Daniel sent us this one — he wants to talk about the Electronic Frontier Foundation. Specifically, the history of the organization, the major initiatives they've backed, and the ways they spotlight practices that threaten internet freedom. And honestly, this is one of those institutions where the more you dig into what they've actually done, the more remarkable it gets. They're currently suing the Department of Justice over warrantless border device searches — filed just this January — and that's not even their most ambitious case right now.
It really isn't. And the border search case gets at something fundamental about how the Fourth Amendment has been interpreted at ports of entry. The government has long claimed what's called the border search exception — the idea that they can search anything and anyone crossing the border without a warrant. EFF is arguing that your phone is not the same thing as your suitcase. A suitcase doesn't contain your entire medical history, your private conversations with your spouse, your financial records, your location history going back years. The legal theory here is actually really interesting — they're building on the Supreme Court's reasoning in Riley versus California, the 2014 case that said police need a warrant to search your phone during an arrest.
Because a phone isn't just a container.
And the border search exception was designed for physical contraband — undeclared goods, drugs, things you can hold. EFF's argument is that applying it to a device that contains the equivalent of millions of pages of personal documents is a category error. It's like saying customs can read your diary, your letters, your photo albums, and your bank statements just because you crossed an imaginary line. The case is still in early stages, but it's the kind of thing EFF has been doing for thirty-six years now — taking a principle that seems abstract and finding the perfect case to test it.
Let's rewind to how this all started, because the founding story is genuinely wild and I think a lot of people don't know it. It was 1990. Steve Jackson Games — a tabletop RPG publisher in Austin, Texas — was running a bulletin board system, a BBS, which is what passed for an online community before the web existed. The Secret Service raided their offices and seized their computers.
The reason they raided them is almost too absurd to believe. There was a document on the BBS — it was a draft of a sourcebook for a cyberpunk role-playing game called GURPS Cyberpunk. The Secret Service saw this document and believed it was an actual manual for computer crime. They didn't understand that it was fiction. They also misread a phone number — there was a phone phreaking document on the BBS, and they thought a number in it was connected to something illegal when it was actually just a typo. So armed federal agents stormed a game company, seized their computers, and took the BBS offline — a BBS that had over three hundred users. Those users' private emails were stored on those seized machines. And the Secret Service read them.
Steve Jackson Games nearly went under. They had a book in production — the very GURPS Cyberpunk sourcebook the agents were confused about — and the seized computers had the only copies of the files. The company lost something like a hundred and twenty-five thousand dollars in revenue.
This is where the EFF comes in. John Perry Barlow — who was a lyricist for the Grateful Dead, by the way, and also a Wyoming cattle rancher — he got wind of what happened. So did John Gilmore, who was one of the early employees at Sun Microsystems and a major figure in the early internet, and Mitch Kapor, who founded Lotus Development Corporation. These three men looked at what happened to Steve Jackson Games and saw the future — they saw that law enforcement fundamentally did not understand digital technology, and that this ignorance was going to lead to massive civil liberties violations. So they founded the Electronic Frontier Foundation in July 1990, specifically to take on the Steve Jackson Games case.
Steve Jackson Games versus United States Secret Service — the court ruled that the Secret Service had violated the Privacy Protection Act and the Stored Communications Act. It was the first case to establish that email stored on a BBS had some level of Fourth Amendment protection. The court awarded damages, but more importantly, it set a precedent that law enforcement couldn't just seize servers and read everyone's private messages without consequences. The judge literally said the Secret Service had engaged in "gross negligence."
Which is judicial language for "what were you thinking."
But here's what I think is key about the founding — EFF could have been just a legal defense fund. They could have taken the Steve Jackson case, won it, and closed up shop. Instead, they built an institution designed to fight the next hundred cases like it. And they realized very early that you couldn't just fight in court — you had to build the technical infrastructure that made rights real.
That's the part that distinguishes them from, say, the ACLU. The ACLU does incredible work, but they're fundamentally a litigation and advocacy organization. EFF litigates and advocates, but they also write code. They build tools. They fund infrastructure. And that came directly out of the Crypto Wars in the 1990s.
The Crypto Wars. This is one of my favorite chapters in the history of computing, and EFF was absolutely central to it. Let me set the stage — it's the early 1990s, and the US government treats encryption as a munition. Strong cryptography was classified as a weapon under the Arms Export Control Act, which meant you couldn't export software with strong encryption outside the United States. The National Security Agency and the FBI were deeply worried that widespread encryption would make their surveillance capabilities useless. So they proposed something called the Clipper Chip.
