The United States has the third-largest number of internet users in the world,1 but penetration rates and broadband connection speeds are lower than in other economically developed countries.2 According to the Pew Research Center, 95 percent of Americans reported using the internet as of 2023.3 The International Telecommunication Union reported a penetration rate of 91.8 percent in 2021.4 The speed-testing company Ookla reported a median US fixed-line broadband download speed of 242.38 Mbps (megabits per second) as of March 2024, ranking the country sixth worldwide.5 The median mobile download speed was 122.74 Mbps.

Infrastructural problems and severe weather have sometimes undermined internet access for US residents (see A2).6 For example, thousands of people in Hawaii lost mobile service and internet access after wildfires in August 2023 destroyed above-ground fiber-optic lines.7

Various federal programs have modernized the nation’s telecommunications networks.8 Implementation of the 2021 Infrastructure Investment and Jobs Act (IIJA) began in June 2022.9 The law appropriated $65 billion for broadband expansion efforts and established the ACP and the Broadband Equity, Access, and Deployment (BEAD) Program to increase high-speed internet deployment to unserved and underserved communities.10

Older members of the population, those with disabilities or less education, households with lower socioeconomic status, and people living in rural areas or on tribal lands tend to face the most significant barriers to internet access.11 High costs, inadequate infrastructure,12 and limited provider options also impede access (see A4).13

The cost of broadband internet access in the United States exceeds that in many countries with similar penetration rates, creating an “affordability crisis,” according to New America’s Open Technology Institute.14 The National Telecommunications and Information Administration (NTIA) Internet Use Survey, last fielded in 2021, showed that only 50 percent of people with an annual income below $25,000 had both fixed-line broadband and mobile data plans, compared with 80 percent of those making more than $100,000 per year.15

People living on tribal lands are among the least connected in the country.16 The NTIA reported that only 49 percent of residents on tribal lands had fixed-line home internet service as of 2022.17

US overseas territories have lower internet penetration rates than the mainland, and residents also experience high costs. American Samoa had an internet penetration rate of 72.4 percent in 2023, and Puerto Rico had an internet penetration rate of 84.8 percent in 2024.18 People in overseas territories are also more likely to depend on federal programs to pay for internet service; the ACP supported half of the households in Puerto Rico.19

Older residents use the internet at lower rates than the rest of the population. In 2023, researchers found that approximately 30 percent of US adults over age 65 did not have access to fixed-line broadband connections at home.20 Black and Hispanic adults report disparities in device use and access to high-speed internet service.21

The federal government has some programs to increase broadband access and affordability, though funding has varied. The ACP, run by the FCC, enrolled 23.3 million out of 51.6 million eligible households, of which 17.7 million were unconnected, between December 2021 and June 2024, when the program ended.22 The ACP provided a monthly subsidy for internet services of up to $30 for eligible households, or up to $75 for households on tribal lands. Support for the ACP has been widespread, but the $65 billion from the initial appropriation ran out in 2024.

The FCC’s Lifeline program has also provided long-term assistance to reduce the cost of telecommunications services. Legal challenges continued to threaten the FCC’s $8 billion Universal Service Fund (USF), which subsidizes internet connectivity in underserved areas, during the coverage period.23

The government does not impose restrictions on internet connectivity. Private telecommunications companies own and maintain the backbone infrastructure, and there are multiple connection points to the global internet, making a government-imposed disruption of service highly unlikely and difficult.

Standard Operation Procedure 303, approved by a federal task force in 2006, establishes guidelines for wireless network restrictions during a “national crisis.”24 What constitutes a “national crisis,” and what safeguards exist to prevent abuse, remain largely unknown. In 2014, the FCC clarified that it is illegal for state and local law enforcement agencies to jam mobile networks without federal authorization.25

The broadband industry in the United States has grown more concentrated over time. An estimated 83 million people have access to only one fixed-line broadband provider in their area as of 2020.26 These de facto local monopolies have exacerbated concerns about high cost and accessibility.27

Comcast leads the fixed-line broadband market, providing more than 32.3 million households with internet service as of December 2023.28 Its chief competitor, Charter Communications, serves 30.6 million households.29 Following a decade of consolidation, three national providers—AT&T, Verizon, and T-Mobile—dominate the mobile service market.30

