After 26 years, today is my last day at EFF. It's been a terrific and wild ride — the organization has grown from a tiny band of fighty people trying to plant a flag for freedom and justice in the coming digital world into a large, established band of fighty people doing, well, much the same. The world around us has changed enormously. Our core values haven't budged.

I'm proud of what we've achieved: freeing encryption, defending coders, pushing to rein in government and corporate surveillance and ensure the right to have a private conversation online, standing up for free speech and anonymous speech, fighting for network neutrality and safe voting machines, busting stupid patents, and making sure copyright didn't become the one law that rules the internet. That's only the start. We've stopped more bad legislative, regulatory, and legal ideas than I can count, built tools that millions rely on to protect their privacy, and helped encrypt the web. I've long said EFF is the plumber of the internet — finding the clogs and barriers that prevent technology from serving freedom, justice, and innovation for everyone.  

In addition to presenting cases in courts across the land, testifying in Congress and in California, in the European Parliament and at the United Nations, I went onto the internet with Stephen Colbert and engaged in a healthy disagreement with Jon Stewart.  I wrote a lot of it down in a book, hoping to recruit others to the cause.  The work has been hard and often frustrating at times.  But looking back, the fun parts are what I remember most.   

None of it would have been possible without EFF’s stalwart members. More than 30,000 people, some with big wallets and some with small ones, give us what we need to stand up to bullies and fight for the long haul. EFF has always served as a beacon for people who know that for technology to support freedom, justice, and innovation for all the people of the world, we need a dedicated band of folks working overtime on behalf of users, innovators, and creators. 

There's still plenty left to do. We haven't killed the third-party doctrine, tamed the surveillance business model, or gotten metadata the constitutional protection it deserves. Stupid patents persist as does the overreach of DMCA section 1201 and the Computer Fraud and Abuse Act. The government is now the largest purchaser of data from shady brokers, communities everywhere are fighting license plate readers and other street-level surveillance, and we haven't reined in NSA and FBI spying nearly enough. Meanwhile, the rise of AI is supercharging problems we've fought against for years. 

But I'm proud of what we've built together. I'm grateful to every EFFer — past, present, and future — who threw in with us when the odds were long and the pay was much better elsewhere. I'm grateful to the EFF Board and especially to my mentors and friends Pam Samuelson and Shari Steele, along with my longtime partner in justice, Lee Tien, who has been working with me since the Bernstein case. Fighting for justice is easier when you have a posse: coworkers, co-counsel, coalitions, interns, volunteers, and the heroic clients who trusted us to steward their cases in ways that bent the law toward everyone's benefit. Twenty-six years later, EFF is part of a global diaspora of organizations defending internet freedom — and I'm proud of that too. 

I'm stepping down because good leaders should make way for new ones, and the time feels right. EFF is strong and full of fight. My successor Nicole Ozer — a longtime friend and collaborator — is exactly the right person for this moment. She understands EFF's role and values at a deep level and will protect them while helping the organization rise to meet what's coming. 

As for me, I'm not going far. After a few months off to reflect and walk dogs, I plan to get back into the fight for justice — likely heading back into the courtroom. And I'll be watching, cheering, donating, and wearing the merch from EFF, just like the rest of you.

EFF is on the front lines of the fight against tech-enabled tyranny, but we aren't alone. Our team depends on your help to fight back against the surveillance state.

JOIN EFF

People around the world are pushing back against the mass surveillance that undermines privacy and free expression for everyone. You can help during EFF's spring membership drive.

One of the people who joined the fight for digital rights is EFF client Will Freeman. Will created the website DeFlock.me to reveal the dangers of automated license plate readers (ALPRs)—cameras that collect location data on every vehicle they see and upload that to a massive nationwide police database. Deflock.me turns the tables by enlisting ordinary people to track the locations of tens of thousands of ALPR cameras.

But when the police spy-tech company Flock Safety went after Will's website with legal threats citing trademark law, he saw it for what it was: an attempt to silence critics and dim the light on mass surveillance.

The company will try everything it can to downplay the criticism, but EFF will be right there demanding accountability.

"I was totally unprepared to receive a cease & desist letter. I can see how most people would be bullied into submission by a threat like that. That's when I remembered Dave Maass from the EFF introduced himself via email several weeks before, so I reached out for help," Freeman says.

