted, internet shutdowns impede residents' ability to access and share resources and information, as well as the ability of residents and journalists to document and call attention to the situation on the ground—more necessary than ever given that a total of 83 journalists have been killed in the conflict so far. 

Given that all of the internet cables connecting Gaza to the outside world go through Israel, the Israeli Ministry of Communications has the ability to cut off Palestinians’ access with ease. The Ministry also allocates spectrum to cell phone companies; in 2015 we wrote about an agreement that delivered 3G to Palestinians years later than the rest of the world. In 2022, President Biden offered to upgrade the West Bank and Gaza to 4G, but the initiative stalled. While some Palestinians are able to circumvent the blackout by utilizing Israeli SIM cards (which are difficult to obtain) or Egyptian eSIMs, these workarounds are not solutions to the larger problem of blackouts, which the National Security Council has said: “[deprive] people from accessing lifesaving information, while also undermining first responders and other humanitarian actors’ ability to operate and to do so safely.”

Access to internet infrastructure is essential, in wartime as in peacetime. In light of these numerous blackouts, we remain concerned about the control that authorities are able to exercise over the ability of millions of people to communicate. It is imperative that people’s access to the internet remains protected, regardless of how user platforms and internet companies transform over time. We continue to shout this, again and again, because it needs to be restated, and unfortunately today there are ever more examples of it happening before our eyes.




European Court of Human Rights Confirms: Weakening Encryption Violates Fundamental Rights

In a milestone judgment—Podchasov v. Russia—the European Court of Human Rights (ECtHR) has ruled that weakening of encryption can lead to general and indiscriminate surveillance of the communications of all users and violates the human right to privacy.

In 2017, the landscape of digital communication in Russia faced a pivotal moment when the government required Telegram Messenger LLP and other “internet communication” providers to store all communication data—and content—for specified durations. These providers were also required to supply law enforcement authorities with users’ data, the content of their communications, as well as any information necessary to decrypt user messages. The FSB (the Russian Federal Security Service) subsequently ordered Telegram to assist in decrypting the communications of specific users suspected of engaging in terrorism-related activities.

Telegram opposed this order on the grounds that it would create a backdoor that would undermine encryption for all of its users. As a result, Russian courts fined Telegram and ordered the blocking of its app within the country. The controversy extended beyond Telegram, drawing in numerous users who contested the disclosure orders in Russian courts. A Russian citizen, Mr Podchasov, escalated the issue to the European Court of Human Rights (ECtHR), arguing that forced decryption of user communication would infringe on the right to private life under Article 8 of the European Convention of Human Rights (ECHR), which reads as follows:  

Everyone has the right to respect for his private and family life, his home and his correspondence (Article 8 ECHR, right to respect for private and family life, home and correspondence) 

EFF has always stood against government intrusion into the private lives of users and advocated for strong privacy guarantees, including the right to confidential communication. Encryption not only safeguards users’ privacy but also protects their right to freedom of expression protected under international human rights law. 

In a great victory for privacy advocates, the ECtHR agreed. The Court found that the requirement of continuous, blanket storage of private user data interferes with the right to privacy under the Convention, emphasizing that the possibility for national authorities to access these data is a crucial factor for determining a human rights violation [at 53]. The Court identified the inherent risks of arbitrary government action in secret surveillance in the present case and found again—following its stance in Roman Zakharov v. Russia—that the relevant legislation failed to live up to the quality of law standards and lacked the adequate and effective safeguards against misuse [75]. Turning to a potential justification for such interference, the ECtHR emphasized the need of a careful balancing test that considers the use of modern data storage and processing technologies and weighs the potential benefits against important private-life interests [62-64].

In addressing the State mandate for service providers to submit decryption keys to security services, the court's deliberations culminated in the following key findings [76-80]:

  1. Encryption being important for protecting the right to private life and other fundamental rights, such as freedom of expression: The ECtHR emphasized the importance of encryption technologies for safeguarding the privacy of online communications. Encryption safeguards and protects the right to private life generally while also supporting the exercise of other fundamental rights, such as freedom of expression.
  2. Encryption as a shield against abuses: The Court emphasized the role of encryption to provide a robust defense against unlawful access and generally “appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information.” The Court held that this must be given due consideration when assessing measures which could weaken encryption.
  3. Decryption of communications orders weakens the encryption for all users: The ECtHR established that the need to decrypt Telegram's "secret chats" requires the weakening of encryption for all users. Taking note again of the dangers of restricting encryption described by many experts in the field, the Court held that backdoors could be exploited by criminal networks and would seriously compromise the security of all users’ electronic communications. 
  4. Alternatives to decryption: The ECtHR took note of a range of alternative solutions to compelled decryption that would not weaken the protective mechanisms, such as forensics on seized devices and better-resourced policing.  

In light of these findings, the Court held that the mandate to decrypt end-to-end encrypted communications risks weakening the encryption mechanism for all users, which was disproportionate to the legitimate aims pursued.

In summary [80], the Court concluded that the retention and unrestricted state access to internet communication data, coupled with decryption requirements, cannot be regarded as necessary in a democratic society, and are thus unlawful. It emphasized that a direct access of authorities to user data on a generalized basis and without sufficient safeguards impairs the very essence of the right to private life under the Convention. The Court also highlighted briefs filed by the European Information Society Institute (EISI) and Privacy International, which provided insight into the workings of end-to-end encryption and explained why mandated backdoors represent an illegal and disproportionate measure. 

Impact of the ECtHR ruling on current policy developments 

The ruling is a landmark judgment, which will likely draw new normative lines about human rights standards for private and confidential communication. We are currently supporting Telegram in its parallel complaint to the ECtHR, contending that blocking its app infringes upon fundamental rights. As part of a collaborative effort of international human rights and media freedom organisations, we have submitted a third-party intervention to the ECtHR, arguing that blocking an entire app is a serious and disproportionate restriction on freedom of expression. That case is still pending.

The Podchasov ruling also directly challenges ongoing efforts in Europe to weaken encryption to allow access and scanning of our private messages and pictures.

For example, the UK's controversial Online Safety Act creates the risk that online platforms will use software to search all users’ photos, files, and messages, scanning for illegal content. We recently submitted comments to the relevant UK regulator (Ofcom) to avoid any weakening of encryption when this law becomes operational.

In the EU, we are concerned about the European Commission’s message-scanning proposal (CSAR) as being a disaster for online privacy. It would allow EU authorities to compel online services to scan users’ private messages and compare users’ photos against law enforcement databases or use error-prone AI algorithms to detect criminal behavior. Such detection measures will inevitably lead to dangerous and unreliable Client-Side Scanning practices, undermining the essence of end-to-end encryption. As the ECtHR deems general user scanning as disproportionate, specifically criticizing measures that weaken existing privacy standards, forcing platforms like WhatsApp or Signal to weaken security by inserting a vulnerability into all users’ devices to enable message scanning must be considered unlawful.

The EU regulation proposal is likely to be followed by other proposals to grant law enforcement access to encrypted data and communications. An EU high level expert group on ‘access to data for effective law enforcement’ is expected to make policy recommendations to the next EU Commission in mid-2024. 

We call on lawmakers to take the Court of Human Rights ruling seriously: blanket and indiscriminate scanning of user communication and the general weakening of encryption for users is unacceptable and unlawful. 

Protect Good Faith Security Research Globally in Proposed UN Cybercrime Treaty

By: Karen Gullo
February 7, 2024 at 10:57

Statement submitted to the UN Ad Hoc Committee Secretariat by the Electronic Frontier Foundation, accredited under operative paragraph No. 9 of UN General Assembly Resolution 75/282, on behalf of 124 signatories.

We, the undersigned, representing a broad spectrum of the global security research community, write to express our serious concerns about the UN Cybercrime Treaty drafts released during the sixth session and the most recent one. These drafts pose substantial risks to global cybersecurity and significantly impact the rights and activities of good faith cybersecurity researchers.

Our community, which includes good faith security researchers in academia and cybersecurity companies, as well as those working independently, plays a critical role in safeguarding information technology systems. We identify vulnerabilities that, if left unchecked, can spread malware, cause data breaches, and give criminals access to sensitive information of millions of people. We rely on the freedom to openly discuss, analyze, and test these systems, free of legal threats.

The nature of our work is to research, discover, and report vulnerabilities in networks, operating systems, devices, firmware, and software. However, several provisions in the draft treaty risk hindering our work by categorizing much of it as criminal activity. If adopted in its current form, the proposed treaty would increase the risk that good faith security researchers could face prosecution, even when our goal is to enhance technological safety and educate the public on cybersecurity matters. It is critical that legal frameworks support our efforts to find and disclose technological weaknesses to make everyone more secure, rather than penalize us, and chill the very research and disclosure needed to keep us safe. This support is essential to improving the security and safety of technology for everyone across the world.

Equally important is our ability to differentiate our legitimate security research activities from malicious exploitation of security flaws. Current laws focusing on “unauthorized access” can be misapplied to good faith security researchers, leading to unnecessary legal challenges. In addressing this, we must consider two potential obstacles to our vital work. Broad, undefined rules for prior authorization risk deterring good faith security researchers, as they may not understand when or under what circumstances they need permission. This lack of clarity could ultimately weaken everyone's online safety and security. Moreover, our work often involves uncovering unknown vulnerabilities. These are security weaknesses that no one, including the system's owners, knows about until we discover them. We cannot be certain what vulnerabilities we might find. Therefore, requiring us to obtain prior authorization for each potential discovery is impractical and overlooks the essence of our work.

The unique strength of the security research community lies in its global focus, which prioritizes safeguarding infrastructure and protecting users worldwide, often putting aside geopolitical interests. Our work, particularly the open publication of research, minimizes and prevents harm that could impact people globally, transcending particular jurisdictions. The proposed treaty’s failure to exempt good faith security research from the expansive scope of its cybercrime prohibitions and to make the safeguards and limitations in Article 6-10 mandatory leaves the door wide open for states to suppress or control the flow of security related information. This would undermine the universal benefit of openly shared cybersecurity knowledge, and ultimately the safety and security of the digital environment.