Consolidation of the telecommunications sector has undermined consumer protection and choice. In 2019, the US Court of Appeals for the District of Columbia Circuit upheld AT&T’s acquisition of the media and entertainment company Time Warner,31 despite a challenge to the merger by the Department of Justice (DOJ).32 Less than a year later, reports of financial problems at AT&T surfaced, with customers facing price increases.33 Separately, antitrust experts have called for the reversal of a controversial 2019 merger between T-Mobile and Sprint, another mobile service provider.34 In November 2023, a federal judge advanced an antitrust case filed by AT&T and Verizon subscribers against T-Mobile, in which the subscribers argued that the T-Mobile–Sprint consolidation hurt the market and raised prices.35

Regulations in 16 states undermine the creation and operation of municipal or publicly owned broadband providers, which have the potential to challenge market consolidation, deliver higher-quality and more affordable service, and reach underserved communities, according to research from BroadbandNow.36 The state of Colorado repealed such limitations in May 2023.37

The FCC is tasked with regulating radio and television broadcasting, interstate communications, and international telecommunications that originate or terminate in the United States. It is formally an independent regulatory agency, but critics on both sides of the political spectrum argue that it has become increasingly politicized in recent years.38

The agency is led by five commissioners nominated by the president and confirmed by the Senate, with no more than three commissioners from one party. The FCC’s fifth commissioner seat, empty since early 2021, was filled in September 2023 by Anna Gomez, a telecommunications lawyer nominated by President Biden.39 Biden’s previous nominee, Gigi Sohn, had withdrawn from the confirmation process in March 2023 after her nomination encountered intense political opposition and stalled for 17 months, during which Sohn faced homophobic smears in the media.40

The FCC manages the ongoing process of broadband mapping, which determines the distribution of federal funding to states through BEAD and other programs.41 In March 2024, the FCC raised the benchmark for modern broadband service speeds to at least 100 Mbps download and 20 Mbps upload, from its previous standard of 25 Mbps download and 3 Mbps upload.42

In April 2024, the FCC restored its 2015 Open Internet Order, often referred to as the net neutrality rule. The 2024 order reclassified broadband internet providers as telecommunications services, bringing them under the FCC’s regulatory supervision, and revived rules that prevent ISPs from speeding up, slowing down, or restricting the traffic of selected websites or services at will.43 The original 2015 order had been reversed in 2017, when the commission was under different leadership.44 The FCC’s 2024 order stated that “prohibitions on blocking, throttling, and paid prioritization are critical to protecting and promoting the open Internet.”45 Civil society organizations applauded the new regulation, arguing that it would safeguard the free flow of information and protect consumers.46 In August 2024, after the coverage period, the US Sixth Circuit Court of Appeals issued a stay on implementation of the April order pending consideration of a lawsuit filed by an ISP industry group.47

In November 2023, the FCC adopted final rules that created a framework to prevent discrimination in internet access based on income, race, ethnicity, color, religion, or national origin by facilitating equal access to broadband services.48 The US Eighth Circuit Court of Appeals took up a consolidated case challenging the order in February 2024, with petitioners arguing that the order unduly expanded the commission’s jurisdiction.49

Other government agencies, such as the Department of Commerce’s NTIA, play advisory or executive roles on telecommunications, economic, and technology policies. The IIJA, an infrastructure spending measure adopted by Congress in 2021, tasked the NTIA with managing the BEAD program (see A1 and A2).50 The Federal Trade Commission (FTC) is an independent agency that oversees consumer protection and antitrust efforts, including in the technology sector. The Department of Agriculture is also an important source of funding for broadband initiatives and wields significant influence on policy.51

In general, the government does not force ISPs or content hosts to block or filter online material that would be considered protected speech under international human rights law.

The First Amendment of the federal constitution imposes limitations on the government's ability to compel content hosts to censor political or social viewpoints online. Broadly speaking, content hosts and social media platforms are the primary decision-makers when it comes to the provision, retention, or moderation of prohibited online content in the United States (see B3).