And that's when EFF stepped in. Recognizing DeFlock.me as a quintessential expression of grassroots advocacy and a form of criticism protected by the U.S. First Amendment, EFF's lawyers helped Will fight back. And the Big Surveillance Tech flinched.

But these battles against Flock's Spying tools rage on. In cities around the country, privacy advocates are pressuring officials to block or end contracts for ALPRs—and winning. The company will try everything it can to downplay the criticism, but EFF will be right there demanding accountability.

Get the new Claw Back member t-shirt featuring a fierce feline swatting at community surveillance. You might empathize with him, but there’s a better way. Let’s end the law enforcement contracts, harmful practices, and twisted logic that enable mass spying in the first place.

"I'm really grateful the EFF was able to step in and help. Without them, free speech would be only for those wealthy enough to defend themselves against billion dollar companies. We've grown a lot since then and are expanding our efforts to expose and push back against mass surveillance on our streets," Freeman says.

Support the movement

stop mass surveillance tech today when you join EFF

____________________

EFF is a member-supported U.S. 501(c)(3) organization. We've received top ratings from the nonprofit watchdog Charity Navigator since 2013! Your donation is tax-deductible as allowed by law.

In the rush to block young people from certain parts of the internet, lawmakers are creating a privacy and security nightmare for everyone. This scenario is already playing out globally. Help us stop it and keep the web open and accessible for all.

JOIN EFF

Protect the web for everyone

Even with the best intentions, every online age verification scheme has the same result: users are forced to reveal sensitive personal information to third parties simply to access the web. Once that valuable data is centralized, it becomes an immediate target for leaks, hacks, and misuse. This isn’t hypothetical: it has already happened several times.

By age gating the web, we serve up a honeypot of private info ripe for bad actors. But you can help us stop this when you join EFF.

Support digital rights in EFF's new Claw Back member t-shirt and Privacy Badger Crewneck.

Thanks to our members, EFF is on the front lines fighting against online age gating and identity verification online. We’re working with lawmakers to pass better policies, educating the public, and fighting the wildfire of age verification proposals around the world. Now all we need is you.

🐝 No, It’s Not a Bug

We all want young people to be safe online, but we don’t need to trade everyone's digital rights to achieve it. These new restrictive mandates are used to justify government-led censorship and expanded surveillance. That's no accident.

Whether you trust today’s lawmakers or not, handing anyone keys to new forms of censorship and surveillance is a serious risk. Because history shows us that these powers are always abused. It’s time to demand better.

Join EFF today

Help us claw back your privacy

____________________

EFF is a member-supported U.S. 501(c)(3) organization. We've received top ratings from the nonprofit watchdog Charity Navigator since 2013! Your donation is tax-deductible as allowed by law.

We recently updated our privacy policy for the first time since 2022. Most of the changes are clarifications, reorganizations, and improvements in transparency, particularly around how third-party tools that run parts of our site operate. But one change is substantive enough that we want to address it directly.

The Change You Should Know About: Opt-In Email Tracking

We want to know how we’re doing with our advocacy: which campaigns get your attention and which do not, which topics you are very interested in, which less so, and which not at all. It helps us to do our work better and to prioritize or rethink our strategies as we push to build support for freedom, justice and innovation around the world.

So, to give us a rough picture of how we’re doing, we are introducing the option for you to provide explicit, opt-in consent for us to see how you interact with the emails we send you. That includes whether you open emails, and whether you click on the links inside them.

We know what you’re thinking: Doesn’t EFF strongly oppose nonconsensual tracking? You bet we do. Sneaky email tracking is ubiquitous on the web and EFF’s opposition to it remains unchanged. We have never used email tracking pixels and we’re not changing that. We’re not building profiles and we’re not sharing the data and we’re definitely not selling it.

But we do want to give you the option of allowing us to learn about how our communications are landing with you. Here’s how consent will work. We will ask, and if you say yes, we’ll be able to see whether you opened an email or not, and whether you clicked on any links. That's it.

If you say no, or ignore the ask entirely, nothing will change and we’ll do no tracking.

If you say yes, you can change your mind and opt out at any time by clicking an opt-out link in any future email or by contacting membership@eff.org.

