Blog

Time and time again, researchers have found numerous compromised Android devices for sale at large online retailers like Amazon. When these devices get individually reported, we have seen some noted efforts to take them down. But this is a systemic problem and Amazon and other major online retailers must make a corresponding systemic and intentional effort to stop these devices from entering people’s homes and ultimately their networks.

As a refresher: Last year, Google wrote that one major campaign, deemed BADBOX, affected 10 million uncertified devices that were running Android’s open-source software (Android Open Source Project or AOSP). These devices span from TVs and streaming devices to digital picture frames. Even now, someone can go on Amazon and Walmart and buy one of these devices. Not all of them come from Amazon and Walmart, but it’s fair to assume since they have the lion’s share of the market.

Most well-known Android-based devices don’t come with just “stock Android.” The operating system is usually Android plus additional features that the manufacturer wanted. These custom versions of Android often come with pre-installed applications that range from useful to innocuous bloatware to actual malware. Many Android OEMs (original equipment manufacturers) pre-install apps that may not be visibly represented by an icon in your list of installed apps. This obscurity makes the issue particularly hard for users to identify any potential threats.

Since the initial BADBOX analysis, there have been more reports of large campaigns and clusters of different devices participating in malicious activities that utilize people’s home networks to engage in illegal activity. Task forces in the private sector have made an effort to take down these existing Command and Control structures, but these actors may pivot and evolve to flood the market with more devices. 

Online retailers can stop this cycle. A multi-billion dollar company like Amazon should offer more resources, like their anti-fraud efforts, given that these products may have facilitated conditions for large scale attacks and illegal activity. It would also be helpful if they communicated malware-related take downs in a more visible way to consumers who are seeking very similar devices with shared characteristics.

Identifying these devices can be tricky, but it’s not impossible because they tend to follow a pattern. For example, the FBI warned consumers this year to avoid TV streaming devices that claim to provide free sports, tv shows, and movies, a common tactic used by the makers of these malware-filled Android devices that leverages people’s exhaustion from spending money on countless streaming services. We detailed what sorts of indicators to look for on a device you’ve purchased.

But it’s not just the storefronts. There are other parts of this ecosystem that need to improve too, like increased engagement in firmware transparency and the actual manufacturers of the devices themselves being held accountable for these malware laced products.

On Prime Day, we urge retailers like Amazon to better empower users with information they need to make safe and smart decisions.

Seeking transparency and accountability in Paraguay’s use of facial recognition, EFF, the Association of Technology, Education, Development, Research, Communication (TEDIC), and the Centre for Justice and International Law (CEJIL) filed a complaint with the Inter-American Commission on Human Rights against the state for arbitrarily denying access to information about its implementation and use of the technology as a tool for mass surveillance that erodes people’s privacy rights. 

The case involves the Ministry of the Interior and National Police’s installation in 2019 of surveillance cameras with facial recognition technology in Asunción. Maricarmen Sequera, a lawyer and executive director of TEDIC, filed an information request with the ministry seeking details and protocols about the implementation and use of facial recognition systems and the personal data processing involved. 

The request sought information about, among other things, whether the state had conducted human rights or data protection impact assessments, as well as if it had developed measures and protocols for avoiding abuses, illicit uses of personal data, and other risks in the deployment of the facial recognition system.

The state denied most of the information requested, arguing that implementation details, protocols, and the processing of individuals’ personal data were confidential security information. TEDIC contested the secrecy in courts, but the analyses lagged and ultimately sustained the denial of information. 

The petition filed last Friday (19) cites Inter-American standards upholding the public’s right to access information, particularly in relation to national security, that the Paraguayan authorities disregarded in denying TEDIC’s information request. The petition also argues that the refusal of information violated privacy and the right to informational self-determination.

