Liberty News

Google announced this week that it will be making several important changes to the way it handles users' "Location History" data. These changes would appear to make it much more difficult--if not impossible--for Google to provide mass location data in response to a geofence warrant , a change we've been asking Google to implement for years.

Geofence warrants require a provider--almost always Google--to search its entire reserve of user location data to identify all users or devices located within a geographic area during a time period specified by law enforcement. These warrants violate the Fourth Amendment because they are not targeted to a particular individual or device, like a typical warrant for digital communications. The only "evidence" supporting a geofence warrant is that a crime occurred in a particular area, and the perpetrator likely carried a cell phone that shared location data with Google. For this reason, they inevitably sweep up potentially hundreds of people who have no connection to the crime under investigation--and could turn each of those people into a suspect .

Geofence warrants have been possible because Google collects and stores specific user location data (which Google calls "Location History" data) altogether in a massive database called " Sensorvault ." Google reported several years ago that geofence warrants make up 25% of all warrants it receives each year.

Google's announcement outlined three changes to how it will treat Location History data. First, going forward, this data will be stored, by default, on a user's device, instead of with Google in the cloud. Second, it will be set by default to delete after three months; currently Google stores the data for at least 18 months. Finally, if users choose to back up their data to the cloud, Google will "automatically encrypt your backed-up data so no one can read it, including Google."

All of this is fantastic news for users, and we are cautiously optimistic that this will effectively mean the end of geofence warrants. These warrants are dangerous. They threaten privacy and liberty because they not only provide police with sensitive data on individuals, they could turn innocent people into suspects. Further, they have been used during political protests and threaten free speech and our ability to speak anonymously, without fear of government repercussions. For these reasons, EFF has repeatedly challenged geofence warrants in criminal cases and worked with other groups ( including tech companies) to push for legislative bans on their use.

However, we are not yet prepared to declare total victory. Google's collection of users' location data isn't limited to just the "Location History" data searched in response to geofence warrants; Google collects additional location information as well. It remains to be seen whether law enforcement will find a way to access these other stores of location data on a mass basis in the future. Also, none of Google's changes will prevent law enforcement from issuing targeted warrants for individual users' location data--outside of Location History--if police have probable cause to support such a search.

But for now, at least, we'll take this as a win. It's very welcome news for technology users as we usher in the end of 2023.

I'm delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook, as well as a suite of new features that let you further control your messaging experience. We take our responsibility to protect your messages seriously and we're thrilled that after years of investment and testing, we're able to launch a safer, more secure and private service.

Since 2016, Messenger has had the option for people to turn on end-to-end encryption, but we're now changing private chats and calls across Messenger to be end-to-end encrypted by default. This has taken years to deliver because we've taken our time to get this right. Our engineers, cryptographers, designers, policy experts and product managers have worked tirelessly to rebuild Messenger features from the ground up. We've introduced new privacy, safety and control features along the way like delivery controls that let people choose who can message them, as well as app lock , alongside existing safety features like report, block and message requests. We worked closely with outside experts, academics, advocates and governments to identify risks and build mitigations to ensure that privacy and safety go hand-in-hand.

The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver's device. This means that nobody, including Meta, can see what's sent or said, unless you choose to report a message to us.

End-to-end encryption gives people more secure chats in Messenger. These chats will not only have all of the things people know and love, like themes and custom reactions, but also a host of new features we know are important for our community. These new features will be available for use immediately, though it may take some time for Messenger chats to be updated with default end-to-end encryption.

On 14th November, Members of the European Parliament's Civil Liberties committee voted against attempts from EU Home Affairs officials to roll out mass scanning of private and encrypted messages across Europe. It was a clear-cut vote, with a significant majority of MEPs supporting the proposed position.

A political deal struck by the Parliament's seven political groups at the end of October meant that this outcome was expected. Nevertheless, this is an important and welcome milestone, as Parliamentarians demand that EU laws are based in objective evidence, scientific reality and with respect for human rights law.

This vote signals major improvements compared to the Commission's original draft law (coined Chat Control'), which has courted controversy. The process around the legislation has faced allegations of conflicts of interest and illegal advert micro-targeting, and rulings of "maladministration". The proposal has also been widely criticised for failing to meet EU requirements of proportionality -- with lawyers for the EU member states making the unprecedented critique that the proposal likely violates the essence of the right to privacy.

In particular, the vote shows the strong political will of the Parliament to remove the most dangerous parts of this law -- mass scanning, undermining digital security and mandating widespread age verification. Parliamentarians have recognised that no matter how important the aim of a law, it must be pursued using only lawful and legitimate measures.