We have heard many EFF members say that EFF is one of the only organizations that they trust with consent to track their emails. That trust is important, and we do not take it lightly. But it led us to think that if we ask, enough of you would agree that we could have a better picture of how our campaigns and other emails to you are landing and that, in turn, could help us decide what to double down on and what to change.

By giving you a real ability to consent, EFF is taking a very different path than most of the web. Asking isn’t the norm; it’s more or less never an option to say no and dark patterns often make it hard even if it looks like you can. Unfortunately, estimates have shown that 2/3s of emails received by users contain tracking, regardless of whether the senders received explicit consent at the time when a recipient signs up to receive their mailings. Automatic, nonconsensual tracking doesn’t have to be the default, and it shouldn’t be.

We hope our approach works and it inspires others. It shouldn’t be an abnormality that users are not tracked by default, and that only users who feel comfortable doing so choose to consent to tracking. We hope that our example will show mailing platforms, organizations, and users that a privacy-protective approach is better and worth doing and can still give an email sender a solid understanding what campaigns and other messages resonate with recipients. We weighed this decision carefully. We know that email tracking is something we've criticized when used covertly or without meaningful consent and that many people don’t like at all. For EFF, an opt-in requirement isn't a formality. It's the key distinction between a sneaky strategy and an aboveboard relationship with you. And to us, it’s just a common sense approach based on respect.

It’s also consistent with our advocacy and approach to technology. We have said for many years that strong consumer privacy laws must require real opt-in consent before data is collected. And we have walked our talk in other ways as well, including in pushing for Do Not Track policies and in Privacy Badger, which protects you from ads and trackers that violate the principle of user consent.

Again, this behavior has been our suggestion for privacy policies, and privacy laws. In 2022 we released a guide for nonprofits that recommended the following:

Not tracking email open rates can, unfortunately, sometimes cause list “hygiene” problems, because it becomes difficult to know whether email subscribers on your list are still interested. You can send occasional emails to ensure subscribers want to receive emails, either using open or click tracking, and informing people that the purpose of that specific email is to determine active subscribers. The essential point is to let users know when you are using tracking, and to do it in a limited way when possible....

The Internet Archive found that while they preferred to use no open tracking in their emails to subscribers, too many unreachable email addresses had been added to their list over the years, and some email addresses had even become spam traps. To continue working with their email service provider, they needed to activate some tracking. They needed email open data to know whether an email address was still active or not; but they didn’t need or want gender, age, or demographic data. They settled on informing users that their email open rates are being tracked, and offering the alternate option to sign up for plain-text versions of their emails, which won't transmit any data at all.

In 2019, we recommended that all strong consumer privacy laws must include opt-in consent for data collection. We wrote:

Right to opt-in consent

New legislation should require the operators of online services to obtain opt-in consent to collect, use, or share personal data, particularly where that collection, use, or transfer is not necessary to provide the service.

Any request for opt-in consent should be easy to understand and clearly advise the user what data the operator seeks to gather, how they will use it, how long they will keep it, and with whom they will share it. This opt-in consent should also be ongoing—that is, the request should be renewed any time the operator wishes to use or share data in a new way, or gather a new kind of data. And the user should be able to withdraw consent, including for particular purposes, at any time.

Opt-in consent is better than opt-out consent. The default should be against collecting, using, and sharing personal information. Many consumers cannot or will not alter the defaults in the technologies they use, even if they prefer that companies do not collect their information.

We are sticking to those recommendations, which unfortunately are not yet the law, and following our principles.

We hope that you will feel comfortable opting in, but we also respect that you need to make that decision for yourself, and that you may need to change it as you go. We’ll do our part to make that as clear and easy as possible. And if you do agree, we’ll be grateful for getting a chance to learn a little more about how we’re doing, hopefully in ways that can make us even more effective at ensuring that technology supports freedom, justice and innovation for all the people of the world.

Other Changes: Clarity and Stronger Protections

The rest of the update is largely about being more precise and provide more transparency into our practices.