We urge states to recognize the vital role the security research community plays in defending our digital ecosystem against cybercriminals, and call on delegations to ensure that the treaty supports, rather than hinders, our efforts to enhance global cybersecurity and prevent cybercrime. Specifically:

Article 6 (Illegal Access): This article risks criminalizing essential activities in security research, particularly where researchers access systems without prior authorization, to identify vulnerabilities. A clearer distinction is needed between malicious unauthorized access “without right” and “good faith” security research activities; safeguards for legitimate activities should be mandatory. A malicious intent requirement—including an intent to cause damage, defraud, or harm—is needed to avoid criminal liability for accidental or unintended access to a computer system, as well as for good faith security testing.

Article 6 should not use the ambiguous term “without right” as a basis for establishing criminal liability for unauthorized access. Apart from potentially criminalizing security research, similar provisions have also been misconstrued to attach criminal liability to minor violations committed deliberately or accidentally by authorized users. For example, violation of private terms of service (TOS)—a minor infraction ordinarily considered a civil issue—could be elevated into a criminal offense category via this treaty on a global scale.

Additionally, the treaty currently gives states the option to define unauthorized access in national law as the bypassing of security measures. This should not be optional, but rather a mandatory safeguard, to avoid criminalizing routine behavior such as changing one’s IP address, inspecting website code, and accessing unpublished URLs. Furthermore, it is crucial to specify that the bypassed security measures must be actually "effective." This distinction is important because it ensures that criminalization is precise and scoped to activities that cause harm. For instance, bypassing basic measures like geoblocking—which can be done innocently simply by changing location—should not be treated the same as overcoming robust security barriers with the intention to cause harm.

By adopting this safeguard and ensuring that security measures are indeed effective, the proposed treaty would shield researchers from arbitrary criminal sanctions for good faith security research.

These changes would clarify unauthorized access, more clearly differentiating malicious hacking from legitimate cybersecurity practices like security research and vulnerability testing. Adopting these amendments would enhance protection for cybersecurity efforts and more effectively address concerns about harmful or fraudulent unauthorized intrusions.

Article 7 (Illegal Interception): Analysis of network traffic is also a common practice in cybersecurity; this article currently risks criminalizing such analysis and should similarly be narrowed to require criminal intent (mens rea) to harm or defraud.

Article 8 (Interference with Data) and Article 9 (Interference with Computer Systems): These articles may inadvertently criminalize acts of security research, which often involve testing the robustness of systems by simulating attacks through interferences. As with prior articles, criminal intent to cause harm or defraud is not mandated, and a requirement that the activity cause serious harm is absent from Article 9 and optional in Article 8. These safeguards should be mandatory.

Article 10 (Misuse of Devices): The broad scope of this article could criminalize the legitimate use of tools employed in cybersecurity research, thereby affecting the development and use of these tools. Under the current draft, Article 10(2) specifically addresses the misuse of cybersecurity tools. It criminalizes obtaining, producing, or distributing these tools only if they are intended for committing cybercrimes as defined in Articles 6 to 9 (which cover illegal access, interception, data interference, and system interference). However, this also raises a concern. If Articles 6 to 9 do not explicitly protect activities like security testing, Article 10(2) may inadvertently criminalize security researchers. These researchers often use similar tools for legitimate purposes, like testing and enhancing systems security. Without narrow scope and clear safeguards in Articles 6-9, these well-intentioned activities could fall under legal scrutiny, despite not being aligned with the criminal malicious intent (mens rea) targeted by Article 10(2).

Article 22 (Jurisdiction): In combination with other provisions about measures that may be inappropriately used to punish or deter good-faith security researchers, the overly broad jurisdictional scope outlined in Article 22 also raises significant concerns. Under the article's provisions, security researchers discovering or disclosing vulnerabilities to keep the digital ecosystem secure could be subject to criminal prosecution simultaneously across multiple jurisdictions. This would have a chilling effect on essential security research globally and hinder researchers' ability to contribute to global cybersecurity. To mitigate this, we suggest revising Article 22(5) to prioritize “determining the most appropriate jurisdiction for prosecution” rather than “coordinating actions.” This shift could prevent the redundant prosecution of security researchers. Additionally, deleting Article 17 and limiting the scope of procedural and international cooperation measures to crimes defined in Articles 6 to 16 would further clarify and protect against overreach.

Article 28(4): This article is gravely concerning from a cybersecurity perspective. It empowers authorities to compel “any individual” with knowledge of computer systems to provide any “necessary information” for conducting searches and seizures of computer systems. This provision can be abused to force security experts, software engineers and/or tech employees to expose sensitive or proprietary information. It could also encourage authorities to bypass normal channels within companies and coerce individual employees, under the threat of criminal prosecution, to provide assistance in subverting technical access controls such as credentials, encryption, and just-in-time approvals without their employers’ knowledge. This dangerous paragraph must be removed in favor of the general duty for custodians of information to comply with lawful orders to the extent of their ability.

Security researchers—whether within organizations or independent—discover, report and assist in fixing tens of thousands of critical Common Vulnerabilities and Exposure (CVE) reported over the lifetime of the National Vulnerability Database. Our work is a crucial part of the security landscape, yet often faces serious legal risk from overbroad cybercrime legislation.

While the proposed UN Cybercrime Treaty's core cybercrime provisions closely mirror the Council of Europe’s Budapest Convention, the impact of cybercrime regimes and security research has evolved considerably in the two decades since that treaty was adopted in 2001. In that time, good faith cybersecurity researchers have faced significant repercussions for responsibly identifying security flaws. Concurrently, a number of countries have enacted legislative or other measures to protect the critical line of defense this type of research provides. The UN Treaty should learn from these past experiences by explicitly exempting good faith cybersecurity research from the scope of the treaty. It should also make existing safeguards and limitations mandatory. This change is essential to protect the crucial work of good faith security researchers and ensure the treaty remains effective against current and future cybersecurity challenges.

Since these negotiations began, we had hoped that governments would adopt a treaty that strengthens global computer security and enhances our ability to combat cybercrime. Unfortunately, the draft text, as written, would have the opposite effect. The current text would weaken cybersecurity and make it easier for malicious actors to create or exploit weaknesses in the digital ecosystem by subjecting us to criminal prosecution for good faith work that keeps us all safer. Such an outcome would undermine the very purpose of the treaty: to protect individuals and our institutions from cybercrime.

To be submitted by the Electronic Frontier Foundation, accredited under operative paragraph No. 9 of UN General Assembly Resolution 75/282 on behalf of 124 signatories.

Individual Signatories
Jobert Abma, Co-Founder, HackerOne (United States)
Martin Albrecht, Chair of Cryptography, King's College London (Global)
Nicholas Allegra (United States)
Ross Anderson, Universities of Edinburgh and Cambridge (United Kingdom)
Diego F. Aranha, Associate Professor, Aarhus University (Denmark)
Kevin Beaumont, Security researcher (Global)
Steven Becker (Global)
Janik Besendorf, Security Researcher (Global)
Wietse Boonstra (Global)
Juan Brodersen, Cybersecurity Reporter, Clarin (Argentina)
Sven Bugiel, Faculty, CISPA Helmholtz Center for Information Security (Germany)
Jon Callas, Founder and Distinguished Engineer, Zatik Security (Global)
Lorenzo Cavallaro, Professor of Computer Science, University College London (Global)
Joel Cardella, Cybersecurity Researcher (Global)
Inti De Ceukelaire (Belgium)
Enrique Chaparro, Information Security Researcher (Global)
David Choffnes, Associate Professor and Executive Director of the Cybersecurity and Privacy Institute at Northeastern University (United States/Global)
Gabriella Coleman, Full Professor Harvard University (United States/Europe)
Cas Cremers, Professor and Faculty, CISPA Helmholtz Center for Information Security (Global)
Daniel Cuthbert (Europe, Middle East, Africa)
Ron Deibert, Professor and Director, the Citizen Lab at the University of Toronto's Munk School (Canada)
Domingo, Security Incident Handler, Access Now (Global)
Stephane Duguin, CEO, CyberPeace Institute (Global)
Zakir Durumeric, Assistant Professor of Computer Science, Stanford University; Chief Scientist, Censys (United States)
James Eaton-Lee, CISO, NetHope (Global)
Serge Egelman, University of California, Berkeley; Co-Founder and Chief Scientist, AppCensus (United States/Global)
Jen Ellis, Founder, NextJenSecurity (United Kingdom/Global)
Chris Evans, Chief Hacking Officer @ HackerOne; Founder @ Google Project Zero (United States)
Dra. Johanna Caterina Faliero, PhD; Professor, Faculty of Law, University of Buenos Aires; Professor, University of National Defence (Argentina/Global)
Dr. Ali Farooq, University of Strathclyde, United Kingdom (Global)
Victor Gevers, co-founder of the Dutch Institute for Vulnerability Disclosure (Netherlands)
Abir Ghattas (Global)
Ian Goldberg, Professor and Canada Research Chair in Privacy Enhancing Technologies, University of Waterloo (Canada)
Matthew D. Green, Associate Professor, Johns Hopkins University (United States)
Harry Grobbelaar, Chief Customer Officer, Intigriti (Global)
Juan Andrés Guerrero-Saade, Associate Vice President of Research, SentinelOne (United States/Global)
Mudit Gupta, Chief Information Security Officer, Polygon (Global)
Hamed Haddadi, Professor of Human-Centred Systems at Imperial College London; Chief Scientist at Brave Software (Global)
J. Alex Halderman, Professor of Computer Science & Engineering and Director of the Center for Computer Security & Society, University of Michigan (United States)
Joseph Lorenzo Hall, PhD, Distinguished Technologist, The Internet Society
Dr. Ryan Henry, Assistant Professor and Director of Masters of Information Security and Privacy Program, University of Calgary (Canada)
Thorsten Holz, Professor and Faculty, CISPA Helmholtz Center for Information Security, Germany (Global)
Joran Honig, Security Researcher (Global)
Wouter Honselaar, MSc student security; hosting engineer & volunteer, Dutch Institute for Vulnerability Disclosure (DIVD)(Netherlands)
Prof. Dr. Jaap-Henk Hoepman (Europe)
Christian “fukami” Horchert (Germany / Global)
Andrew 'bunnie' Huang, Researcher (Global)
Dr. Rodrigo Iglesias, Information Security, Lawyer (Argentina)
Hudson Jameson, Co-Founder - Security Alliance (SEAL)(Global)
Stijn Jans, CEO of Intigriti (Global)
Gerard Janssen, Dutch Institute for Vulnerability Disclosure (DIVD)(Netherlands)
JoyCfTw, Hacktivist (United States/Argentina/Global)
Doña Keating, President and CEO, Professional Options LLC (Global)