At the same time, there are parts of their position which still concern us, and which would need to be addressed if any final law were to be acceptable from a digital rights point of view. Coupled with mass surveillance plans from the Council of member states and attempts from the Commission to manipulate the process, we remain sceptical about the chances of a good final outcome.

Civil liberties MEPs also voted for this position to become the official position of the European Parliament. On 20 th November, the rest of the house will be notified about the intention to permit negotiators to move forward without an additional vote. Only after that point will the position voted on today be confirmed as the European Parliament's mandate for the CSA Regulation.

Mass scanning (detection orders)

The European Parliament's position firmly rejects the premise that in order to search for child sexual abuse material (CSAM), all people's messages may be scanned (Articles 7-11). Instead, MEPs require that specific suspicion must be required -- a similar principle to warrants. This is a vital change which would resolve one of the most notorious parts of the law. The position also introduces judicial oversight of hash lists (Article 44.3), which we welcome. However, it unfortunately does not distinguish between basic hashing (which is generally seen as more robust) and perceptual hashing (which is less reliable).

At the same time, the wording also needs improvement to ensure legal certainty. The Parliament position rightly confirms that scanning must be "targeted and specified and limited to individual users, [or] a specific group of users" (Article 7.1). This means that there must be "reasonable grounds of suspicion a link [...] with child sexual abuse material" (Articles 7.1. and 7.2.(a)). However, despite attempts in Recital (21) to interpret the "specific group of users" narrowly, we are concerned that the phrasing "as subscribers to a specific channel of communications"(Article 7.1.) is too broad and too open to interpretation. he concept of "an indirect link" is also ambiguous in the context of private messages, and should be deleted or clarified.

The Parliament's position deletes solicitation (grooming) detection from the scope of detection orders, recognising the unreliability of such tools. However, the fact that solicitation remains in the scope of risk assessment (Articles 3 and 4) still poses a risk of incentivising overly-restrictive measures.

End-to-end encryption

The European Parliament's position states that end-to-end encrypted private message services -- like WhatsApp, Signal or ProtonMail -- are not subject to scanning technologies (Articles 7.1 and 10.3). This is a strong and clear protection to stop encrypted message services from being weakened in a way that could harm everyone that relies on them -- a key demand of civil society and technologists.

Several other provisions throughout the text, such as a horizontal protection of encrypted services (Article 1.3a and Recital 9a), give further confirmation of the Parliament's will to protect one of the only ways we all have to keep our digital information safe.

There is a potential (likely unintended) loophole in the Parliament's position on end-to-end encryption, however, which must be addressed in future negotiations. This is the fact that whilst encrypted 'interpersonal communications services (private messages) are protected, there is not an explicit protecting for other kinds of encrypted services ('hosting services').

It would therefore be important to amend Article 1.3a. to ensure that hosting providers, such as of personal cloud backups, cannot be required to circumvent the security and confidentiality of their services with methods that are designed to access encrypted information, and that Article 7.1. is amended so that it is not limited to interpersonal communications.

Age verification & other risk mitigation measures

The European Parliament's position is mixed when it comes to age verification and other risk mitigation measures. EDRi has been clear that mandatory age verification at EU level would be very risky -- and we are glad to see that these concerns have been acted upon. The European Parliament's position protects people's anonymity online by removing mandatory age verification for private message services and app stores, and adds a series of strong safeguards for its optional use (Article 4.3.a.(a)-(k)). This is a positive and important set of measures.

On the other hand, we are disappointed that the Parliament's position makes age verification mandatory for porn platforms (Article 4a.) -- a step that is not coherent with the overall intention of the law. What's more, the cumulative nature of the risk mitigation measures for services directly targeting children in the Parliament's position (Article 4.1.(aa)) need further attention.

This is because there is no exception given for cases where the measures might not be right for a particular service, and could instead risk platforms or services deciding to exclude young people from their services to avoid these requirements.

We recommend that there should not be mandatory age verification for porn platforms, and that risk mitigation measures should oblige providers to achieve a specific outcome, rather than creating overly-detailed (and sometimes misguided) service design requirements. We also warn that the overall CSA Regulation framework should not incentivise the use of age verification tools.

Voluntary scanning

The European Parliament's position does not include a permanent voluntary scanning regime, despite some MEPs calling for such an addition. This is an important legal point: if co-legislators agree that targeted scanning measures are a necessary and proportionate limitation on people's fundamental human rights, then they cannot leave such measures to the discretion of private entities. The Parliament's position does -- however, extend the currently-in-force interim derogation by nine months (Article 88.2).