The Clipper Chip was a hardware encryption device that the government wanted to mandate in all communications equipment. It used an algorithm called Skipjack, which was classified — nobody outside the NSA knew how it worked. And here was the key part — it had a built-in backdoor. Every Clipper Chip had a "key escrow" system where the government could decrypt any communication if they had a warrant.
The technical weakness here was profound and EFF was among the first to articulate why. The Skipjack algorithm itself was actually reasonably strong — it was an 80-bit key, which was decent for the time. The problem wasn't the algorithm. The problem was the key escrow system. You had this thing called the Law Enforcement Access Field, or LEAF, which was basically a copy of the session key encrypted with a government-held key. If law enforcement had a warrant, they could get the government-held key and decrypt the LEAF, which gave them the session key, which gave them the entire conversation. The vulnerability was that if anyone — anyone — ever compromised the government's escrow key database, every Clipper Chip conversation ever recorded could be decrypted. It was a single point of failure for the entire nation's communications security.
EFF's role in defeating the Clipper Chip was multifaceted. They did public education — explaining in plain language why this was a terrible idea. They lobbied Congress. They organized the tech industry, which was initially hesitant to oppose the government publicly. And they supported academic researchers who were publishing papers demonstrating alternative approaches to encryption that didn't require backdoors.
Then they did something that was pure theater — pure, brilliant, technical theater. In 1998, EFF built a machine called Deep Crack. It was a custom-built computer designed to brute-force the Data Encryption Standard, DES, which was the government-approved encryption standard at the time. DES used a 56-bit key, and the government's position was that 56 bits was strong enough for civilian use — that it would take too long and cost too much to crack. EFF spent two hundred and ten thousand dollars building a machine that could crack a 56-bit DES key in fifty-six hours.
Fifty-six hours.
Fifty-six hours. They proved, conclusively and publicly, that the encryption the government was telling everyone to use was trivially breakable by anyone with a modest budget. Two hundred and ten thousand dollars is not nation-state money — that's a well-funded startup, a mid-size company, a university research grant. The demonstration was devastating. It directly led to the adoption of the Advanced Encryption Standard, AES, with much longer key lengths.
This is the pattern that repeats throughout EFF's history — they don't just argue that a policy is bad. They demonstrate why it's technically broken. They show their work.
The other landmark case from this era was Bernstein versus United States Department of Justice. Daniel Bernstein — who was a PhD student at UC Berkeley at the time — had developed an encryption algorithm called Snuffle. He wanted to publish the source code, both in print and online. The government told him he couldn't, because the encryption algorithm was a "munition" under export control laws. Bernstein sued, arguing that source code is speech protected by the First Amendment. EFF backed the case heavily.
This went on for years.
It went on for eight years. 1995 to 2003. The Ninth Circuit Court of Appeals ruled in 1999 that source code is indeed protected speech under the First Amendment. The government's export controls on encryption were an unconstitutional prior restraint on speech. This ruling is the legal foundation for basically all modern open-source encryption software. Without Bernstein versus DOJ, you don't have OpenSSL, you don't have the encryption in Firefox and Chrome, you don't have Signal, you don't have the entire ecosystem of open cryptographic tools. The idea that publishing code is an act of speech — that's not an obvious legal conclusion, and EFF fought for eight years to establish it.
They won the Crypto Wars — or at least the first round. But EFF doesn't just sue. You mentioned they build. Talk about the tools.
The most famous one is probably the Tor Project. EFF was the original funder of Tor — the onion router — back in 2004 and 2005. Tor is now an independent nonprofit, but EFF provided the early financial and institutional support that got it off the ground. Tor is, at its core, a network of volunteer-run servers that bounce your traffic through multiple layers of encryption — hence the onion metaphor — so that no single point in the network knows both where the traffic came from and where it's going. It's the closest thing we have to anonymous communication on the internet.
EFF didn't just write a check. They co-developed tools that made Tor usable for ordinary people.