Federico Kirschbaum, Co-Founder & CEO of Faraday Security, Co-Founder of Ekoparty Security Conference (Argentina/Global)
Xavier Knol, Cybersecurity Analyst and Researcher (Global)
Olaf Kolkman, Principal, Internet Society (Global)
Micah Lee, Director of Information Security, The Intercept (United States)
Jan Los (Europe/Global)
Matthias Marx, Hacker (Global)
Keane Matthews, CISSP (United States)
René Mayrhofer, Full Professor and Head of Institute of Networks and Security, Johannes Kepler University Linz, Austria (Austria/Global)
Ron Mélotte (Netherlands)
Hans Meuris (Global)
Marten Mickos, CEO, HackerOne (United States)
Adam Molnar, Assistant Professor, Sociology and Legal Studies, University of Waterloo (Canada/Global)
Jeff Moss, Founder of the information security conferences DEF CON and Black Hat (United States)
Katie Moussouris, Founder and CEO of Luta Security; coauthor of ISO standards on vulnerability disclosure and handling processes (Global)
Alec Muffett, Security Researcher (United Kingdom)
Kurt Opsahl, Associate General Counsel for Cybersecurity and Civil Liberties Policy, Filecoin Foundation; President, Security Researcher Legal Defense Fund (Global)
Ivan "HacKan" Barrera Oro (Argentina)
Chris Palmer, Security Engineer (Global)
Yanna Papadodimitraki, University of Cambridge (United Kingdom/European Union/Global)
Sunoo Park, New York University (United States)
Mathias Payer, Associate Professor, École Polytechnique Fédérale de Lausanne (EPFL)(Global)
Giancarlo Pellegrino, Faculty, CISPA Helmholtz Center for Information Security, Germany (Global)
Fabio Pierazzi, King’s College London (Global)
Bart Preneel, full professor, University of Leuven, Belgium (Global)
Michiel Prins, Founder @ HackerOne (United States)
Joel Reardon, Professor of Computer Science, University of Calgary, Canada; Co-Founder of AppCensus (Global)
Alex Rice, Co-Founder & CTO, HackerOne (United States)
René Rehme, rehme.infosec (Germany)
Tyler Robinson, Offensive Security Researcher (United States)
Michael Roland, Security Researcher and Lecturer, Institute of Networks and Security, Johannes Kepler University Linz; Member, SIGFLAG - Verein zur (Austria/Europe/Global)
Christian Rossow, Professor and Faculty, CISPA Helmholtz Center for Information Security, Germany (Global)
Pilar Sáenz, Coordinator Digital Security and Privacy Lab, Fundación Karisma (Colombia)
Runa Sandvik, Founder, Granitt (United States/Global)
Koen Schagen (Netherlands)
Sebastian Schinzel, Professor at University of Applied Sciences Münster and Fraunhofer SIT (Germany)
Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School (United States)
HFJ Schokkenbroek (hp197), IFCAT board member (Netherlands)
Javier Smaldone, Security Researcher (Argentina)
Guillermo Suarez-Tangil, Assistant Professor, IMDEA Networks Institute (Global)
Juan Tapiador, Universidad Carlos III de Madrid, Spain (Global)
Dr Daniel R. Thomas, University of Strathclyde, StrathCyber, Computer & Information Sciences (United Kingdom)
Cris Thomas (Space Rogue), IBM X-Force (United States/Global)
Carmela Troncoso, Assistant Professor, École Polytechnique Fédérale de Lausanne (EPFL) (Global)
Narseo Vallina-Rodriguez, Research Professor at IMDEA Networks/Co-founder AppCensus Inc (Global)
Jeroen van der Broek, IT Security Engineer (Netherlands)
Jeroen van der Ham-de Vos, Associate Professor, University of Twente, The Netherlands (Global)
Charl van der Walt, Head of Security Research, Orange Cyberdefense (a division of Orange Networks)(South Africa/France/Global)
Chris van 't Hof, Managing Director DIVD, Dutch Institute for Vulnerability Disclosure (Global)
Dimitri Verhoeven (Global)
Tarah Wheeler, CEO Red Queen Dynamics & Senior Fellow Global Cyber Policy, Council on Foreign Relations (United States)
Dominic White, Ethical Hacking Director, Orange Cyberdefense (a division of Orange Networks)(South Africa/Europe)
Eddy Willems, Security Evangelist (Global)
Christo Wilson, Associate Professor, Northeastern University (United States)
Robin Wilton, IT Consultant (Global)
Tom Wolters (Netherlands)
Mehdi Zerouali, Co-founder & Director, Sigma Prime (Australia/Global)

Organizational Signatories
Dutch Institute for Vulnerability Disclosure (DIVD)(Netherlands)
Fundación Vía Libre (Argentina)
Good Faith Cybersecurity Researchers Coalition (European Union)
Access Now (Global)
Chaos Computer Club (CCC)(Europe)
HackerOne (Global)
Hacking Policy Council (United States)
HINAC (Hacking is not a Crime)(United States/Argentina/Global)
Intigriti (Global)
Jolo Secure (Latin America)
K+LAB, Digital security and privacy Lab, Fundación Karisma (Colombia)
Luta Security (Global)
OpenZeppelin (United States)
Professional Options LLC (Global)
Stichting International Festivals for Creative Application of Technology Foundation

Draft UN Cybercrime Treaty Could Make Security Research a Crime, Leading 124 Experts to Call on UN Delegates to Fix Flawed Provisions that Weaken Everyone’s Security

By: Karen Gullo
February 7, 2024 at 10:56

Security researchers’ work discovering and reporting vulnerabilities in software, firmware, networks, and devices protects people, businesses and governments around the world from malware, theft of critical data, and other cyberattacks. The internet and the digital ecosystem are safer because of their work.

The UN Cybercrime Treaty, which is in the final stages of drafting in New York this week, risks criminalizing this vitally important work. This is appalling and wrong, and must be fixed.

One hundred and twenty-four prominent security researchers and cybersecurity organizations from around the world voiced their concern today about the draft and called on UN delegates to modify flawed language in the text that would hinder researchers’ efforts to enhance global security and prevent the actual criminal activity the treaty is meant to rein in.

Time is running out—the final negotiations over the treaty end Feb. 9. The talks are the culmination of two years of negotiations; EFF and its international partners have raised concerns over the treaty’s flaws since the beginning. If approved as is, the treaty will substantially impact criminal laws around the world and grant new expansive police powers for both domestic and international criminal investigations.

Experts who work globally to find and fix vulnerabilities before real criminals can exploit them said in a statement today that vague language and overbroad provisions in the draft increase the risk that researchers could face prosecution. The draft fails to protect the good faith work of security researchers who may bypass security measures and gain access to computer systems in identifying vulnerabilities, the letter says.

The draft threatens security researchers because it doesn’t specify that access to computer systems with no malicious intent to cause harm, steal, or infect with malware should not be subject to prosecution. If left unchanged, the treaty would be a major blow to cybersecurity around the world.

Specifically, security researchers seek changes to Article 6, which risks criminalizing essential activities, including accessing systems without prior authorization to identify vulnerabilities. The current text also includes the ambiguous term “without right” as a basis for establishing criminal liability for unauthorized access. Clarification of this vague language, as well as a requirement that unauthorized access be done with malicious intent, is needed to protect security research.

The signers also called out Article 28(4), which empowers States to force “any individual” with knowledge of computer systems to turn over any information necessary to conduct searches and seizures of computer systems. This dangerous paragraph must be removed and replaced with language specifying that custodians must only comply with lawful orders to the extent of their ability.

There are many other problems with the draft treaty—it lacks human rights safeguards, gives States powers to reach across borders to surveil and collect personal information of people in other States, and forces tech companies to collude with law enforcement in alleged cybercrime investigations.

EFF and its international partners have been and are pressing hard for human rights safeguards and other fixes to ensure that the fight against cybercrime does not require sacrificing fundamental rights. We stand with security researchers in demanding amendments to ensure the treaty is not used as a tool to threaten, intimidate, or prosecute them, software engineers, security teams, and developers.

For the statement:
https://www.eff.org/deeplinks/2024/02/protect-good-faith-security-research-globally-proposed-un-cybercrime-treaty

For more on the treaty:
https://ahc.derechosdigitales.org/en/

In Final Talks on Proposed UN Cybercrime Treaty, EFF Calls on Delegates to Incorporate Protections Against Spying and Restrict Overcriminalization or Reject Convention

By: Karen Gullo
January 29, 2024 at 12:42

UN Member States are meeting in New York this week to conclude negotiations over the final text of the UN Cybercrime Treaty, which—despite warnings from hundreds of civil society organizations across the globe, security researchers, media rights defenders, and the world’s largest tech companies—will, in its present form, endanger human rights and make the cyber ecosystem less secure for everyone.