Cookies on eff.org: The new policy tightens our cookie practices. Previously, we carved out exceptions for "remember me" and logged-in users; now we don't use persistent ID cookies on the eff.org domain at all. We also clarified that other EFF-operated sites‚ like acteff.org and shopeff.org‚ have their own cookie policies and that our policies aren’t the ones that apply there. We’re not happy that you have to navigate multiple policies like this, but it’s one of the ways that the cookie ecosystem has gotten unfortunately complex. We want to be sure you know that and know where to look for all the information.

Third-party tool transparency: Similarly, while the vast majority of EFF’s public-facing websites, online tools and tech projects are created internally, self-hosted, and self-maintained, some of them are not. In this new policy, we are working to be more detailed and explicit in the new policy about those third-party services, and how they operate under their own privacy policies, not solely ours.

To help you understand exactly what choices you have when using these tools, we're publishing dedicated Privacy Guides for each of them. The first is live now for our shop, which runs on Shopify: EFF Shopify Privacy Guide. Guides for our other third-party tools are coming soon. As always, we recommend installing Privacy Badger to limit exposure from third-party tracking.

Overall, EFF believes that when a project like the Atlas of Surveillance doesn't exist, and we think it should, we build it and maintain it. But what matters most to us is protecting your digital rights. So the time required to maintain and upgrade the tools we have built has to be weighed against our need to build new projects to fight new fights. And sometimes, a tool that was needed when we built it, like EFF’s Action Center, can be replaced by something that can take some of the weight off our internal staff.

To help make space for new projects, we carefully investigate services we rely on—like our campaign tools, payment processors, and online shop—and look for third party options that are the best in the industry and offer a level of privacy our users deserve. In this new privacy policy we try to give you as much information about those third-party services as we can.

GDPR data management: We added a clear, dedicated process for users in the EU and elsewhere to request deletion of their personal data. Email info@eff.org with the subject line "GDPR Data Deletion Request" and we'll respond within the legally required timeframe.

Data retention: We reorganized and clarified how long we keep different types of records (communications, financial records, donation paperwork) into a cleaner list. The substance is unchanged, but the structure should make it easier to find what's relevant to you.

Action Center: You may notice that the previous policy included a dedicated section on our Action Center - how we handled your campaign participation data, what we retained, and so on. That section is gone because we're transitioning our campaign tools to a third-party provider. This is the kind of situation the new third-party transparency language addresses: that provider operates under its own privacy policy, which we'll link to in its dedicated Privacy Guide. Our commitment to your privacy in those contexts doesn't change‚ it just lives in a different place now.

What Hasn't Changed

The fundamentals remain what they've always been: we don't sell your information, we don't share it with third parties without your real (not manufactured or dark-patterned) consent, outside of legal requirements we cannot change. We actively push back on legal demands we believe are improper. EFF's mission is to protect your digital rights, and our own practices will continue to reflect that. The changes we’ve described above will help us in that mission.

support EFF

You can read the full updated policy at eff.org/policy. If you have questions, we're always reachable at info@eff.org.

Millions of people around the world use EFF's Privacy Badger. This browser extension blocks the hidden trackers that twist your web browsing into a commodity for Big Tech, advertisers, scammers, and data brokers. But did you know that we’re trying to solve an issue that’s even bigger than creepy ads and user profiling? You can help.

JOIN EFF

Online tracking isn't just creepy and unethical. It also enables government surveillance. Widespread commercial surveillance and weak privacy laws allow data brokers to harvest your data and sell it to law enforcement agencies including the FBI, CBP, and ICE. The government exploits this system to buy sensitive information about you that they would ordinarily need a warrant to collect, like your location over time. 

With your help, EFF is fighting back. Our team is working to enact stronger laws to uphold your privacy. We’re advocating for consumer rights in the courts. We’re investigating how these technologies affect our communities. And we’re cutting off surveillance advertising at the source with tools like Privacy Badger for everyone. You can support this work as an EFF member.

End Mass Surveillance

Privacy is a human right because it gives you a fundamental measure of security and freedom. That is why we at EFF focus on your ability to have private conversations and interact with the world using technologies that you choose. But when tools that many of us must rely on serve corporate surveillance, they also feed government surveillance. We owe it to ourselves to fight the mass spying used to control and intimidate people. Let’s do this.

For a limited time, you can join EFF as a monthly or one-time donor and pick up a new Privacy Badger Crewneck sweatshirt. The embroidered Privacy Badger mascot appears above Traditional Chinese for "privacy” because human rights are universal.

