If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Cloudflare is pushing back against Piracy Shield, an Italian copyright enforcement system that lets private media companies order website blocks with no judicial oversight, no transparency, and no appeals process. When Cloudflare refused to register, Italy’s communications regulator AGCOM fined it €14 million last December. Cloudflare appealed on March 8 and is continuing its legal challenge against the system itself. The fine was calculated on Cloudflare’s global revenue, a choice AGCOM made despite Italian law capping non-compliance penalties at 2% of earnings within the relevant jurisdiction. Applied correctly to Cloudflare’s Italian revenue, the ceiling would have been roughly €140,000. AGCOM went global instead, producing a penalty nearly 100 times higher than the legal limit. Piracy Shield runs through an unsupervised portal. An unidentified group of Italian media companies submits IP addresses and websites for blocking. Registered service providers then have 30 minutes to comply. No judge reviews the requests. Targets don’t get notified before their sites go dark. There’s no mechanism to challenge a block before it takes effect and no effective path to seek redress afterward. The system was donated to the Italian government by SP Tech, a legal firm that represents several of its primary beneficiaries, including Lega Nazionale Professionisti Serie A, Italy’s top professional soccer league. Piracy Shield’s architecture reflects whose interests it was built to serve. The collateral damage has been severe. IP address blocking is structurally incapable of precision: a single IP can host thousands of unrelated sites. Piracy Shield recklessly blocked Ukrainian government educational portals. It took down European NGOs running social programs for women and children. It even cut Google Drive access for over 12 hours, locking Italian students and workers out of their files. A September 2025 study from the University of Twente found the system routinely blocks legitimate sites for months at a time. AGCOM’s response to that evidence was to expand Piracy Shield’s reach to cover global DNS providers and VPNs, services directly tied to privacy and free expression. Cloudflare raised these structural problems with AGCOM directly in 2024, proposing copyright enforcement approaches that wouldn’t require breaking the Internet’s core architecture. AGCOM ignored them. Cloudflare then challenged the system in Italian administrative courts and, alongside the Computer & Communications Industry Association, filed a formal complaint with the European Commission. The Commission responded on June 13, 2025, with a letter criticizing Piracy Shield’s lack of oversight. On December 23, 2025, an Italian court ordered AGCOM to produce the records supporting its blocking orders. Six days later, AGCOM issued the €14 million fine. AGCOM still hasn’t complied with the disclosure order. Four days before the deadline, it informed Cloudflare that some records would be available for supervised in-person inspection at an AGCOM facility in Naples. A regulator demanding oversight of its own records disclosure, in its own building, while fighting to limit what it produces, is not operating in good faith. Cloudflare is now appealing the fine and pushing for full access to those records. Its legal position is that Piracy Shield violates the EU’s Digital Services Act, which requires content restrictions to be proportionate and subject to procedural safeguards. Piracy Shield is neither. A regulatory model that lets private rightsholders issue blocking orders through a black box, with 30-minute compliance windows and no accountability, is one that other regulators can replicate. Cloudflare’s refusal to register is a refusal to become infrastructure for a private censorship system operating without transparency or oversight. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Cloudflare Appeals €14 Million AGCOM Fine, Challenges Italy’s Piracy Shield as Illegal Censorship System appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Brazil’s Digital ECA (Estatuto da Criança e do Adolescente Digital) took effect today, March 17, requiring nearly every tech product accessible to children to clear a long list of compliance obligations. Apps, operating systems, app stores, video games, social networks: all potentially covered, all facing fines of up to 50 million Brazilian reais (roughly US$9.44 million) or 10% of their Brazilian revenue for non-compliance. As always, the framing is child protection. The infrastructure being built is a national age verification system woven into the fabric of internet access. “Brazil has stepped forward as the first country in Latin America to pass a dedicated law to protect children’s online privacy and safety,” goes the official line. Every major technology platform operating in Brazil must now determine how old its users are and restrict what they can see accordingly. The checkbox that said “I am over 18” is explicitly banned. What replaces it costs significantly more in data. The Contradiction