EFF and its international partners are going into this last session with a unified message: without meaningful changes to limit surveillance powers for electronic evidence gathering across borders and add robust minimum human rights safeguards that apply across borders, the convention should be rejected by state delegations and not advance to the UN General Assembly in February for adoption.

EFF and its partners have for months warned that enforcement of such a treaty would have dire consequences for human rights. On a practical level, it will impede free expression and endanger activists, journalists, dissenters, and everyday people.

Under the draft treaty's current provisions on accessing personal data for criminal investigations across borders, each country is allowed to define what constitutes a "serious crime." Such definitions can be excessively broad and violate international human rights standards. States where it’s a crime to criticize political leaders (Thailand), upload videos of yourself dancing (Iran), or wave a rainbow flag in support of LGBTQ+ rights (Egypt), can, under this UN-sanctioned treaty, require one country to conduct surveillance to aid another, in accordance with the data disclosure standards of the requesting country. This includes surveilling individuals under investigation for these offenses, with the expectation that technology companies will assist. Such assistance involves turning over personal information, location data, and private communications secretly, without any guardrails, in jurisdictions lacking robust legal protections.

The final 10-day negotiating session in New York will conclude a series of talks that started in 2022 to create a treaty to prevent and combat core computer-enabled crimes, like distribution of malware, data interception and theft, and money laundering. From the beginning, Member States failed to reach consensus on the treaty’s scope, the inclusion of human rights safeguards, and even the definition of “cybercrime.” The scope of the entire treaty was too broad from the very beginning; Member States eventually dropped some of these offenses, limiting the scope of the criminalization section, but not the evidence-gathering provisions that hand States dangerous surveillance powers. What was supposed to be an international accord to combat core cybercrime morphed into a global surveillance agreement covering any and all crimes conceived by Member States.

The latest draft, released last November, blatantly disregards our calls to narrow the scope, strengthen human rights safeguards, and tighten loopholes enabling countries to assist each other in spying on people. It also retains a controversial provision allowing states to compel engineers or tech employees to undermine security measures, posing a threat to encryption. Absent from the draft are protections for good-faith cybersecurity researchers and others acting in the public interest.

This is unacceptable. In a Jan. 23 joint statement to delegates participating in this final session, EFF and 110 organizations outlined non-negotiable redlines for the draft that will emerge from this session, which ends Feb. 8. These include:

  • Narrowing the scope of the entire Convention to cyber-dependent crimes specifically defined within its text.
  • Including provisions to ensure that security researchers, whistleblowers, journalists, and human rights defenders are not prosecuted for their legitimate activities and that other public interest activities are protected. 
  • Guaranteeing explicit data protection and human rights standards like legitimate purpose, nondiscrimination, prior judicial authorization, necessity and proportionality apply to the entire Convention.
  • Mainstreaming gender across the Convention as a whole and throughout each article in efforts to prevent and combat cybercrime.

It’s been a long fight pushing for a treaty that combats cybercrime without undermining basic human rights. Without these improvements, the risks of this treaty far outweigh its potential benefits. States must stand firm and reject the treaty if our redlines can’t be met. We cannot and will not support or recommend a draft that will make everyone less, instead of more, secure.

UAE Confirms Trial Against 84 Detainees; Ahmed Mansoor Suspected Among Them

January 10, 2024 at 05:51

The UAE confirmed this week that it has placed 84 detainees on trial, on charges of “establishing another secret organization for the purpose of committing acts of violence and terrorism on state territory.” Suspected to be among those facing trial is award-winning human rights defender Ahmed Mansoor, also known as “the million dollar dissident,” as he was once the target of exploits that exposed major security flaws in Apple’s iOS operating system—the kind of “zero-day” vulnerabilities that fetch seven figures on the exploit market. Mansoor drew the ire of UAE authorities for criticizing the country’s internet censorship and surveillance apparatus and for calling for a free press and democratic freedoms in the country.

Having previously been arrested in 2011 and sentenced to three years' imprisonment for “insulting officials,” Ahmed Mansoor was released after eight months due to a presidential pardon influenced by international pressure. Later, Mansoor faced new speech-related charges for using social media to “publish false information that harms national unity.” During this period, authorities held him in an unknown location for over a year, deprived of legal representation, before convicting him again in May 2018 and sentencing him to ten years in prison under the UAE’s draconian cybercrime law. We have long advocated for his release, and are joined in doing so by hundreds of digital and human rights organizations around the world.

At the recent COP28 climate talks, Human Rights Watch and Amnesty International and other activists conducted a protest inside the UN-protected “blue zone” to raise awareness of Mansoor’s plight, as well as the cases of both UAE detainee Mohamed El-Siddiq and Egyptian-British activist Alaa Abd El Fattah. At the same time, it was reported by a dissident group that the UAE was proceeding with the trial against 84 of its detainees.

We reiterate our call for Ahmed Mansoor’s freedom, and take this opportunity to raise further awareness of the oppressive nature of the legislation that was used to imprison him. The UAE’s use of its criminal law to silence those who speak truth to power is another example of how counter-terrorism laws restrict free expression and justify disproportionate state surveillance. This concern is not hypothetical; a 2023 study by the Special Rapporteur on counter-terrorism found widespread and systematic abuse of civil society and civic space through the use of similar laws supposedly designed to counter terrorism. Moreover, and problematically, references “related to terrorism” in the treaty preamble are still included in the latest version of a proposed United Nations Cybercrime Treaty, currently being negotiated with more than 190 member states, even though there is no agreed-upon definition of terrorism in international law. If approved as currently written, the UN Cybercrime Treaty has the potential to substantively reshape international criminal law and bolster cross-border police surveillance powers to access and share users’ data, implicating the human rights of billions of people worldwide, and could enable States to justify repressive measures that overly restrict free expression and peaceful dissent.

Fighting European Threats to Encryption: 2023 Year in Review 

Private communication is a fundamental human right. In the online world, the best tool we have to defend this right is end-to-end encryption. Yet throughout 2023, politicians across Europe attempted to undermine encryption, seeking to access and scan our private messages and pictures. 

But we pushed back in the EU, and so far, we’ve succeeded. EFF spent this year fighting hard against an EU proposal (text) that, if it became law, would have been a disaster for online privacy in the EU and throughout the world. In the name of fighting online child abuse, the European Commission, the EU’s executive body, put forward a draft bill that would allow EU authorities to compel online services to scan user data and check it against law enforcement databases. The proposal would have pressured online services to abandon end-to-end encryption. The Commission even suggested using AI to rifle through peoples’ text messages, leading some opponents to call the proposal “chat control.”

EFF has been opposed to this proposal since it was unveiled last year. We joined together with EU allies and urged people to sign the “Don’t Scan Me” petition. We lobbied EU lawmakers and urged them to protect their constituents’ human right to have a private conversation—backed up by strong encryption. 

Our message broke through. In November, a key EU committee adopted a position that bars mass scanning of messages and protects end-to-end encryption. It also bars mandatory age verification, which would have amounted to a mandate to show ID before you get online; age verification can erode a free and anonymous internet for both kids and adults. 

We’ll continue to monitor the EU proposal as attention shifts to the Council of the EU, the second decision-making body of the EU. Despite several Member States still supporting widespread surveillance of citizens, there are promising signs that such a measure won’t get majority support in the Council. 

Make no mistake—the hard-fought compromise in the European Parliament is a big victory for EFF and our supporters. The governments of the world should understand clearly: mass scanning of peoples’ messages is wrong, and at odds with human rights. 

A Wrong Turn in the U.K.

EFF also opposed the U.K.’s Online Safety Bill (OSB), which passed and became the Online Safety Act (OSA) this October, after more than four years on the British legislative agenda. The stated goal of the OSB was to make the U.K. the world’s “safest place” to use the internet, but the bill’s more than 260 pages actually outline a variety of ways to undermine our privacy and speech. 

The OSA requires platforms to take action to prevent individuals from encountering certain illegal content, which will likely mandate the use of intrusive scanning systems. Even worse, it empowers the British government, in certain situations, to demand that online platforms use government-approved software to scan for illegal content. The U.K. government said that content will only be scanned to check for specific categories of content. In one of the final OSB debates, a representative of the government noted that orders to scan user files “can be issued only where technically feasible,” as determined by the U.K. communications regulator, Ofcom. 

But as we’ve said many times, there is no middle ground to content scanning and no “safe backdoor” if the internet is to remain free and private. Either all content is scanned and all actors—including authoritarian governments and rogue criminals—have access, or no one does. 

Despite our opposition, working closely with civil society groups in the UK, the bill passed in September, with anti-encryption measures intact. But the story doesn't end here. The OSA remains vague about what exactly it requires of platforms and users alike. Ofcom must now take the OSA and, over the coming year, draft regulations to operationalize the legislation. 

The public understands better than ever that government efforts to “scan it all” will always undermine encryption, and prevent us from having a safe and secure internet. EFF will monitor Ofcom’s drafting of the regulation, and we will continue to hold the UK government accountable to the international and European human rights protections that they are signatories to. 

This blog is part of our Year in Review series. Read other articles about the fight for digital rights in 2023.

International Threats to Freedom of Expression: 2023 Year in Review

December 27, 2023 at 13:36

2023 has been an unfortunate reminder that the right to free expression is most fragile for groups on the margins, and that it can quickly become a casualty during global conflicts. Threats to speech arose out of the ongoing war in Palestine. They surfaced in bills and laws around the world that explicitly restrict LGBTQ+ freedom of expression and privacy. And past threats—and acts—were ignored by the United Nations, as the UN’s Secretary-General announced it would grant Saudi Arabia host status for the 2024 Internet Governance Forum (IGF).