In recent years, there have been increased federal and state government efforts to regulate social media platforms owned by companies based in China, often due to concerns that the Chinese government could use these applications, such as the short-video platform TikTok or the messaging app WeChat, to access American users’ personal data, spread disinformation campaigns, or engage in other activities that would undermine national security and threaten human rights (see B3).52 Some regulation efforts have involved attempts to compel online app stores to remove the platforms. In November 2023, a US District Court judge cited potential constitutional violations when issuing a preliminary injunction to block a Montana law under which app store providers would have to make TikTok inaccessible to state residents starting in January 2024 or face daily fines of $10,000.53 Montana’s attorney general appealed the injunction, but announced in May 2024 that Montana would pause its appeal until the resolution of litigation against a federal law that took a similar approach (see B3).54

In June 2021, President Biden rescinded August 2020 orders by former president Donald Trump that would have effectively banned WeChat and TikTok on the grounds that they presented threats to national security.55 Biden’s 2021 order instead directed the Department of Commerce to evaluate the potential national security risks associated with applications that are owned, controlled, or managed by “foreign adversaries.”56 In June 2023, the department released final rules on how it can intervene in US business transactions involving technology products controlled by a designated foreign adversary country; the rules went into effect the following month.57

Section 230 of the Communications Act, as amended by the Telecommunications Act of 1996—commonly known as Section 230 of the Communications Decency Act—remained a subject of debate among policymakers during the coverage period (see B3).58 The law shields online service providers and content hosts from legal liability for most material created by users, including lawsuits alleging defamation or injurious falsehoods.59 However, there are exceptions to this immunity under federal criminal law, intellectual-property law, laws to combat sex trafficking, and laws protecting the privacy of electronic communications. Section 230 also ensures legal immunity for social media companies and other content providers that remove content when it violates their terms and conditions of service or their community guidelines.60

The 2018 Allow States and Victims to Fight Online Sex Trafficking Act, also referred to as SESTA/FOSTA, established new liability for internet services when they are used to promote or facilitate the prostitution of another person.61 After the bill passed in the Senate, but before it became law, reports emerged of companies preemptively censoring content: Craigslist announced that it was removing the “personals” section from its website altogether.62 Civil society activists criticized the law for motivating companies to engage in excessive censorship in order to avoid legal action.63 Sex workers and their advocates also argued that the law threatened their safety, since the affected platforms had enabled sex workers to leave exploitive situations, operate independently, communicate with one another, and build protective communities.64 In July 2023, the US Court of Appeals for the District of Columbia Circuit rejected a First Amendment challenge to SESTA/FOSTA, but narrowed the law’s scope to protect the speech of sex workers themselves, advocacy-related speech about prostitution in general, and the internet services that provide forums for such speech.65

Section 512 of the Digital Millennium Copyright Act (DMCA), enacted in 1998, created new immunity from copyright claims for online service providers. However, the law’s notice-and-takedown requirements have been criticized for impinging on speech rights,66 as they lack judicial oversight and may incentivize platforms to remove potentially lawful content. Research has shown how DMCA complaints have been filed to take down criticism, commentary, political campaign advertisements, and other speech that should be protected under international free expression standards.67

Score Change: The score declined from 4 to 3 due to a new law that compels China-based ByteDance to divest ownership of its US-based short-video platform TikTok and, if it fails to do so, requires other companies to restrict access to the platform or face civil liability, which would result in a disproportionate restriction on people’s ability to access TikTok in the United States.

The First Amendment limits the government's ability to restrict online content or block websites. Companies that host user-generated content, many of which are headquartered in the United States, have faced criticism for a lack of transparency and consistency when it comes to enforcing their own content moderation rules.

In April 2024, Congress passed, and the president signed, a supplemental appropriations bill that incorporated the Protecting Americans from Foreign Adversary Controlled Applications Act. The act aims to prevent entities based in countries designated as “foreign adversaries” from controlling more than 20 percent of a platform that hosts user-generated content. It specifically designates TikTok and other ByteDance-owned platforms, like the video editor CapCut,68 as “foreign adversary controlled applications” and requires a divestiture process such that the platforms would no longer be “controlled by a foreign adversary.” Should ByteDance not complete the divesture of TikTok’s US operations by January 19, 2025, the act bars internet companies—namely mobile app stores, cloud service providers, and file-hosting companies—from “distributing, maintaining, updating, or providing internet hosting services” to the platform, and empowers the DOJ to pursue civil penalties against any entity that violates the prohibition. The measure also empowers the president to designate other applications as a “foreign adversary controlled application” under the law, extending its scope beyond ByteDance-owned platforms.69