The petition asks the Commission to recognize a violation of those rights and require the state to deliver the information requested. Further, the petition seeks an order compelling the state to adopt mandatory permanent mechanisms of active transparency regarding the acquisition, contracting, implementation, financing, functioning, and use of surveillance technologies by public bodies, especially those that incorporate processing of biometric data or artificial intelligence systems. 

It also asks the Commission to order the state to mandatory procedures for human rights impact assessments prior to acquiring and using surveillance technologies, particularly those that collect biometric data or use artificial intelligence.

The state’s lack of transparency in this case is not an isolated incident, both in Paraguay and in Latin America, where opacity in matters of security and surveillance is the unsettling rule. The situation gets worse with the increasing normalization of intrusive surveillance technologies by states in the region.

The Special Rapporteur for Freedom of Expression of the Inter-American Commission emphasized that states should disclose surveillance capabilities and contracts, and acknowledge state use of surveillance technologies at a meaningful level of detail, to facilitate essential public debate on the necessary limitations of surveillance in democratic societies and ensure compliance with international human rights law.

We hope that the Inter-American Commission upholds the robust safeguards in the Inter-American System and advances access to information and privacy rights in a case that can set a crucial precedent for the region.

This week marks four years since Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade’s constitutional protections for people seeking abortion care. Anniversaries are a moment to take stock, and over the last four years, EFF has seen firsthand how digital rights and reproductive rights have become increasingly intertwined. One major way this has happened: the fight over abortion has also become a fight over online speech and government censorship as a steady stream of proposed laws, cease-and-desist letters, lawsuits, and government investigations have targeted the websites and online resources that help people find and learn about reproductive healthcare.

This is an effort by anti-abortion government officials to mold the information ecosystem, restrict what people can read, and cut off the ways people communicate with one another. We’ve watched this build for years, and the encouraging news is that many of these efforts have failed. The worrying news is that they keep coming. And if they’re allowed to succeed, this could have repercussions for freedom of expression online beyond reproductive rights.

Targeting Sites That Just Share Information

The clearest tell that this is also a war on speech is that officials have aimed their efforts not just at abortion providers or the entities that prescribe and sell medication abortion, but also at websites that do nothing more than tell people what their options are, how to find a doctor, and where abortion remains legal.

Cease-and-Desists & Takedown Demands

State attorneys general have been hitting these online information hubs with cease-and-desist letters and takedown demands. Just this month, for example, Alabama Attorney General Steve Marshall sent cease-and-desist letters to multiple groups with abortion-related websites, including Plan C, a public health campaign that provides educational resources and research on abortion access. Plan C doesn’t sell or ship abortion pills. It simply provides information. Marshall’s office nonetheless claimed Plan C’s website “facilitates, aids, and abets” illegal abortion. The Arkansas attorney general similarly sent out cease-and-desists to several organizations regarding their websites, including Mayday Health, which, like Plan C, provides only information and does not directly prescribe or mail pills.

What’s especially concerning is that the state doesn’t have to win, or even file, a lawsuit to get what it wants.

In another example from earlier this year, North Dakota Attorney General Drew Wrigley threatened legal action and ordered the Prairie Abortion Fund to scrub information off of its website, not because the fund sold pills, but because its site linked to several outside informational resources. The Attorney General primarily focused on the fund’s link to Plan C, meaning the biggest alleged issue was a link to a website that links to other websites where pills can be accessed.

What’s especially concerning is that the state doesn’t have to win, or even file, a lawsuit to get what it wants. Especially for smaller organizations and funds, a letter threatening legal action can be enough to chill their speech, causing them to remove important content and go quiet.

Censorship Mandates

Legislators in multiple states have also attempted to make it illegal to share resources on how to obtain an abortion, including on purely informational websites with a national or global audience. South Dakota recently passed a law making it a felony to “advertise” anything “described in a manner calculated to lead another to use or apply it for producing an abortion.” Language this broad can easily apply to websites that simply engage in First Amendment-protected advocacy or provide educational resources. Mayday Health, which operates one such website, has since sued the state in federal court to block the law. The lawsuit argues the law could reach something as small as wearing a sweatshirt that carries Mayday’s web address.