You can also get a set of puffy stickers as a token of thanks. Our little Ghostie protects privacy in Arabic, English, Japanese, Persian, Russian, and Spanish.

Claw Back! This year’s member t-shirt is hot off the press featuring an orange cat swatting at the street-level surveillance equipment multiplying in our communities. You might empathize with him, but there’s a better way. Let’s end the law enforcement contracts, harmful practices, and twisted logic that enable mass spying in the first place.

You can support our mission for technology in the public interest today. Join the movement and become an EFF member.

____________________

EFF is a member-supported U.S. 501(c)(3) organization. We've received top ratings from the nonprofit watchdog Charity Navigator since 2013! Your donation is tax-deductible as allowed by law.

Last week, we released apkeep version 1.0.0, the latest edition of our command-line Android package downloading software. Rather than indicating major changes for the project, this milestone instead signifies arriving at a relatively stable and mature place after gradual iteration on the project over the course of over four years.

What’s New in 1.0.0

We do have a few fresh features we’ve packed into this latest release, though—all focused on the Google Play Store: 

• You can now download a dex metadata file associated with an app containing a Cloud Profile, which provides information on app performance based on real usage. 
• You can now provide a token generated by the Aurora Store’s dispenser to log in anonymously for app downloads. 
• Users can specify their own device profiles when downloading apps from Google Play, which the store uses to deliver the app variant which works for your particular device specifications. 
• We’ve also fixed an authentication bug introduced by the Play Store API.

In addition to the various Linux, Windows, and Android environments we support, we’re also happy to announce that since the last release in October we’ve been included in Homebrew for macOS users!

How Researchers Use apkeep to Understand the Android App Landscape

Researchers and users contributed most of the features of this release, including downloading dex metadata containing Google’s Cloud Profiles. This feature helps them use the tool in their own research of highlighting how these Android compilation profiles can be a vital source of information for evaluating dynamic testing. Numerous other projects have cited apkeep usage in their own workflows. For example, Exodus Privacy uses it to power the εxodus tool’s downloads when they monitor the privacy properties of apps. Various research teams have noted their own use of the tool in whitepapers, including one team who used the tool to download 21,154 apps in a widespread study of Android evasive malware. We are proud to provide a reliable tool in the toolbox they use to power their work.

What’s in Store for apkeep?

Our goals with apkeep have remained constant: provide a reliable, fast, and safe way to download apps from multiple app providers, not just the Google Play Store. While we’ve focused on it as the major Android app provider of choice across much of the world, we’ve expanded support to other stores as well, such as F-Droid for downloading open source apps. We’d like to continue broadening apkeep’s list of supported providers, to make it easy to do comparative analysis of apps provided in different contexts. For this, we’d love your contributions.

How You Can Help

If you’re using apkeep as part of your own toolbox (whether using it to do malware analysis, auditing apps, or simply using it as an app archiving tool), let us know! And if you like what we do, please consider donating to EFF to support our work.

In September 2024, Amandla Thomas-Johnson was a Ph.D. candidate studying in the U.S. on a student visa when he briefly attended a pro-Palestinian protest. In April 2025, Immigration and Customs Enforcement (ICE) sent Google an administrative subpoena requesting his data. The next month, Google gave Thomas-Johnson's information to ICE without giving him the chance to challenge the subpoena, breaking a nearly decade-long promise to notify users before handing their data to law enforcement. 

Google names a handful of exceptions to this promise (such as if Google receives a gag order from a court) that do not apply to Thomas-Johnson's case. While ICE “requested” that Google not notify Thomas-Johnson, the request was not enforceable or mandated by a court. Today, the Electronic Frontier Foundation sent complaints to the California and New York Attorneys General asking them to investigate Google for deceptive trade practices for breaking that promise. You can read about the complaints here. Below is Thomas-Johnson's account of his ordeal. 

Out of touch but not out of reach 

I thought my ordeal with U.S. immigration authorities was over a year ago, when I left the country, crossing into Canada at Niagara Falls.  