LGBTQ+ Rights

Globally, an increase in anti-LGBTQ+ intolerance is impacting individuals and communities both online and off. The digital rights community has observed an uptick in censorship of LGBTQ+ websites as well as troubling attempts by several countries to pass explicitly anti-LGBTQ+ bills restricting freedom of expression and privacy—bills that also fuel offline intolerance against LGBTQ+ people, and force LGBTQ+ individuals to self-censor their online expression to avoid being profiled, harassed, doxxed, or criminally prosecuted. 

One prominent example is Ghana's draconian “Promotion of Proper Human Sexual Rights and Ghanaian Family Values Bill, 2021.” This year, EFF and other civil society partners continued to call on the government of Ghana to immediately reject this draconian bill and commit instead to protecting the human rights of all people in Ghana.

To learn more about this issue, read our 2023 Year in Review post on threats to LGBTQ+ speech.

Free Expression in Times of Conflict

The war in Palestine has exacerbated existing threats to free expression that Palestinians already faced, particularly those living in Gaza. Most acutely, the Israeli government began targeting telecommunications infrastructure early on in the war, inhibiting Palestinians’ ability to share information and access critical services. At the same time, platforms have failed to moderate misinformation (while overmoderating other content), which—at a time when many Palestinians can’t access the internet—has created an imbalance in information and media coverage.

EFF teamed up with a number of other digital rights organizations—including 7amleh, Access Now, Amnesty International, and Article 19—to demand that Meta take steps to ensure Palestinian content is moderated fairly. This effort follows the 2021 campaign of the same name.

The 2024 Internet Governance Forum

Digital rights organizations were shocked to learn in October that the 2024 Internet Governance Forum is slated to be held in Saudi Arabia. Following the announcement, we joined numerous digital rights organizations in calling on the United Nations to reverse their decision.

EFF has, for many years, expressed concern about the normalization of the government of Saudi Arabia by Silicon Valley companies and the global community. In recent years, the Saudi government has spied on its own citizens on social media and through the use of spyware; imprisoned Wikipedia volunteers for their contributions to access to information on the platform; sentenced a PhD student and mother of two to 34 years in prison and a subsequent travel ban of the same length; and sentenced a teacher to death for his posts on social media.

The UK Threatens Expression

We have been disheartened this year to see the push in the UK to pass its Online Safety Bill. EFF has long opposed the legislation, and throughout 2023 we stressed that mandated scanning obligations will lead to censorship of lawful and valuable expression. The Online Safety Bill also threatens another basic human right: our right to have a private conversation. From our point of view, the UK pushed the Bill through aware of the damage it would cause.

Despite our opposition, working closely with civil society groups in the UK, the bill passed in September. But the story doesn't end here. The Online Safety Act remains vague about what exactly it requires of platforms and users alike, and Ofcom must now draft regulations to operationalize the legislation. EFF will monitor Ofcom’s drafting of the regulation, and we will continue to hold the UK government accountable to the international and European human rights protections that they are signatories to. 

New Hope for Alaa Abd El Fattah Case

While 2023 has overall been a disappointing year for free expression, there is always hope, and for us this has come in the form of renewed efforts to free our friend and EFF Award Winner, Alaa Abd El Fattah.

This year, on Alaa’s 42nd birthday (and his tenth in prison), his family filed a new petition to the UN Working Group on Arbitrary Detention in the hopes of finally securing his release. This latest appeal comes after Alaa spent more than half of 2022 on a hunger strike in protest of his treatment in prison, which he started on the first day of Ramadan. A few days after the strike began, on April 11, Alaa’s family announced that he had become a British citizen through his mother. There was hope last year, following a groundswell of protests that began in the summer and extended to the COP27 conference, that the UK foreign secretary could secure his release, but so far, this has not happened. Alaa's hunger strike did result in improved prison conditions and family visitation rights, but only after it prompted protests and fifteen Nobel Prize laureates demanded his release.

This holiday season, we are hoping that Alaa can finally be reunited with his family.

This blog is part of our Year in Review series. Read other articles about the fight for digital rights in 2023.

2023 Year in Review

By: Cindy Cohn
December 21, 2023 at 11:00

At the end of every year, we look back at the last 12 months and evaluate what has changed for the better (and worse) for digital rights. While we can be frustrated (hello, ongoing attacks on encryption), overall it's always an exhilarating reminder of just how far we've come since EFF was founded over 33 years ago. Just the scale alone is breathtaking. Digital rights started as a niche, future-focused issue that we would struggle to explain to nontechnical people; now it's deeply embedded into all of our lives.

The legislative, court, and agency fights around the world this year also helped us see and articulate a common thread: the need for a "privacy first" approach to laws and technology innovation. As we wrote in a new white paper aptly entitled "Privacy First: A Better Way to Address Online Harms," many of the ills of today’s internet have a single thing in common, and it is that they are built on a business model of corporate surveillance and behavioral advertising. Addressing that problem could help us make great strides in a range of issues, and avoid many of the terrible likely impacts of many of today's proposed "solutions."

Instead of considering proposals that would censor speech and put children's access to internet resources at the whims of state attorneys general, we could be targeting the root cause of the concern: internet companies' collection, storage, sales, and use of our personal information and activities to feed their algorithms and ad services. Police go straight to tech companies for your data or the data on everyone who was near a certain location.  And that's when they even bother with a court-overseen process, rather than simply issuing a subpoena, showing up and demanding it, or buying data from data brokers. If we restricted what data tech companies could keep and for how long, we could also tackle this problem at the source. Instead of unconstitutional link taxes to save local journalism, laws that attack behavioral advertising--built on collection of data--would break the ad and data monopoly that put journalists at the mercy of Big Tech in the first place.

Concerns about what is feeding AI, social media algorithms, government spying (either your own or another country's), online harassment, getting access to healthcare--so much can be better protected if we address privacy first. EFF knows this, and it's why, in 2023, we did things like launch the Tor University Challenge, urge the Supreme Court to recognize that the Fifth Amendment protects you from being forced to give your phone's passcode to police, and work to fix the dangerously flawed UN Cybercrime Treaty. Most recently, we celebrated Google's decision to limit the data collected and kept in its "Location History" as a potentially huge step to prevent geofence warrants that use Google's storehouse of location data to conduct massive, unconstitutional searches sweeping in many innocent bystanders. 

Of course, as much as individuals need more privacy, we also need more transparency, especially from our governments and the big corporations that rule so much of our digital lives. That's why EFF urged the Supreme Court to overturn an order preventing Twitter (now X) from publishing a transparency report with data about what, exactly, government agents have asked the company for. It's why we won an important victory in keeping laws and regulations online and accessible. And it's why we defended the Internet Archive from an attack by major publishers seeking to cripple libraries' ability to give the rest of us access to knowledge into the digital age.

All of that barely scratches the surface of what we've been doing this year. But none of it would be possible without the strong partnership of our members, supporters, and all of you who stood up and took action to build a better future. 

EFF has an annual tradition of writing several blog posts on what we’ve accomplished this year, what we’ve learned, and where we have more to do. We will update this page with new stories about digital rights in 2023 every day between now and the new year.

EFF Joins Forces with 20+ Organizations in the Coalition #MigrarSinVigilancia

December 18, 2023 at 10:12

Today, EFF joins more than 25 civil society organizations to launch the Coalition #MigrarSinVigilancia ("To Migrate Without Surveillance"). The Latin American coalition’s aim is to oppose arbitrary and indiscriminate surveillance affecting migrants across the region, and to push for the protection of human rights by safeguarding migrants' privacy and personal data.

On this International Migrants Day (December 18), we join forces with a key group of digital rights and frontline humanitarian organizations to coordinate actions and share resources in pursuit of this significant goal.

Governments increasingly use technologies to monitor migrants, asylum seekers, and others moving across borders with growing frequency and intensity. This intensive surveillance is often framed within the concept of "smart borders" as a more humanitarian approach to address and streamline border management, even though its implementation often negatively impacts the migrant population.

EFF has been documenting the magnitude and breadth of such surveillance apparatus, as well as how it grows and impacts communities at the border. We have fought in courts against the arbitrariness of border searches in the U.S. and called out the inherent dangers of amassing migrants' genetic data in law enforcement databases.  

The coalition we launch today stresses that the lack of transparency in surveillance practices and regional government collaboration violates human rights. This opacity is intertwined with the absence of effective safeguards for migrants to know and decide crucial aspects of how authorities collect and process their data.

The Coalition calls on all states in the Americas, as well as companies and organizations providing them with technologies and services for cross-border monitoring, to take several actions:

  1. Safeguard the human rights of migrants, including but not limited to the rights to migrate and seek asylum, the right to not be separated from their families, due process of law, and consent, by protecting their personal data.
  2. Recognize the mental, emotional, and legal impact that surveillance has on migrants and other people on the move.
  3. Ensure human rights safeguards for monitoring and supervising technologies for migration control.
  4. Conduct a human rights impact assessment of already implemented technologies for migration control.
  5. Refrain from using or prohibit technologies for migration control that present inherent or serious human rights harms.
  6. Strengthen efforts to achieve effective remedies for abuses, accountability, and transparency by authorities and the private sector.

We invite you to learn more about the Coalition #MigrarSinVigilancia and the work of the organizations involved, and to stand with us to safeguard data privacy rights of migrants and asylum seekers—rights that are crucial for their ability to safely build new futures.

Alaa Abd El-Fattah: Letter to the United Nations Working Group on Arbitrary Detention

November 24, 2023 at 10:41

EFF has signed on to the following letter alongside 33 other organizations in support of a submission to the United Nations Working Group on Arbitrary Detention (UNWGAD), first published here by English PEN. To learn more about Alaa's case, visit Offline.