Other state legislatures have made similar efforts. Last year, for example, Texas introduced a bill that would have made it illegal to “provide information” on how to obtain an abortion-inducing drug. If you exchanged emails, had an online chat, or created a website that shared information about legal abortion services in other states, you could have violated this bill. Luckily this particular bill did not pass, but Texas has attempted to pass similar laws for several years now.

Dressing Censorship Up as Consumer Protection

A major way anti-abortion officials are targeting online speech is by weaponizing consumer protection and deceptive advertising laws, claiming that providing information about abortion violates them. This tactic is a threat to free speech rights. The First Amendment protects publishing truthful information on a public issue, and the Supreme Court has expressly said that includes providing information about legal abortion in a state where it is illegal.

Yet states like South Dakota have continued to use deceptive advertising claims to go after abortion speech. Last year, South Dakota sent a cease-and-desist and then filed a lawsuit against Mayday Health for running ads that simply read: “Pregnant? Don’t want to be?” with a link to Mayday’s website. The state claimed the ads were “deceptive.” Mayday then counter-sued in federal court, challenging South Dakota’s actions under the First Amendment. Though the federal judge ultimately declined to step in while the parallel state case was pending, she made a point of saying she believed Mayday’s website constitutes “speech subject to protection under the First Amendment.”

Other states have attempted to run the same play. Missouri sued Planned Parenthood in 2025 under its consumer-protection statute, calling a webpage that says abortion pills are safe an “unfair and deceptive” trade practice. Florida went even further, invoking its RICO law—a law typically used for organized crime—over the same kind of statement. Florida leaned heavily on a single study funded by an anti-abortion think tank, even as major medical organizations and decades of research put the serious-complication rate below half a percent. States should not be able to cherry-pick studies in order to erase online speech.

Going After Intermediaries & Erasing Whole Websites

Some officials aren’t content to restrict only certain abortion-related content—they want the websites gone entirely.

Take, for example, the cease-and-desist letters sent by the Arkansas attorney general last year. Letters were sent directly to internet intermediaries (entities that facilitate use of the internet, such as internet service providers, web-hosting providers, or things like search engines and social media platforms). The letters demanded that both a domain registry company and a web host stop supporting a site that discusses abortion drugs. But as we know, if we cut off the host or the domain, the speech disappears for everyone—not just for people in Arkansas.

Likewise, Texas’s 2025 bill would have required intermediaries to take down abortion-related content. It’s worth remembering that the imposition of civil and criminal liability on intermediaries also conflicts with a federal law that protects online intermediaries’ ability to host user-generated speech, 47 U.S.C. § 230 (“Section 230”), including speech about abortion medication.

The push has gone federal, too. In March 2026, Senator Bill Cassidy and colleagues on the Senate Health, Education, Labor and Pensions Committee pressed the FDA to use every tool it has against online sellers, including leaning on the domain registrars that keep these sites online.

Why This Should Worry Everyone

It’s tempting to see this as limited to the fight over reproductive rights. That would be a mistake. For people seeking care, the immediate harm is obvious: the internet is often the only place to find accurate, potentially life-saving information, and every letter, lawsuit, and takedown threat makes that information harder to find and riskier to share.

But the damage doesn’t stop there. We’re witnessing a live experiment in how to use consumer-protection laws, criminal statutes, and pressure on intermediaries to suppress a disfavored viewpoint, pull information offline, and make websites disappear. To think these tactics can only be used against abortion speech would be naïve. 

We hope courts and legislatures will continue to protect free speech online. But the continued drumbeat of threatening letters, lawsuits, and investigations is its own kind of harm. Here at EFF, we’ll keep defending the right to share and read information online—about abortion, and about everything else.