By that point, the Trump administration had effectively turned federal power against international students like me. After I attended a pro-Palestine protest at Cornell University—for all of five minutes—the administration’s rhetoric about cracking down on students protesting what we saw as genocide forced me into hiding for three months. Federal agents came to my home looking for me. A friend was detained at an airport in Tampa and interrogated about my whereabouts. 

I’m currently a Ph.D. student. Before that, I was a reporter. I’m a dual British and Trinadad and Tobago citizen. I have not been accused of any crime. 

I believed that once I left U.S. territory, I had also left the reach of its authorities. I was wrong. 

The email

Weeks later, in Geneva, Switzerland, I received what looked like a routine email from Google. It informed me that the company had already handed over my account data to the Department of Homeland Security. 

At first, I wasn’t alarmed. I had seen something similar before. An associate of mine, Momodou Taal, had received advance notice from Google and Facebook that his data had been requested. He was given advanced notice of the subpoenas, and law enforcement eventually withdrew them before the companies turned over his data. 

Google had already disclosed my data without telling me.

I assumed I would be given the same opportunity. But the language in my email was different. It was final: “Google has received and responded to legal process from a law enforcement authority compelling the release of information related to your Google Account.” 

Google had already disclosed my data without telling me. There was no opportunity to contest it. 

Google’s broken promise

To be clear, this should not have happened this way. Google promises that it will notify users before their data is handed over in response to legal processes, including administrative subpoenas. That notice is meant to provide a chance to challenge the request. In my case, that safeguard was bypassed. My data was handed over without warning—at the request of an administration targeting students engaged in protected political speech. 

Months later, my lawyer at the Electronic Frontier Foundation obtained the subpoena itself. On paper, the request focused largely on subscriber information: IP addresses, physical address, other identifiers, and session times and durations. 

But taken together, these fragments form something far more powerful—a detailed surveillance profile. IP logs can be used to approximate location. Physical addresses show where you sleep. Session times would show when you were communicating with friends or family. Even without message content, the picture that emerges is intimate and invasive.  

State power meets private data

What this experience has made clear is that anyone can be targeted by law enforcement. And with their massive stores of data, technology companies can facilitate those arbitrary investigations. Together, they can combine state power, corporate data, and algorithmic inference in ways that are difficult to see—and even harder to challenge. 

The consequences of what happened to me are not abstract. I left the United States. But I do not feel that I have left its reach. Being investigated by the federal government is intimidating. Questions run through your head. Am I now a marked individual? Will I face heightened scrutiny if I continue my reporting? Can I travel safely to see family in the Caribbean? 

Who, exactly, can I hold accountable?

Update: This post has been updated to include more information about Google's exceptions to their notification policy, none of which applied to the subpoena targeting Thomas-Johnson.

Another court has ruled that copyright can’t be used to keep our laws behind a paywall. The U.S. Court of Appeals for the Third Circuit upheld a lower court’s ruling that it is fair use to copy and disseminate building codes that have been incorporated into federal and state law, even though those codes are developed by private parties who claim copyright in them. The court followed the suggestions EFF and others presented in an amicus brief, and joined a growing list of courts that have placed public access to the law over private copyright holders’ desire for control.

UpCodes created a database of building codes—like the National Electrical Code—that includes codes incorporated by reference into law. ASTM, a private organization that coordinated the development of some of those codes, insists that it retains copyright in them even after they have been adopted into law, and therefore has the right to control how the public accesses and shares them. Fortunately, neither the Constitution nor the Copyright Act support that theory. Faced with similar claims, some courts, including the Fifth Circuit Court of Appeals, have held that the codes lose copyright protection when they are incorporated into law. Others, like the D.C. Circuit Court of Appeals in a case EFF defended on behalf of Public.Resource.Org, have held that, whether or not the legal status of the standards changes once they are incorporated into law, making them fully accessible and usable online is a lawful fair use.

In this case, the Third Circuit found that UpCodes’s copying of the codes was a fair use, in a decision closely following the D.C. Circuit’s reasoning. Fair use turns on four factors listed in the Copyright Act, and the court found that all four favored UpCodes to some degree.

On the first factor, the purpose and character of the use, the court found that UpCodes’s use was “transformative” because it had a separate and distinct purpose from ASTM—informing people about the law, rather than just best practices in the building industry. No matter that UpCodes was copying and disseminating entire safety codes verbatim—using the codes for a different purpose was enough. And UpCodes being a commercial venture didn’t change the outcome either, because UpCodes wasn’t charging for access to the codes.