23 November 2023

Dear Members of the United Nations Working Group on Arbitrary Detention,

We, the undersigned 34 freedom of expression and human rights organisations, are writing regarding the recent submission to the United Nations Working Group on Arbitrary Detention (UNWGAD) filed on behalf of the award-winning writer and activist Alaa Abd El-Fattah, a British-Egyptian citizen.

On 14 November 2023, Alaa Abd El-Fattah and his family filed an urgent appeal with the UNWGAD, submitting that his continuing detention in Egypt is arbitrary and contrary to international law. Alaa Abd El-Fattah and his family are represented by an International Counsel team led by English barrister Can Yeğinsu.

Alaa Abd-El Fattah has spent much of the past decade imprisoned in Egypt on charges related to his writing and activism and remains arbitrarily detained in Wadi al-Natrun prison and denied consular visits. He is a key case of concern to our organisations.

Around this time last year (11 November 2022), UN Experts in the Special Procedures of the UN Human Rights Council joined the growing chorus of human rights voices demanding Abd el-Fattah’s immediate release.

We, the undersigned organisations, are writing in support of the recent UNWGAD submission and to urge the Working Group to consider and announce their opinion on Abd El-Fattah’s case at the earliest opportunity.

Yours sincerely,

Brett Solomon, Executive Director, Access Now

Ahmed Samih Farag, General Director, Andalus Institute for Tolerance and Anti-Violence Studies

Quinn McKew, Executive Director, ARTICLE 19

Bahey eldin Hassan, Director, Cairo Institute for Human Rights Studies (CIHRS)

Jodie Ginsberg, President, Committee to Protect Journalists

Sayed Nasr, Executive Director, EgyptWide for Human Rights

Ahmed Attalla, Executive Director, Egyptian Front for Human Rights

Samar Elhusseiny, Programs Officer, Egyptian Human Rights Forum (EHRF)

Jillian C. York, Director for International Freedom of Expression, Electronic Frontier Foundation

Daniel Gorman, Director, English PEN

Wadih Al Asmar, President, EuroMed Rights

James Lynch, Co-Director, FairSquare

Ruth Kronenburg, Executive Director, Free Press Unlimited

Khalid Ibrahim, Executive Director, Gulf Centre for Human Rights (GCHR)

Adam Coogle, Deputy Middle East Director, Human Rights Watch

Mostafa Fouad, Head of Programs, HuMENA for Human Rights and Civic Engagement

Sarah Sheykhali, Executive Director, HuMENA for Human Rights and Civic Engagement

Baroness Helena Kennedy KC, Director, International Bar Association’s Human Rights Institute

Matt Redding, Head of Advocacy, IFEX

Alice Mogwe, President, International Federation for Human Rights (FIDH), within the framework of the Observatory for the Protection of Human Rights Defenders

Shireen Al Khatib, Acting Director, The Palestinian Center For Development and Media Freedoms (MADA)

Liesl Gerntholtz, Director, Freedom To Write Center, PEN America

Grace Westcott, President, PEN Canada

Romana Cacchioli, Executive Director, PEN International

Tess McEnery, Executive Director, Project on Middle East Democracy (POMED)

Antoine Bernard, Director of Advocacy and Assistance, Reporters Sans Frontières

Ricky Monahan Brown, President, Scottish PEN

Ahmed Salem, Executive Director, Sinai Foundation for Human Rights (SFHR)

Mohamad Najem, Executive Director, SMEX

Mazen Darwish, General Director, The Syrian Center for Media and Freedom of Expression (SCM)

Mai El-Sadany, Executive Director, Tahrir Institute for Middle East Policy (TIMEP)

Kamel Labidi, Board member, Vigilance for Democracy and the Civic State

Aline Batarseh, Executive Director, Visualizing Impact

Menna Elfyn, President, Wales PEN Cymru

Miguel Martín Zumalacárregui, Head of the Europe Office, World Organisation Against Torture (OMCT), within the framework of the Observatory for the Protection of Human Rights Defenders

 

Platforms Must Stop Unjustified Takedowns of Posts By and About Palestinians

Legal intern Muhammad Essa Fasih contributed to this post.

Social media is a crucial means of communication in times of conflict—it’s where communities connect to share updates, find help, locate loved ones, and reach out to express grief, pain, and solidarity. Unjustified takedowns during crises like the war in Gaza deprive people of their right to freedom of expression and can exacerbate humanitarian suffering.

In the weeks since war between Hamas and Israel began, social media platforms have removed content from or suspended accounts of Palestinian news sites, activists, journalists, students, and Arab citizens in Israel, interfering with the dissemination of news about the conflict and silencing voices expressing concern for Palestinians.

The platforms say some takedowns were caused by security issues, technical glitches, mistakes that have been fixed, or stricter rules meant to reduce hate speech. But users complain of unexplained removals of posts about Palestine since the October 7 Hamas terrorist attacks.

Meta’s Facebook shut down the page of independent Palestinian website Quds News Network, a primary source of news for Palestinians with 10 million followers. The network said its Arabic and English news pages had been deleted from Facebook, though it had been fully complying with Meta's defined media standards. Quds News Network has faced similar platform censorship before—in 2017, Facebook censored its account, as did Twitter in 2020.

Additionally, Meta’s Instagram has locked or shut down accounts with significant followings. Among these are Let’s Talk Palestine, an account with over 300,000 followers that shows pro-Palestinian informative content, and Palestinian media outlet 24M. Meta said the accounts were locked for security reasons after signs that they were compromised.

The account of the news site Mondoweiss was also banned by Instagram and taken down on TikTok, and was later restored on both platforms.

Meanwhile, Instagram, TikTok, and LinkedIn users sympathetic to or supportive of the plight of Palestinians have complained of “shadow banning,” a process in which the platform limits the visibility of a user's posts without notifying them. Users say the platform limited the visibility of posts that contained the Palestinian flag.

Meta has admitted to suppressing certain comments containing the Palestinian flag in certain “offensive contexts” that violate its rules. Responding to a surge in hate speech after Oct. 7, the company lowered the threshold for predicting whether comments qualify as harassment or incitement to violence from 80 percent to 25 percent for users in Palestinian territories. Some content creators are using code words and emojis and shifting the spelling of certain words to evade automated filtering. Meta needs to be more transparent about decisions that downgrade users’ speech that does not violate its rules.

For some users, posts have led to more serious consequences. Palestinian citizens of Israel, including well-known singer Dalal Abu Amneh from Nazareth, have been arrested for social media postings about the war in Gaza that are alleged to express support for the terrorist group Hamas.

Amneh’s case demonstrates a disturbing trend concerning social media posts supporting Palestinians. Amneh’s post of the Arabic motto “There is no victor but God” and the Palestinian flag was deemed incitement. Amneh, whose music celebrates Palestinian heritage, was expressing religious sentiment, her lawyer said, not calling for violence as the police claimed.

She received hundreds of death threats and filed a complaint with Israeli police, only to be taken into custody. Her post was removed. Israeli authorities are treating any expression of support or solidarity with Palestinians as illegal incitement, the lawyer said.

Content moderation does not work at scale even in the best of times, as we have said repeatedly. At all times, mistakes can lead to censorship; during armed conflicts they can have devastating consequences.

Whether through content moderation or technical glitches, platforms may also unfairly label people and communities. Instagram, for example, inserted the word “terrorist” into the profiles of some Palestinian users when its auto-translation converted the Palestinian flag emoji followed by the Arabic word for “Thank God” into “Palestinian terrorists are fighting for their freedom.” Meta apologized for the mistake, blaming it on a bug in auto-translation. The translation is now “Thank God.”

Palestinians have long fought private censorship, so what we are seeing now is not particularly new. But it is growing at a time when online speech protections are sorely needed. We call on companies to clarify their rules, including any specific changes that have been made in relation to the ongoing war; to stop the knee-jerk reaction of treating posts expressing support for Palestinians—or notifying users of peaceful demonstrations, or documenting violence and the loss of loved ones—as incitement; and to follow their own existing standards to ensure that moderation remains fair and unbiased.

Platforms should also follow the Santa Clara Principles on Transparency and Accountability in Content Moderation and notify users when, how, and why their content has been actioned, and give them the opportunity to appeal. We know Israel has worked directly with Facebook, requesting and garnering removal of content it deemed incitement to violence, suppressing posts by Palestinians about human rights abuses during May 2021 demonstrations that turned violent.

The horrific violence and death in Gaza is heartbreaking. People are crying out to the world, to family and friends, to co-workers, religious leaders, and politicians their grief and outrage. Labeling large swaths of this outpouring of emotion by Palestinians as incitement is unjust and wrongly denies people an important outlet for expression and solace.

This Month, The EU Parliament Can Take Action To Stop The Attack On Encryption

By: Joe Mullin
November 7, 2023 at 15:10

Update 11/14/2023: The LIBE committee adopted the compromise amendments by a large majority. Once the committee's version of the law becomes the official position of the European Parliament, attention will shift to the Council of the EU. Along with our allies, EFF will continue to advocate that the EU reject proposals to require mass scanning and compromise of end-to-end encryption.

A key European parliamentary committee has taken an important step to defend user privacy, including end-to-end encryption. The Committee on Civil Liberties, Justice and Home Affairs (LIBE) has politically agreed on much-needed amendments to a proposed regulation that, in its original form, would allow for mass-scanning of people’s phones and computers. 

The original proposal from the European Commission, the EU’s executive body, would allow EU authorities to compel online services to analyze all user data and check it against law enforcement databases. The stated goal is to look for crimes against children, including child abuse images. 

But this proposal would have undermined a private and secure internet, which relies on strong encryption to protect the communications of everyone—including minors. The EU proposal even proposed reporting people to police as possible child abusers by using AI to rifle through people’s text messages. 