The Federal Communications Commission wants to require telecommunications providers to collect vast amounts of personal information from every person who wants a phone number in the name of combatting scam and spam calls. This plan will fail to combat the deluge of unwanted calls people in the United States receive every day while giving untrustworthy companies a gold mine of information that would harm everyday consumer’s privacy, access to communications, and ability to speak freely. 

The requirement to provide ID and an address would completely cut off the ability to have an anonymous phone line, which would mean many people in the most precarious situations imaginable: domestic violence and human trafficking survivors, unhoused people, and children without stable homes, would not be able to gain access to a crucial lifeline. EFF, along with ACLU, has submitted comments advising the FCC to abandon this proposal entirely. 

This Rule Will Not Decrease Spam Calls 

Requiring phone providers to collect consumers’ information will not appreciably decrease or eliminate unwanted calls. The FCC knows this because it confesses in its own rulemaking that “the most effective way to prevent unwanted calls from reaching American consumers is by ensuring they never enter the network.” Further, the Federal Trade Commission found that “a significant proportion, if not the majority, of unwanted robocalls originate from overseas.” Collecting the personal information of everyone who wants to make a phone call will not put a dent in fraudulent calls. 

What will address unwanted calls is the FCC’s STIR/SHAKEN technical standards, which already exist. While STIR/SHAKEN is not perfect, it is actually a technical solution to the problem of spam calls. And where less than 50% of American telecommunication providers have fully implemented the protocol, the FCC should put its energy toward 100% compliance to reduce the scale of unwanted calls, instead of collecting consumer’s private information. 

The FCC gives away the true reason for this proposal in their own comments: this is a move to shut down the very existence of anonymous phones, aka burner phones. FCC says in their comments: 

“Enhanced KYC information can assist law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information. The KYC information gathered and verified would help ensure that law enforcement gets accurate information in response to subpoenas when investigating crimes. For example, can enhanced KYC rules assist law enforcement in investigating organized criminal groups that use the network to facilitate illegal activities? Can they be used to deter or detect trafficking operations that use communication networks to buy and sell illicit goods?”

Anonymous phones are not just used by people to break the law, they are also used by activists who wish to remain anonymous, privacy conscious consumers, people escaping domestic violence, people escaping human trafficking, journalists who need to reach out to confidential sources, and other people in desperate situations. Anonymous phone lines are a lifeline to many, one which this proposal would cut off without any alternative. 

Mass Data Collection Makes Us All Less Safe

Mass data collection of individuals does not address unwanted calls, but it does 

make us all less safe online. The telecommunications industry has proven time and again that they’re poor stewards of personal information. They’ve been at the center of several large-scale data breaches in recent years and their data practices leave much to be desired.

In 2024, AT&T disclosed two large data breaches. One in which 7.6 million existing account holders and more than 65 million former customers had their information leaked onto the dark web, and another in which more than 100 million customer account call and text logs were downloaded. Another large provider, Comcast, suffered a data breach in 2023 where nearly 36 million account holder’s information was stolen, including the last four digits of their Social Security Number and date of birth. 

In 2024, the nation’s CALEA infrastructure, which law enforcement uses to tap and trace calls, was breached in the Salt Typhoon attacks. Experts maintain that U.S. communications networks remain vulnerable, and even this administration acknowledges these attacks as an ongoing threat. 

If telecoms can’t even protect the most sensitive communications infrastructure in the nation how can we expect that they will protect our identities?

In addition to their poor cybersecurity practice, these providers themselves abuse the information in their possession. In Scott v AT&T, AT&T, among others, made consumer information available to hundreds of third parties without the consumer’s express consent. Though the case was dismissed because AT&T forces its consumers to sign arbitration agreements, it shows the complete lack of care for their consumers’ privacy. 

A Lack of Anonymity Silences People 

Mass data collection of individuals just to have a phone number will also harm and silence people. Anonymity in calls provides people the safety they may require to organize themselves, speak freely, and seek services. Anonymous phone calls give people the courage to participate in politics, organize themselves, reach out to a suicide or sexual-assault hotline, an addiction-recovery sponsor, seek medical care, seek escape from a violent and coercive situation, and do much more. Without this anonymity, people may otherwise not do any of these things. 