HTTPS Everywhere was a browser extension — co-developed by EFF and the Tor Project — that automatically redirected websites from insecure HTTP to encrypted HTTPS whenever possible. At its peak, it had millions of users. It's since been retired because HTTPS is now the default on the web, which is itself a victory. The fact that a tool designed to fix a broken default is no longer needed because the default got fixed — that's a win. Then there's Privacy Badger, which is EFF's anti-tracking browser extension. Unlike ad blockers that use static lists of known trackers, Privacy Badger learns as you browse. It watches for third-party domains that appear to be tracking you across multiple sites and blocks them automatically. It's a behavioral approach to privacy rather than a list-based approach.
Certbot is one of those tools that most people have never heard of but has probably affected their lives. It's a free, open-source tool that automates the process of obtaining and installing SSL and TLS certificates from Let's Encrypt. Before Certbot and Let's Encrypt, getting an HTTPS certificate was expensive and technically complicated — you had to pay a certificate authority, generate keys, configure your server manually. Certbot reduced that to a single command line. It's one of the main reasons HTTPS adoption went from about forty percent of page loads in 2015 to over ninety percent today. EFF built the tool that made encryption the default on the web, not just a luxury for big companies.
That's a theme with them — they don't just advocate for encryption, they make it trivial to deploy. They remove the friction. Which brings us to the surveillance battles, because that's where EFF's work really ramped up after 9/11.
The post-9/11 period was when EFF went from being a digital rights organization to being one of the most effective civil liberties organizations in the country, period. The Patriot Act was passed in October 2001, and Section 215 — the so-called "library records provision" — gave the government sweeping authority to collect "any tangible thing" relevant to a terrorism investigation. The NSA interpreted this as authorization for bulk collection of phone records — metadata on every call made in the United States.
This was secret.
The public didn't know it was happening until 2013, when Edward Snowden leaked the documents. But EFF had already been suing over warrantless surveillance for years before Snowden. The case was Jewel versus NSA — filed in 2008 — and it alleged that the NSA's dragnet surveillance of phone and internet communications was unconstitutional. EFF's client was Carolyn Jewel, an AT&T customer. The case was consolidated with other challenges and dragged on for years. It's still, in some form, ongoing.
The companion case actually got a ruling.
First Unitarian Church of Los Angeles versus NSA. The church had a member who was an attorney for a charity that was under surveillance, and the surveillance was chilling the church's ability to communicate confidentially with its members. In 2015, the Second Circuit Court of Appeals ruled that the NSA's bulk metadata collection program was illegal — it exceeded what Section 215 actually authorized. That ruling directly led to the USA Freedom Act, which ended bulk collection under Section 215 and required the government to get specific court orders for specific records. It wasn't a complete victory — the surveillance apparatus is still vast — but it was the first time a court had said, explicitly, that the NSA's interpretation of the law was wrong.
The Snowden disclosures in 2013 supercharged all of this. EFF became the legal hub for challenging mass surveillance. They represented Snowden himself for a period. They filed amicus briefs in dozens of cases. They built a whole Surveillance Self-Defense guide — which we should talk about later — to help ordinary people understand their threat models and protect themselves.
One of the things EFF surfaced that I think doesn't get enough attention is the Stingray problem. Stingrays are cell-site simulators — they're devices that pretend to be cell phone towers, tricking nearby phones into connecting to them. Once a phone connects, the Stingray can capture its unique identifiers, its location, and potentially the content of calls and texts. Police departments across the country were buying these things with federal grant money and using them without warrants — often with nondisclosure agreements from the manufacturer, the Harris Corporation, that required them to hide the technology's existence from judges and defense attorneys.
Police were using surveillance technology that they'd agreed, contractually, to lie about in court.
And EFF's litigation and public records requests forced this into the open. They filed Freedom of Information Act requests with dozens of police departments, uncovered the contracts, published the documentation, and then used that evidence in court to challenge warrantless Stingray use. The result was that multiple state supreme courts and eventually the US Supreme Court — in Carpenter versus United States in 2018 — ruled that accessing historical cell phone location data requires a warrant. The government can't just get it from the phone company without probable cause.
Let's fast-forward to the threats EFF is fighting right now, because the landscape in 2026 looks different from 2013 in some ways and eerily similar in others. You mentioned the border device search lawsuit. What else is on their docket?
The biggest fight right now is probably encryption backdoors — again. The Crypto Wars never ended, they just changed venues. The UK's Online Safety Bill — which is now the Online Safety Act — includes provisions that could require platforms to scan encrypted messages for child sexual abuse material, which effectively means breaking end-to-end encryption. The European Union has similar proposals floating around. In the US, the RESTRICT Act was introduced in 2023 and is still active in various forms — it's framed as a TikTok ban bill, but the language is broad enough to give the executive branch sweeping authority to restrict technologies and services.