On the second factor, the nature of the copyrighted work, the Third Circuit joined other appeals courts in finding that laws are facts, and stand at “the periphery of copyright’s core protection.” And this included codes that were “indirectly” incorporated—meaning that they were incorporated into other codes that were themselves incorporated into law.

The third factor looks at the amount and substantiality of the material used. The court said that UpCodes could not have accomplished its purpose—providing access to the current binding laws governing building construction—without copying entire codes, so the copying was justified. Importantly, the court noted that UpCodes was justified in copying optional parts of the codes as well as “mandatory” sections because both help people understand what the law is.

Finally, the fourth factor looks at potential harm to the market for the original work, balanced against the public interest in allowing the challenged use. The court rejected an argument frequently raised by copyright holders—that harm can be assumed any time materials are posted to the internet for all to access. Instead, the court held that when a use is transformative, a rightsholder has to bring evidence of harm, and that harm will be balanced against the public benefit. Because “enhanced public access to the law is a clear and significant public benefit,” and ASTM hadn’t shown significant evidence that UpCodes had meaningfully reduced ASTM’s revenues, the fourth factor was at least neutral. It didn’t matter to the court that ASTM offered to provide copies of legally binding standards to the public on request, because “the mere possibility of obtaining a free technical standard does not nullify the public benefits associated with enhanced access to law.”

This is a good result that will expand the public’s access to the laws that bind us—something that’s more important than ever given recent assaults on the rule of law. In the future, we hope that courts will recognize that codes and standards lose copyright when they are incorporated into law, so that people don’t have to spend years and legal fees litigating fair use just to exercise their rights.

(Note: This post is also cross-posted on the Let's Encrypt blog)

As announced earlier this year, Let's Encrypt now issues IP address and six-day certificates to the general public. The Certbot team here at the Electronic Frontier Foundation has been working on two improvements to support these features: the --preferred-profile flag released last year in Certbot 4.0, and the --ip-address flag, new in Certbot 5.3. With these improvements together, you can now use Certbot to get those IP address certificates!

If you want to try getting an IP address certificate using Certbot, install version 5.4 or higher (for webroot support with IP addresses), and run this command:

sudo certbot certonly --staging \
  --preferred-profile shortlived \
  --webroot \
  --webroot-path <filesystem path to webserver root> \
  --ip-address <your ip address>

Two things of note:

• This will request a non-trusted certificate from the Let's Encrypt staging server. Once you've got things working the way you want, run without the --staging flag to get a publicly trusted certificate.
• This requests a certificate with Let's Encrypt's "shortlived" profile, which will be good for 6 days. This is a Let's Encrypt requirement for IP address certificates.

As of right now, Certbot only supports getting IP address certificates, not yet installing them in your web server. There's work to come on that front. In the meantime, edit your webserver configuration to load the newly issued certificate from /etc/letsencrypt/live/<ip address>/fullchain.pem and /etc/letsencrypt/live/<ip address>/privkey.pem.

The command line above uses Certbot's "webroot" mode, which places a challenge response file in a location where your already-running webserver can serve it. This is nice since you don't have to temporarily take down your server.

There are two other plugins that support IP address certificates today: --manual and --standalone. The manual plugin is like webroot, except Certbot pauses while you place the challenge response file manually (or runs a user-provided hook to place the file). The standalone plugin runs a simple web server that serves a challenge response. It has the advantage of being very easy to configure, but has the disadvantage that any running webserver on port 80 has to be temporarily taken down so Certbot can listen on that port. The nginx and apache plugins don't yet support IP addresses.

You should also be sure that Certbot is set up for automatic renewal. Most installation methods for Certbot set up automatic renewal for you. However, since the webserver-specific installers don't yet support IP address certificates, you'll have to set a --deploy-hook that tells your webserver to load the most up-to-date certificates from disk. You can provide this --deploy-hook through the certbot reconfigure command using the rest of the flags above.

We hope you enjoy using IP address certificates with Let's Encrypt and Certbot, and as always if you get stuck you can ask for help in the Let's Encrypt Community Forum.