It will prevent many from obtaining phone numbers at all. 

Not everyone has all the information the FCC wants to require. The FCC wants people’s physical addresses, defined so narrowly that it’s essentially a home address. Not everyone has a stable home address, so those individuals would be not able to get phone service. 

FCC suggests that a government-issued identification should be required for any phone service. About 15 million adult U.S. citizens do not have a driver’s license, while about 2.6 million do not have any form of government-issued photo ID. Others don’t have access to their identifying documents, they may be controlled by an abusive spouse or parent, human trafficker, cult, or someone else from whom a secondary phone line could help a person escape. Estimates show another 21 million adult U.S. citizens do not have a non-expired driver’s license, and over 34.5 million adult citizens have neither a driver’s license nor a state ID card with their current name or address. 

These numbers do not include non-U.S. citizens who do not have current government-issued identification, including undocumented immigrants who cannot obtain a state ID or driver’s license. Black American and Hispanic Americans are disproportionately less likely to have current drivers’ licenses, and Americans with disabilities and Americans with lower annual incomes are also less likely to have current driver’s licenses. 

The FCC’s proposal will not decrease the amount of unwanted calls. All it will do is set up a data collection regime that harms everyday, law abiding Americans. This proposal makes us less secure online, strips away our right to anonymous speech in calls, and actively disconnects those Americans who are already at the margins. EFF recommends the FCC discard this proposal in its entirety. 

The window for reply comments can still be filed until July 26th. Express comments, which are appropriate for most individuals, can be filed on the FCC website. See the suggested language below to help you get started. 

When a car passes an automated license plate reader (ALPR), its plate is captured and instantly compared against a list of vehicles that police are actively looking for or that police have identified for real-time surveillance. These are called “hotlists,” and EFF has learned that one used by agencies across the country targets immigrants on behalf of Immigration and Customs Enforcement (ICE). 

Agencies using Flock Safety ALPR systems commonly allow the plates their cameras collect to be compared against the FBI’s National Crime Information Center (NCIC) hotlists. These hotlists are broken into “topics,” such as “Gang or Suspected Terrorist,” “Stolen Vehicle,” and “Missing Person.” 

Flock Safety told EFF via email: “Local agencies add/remove license plates from the NCIC list. The FBI curates the NCIC list, and pushes it out to local agencies. Once the list leaves the FBI, they do not see any agency alerts. They only see when a local agency adds or removes plates from the list.”

But one list is different: The “Immigration Violator” hotlist is populated exclusively by ICE, and it is the only agency authorized to enter or maintain records in this system, according to the NCIC operator manual. It includes license plates associated with administrative warrants, which are issued by ICE agents without judicial review. The manual further describes the data:

The Immigration Violator File contains records on criminal aliens who have been deported for drug trafficking, firearms trafficking, or serious violent crimes and on foreign-born individuals who have violated some section of the Immigration and Nationality Act.

And: 

If the ICE has reasonable grounds to believe that the subject may be operating a particular vehicle or a vehicle bearing a particular license plate, the vehicle and/or license data may be included in the record.

Buried in the Flock Safety administrative interface, there is a drop-down menu where agencies select which NCIC topics to subscribe to. If Immigration Violator is selected, the local agency will receive an alert that a vehicle ICE is looking for has been sighted. According to Flock Safety, ICE itself does not get an alert, although the local agency may contact ICE to let them know. Many agencies also participate or collaborate with immigration enforcement (through, for example, 287(g) agreements) and may take steps to stop a vehicle based on one of these alerts. 

In many places, using ALPRs for immigration enforcement is against city or state law–or at minimum, against agency policy. But using this hotlist is immigration enforcement. 