ByteDance representatives have stated that the company does not plan to sell TikTok’s US operations.70 In May 2024, TikTok and ByteDance challenged the new law in the District of Columbia Circuit on First Amendment and other grounds; the law restricts appeals of designation and enforcement actions to that jurisdiction.71 A group of US-based TikTok users also joined the lawsuit.72

Free speech advocates like the American Civil Liberties Union (ACLU) and the Knight First Amendment Institute raised concerns that the law threatened to restrict access to TikTok in the United States without a public record of the national security threat alleged by the government, resulting in an undue restriction on First Amendment rights.73 Other civil society groups, such as the Cato Institute and the Foundation for Individual Rights and Expression, criticized the law for not being preceded by adequate intermediate regulatory measures and for lacking safeguards governing how the executive branch designates companies as controlled by a foreign adversary.74

Previously, TikTok sought to sequester US user data and content moderation functions within a US subsidiary, among other measures, as part of a plan dubbed “Project Texas” that aimed to mitigate concerns over the platform’s ownership.75 Journalists found that China-based ByteDance staff were still able to access the data of TikTok users in the United States, including two instances in which journalists appeared to have been targeted for their reporting on the platform, indicating that Project Texas implementation was flawed.76 In March 2023, the interagency Committee on Foreign Investment in the United States (CFIUS) reportedly proposed a separate plan under which ByteDance would divest itself of TikTok.77

Section 230 of the Communications Decency Act generally shields online sites and services from legal liability for the activities of their users, allowing user-generated content to flourish on a variety of platforms (see B2).78 Despite robust legal and cultural support for freedom of speech in the United States, the scope of Section 230 has become a focus of criticism. Concerns about child sexual abuse images, defamation, cyberbullying and cyberstalking, terrorist content, and protection of children from harmful or indecent material have contributed to calls for reform of the platforms’ legal immunity for user-generated content, as have complaints that platforms are “over-moderating” certain political viewpoints.

Federal lawmakers have proposed numerous bills that would reform Section 230 and increase intermediaries’ liability for the content they host.79 The draft Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act was reintroduced in Congress in April 2023, during the previous coverage period, drawing fresh backlash from technology experts and civil society organizations over concerns that it would incentivize providers to remove online speech that is protected under international human rights standards and undermine end-to-end encryption (see C4).80 The draft Platform Accountability and Consumer Transparency (PACT) Act, reintroduced in February 2023 with a few changes,81 would require online platforms to provide expanded explanations of their content moderation practices and force them to adhere to court-mandated takedown orders.82 The bill has received recognition from some observers as a “serious” attempt to address problems with content moderation.83

The courts have recognized some Section 230 exceptions for claims resulting from a platform’s design, rather than its content, which may alleviate concerns that the law unduly insulates platforms from their responsibility to prevent harm.84 The video platform Omegle closed in November 2023, reportedly as a condition of a private settlement in a child sexual abuse case; the platform was notorious for being rife with perpetrators of child sexual abuse because it allowed anonymous users to connect at random and lacked content moderation. A federal judge in Oregon had ruled in October 2022 that Section 230 did not protect Omegle from legal liability as it related to the platform’s product design.85 The Electronic Privacy Information Center has noted that Section 230 should not apply to product liability claims, citing the Omegle case.86

In May 2023, during the previous coverage period, the Supreme Court issued two rulings on cases relating to platform liability for content posted by users.87 Gonzalez v. Google LLC raised questions about the scope of Section 230 in relation to algorithmically recommended content, which the court ultimately did not resolve.88 The ruling in Twitter v. Taamneh held that Twitter (now known as X) was not liable in a claim under a federal antiterrorism law that the platform had aided and abetted terrorist groups.89