EFF's position on encryption is absolutist. They oppose any form of mandated backdoor, any form of client-side scanning, any form of encryption weakening — under any circumstances.
Which brings us to one of the hard questions. In 2025, Signal disclosed that they had discovered and patched a zero-day vulnerability that could have allowed an attacker to execute code on a recipient's device through a malicious message. Signal didn't disclose the vulnerability for six months while they worked on a patch. Law enforcement criticized this — they argued that if Signal had disclosed sooner, other platforms could have protected themselves, and that the delay potentially put users at risk from attackers who might have independently discovered the same vulnerability.
EFF defended Signal's decision.
EFF's argument was that responsible disclosure timelines are a judgment call, that six months for a complex vulnerability in a widely-deployed messaging app is not unreasonable, and that the law enforcement criticism was bad faith — an attempt to undermine trust in encrypted platforms. And I think EFF was right on the merits of that specific case, but it does raise a broader question. If you take an absolutist position on encryption, you are going to end up defending positions that a lot of reasonable people find uncomfortable. You're going to defend the right of people to communicate in ways that do make law enforcement's job harder, even in cases involving serious crimes.
That extends to speech too. EFF has defended the free speech rights of some awful people. They filed an amicus brief in support of the domain name registry in the case of a neo-Nazi website. They've defended the right of terrorist organizations to have their content hosted online under certain circumstances. Not because they agree with the content — obviously they don't — but because they believe that the principle of free speech has to apply to everyone or it applies to no one.
The way I think about this — and I've wrestled with it — is that EFF's role is to be the boundary-pushing edge of digital civil liberties. They're not a government agency that has to balance competing interests. They're an advocacy organization whose job is to argue the strongest possible case for liberty, knowing that the courts and the legislature will find the compromise position. If EFF compromised preemptively, if they said "well, we support encryption except in these cases," the Overton window would shift and the eventual compromise would be much worse. Their absolutism serves a function in the ecosystem.
That's the pragmatic defense. I think there's also a principled one, which is that the tools of surveillance and censorship are rarely used only against the people we all agree are bad. They get used against dissidents, journalists, activists, minority groups. The neo-Nazi's free speech precedent is the same precedent that protects the Black Lives Matter organizer.
And you see this playing out in real time with the AI training data cases. EFF has filed amicus briefs in Authors Guild versus OpenAI and Getty Images versus Stability AI, arguing that training AI models on publicly available data is transformative fair use. Their position is that scraping the open web to build AI is, legally, more like reading books in a library than photocopying them — the model learns patterns, it doesn't store copies.
Which is controversial even among people who generally support EFF.
A lot of artists and writers feel betrayed by this position. They see their work being used to train systems that could replace them, and EFF is arguing that this is legally and ethically fine. EFF's counterargument is that a restrictive interpretation of fair use in AI training would primarily benefit large corporations that can afford to license training data, while shutting out open-source AI development and academic research. They're worried about a world where only Google and OpenAI can build foundation models because only they can afford the licensing fees. But I'll be honest — I'm not sure they're right about this. The creative labor concerns are real, and I think the "transformative use" doctrine is being stretched in ways the courts never anticipated.
Then there's the flip side of AI — the surveillance applications. EFF has been sounding the alarm on AI-powered facial recognition, predictive policing, automated content moderation that's biased and unaccountable. So their AI position is actually nuanced in a way that gets lost — they're pro-innovation on the training side and deeply skeptical on the deployment side.
They filed a major amicus brief in 2024 arguing that the First Amendment protects the right to scrape publicly available data for research purposes, but they've also been the leading voice against government use of Clearview AI's facial recognition database, which scraped billions of faces from social media without consent. The distinction they're drawing — and it's a coherent one — is between using public data to build tools that benefit the public and using public data to build tools that surveil the public. The same act of scraping can serve either purpose, and the legal framework should distinguish between them.
One of the things EFF does that I think is underappreciated is the transparency work. The National Security Letter litigation, for example. NSLs are administrative subpoenas issued by the FBI — no judge signs off on them — and they almost always come with a gag order that forbids the recipient from disclosing that they received one. EFF has been suing over this for years.