For example, Sparks Police Department’s ALPR transparency portal lists immigration enforcement among the “prohibited uses.” Yet, records show Sparks utilizes ICE’s Immigration Violator hotlist.

Many agencies publicly acknowledge using NCIC hotlists, but don’t publish which ones. So, EFF filed public records requests with agencies around the country to figure how to identify at least which agencies may be using the Immigration Violator hotlist. Here are links to the documents from the 13 agencies that have responded so far. 

Knowing whether your agency has this box checked isn’t just useful information—it’s the kind of evidence that can change how officials vote when a contract comes up for renewal. So, how can you find out if your local agency is using the Immigration Violator list? It takes some digging, and you may not be successful. But here’s what has worked for us in some instances. 

STEP 1: Conduct background research. 

The first questions you want to try to answer are: 

• Does your local agency use Flock Safety ALPRs, and if so, 
• Are they using NCIC hotlists? 

To answer the first question, here are two sites to try: 

• AtlasofSurveillance.org – This is an EFF project to catalog the technologies law enforcement agencies use. You can search for your agency to see if they use ALPR.

• EyesonFlock.com  – This site includes an index of every agency that maintains a Flock Safety “Transparency Portal.” These portals often disclose what hotlists an agency uses. You’ll want to look for your agency, then click the outbound link to their transparency portal, if they have one. 

Once you’re on the transparency portal, you’ll want to look for two things. 

• Is “immigration enforcement” a prohibited use? If it is, you might find that the agency is violating its own policies. 

• Does the agency list “NCIC” as one of its hot lists? 

Not all agencies disclose this information, so even if you don’t find anything, you can move on to these next steps. 

STEP 2: File a public records request. 

Every state has a law that allows the public to request information from the government. This can often be done by emailing the police department or sheriff’s office, using the agency’s online public records portal. You can usually find these emails or portals quickly online by searching for the agency’s website and contact information. You can also subscribe to a service like MuckRock, which is how we filed these requests. 

We have developed language to request the hotlist topics. It doesn’t always work, due to differences in how agencies interpret public records laws, but it is still worth a shot. 

STEP 3: Wait for a response.

Depending on the agency and the state law, it may take anywhere from days to weeks to receive a response. 

If the agency provides the records, they might look something like this: 

If “Immigration Violator” is checked, then yes–police are scanning vehicles for immigration enforcement. 

You can then put this information to work, sharing it with local reporters or bringing it directly to city officials who have the authority to modify, restrict, or cancel your agency’s Flock contract. This is especially important if the agency has the box checked but also claims ALPR data is not used for immigration enforcement. Government officials like easy fixes, and “uncheck the box” is about as easy as it gets. But remember: If that’s where it stops, the infrastructure for immigration surveillance stays fully intact, and the system is one policy, personnel change, or error away from being switched back on.

In many cases, you will not receive records. The agency may claim it’s protected under legal exemptions or that it is not actually a public record under state law. For example, we received rejections from the Abington Police Department in Massachusetts and the Akron Police Department in Ohio.

If that happens, push back politely. You can explain that many other agencies across the country have produced this information and that it would greatly help inform the public. You can try contacting the police department’s public information officer. Another option is alerting local press that the agency is refusing to disclose basic information about a public surveillance system, shutting residents out of decisions about how that system is being used. If you have the resources and time, you may also consider litigating a denial or lack of response.

You can also email your city council or board of supervisors member. Explain why this matters: The law enforcement agency may be facilitating immigration enforcement in secret, potentially in violation of its own policies. Ask them to use their oversight authority to demand answers from the agency, including pressing the vendor directly. Elected officials hold real leverage here: In most cities, either the council or the city manager controls the contract, and both are accountable to the public. If your agency’s contract is up for renewal—or if a new pilot program is on the horizon—this is exactly the kind of information that should be part of that public debate before officials sign anything.

While we have filed dozens of these requests, we need locals to help gather even more. Drop us a line with the records you receive (or don’t) at aos@eff.org.