In Murthy v. Missouri, decided after the coverage period in June 2024, the Supreme Court reversed a lower court ruling that government communications with social media platforms about harmful content violated First Amendment protections against official censorship, finding that the plaintiffs did not have standing to bring the case, in part because they had failed to establish any “concrete link” between the platforms’ content restrictions and government officials’ conduct.90 However, the Supreme Court did not provide more detailed guidance on how government agencies should engage with social media companies in keeping with the First Amendment. The case was originally filed by the state attorneys general of Missouri and Louisiana and several private plaintiffs in response to the federal government’s engagement with platforms regarding harmful online content associated with the 2020 elections and the COVID-19 pandemic. In July 2023, a federal judge in Louisiana issued a preliminary injunction that prohibited the Biden administration from contacting social media companies to request “the removal, deletion, suppression, or reduction of content containing protected free speech," with exceptions relating to illegal activity and national security. The injunction also prohibited government communications with three academic research groups: the Election Integrity Partnership (EIP), the Virality Project, and the Stanford Internet Observatory.91 In September 2023, the US Fifth Circuit Court of Appeals upheld a narrowed version of the injunction, applying it to a short list of government agencies and to any efforts to “coerce or significantly encourage” specific content moderation actions.92

In July 2024, after the coverage period, the Senate passed the Kids Online Safety Act (KOSA), which would establish a wide range of obligations for social media platforms relating to children, including disclosures about targeted advertising and standardized parental controls.93 Several civil society organizations had raised concerns about an earlier draft of the bill that authorized state attorneys general to enforce a “duty of care” standard for purported harms to children, arguing that it could be abused to restrict access to online content related to reproductive health care and the rights of LGBT+ people.94 The Senate’s 2024 version of KOSA included a more specific definition of “design features” and removed the provision allowing state attorneys general to enforce the duty of care, leaving enforcement up to the FTC.95 The measure had yet to pass in the House of Representatives.

At the state level, lawmakers have cited concerns about child safety online to limit young people’s access to social media without parental consent,96 including in Texas and Louisiana in June 2023.97 Civil society advocates argued that laws requiring platforms to impose age-verification systems, such as an April 2023 Arkansas law, would compromise peoples’ privacy (see C4). Some youth advocates also warned that parental oversight provisions could limit young people’s access to helpful information that their parents may not support, such as information about the LGBT+ community.98 Courts have blocked certain state laws on First Amendment grounds, as with an August 2023 preliminary injunction against the Arkansas law.99

Legislators in a number of states have passed restrictions specifically aimed at preventing minors from accessing pornography or other content labeled as harmful.100 The laws require or incentivize companies to implement age-verification measures to limit such access (see C4). As of March 2024, adult website operator Aylo, formerly MindGeek, had blocked access to its websites for all users in seven states in response to their respective laws.101

Some state legislative measures have sought to shape platform design for children’s safety. In June 2024, after the coverage period, New York passed a law that requires platforms to display content to children chronologically, rather than using a content-recommendation system, among other measures.102 In September 2023, a federal judge blocked the California Age-Appropriate Design Code, under which digital services must “prioritize” the well-being of children when designing and testing products, over First Amendment concerns.103

In July 2024, after the coverage period, the Supreme Court sent Moody v. NetChoice and NetChoice v. Paxton—two cases related to state-level content moderation laws from Florida and Texas, respectively—back to the lower courts, ruling that the appellate courts had not fully explored the First Amendment implications and potential impact of the laws beyond social media platforms.104 The implementation of both laws was on hold during the coverage period, while the Supreme Court considered the cases.105 In May 2022, the US 11th Circuit Court of Appeals had struck down most of Florida’s law, which threatened platforms with large fines if they failed to carry the vast majority of content posted by political candidates or broadly defined “journalistic” organizations.106 The appellate court held that companies’ content moderation practices amount to speech protected under the First Amendment, though it upheld provisions of the law relating to platform policy transparency.107 Conversely, in September 2022, the US Fifth Circuit Court of Appeals upheld the Texas law, which allows Texans to sue social media platforms with over 50 million active users in the United States for allegedly moderating content in a discriminatory manner based on “the viewpoint” of a user. Many legal experts, industry groups, and civil society organizations denounced the Fifth Circuit court’s ruling as inconsistent with Supreme Court precedents.108