The 2024 lawsuit against the FBI over NSLs was a big one. EFF represented a company — they can't name the company because of the gag order, which is itself part of the problem — that received an NSL demanding user data. The company wanted to challenge the NSL in court and wanted to tell its users that their data had been demanded. The FBI said no. EFF argued that the permanent gag order violates the First Amendment — it's a prior restraint on speech with no time limit and no judicial review. The case is still pending.
We've covered the history, the tools, the litigation, the current fights. Let's talk about what the average person can actually do with all this information, because I think there's a risk of this conversation feeling like a tour of threats with no exit.
The single most valuable thing EFF produces for ordinary people — and I mean this sincerely — is the Surveillance Self-Defense guide. It's free, it's online, and it walks you through building a threat model. Not "here's the ten tools you must use" — it starts by asking: who are you worried about? A foreign government? Your own government? The tools and practices are completely different depending on the answer. Most people are simultaneously over-protected against threats they don't face and under-protected against threats they do. The guide fixes that.
The guide is not technical. It's written for people who don't know what a public key is.
Another concrete action: run a Tor relay. Not a Tor exit node — those have legal complications — but a middle relay or a bridge. It's low-risk, it helps the network, and it's a way of contributing to anonymity infrastructure without being a lawyer or a cryptographer. EFF has guides for this too.
Donating is the obvious one. EFF gets about seventy percent of its funding from individual donations, not from big tech companies or foundations. They have about eighty staff and an annual budget around thirty-five million dollars — which, when you think about what they accomplish with that, is remarkable. That's less than the marketing budget of a mid-size tech company.
Probably the most impactful thing — and this sounds simple but it's not — is to use end-to-end encrypted services by default and push back against legislation that weakens encryption. When your member of Congress proposes a bill that includes "lawful access" provisions — which is always the euphemism for backdoors — let them know you oppose it. EFF makes this easy with their action center, which has pre-written letters for specific bills. The reason encryption backdoors keep getting proposed is that the people who want them are organized and loud, and the people who oppose them are diffuse and quiet. Changing that ratio is the single most effective thing a non-technical person can do.
I'd add — subscribe to the EFFector newsletter. It's not a fundraising spam machine. It's informative, with case updates, legislative tracking, and technical analysis that you won't find anywhere else. It's how you stay informed without having to follow fifteen different legal dockets.
There's one limitation worth noting, though. EFF does not do individual legal representation. If you personally have a digital rights issue — your account got suspended, you're facing a gag order, your device was searched at the border — EFF won't take your case. They do impact litigation, which means they pick cases that set precedents. If you need a lawyer, they can refer you to organizations that do direct representation, but they won't represent you themselves. That's a common misconception.
To wrap this up — EFF has been fighting these fights for thirty-six years, and the core tensions haven't changed that much. It's still about whether the government can read your messages, whether corporations can track you without consent, whether publishing code is speech, whether the Fourth Amendment applies to digital spaces. The technology changes — it was BBSes, then email, then smartphones, now AI — but the principles are remarkably stable.
The open question that I keep coming back to is what happens when AI-generated content floods the internet. EFF's "code is speech" doctrine was established in the context of encryption algorithms written by humans. Does it apply to code written by AI? Does it apply to AI-generated malware? The First Amendment analysis gets complicated when the speaker isn't a person. I think this is going to be the next major frontier for digital rights law, and I expect EFF to be at the center of it — probably arguing positions that make a lot of people uncomfortable, which is exactly what they should be doing.
The tension between the right to encryption and the right to safety — or the demand for safety — isn't going away. If anything, it's going to intensify as AI makes both surveillance and evasion more powerful. EFF's role as the absolutist voice for digital liberty is going to become more important, not less, even when — maybe especially when — their positions are unpopular.
Now: Hilbert's daily fun fact.
Hilbert: In 1905, a Hanseatic League trade manual circulated on Sakhalin Island included a rule that herring merchants must settle disputes using a designated "salt arbitrator" whose fee was exactly one barrel of the disputed fish, and whose decision was final unless both parties agreed the arbitrator had fallen asleep during testimony.
The specificity of "fallen asleep during testimony" suggests that happened more than once.
I have so many questions about the salt arbitrator's career path.
This has been My Weird Prompts. Thanks to our producer, Hilbert Flumingtop. If you want to dig deeper into anything we talked about today, the EFF's website at EFF dot org has their full case archives, all their tools, and the Surveillance Self-Defense guide. You can find us at myweirdprompts dot com or wherever you get your podcasts. We'll be back next week.