Every human being should have the right to have a private conversation. That’s true in the offline world, and we must not give up on those rights in the digital world. We deserve to have true private communication, not bugs in our pockets. EFF has opposed this proposal since it was introduced.

More than 100 civil society groups joined us in speaking out against this proposal. So did thousands of individuals who signed the petition demanding that the EU “Stop Scanning Me.” 

The LIBE committee has wisely listened to those voices, and now major political groups have endorsed a compromise proposal that has language protecting end-to-end encryption. Early reports indicate the language will be a thorough protection that includes language disallowing client-side scanning, a form of bypassing encryption. 

The compromise proposal also takes out earlier language that could have allowed for mandatory age verification. Such age verification mandates amount to requiring people to show ID cards before they get on the internet; they are not compatible with the rights of adults or minors to speak anonymously when necessary. 

The LIBE committee is scheduled to confirm the new agreement on November 13. The language is not perfect; some parts of the proposal, while not mandating age verification, may encourage its further use. The proposal could also lead to increased scanning of public online material that could be less than desirable, depending on how it’s done.

Any time governments access peoples’ private data it should be targeted, proportionate, and subject to judicial oversight. The EU legislators should consider this agreement to be the bare minimum of what must be done to protect the rights of internet users in the EU and throughout the world. 

Observation Mission Stresses Key Elements of Ola Bini's Case for Upholding Digital Rights

Despite an Ecuadorian court’s unanimous acquittal of security expert Ola Bini in January this year due to complete lack of evidence, Ecuador’s attorney general's office has moved to appeal the decision, perpetuating several years of unjust attacks on Bini’s rights. 

In the context of the Internet Governance Forum 2023 (IGF) held in Japan, the Observation Mission on the Bini case, which includes EFF and various digital and human rights groups, analyzed how advocates can utilize key elements of the judgment that found Bini not guilty. The Mission released a new statement pointing out these elements. The statement also urges Ecuadorian authorities to clarify Bini's procedural status as the attorney general's office has been posing difficulties for Bini's compliance with the precautionary measures still pending against him, particularly the requirement of periodic appearances to the AG's office.  

The full statement in Spanish is available here

Below we’ve summarized these key elements, which are critical for the protection of digital rights.

Irrelevant Evidence. The court characterized all evidence presented by the attorney general's office as irrelevant or unfit: "None of these elements led to a procedural truth for the purpose of proving any crime." With this decision, the court refused to convict Bini based on stereotyped views of security experts.  It has refused to apply criminal law based on a person's identity, connections, or activity, instead of actual conduct, or to apply criminal law based on a "political and arbitrary interpretation of what constitutes the security of the State and who could threaten it." Politically motivated prosecutions like Bini’s receive extensive media coverage, but what is often presented as "suspicious" is neither technically nor legally consistent. Civil society has worked to raise awareness among journalists about what is at stake in such cases, and to prevent judicial authorities from being pressured by publicized political accusations. 

The Importance of Proper Digital Evidence. The court emphasized the necessity of proper evidence to prove that an alleged computer crime occurred and that the image of a telnet session presented in Bini’s case is not fit for this purpose. The court explained that graphical representations, which can be altered, do not constitute evidence of a cybercrime since an image cannot verify whether the commands illustrated in it were actually executed. Building on technical experts' testimonies, the court said that what does not emerge from, or cannot be verified through, digital forensics is not proper digital evidence. The Observation Mission's statement notes this is a key precedent that clarifies the type of evidence that is considered technically valid for proving alleged computer crimes.

Unauthorized Access. The court clarified the meaning of unauthorized access, even though no access was proven in Bini's case. According to the court, access without authorization to a computer system requires the breach of some security system, which the ruling understands as overcoming technical barriers or using access credentials without authorization. In addition, and following Ecuador's penal code, the criminal offense of unauthorized access also requires proving an illegitimate purpose or malicious intent. While prosecutors failed to prove that any access had taken place (much less an unauthorized access), this interpretation aids in setting a precedent for defining unauthorized access in digital rights cases. It's particularly crucial as it ensures that individuals who test systems for vulnerabilities and report them do not face undue criminalization.

In light of these key elements, the Observation Mission's statement stresses that it is essential for Ecuadorian appellate authorities to affirm the lower court’s acquittal of Bini. It's also imperative that authorities clarify his procedural status and the requirement for periodic appearances, as any violation of his fundamental rights raises concerns about the legitimacy of the proceedings.

The Case's Legacy and Global Implications

This verdict has significant implications for digital rights beyond Bini's case. It underscores the importance of incorporating malicious intent into the configuration of computer crimes in legal and public policy discussions, as well as the importance of guarding against politically motivated prosecutions that rely on suspicion and public fear. 

Bini's case serves as a beacon for the defense of digital rights. It establishes critical precedents for the treatment of evidence, the importance of digital forensics, and relevant elements for assessing the offense of unauthorized access. It's a testament to the global fight for digital rights and an opportunity to safeguard the work of those who enhance our privacy, security, and human rights in the digital era.

What’s the Goal and How Do We Get There? Crucial Issues in Brazil’s Take on Saving the News from Big Tech

October 24, 2023 at 10:57

Amidst the global wave of countries looking at Big Tech revenues and how they relate to the growing news media crisis, many are asking whether and how tech companies should compensate publishers for the journalism that circulates on their platforms. This has become another flash point in Brazil’s heated agenda regarding platform regulation.

Draft proposals setting a “remuneration obligation” for digital platforms started to pop up in the Brazilian congress after Australia adopted its own News Media Bargaining Code. The issue gained steam when the rapporteur of PL 2630 (the so-called “Fake News bill”), Orlando Silva, presented a new draft in early 2022, including a press remuneration provision. Subsequent negotiations moved this remuneration proposal to a different draft bill, PL 2370. The remuneration rules are similar to the current version of another draft proposal in Brazil’s Chamber of Deputies (PL 1354).

While the main disputed issues revolve around who should get paid, for what, and how remuneration is measured, there is a baseline implicit question that deserves further analysis: What are the ultimate goals of making digital platforms pay for journalistic content? Responses from those supporting the proposal include redressing Big Tech's unfair exploitation of their relationship with publishers, fixing power asymmetries in the online news distribution market, and preserving public interest journalism as an essential piece of democratic societies.

These are all important priorities. But if what we want in the end is to ensure a vibrant, plural, diverse and democratic arena for publishing and discussing news and the world, there are fundamental tenets that should guide how we frame and pursue this goal.

These tenets are:

- We want people to widely read, share, comment, and debate news. We also want people to be able to access the documents and information underlying reporting to better reflect on them. We want plural and diverse sources of information to thrive. Access to information and free expression are human and fundamental rights that measures seeking to strengthen journalism must champion, not jeopardize. They are rights intrinsically related to upholding journalism as a key element of democratic societies.

- We want to fortify journalism and a free and diverse media. The overreliance of news outlets on Big Tech is a reality we must change, rather than reinforcing it. Proper responses should aim at building alternatives to the centralized intermediary role that few dominant digital platforms play in how information and revenues are distributed. Solutions that entrench this role and further consolidate publishers’ dependency on Big Tech are not fit for purpose. 

But before we discuss solutions that policymakers should embrace, let’s delve a little more into the underlying problems we should tackle.

An Account of Ad-Tech Industry’s Disruption of Journalism Sustainability

We have already written a good chunk on how Big Tech has disrupted the media's traditional business model.

While ad tech's upheaval of how news businesses used to work affects journalism as a public interest good, even back in the day the presence of thriving news players didn’t necessarily mean a plural and diverse media environment. Brazil is sadly, and historically, a compelling example of that. Adopting appropriate structural measures to tackle market concentration would probably have led to a different story. Even if an independent, diverse, and public interest journalism landscape doesn’t automatically follow from a robust news market, fixing asymmetries and distortions in such a market does play a critical role in enabling a stronger journalism landscape.

When it comes to the relations between digital platforms and publishers, tech’s intermediation of the distribution of news content poses a series of issues. It starts with platforms' incentives to keep people on their sites rather than clicking through to the actual content, and goes beyond. Here we highlight some of them:

  • Draining media advertising funds to digital platforms – Tech intermediaries pocket a huge portion of the money that advertisers pay for displaying ads online. It’s not only that digital platforms like Instagram and Google Search compete with news outlets by putting “ad spots” up for grabs. Even when the advertiser displays its ad on a news publisher website, much of the money paid stays with intermediaries along the way. In the UK, a study by the British advertisers’ association ISBA showed that only half of the ad money spent ultimately reached the news publishers. If in the analog era the main intermediary acting to place ads in media outlets was an advertising agency, nowadays there is an intricate ad-tech chain by which different players also get their bite.
  • Complexity and opacity of the ad-tech ecosystem – How much intermediaries get and how the ecosystem operates are not simple questions to answer. The ad-tech ecosystem is both complex and opaque. The ISBA’s study itself stressed the hurdles of finding consistent and standardized data about its inner workings and the flow of advertising money across the intermediaries’ chain. Yet, one critical aspect of this ecosystem has already stood out – the reigning position that Google and Meta enjoy in the ad-tech stack.
  • Ad-tech stack duopoly and market abuse – As we spelled out here, the ad-tech stack operates through real-time auctions that offer available online spaces for ad display combined with users’ profiling in a run-up for our attention. This stack includes: a “supply-side platform” (SSP), which acts as the publisher’s broker offering ad spots (usually called “ad inventory”) and related user eyeballs; a “demand-side platform” (DSP), which represents the advertisers and helps them manage the purchasing of ad slots and find the “most effective” impression for their ads considering user data; and a marketplace for ad spots where supply and demand meet. As we noted, there are many companies that offer one or two of these services, but Google and Meta offer all three. Plus, they also compete with publishers by selling ad slots on YouTube or Facebook and Instagram, respectively. Google and Meta represent both buyers and sellers on a marketplace they control, collecting fees at each step of the way and rigging the bidding to their own benefit. They faced investigations of illegal collusion to rig the market in their favor by protecting Google’s dominance in exchange for preferential treatment for Meta. Although authorities decided not to pursue this specific case, other antitrust investigations and actions against their abusive conduct in the ad-tech market are in progress.
  • Making journalism dependent on surveillance advertising – Trading audience attention is not new in how the news market operates. But an integrated and unrelenting system of user tracking, profiling and targeting did come about in our digital era with the rise of Big Tech’s main way of doing business. A whole behavioral advertising industry has developed grounded in the promises and perils of delivering more value based on dragnet surveillance of our traits, relations, moves, and inferred interests. Big Tech companies rule this territory and shape it in such a way as to hold publishers hostage to their gimmicks. Making journalism reliant on surveillance advertising is a deal that serves to entrench a few tech players as indispensable ad gatekeepers, since this is not a trivial structure to build and maintain. This structure is also directly abusive to users, who are continuously tracked and profiled, feeding a vicious cycle. We shouldn't need pervasive, behavioral surveillance for journalism to thrive.