Written Into the Law Article 37’s sole paragraph states that regulations “may not, under any circumstances, impose, authorize, or result in the implementation of mechanisms of massive, generic, or indiscriminate surveillance.” Then Article 9 bans self-reported age. Article 12 demands “auditable” verification. The law prohibits the only mechanism that would make the law work. Auditable, non-self-declaration age verification requires collecting something real about you. The law permits a range of methods: government ID, biometric face scanning, behavioral pattern analysis that watches how you type and what you click, age inference from activity data, and educational history. Every single one of these collects sensitive personal information and creates a record. There is no method on the approved list that doesn’t involve building exactly the kind of identity infrastructure Article 37 claims to forbid. The legislators either didn’t notice the contradiction or they noticed and didn’t care. The obligation falls on platforms, not directly on every individual user. But the effect is the same. Platforms that want to comply need to verify who you are and how old you are before showing you restricted content. If you want to see it, you provide the data. If you don’t provide the data, you don’t get access. What the Law Actually Requires The Digital ECA applies to any information technology product or service intended for or likely to be accessed by minors, regardless of where it was developed, sold, or operated. The scope is deliberately broad. On January 7, Brazil’s National Data Protection Authority (ANPD) extended a deadline for 37 technology companies to submit information on their implementation progress. The names you’d expect are there: Amazon, Apple, Discord, Google, Meta, TikTok, Valve. So is Canonical, the company that makes Ubuntu Linux. Ubuntu is not a social media platform. It does not target children. Its appearance on that list tells you everything about how Brazil intends to apply this law. Any technology product with a digital presence in Brazil that could conceivably be used by a minor is now subject to regulatory oversight. That’s a definition broad enough to capture an open-source operating system used primarily by developers and IT professionals. For platforms clearly in scope, the compliance requirements stack up fast. Self-declaration is explicitly banned as an age verification method. App stores and operating systems must implement age verification systems, parental supervision tools, and share age signal data through a secure API. Social networks face no explicit age verification mandate but must suspend underage users and restrict child accounts, which they can’t achieve without some form of age determination. Users aged 16 and under must have their accounts linked to a parent or legal guardian’s account. Video game platforms must prohibit loot boxes for minors and require parental consent for any user interaction features, including chat. Providers with over one million minor users in Brazil must publish semiannual transparency reports in Portuguese. Foreign companies must maintain a legal representative in Brazil with authority to receive court orders and notifications. This isn’t a compliance checkbox. It’s a permanent legal foothold for the Brazilian state inside every major tech platform’s operations. The Law’s First Day The most concrete illustration of the law’s reach arrived before it even took effect. Rockstar Games, maker of Grand Theft Auto and Red Dead Redemption, announced that as of March 16, digital titles are “no longer purchasable from the Rockstar Games Store or Rockstar Games Launcher by our Brazilian players.” The company didn’t attempt compliance on its own storefront. It simply withdrew from it, redirecting Brazilian customers to PlayStation Store, Xbox, Steam, and Epic Games Store, platforms large enough to absorb the compliance burden themselves. Games you already own still work. New purchases through Rockstar’s own channels don’t. The company has not said whether it intends to return. Discord took a different path, and it reveals exactly what compliance costs. Starting March 9, Discord began rolling out age assurance in Brazil using a third-party vendor called k-ID. The system uses facial age estimation or identity document submission to gate access to age-restricted content and certain default settings. Discord says identity documents are “never seen by Discord.” That’s what Discord users thought would happen before October 2025, when a breach of a third-party support provider exposed approximately 70,000 government ID photos that was collected for age-related appeals. Discord didn’t hold the data directly in that case either; a vendor did. The vendor got breached and the IDs leaked. Now, Discord is building a much larger pipeline of the same category of data through a different third-party, under a law that requires the process to scale to an entire country’s user base. The promise that k-ID, the company Discord is using, won’t share the data with Discord is only as strong as k-ID’s