Internet News

The government of Spanish Prime Minister Pedro Sánchez intends to implement age verification to access adult content on the internet across the board to prevent minors from viewing age-restricted websites. Spain's data regulator Agencia Española de Protección de Datos (AEPD) is developing a process to require web users to utilize a digital ID card.

The Royal Spanish Mint will be directed to develop the digital ID technology following recommendations from the AEPD. One format floated by the agency is that a user will download an app on their mobile device, a QR code, or some other type of digital document verifying their age through a government ID, health or residence cards, a driver's license, or a passport. AEPD claims that this approach minimizes risks of a data breach since third parties--such as a private sector age verification software vendor or a regulated platform--will not be able to access a user's sensitive personally identifiable information.

Unfortunately, there is no guarantee of sensitive personally identifiable information being safe in the hands of a government agency or private company. Consider a case that occurred in Louisiana, which was the first U.S. state to require an ID to view adult content. Seeking to comply with the law, the tube site Pornhub adopted an age verification solution that integrated with the state's digital identification app, LA Wallet.

Months after the deployment of LA Wallet by Pornhub, the company and the agency administering the digital wallet program were victims of a data breach. A local news report indicates that over 6 million records from the Louisiana Office of Motor Vehicles were exposed by hackers in June 2023. Names, addresses, ID numbers, social security numbers, height, weight and eye colors were exposed in a breach of a file transfer protocol.

Even with the best intention and risk mitigation, AEPD will not be able to completely prevent a breach of data. That is one major concern among critics of age verification.

Google announced this week that it will be making several important changes to the way it handles users' "Location History" data. These changes would appear to make it much more difficult--if not impossible--for Google to provide mass location data in response to a geofence warrant , a change we've been asking Google to implement for years.

Geofence warrants require a provider--almost always Google--to search its entire reserve of user location data to identify all users or devices located within a geographic area during a time period specified by law enforcement. These warrants violate the Fourth Amendment because they are not targeted to a particular individual or device, like a typical warrant for digital communications. The only "evidence" supporting a geofence warrant is that a crime occurred in a particular area, and the perpetrator likely carried a cell phone that shared location data with Google. For this reason, they inevitably sweep up potentially hundreds of people who have no connection to the crime under investigation--and could turn each of those people into a suspect .

Geofence warrants have been possible because Google collects and stores specific user location data (which Google calls "Location History" data) altogether in a massive database called " Sensorvault ." Google reported several years ago that geofence warrants make up 25% of all warrants it receives each year.

Google's announcement outlined three changes to how it will treat Location History data. First, going forward, this data will be stored, by default, on a user's device, instead of with Google in the cloud. Second, it will be set by default to delete after three months; currently Google stores the data for at least 18 months. Finally, if users choose to back up their data to the cloud, Google will "automatically encrypt your backed-up data so no one can read it, including Google."

All of this is fantastic news for users, and we are cautiously optimistic that this will effectively mean the end of geofence warrants. These warrants are dangerous. They threaten privacy and liberty because they not only provide police with sensitive data on individuals, they could turn innocent people into suspects. Further, they have been used during political protests and threaten free speech and our ability to speak anonymously, without fear of government repercussions. For these reasons, EFF has repeatedly challenged geofence warrants in criminal cases and worked with other groups ( including tech companies) to push for legislative bans on their use.

However, we are not yet prepared to declare total victory. Google's collection of users' location data isn't limited to just the "Location History" data searched in response to geofence warrants; Google collects additional location information as well. It remains to be seen whether law enforcement will find a way to access these other stores of location data on a mass basis in the future. Also, none of Google's changes will prevent law enforcement from issuing targeted warrants for individual users' location data--outside of Location History--if police have probable cause to support such a search.

But for now, at least, we'll take this as a win. It's very welcome news for technology users as we usher in the end of 2023.

I'm delighted to announce that we are rolling out default end-to-end encryption for personal messages and calls on Messenger and Facebook, as well as a suite of new features that let you further control your messaging experience. We take our responsibility to protect your messages seriously and we're thrilled that after years of investment and testing, we're able to launch a safer, more secure and private service.

Since 2016, Messenger has had the option for people to turn on end-to-end encryption, but we're now changing private chats and calls across Messenger to be end-to-end encrypted by default. This has taken years to deliver because we've taken our time to get this right. Our engineers, cryptographers, designers, policy experts and product managers have worked tirelessly to rebuild Messenger features from the ground up. We've introduced new privacy, safety and control features along the way like delivery controls that let people choose who can message them, as well as app lock , alongside existing safety features like report, block and message requests. We worked closely with outside experts, academics, advocates and governments to identify risks and build mitigations to ensure that privacy and safety go hand-in-hand.

The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver's device. This means that nobody, including Meta, can see what's sent or said, unless you choose to report a message to us.

End-to-end encryption gives people more secure chats in Messenger. These chats will not only have all of the things people know and love, like themes and custom reactions, but also a host of new features we know are important for our community. These new features will be available for use immediately, though it may take some time for Messenger chats to be updated with default end-to-end encryption.