All these problems relate to Big Tech's unfair exploitation of their relationship with news organizations. But none of them are copyright issues. Copyright is a poor framework for addressing concerns about journalism sustainability. The copyright approach to the fight between tech and news relies on the assumption that journalists and media outlets, as copyright holders, are empowered to license (and thus control and block) quotation and discussion of the news of the day. That logic threatens the first fundamental tenet we presented above as it would undermine both the free discussion of important reporting and reporting itself. Copyright proposals also purport to create a remuneration dynamic that tracks and measures the “use” of journalistic content of each copyright holder so that each one can receive the corresponding compensation. Even when not explicitly attached to copyright law, proposals of journalistic remuneration based on the “use” of news content pose many challenges. Australia’s compensation arrangements are a mixed bag with several issues deriving from this and other problems we outline below.

Why Brazil Shouldn’t Follow Australia’s Code or Any “Content Use-Based” Models

Australia’s News Media Bargaining Code is a declared inspiration for Brazil’s debate over a remuneration right for publishers, endorsed by Big Media players and decision makers. As per the Code’s model, private remuneration agreements between news businesses and digital platforms result from these platforms making news content available on their services. The law details what “making content available” means, the conditions the Treasurer must follow to designate digital platforms that are bound by the law, the requirements news businesses must meet to benefit from the bargaining rules, the obligations that designated digital platforms have in relation to registered news businesses, and mechanisms for mediation and arbitration in case both parties fail to reach an agreement. 

Although Google and Meta have closed more than 30 agreements during the law’s first year in force, none of them is actually under the Code’s purview. The two tech giants’ strategic moves regarding the new law avoided any formal designations of digital platforms as per the Code’s rules (as James Meese notes in “The Decibel” podcast).

So far, the Code has served as a bargaining tool for media players to reach agreements with Google and Meta outside the law’s guarantees. Both due to the Code’s language and the unfolding bargaining practice, the Australian model brings a set of lessons we shouldn’t overlook. Professor Diana Bossio’s analysis points out some of them:

First, the lack of transparency in the agreements has deepened imbalances among media players competing for market share in an already concentrated ecosystem. Smaller, independent organizations unaware of higher sums secured by major outlets have struck deals for very modest amounts and lost key professionals to larger groups that used the new funding source to pay salaries above the usual market rate. Second, the tech platforms used agreements to bolster their own news products, such as “Google News Showcase,” according to their content and business priorities. Third, Google and Meta are the ones ultimately determining what counts as public interest journalism and which media outlets producing it get paid. As a result, they are actually the ones deciding the “winners and losers of the Australian media industry.” In sum, Bossio states that:

“Lack of transparency and designation means the tech platforms have been able to act in the best interests of their own business priorities, rather than in the interest of the code’s stated aim of supporting public-interest journalism.”

Canada’s Online News Act sought to address some of the pitfalls of the Australian model but has been struggling with securing its enforcement. Both Google and Meta have said the law is unworkable for their businesses, and Meta has decided to block news content for everyone accessing Facebook and Instagram in Canada. The company argues that people don’t come to Meta’s platforms for news, and that the only way it “can reasonably comply with this legislation is to end news availability for people in Canada.”

By ceasing to make news available on its platforms, Meta dodges Canada’s remuneration obligation. This is one of the traps of basing a remuneration arrangement on the “use” of journalistic content by online platforms, as the current draft of PL 2370 in Brazil does. Digital platforms can simply filter news out. If lawmakers respond by compelling them to carry news content in order to avoid such blocking, they fall into yet another trap – that of undermining platforms’ ability to remove harmful or otherwise problematic content under their terms of service. But the traps don’t end there. The “use” of journalistic content as the basis for remuneration is also bad because:

  • It encourages "clickbait" content.
  • It ends up favoring dominant or sensationalist media players.
  • It fosters and deepens structures for monitoring user sharing of links and content, which poses both data privacy and tech market concentration concerns.
  • It faces clear hurdles in circumscribing what “use” is, measuring such “use” in relation to each news organization, and supervising whether the remuneration is compatible with the amount of content “used.”

What should we do, then?

Which Alternatives Can Pave the Proper Way Forward

Let’s recall our fundamental tenets for achieving the end goal of ensuring a vibrant, plural, diverse, and democratic arena for publishing and discussing news and the world we live in. First, measures aimed at strengthening journalism shouldn’t serve to curb the circulation and discussion of news. Access to information and free expression are human and fundamental rights that these measures must champion, not endanger. Second, fortifying a free, independent, and diverse press entails the creation of alternatives to overcome news outlets’ dependency on Big Tech, instead of reinforcing it.

While PL 2370 and PL 1354 are important vectors for going a step further towards journalism sustainability in Brazil, their current language still fails to properly meet such concerns.

The draft bills follow the model of private agreements between digital platforms and news companies based on the “use” of journalistic content. Setting the kind of “use” that triggers remuneration vis-à-vis reasonable use exceptions has been complex and debated. The fear that this approach ends up favoring only the big players or that the money doesn’t get to the journalists actually doing the work has also driven discussions. Worryingly, there are no transparency requirements in the drafts for such remuneration deals. The bills don’t look at the market distortions we presented earlier. Relatedly, they don’t explore alternative approaches to Big Tech’s central intermediation role in how information and revenues are distributed. In fact, they may serve to cement the current dependency course.

By combining structural market measures and a policy decision to strengthen journalism, Brazilian decision makers, including Congress, should instead:

  • Establish restrictions for companies to operate in two or more parts of the ad-tech stack. Big Tech firms would have to choose if they want to represent the “demand-side”, the “supply side” or offer the “marketplace” where both meet. A draft law in the U.S. aims precisely to bridle such an abusive situation and can inspire the Brazilian draft legislation.
  • Ramp up the transparency of the ad-tech ecosystem and the flow of ad spending. For example, by requiring ad-tech platforms to disclose the underlying criteria (including figures) used to calculate ad revenues and viewership, backstopped by independent auditors.
  • Adopt further measures that can reduce Big Tech’s dominant role as intermediaries of publishers’ revenues coming from ads or subscribers. For example, to allow smaller players to participate in real-time bidding, incentivize more competitive solutions in such ecosystem, and open up the market of app stores. Currently, Google or Apple pocket 30 percent of every in-app subscription or micropayment dollar. As we noted, the EU and the U.S. are taking measures to change that.
  • Build on Brazil's data protection legal framework to stop surveillance advertising and return to contextual ads, which are based on the context in which they appear: what article they appear alongside, or in which publication. Rather than following users around to target them with ads, contextual advertisers seek out content that is relevant to their messages, and place ads alongside that content. This would dismiss the data advantage enjoyed by Big Tech companies in the ad ecosystem.

The measures above could likely be enough to rebalance the power asymmetries between digital platforms and news outlets, especially regarding larger media players. However, Brazil’s background indicates that this alone may fail to advance an independent, diverse, and public interest journalism landscape. The proper policy decision to pursue this goal is not to foster private and non-transparent agreements based on how much platforms or people “use” news. There are better approaches, such as establishing public subsidies for advancing journalism sustainability. The policy goal of strengthening journalism as a decisive element of democratic societies translates into a policy decision to financially support its flourishing. In addition to promoting structural market measures, the government should direct resources towards this goal. Considering the many funding priorities and budget constraints, a viable and sound path is using the collection of ad-tech players' taxation to create a fund managed by an independent, multistakeholder committee. The committee and the funding allocation would abide by strict transparency rules, representativeness criteria, and oversight.

With that, the discussion over who gets paid, for what, and which other initiatives are important to fund to pave a way of less dependency between news organizations and Big Tech could go way beyond bargaining agreements and have this fund as a catalyst based on guidelines set by law. This could also free the remuneration model from the problematic aspiration of tracking the "use" of news content and dispensing payments accordingly.

The idea of creating a fund is not new in Brazilian debates about journalism sustainability. Following global discussions, the Brazilian National Federation of Journalists (FENAJ) has been advocating for a fund considering the model of Brazil’s Audiovisual Sector Fund (FSA), which is part of a consistent policy fostering the audiovisual sector in the country. The idea gained support from Brazil's Digital Journalism Association (AJOR) and other civil society organizations. Brazilian decision makers should look at FSA’s experience to build a sounder path, putting in place, of course, the necessary checks and balances to prevent risks of capture and undue interference. As noted above, the collection of resources should rely on a relevant portion of revenue-related taxation of ad-tech players rather than the use of journalistic content. Moreover, transparency, public oversight, and democratic criteria to allocate the money are among the essential commitments to be set to ensure a participative, multistakeholder, and independent journalism fund.

We hope the crucial issues and alternatives outlined here can help to build a stronger way forward in Brazil’s take on upholding journalism in the face of the dominant role of Big Tech companies.