own security practices, which Brazilian Discord users have no direct way to audit and no meaningful recourse if that promise breaks. Encryption in also in the Crosshairs The law’s content removal obligations create a separate and serious problem for encrypted messaging. Providers must put in place systems for reporting and removing content that involves exploitation, sexual abuse, kidnapping, or grooming. Article 27 establishes an affirmative duty to report such content without specifying whether that obligation is limited to material the service becomes aware of through user reports, or whether it extends to proactive scanning of messages. If Article 27 requires proactive scanning, it requires breaking end-to-end encryption. The only way to scan message content for prohibited material before it reaches a recipient is to access it before encryption activates. WhatsApp’s fundamental privacy promise, that only the sender and recipient can read a conversation, becomes legally untenable if Brazilian regulators read Article 27 that way. The law provides no exemption for encrypted services and no guidance on how they’re supposed to comply. European regulators have tried the same move. The EU’s proposed “Chat Control” law would require client-side scanning, accessing your messages on your device before encryption kicks in. Brazil’s law doesn’t go that far explicitly. It simply leaves the question open, which may amount to the same thing in enforcement. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Brazil Launches Mandatory Age Verification Law for Online Platforms appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Spain’s data protection authority just handed Yoti a 950,000 euro fine for building a biometric identity system that violated GDPR in three distinct ways. Governments around the world are mandating age verification at an unprecedented scale, and companies like Yoti exist precisely to service that demand. The fine is a signal that the infrastructure being built to satisfy those mandates is already failing its most basic legal obligations. The largest penalty, 500,000 euros, targets the core of what Yoti does. The app compares a live selfie against a stored biometric template during account setup. Yoti called this “authentication.” Spain’s AEPD called it a unique identification of a natural person, which falls squarely under GDPR’s special category protections. Half of the United States now mandates or is considering mandating age verification for accessing adult content or social media platforms, with nine states seeing their laws take effect in 2025 alone and more coming in 2026. The EU is moving in the same direction. The European Commission recently developed a blueprint for age verification that will be piloted in Denmark, France, Greece, Italy, and Spain. Australia passed laws barring children under 16 from social media entirely, requiring platforms to build age verification into their services. The legislative pressure is coordinated, accelerating, and pointed directly at companies like Yoti to deliver the technical infrastructure. At the technical level, companies have only two tools: identity-based verification, where users upload government IDs or provide documents proving their age, or inference, where platforms guess age based on behavior, device signals, or biometric analysis, most commonly facial age estimation from selfies or videos. The retention violations add another 250,000 euros. Geolocation data reportedly stayed in Yoti’s systems for five years. Video recordings from liveness detection sit around for 30 days. Fraudulent identity documents submitted during failed verification are retained beyond their original purpose and repurposed to train Yoti’s algorithms. A document submitted as evidence of fraud becomes a permanent training asset. The person who submitted it never agreed to that. Discord disclosed last year that hackers breached a vendor doing age verification services. In that single breach, around 70,000 people had their government ID cards exposed, now presumably available to cybercriminals. That’s one incident from one vendor. These companies should also be anticipated as targets for state-backed hackers, given that a database linking real identities to online behavior is exactly the kind of intelligence asset that foreign governments pursue. Yoti pushed back hard, with an appeal. “Yoti rejects in the strongest possible terms the decision of the AEPD and has begun the appeal process to the Spanish High Court,” the company said in a statement, adding that “no personal data of any app user has been breached or compromised in any way.” The company also disclosed something notable about the investigation’s conduct: “We fully cooperated with the AEPD’s information requests, but we were never notified that we were under investigation.” The appeal doesn’t change the six-month compliance deadline. Yoti has six months to demonstrate to the AEPD that its biometric data processing, consent mechanisms, and data retention practices comply with GDPR. That’s the bar. Not whether mass biometric identity verification is proportionate to the goal of keeping teenagers off adult content. Just whether this particular company stored the face scans for slightly too long and made the opt-out slightly too hard to find. The larger question, whether governments should be mandating this infrastructure at all, isn’t part of the proceeding. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Spain Fines ID Tool Yoti for Privacy Violations in Biometric ID App appeared first on Reclaim The Net.

This Post is for Paid Supporters Reclaim your digital freedom. Get the latest on censorship and surveillance, and learn how to fight back. SUBSCRIBE Already a supporter? Sign In. (If you’re already logged in but still seeing this, refresh this page to show the post.) The post Your Phone’s Ads Are Spying for the Government. These Simple Changes Can Help appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Congress is about to stage one of its annual spectacles: reauthorizing Section 702 of the Foreign Intelligence Surveillance Act. Normally, this is an already messy affair, but President Trump has decided to spice things up by suggesting that Republicans attach the SAVE America Act to the must-pass FISA bill. The result is a headache for House Speaker Mike Johnson. “Maybe you put them together, because a lot of people feel very strongly about FISA,” Trump told House Republicans at their retreat last week. That might be the understatement of the year. The Foreign Intelligence Surveillance Act, or FISA, was created to let the US government collect intelligence on foreigners. In theory, it targets only non-US citizens abroad. In reality, it has become a tool for sweeping up Americans’ communications on a massive scale. Section 702, the part now up for reauthorization, allows intelligence agencies to grab emails, texts, and calls from foreign targets and, in doing so, they routinely capture the American side of those conversations. This incidental collection has become anything but incidental. The FBI treats Section 702 data as a domestic treasure trove, conducting millions of warrantless searches of Americans’ communications each year. It effectively bypasses the Fourth Amendment, giving federal agencies legal cover to monitor Americans without warrants, often funneling the information into ordinary criminal investigations. FISA’s original promise of balancing security and privacy has been eroded by decades of routine overreach. GOP leadership had been planning a clean extension, but Trump’s intervention opens the door for a faction of conservatives, led by Rep. Anna Paulina Luna, to insist on a legislative package deal. Luna didn’t vote to reauthorize FISA in 2024, but she and other SAVE supporters are already signaling they will use their leverage to shape the House floor debate. Johnson likely has the votes to pass FISA with bipartisan support, but the rule vote, the procedural step determining how the floor debate proceeds, is the real landmine. Conservatives have yet to announce support, and procedural votes have long been the preferred weapon for those who want leverage without responsibility. On the Senate side, the SAVE Act faces a grim outlook. Senate Majority Leader John Thune has offered no guarantees that SAVE will hitch a ride with FISA, prompting Rep. Chip Roy to call the Senate’s moves “performance theater” and Rep. Keith Self to accuse Thune of “gaslighting the American people,” adding, “This is nothing but a show vote.” If the Senate fails, Luna’s pressure campaign in the House is likely to intensify. FISA watchers should expect procedural obstruction and rhetorical fireworks as SAVE Act advocates push to attach reforms to the surveillance authority before it lapses on April 20. The SAFE Act, sponsored by Senators Mike Lee and Dick Durbin, offers a mix of modest reforms and symbolic gestures. Among the wins: The FBI would need a warrant before reading the content of Americans’ communications collected incidentally. Parallel construction, the sleight-of-hand technique used to hide the original, possibly unconstitutional, source of evidence, is limited. The government must disclose the Section 702 source when using it in court. Data broker loopholes are partially closed, reducing the market for personal location and communications data. Expired surveillance powers under Section 215 of the Patriot Act are explicitly retired. For anyone who has followed US surveillance law, these are small but meaningful improvements. But the SAFE Act still leaves gaping holes. The definition of “electronic communication service providers” remains ambiguous, the FBI can still query databases to see whether Americans are involved without a warrant, and practices like “Abouts collection” are still not explicitly prohibited. Here is where the circus comes in. The Senate is expected to debate the SAVE Act this week, but with Democrats opposed and key Republicans unconvinced, it is expected to fail. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post The FISA Surveillance Tool Is Up for Renewal, and the SAVE Act Is Riding Shotgun appeared first on Reclaim The Net.