North Carolina’s near-total abortion ban, which was amended and took effect in July 2023, includes a provision that prohibits websites, advertisements, and the provision of internet services to a pregnant woman in the state “solely to promote the sale of an abortion-inducing drug” administered outside of a doctor’s office.109 The prohibition, which may result in a fine up to $5,000 per violation, could be interpreted to cover a range of online speech related to reproductive health care.110 State legislators in Iowa and Texas introduced similar bills in the aftermath of the Supreme Court’s June 2022 decision in Dobbs v. Jackson Women’s Health Organization, which overturned a 1973 precedent and ruled that the constitution did not guarantee a right to abortion.111

Facebook, X, YouTube, and other major platforms have faced criticism for insufficient transparency regarding the enforcement of their respective community standards, as well as for the effects of this enforcement on marginalized populations.112 A number of studies and independent audits have identified cases of racial, gender, and other forms of discrimination in the platforms’ content moderation and advertising policies that affected the speech of people in the United States.113

Companies that serve as providers of internet infrastructure enforce their own discretionary speech policies. In September 2022, the web-security and content-delivery firm Cloudflare stopped providing services to Kiwifarms, an online forum dedicated to cyberbullying that had facilitated egregious harassment, both online and offline.114

Reports of self-censorship among journalists, commentators, and ordinary internet users are not pervasive in the United States. However, women, LGBT+ people, and members of other marginalized communities are frequent targets of online harassment and abuse, which can encourage self-censorship (see C7). Government surveillance practices may also contribute to self-censorship.115

False, manipulated, and misleading information is disseminated by both foreign and domestic entities in the United States. While some sources from across the political spectrum deliberately spread such information,116 multiple academic studies and civil society research have shown that the tactic is disproportionately utilized by powerful figures on the right.117

Political actors, such as elected officials and candidates,118 spread false and misleading information about voting, electoral administration, and electoral integrity ahead of the November 2024 general elections (see B7). False narratives from previous electoral periods—related to electronic voting machines, counting procedures, vote-by-mail procedures, voting locations, and voting requirements—remained common.119 These narratives built on false claims that the 2020 presidential election had been “stolen” from former president Trump.120 For example, a Washington Post analysis found that 500 of Trump’s posts on the Truth Social platform between November 2022 and March 2024 repeated claims about the election that have been disproven.121 More specifically, false claims about noncitizen voting have been shared by former president Trump and some state attorneys general,122 other prominent Republican officials,123 X owner Elon Musk,124 and right-wing influencers and groups.125 The persistence of such claims has raised concerns that they may contribute to refusals by certain candidates and their supporters to accept the results of the November 2024 elections.126

Foreign influence operations and technical attacks targeted US audiences during the coverage period (see C8). In September 2024, after the coverage period, the DOJ indicted two employees of the Russian state media outlet RT for allegedly operating and funding the US-based company Tenet Media, which ran a YouTube channel affiliated with a network of prominent right-wing commentators. The federal indictment alleges that the influencers received almost $10 million in compensation and echoed Russian government talking points, including about Moscow’s invasion of Ukraine.127 Also in September, a jury convicted four US citizens affiliated with the socialist Uhuru Movement of conspiracy to act as agents of Russia; the DOJ had charged them, along with three Russian nationals, for disseminating pro-Kremlin propaganda, including online.128

Meta reported in August 2023 that a separate Moscow-backed influence operation seeking to undermine support for Ukraine had extended its reach to US audiences in early 2023. The operation, which was attributed to organizations linked to the Russian government, spoofed the websites of Fox News and the Washington Post to promote articles criticizing Ukrainian president Volodymyr Zelenskyy and US policy on Ukraine, and disseminated the articles on social media platforms.129 OpenAI reported in May 2024 that it had blocked activities that were associated with the operation and aimed at domestic US audiences.130 The DOJ announced the seizure of over 30 domains associated with the Russian operation in September 2024, alleging that they had been used to sway US voters ahead of the 2024 elections.131

Also in August 2023, Meta disclosed that it had removed a large network of accounts associated with a cross-platform campaign to spread positive commentary about China as well as criticism of the United States and perceived opponents of the Chinese government. Meta linked the network, which targeted audiences in the United States among many other countries, to individuals associated with Chinese law enforcement agencies.132 Researchers at Graphika and the Institute for Strategic Dialogue identified other accounts associated with the Chinese state-linked campaign that impersonated US voters, posted about the 2024 elections, and were active during the coverage period. Some accounts in the Chinese state-linked network spread pro-Trump views, while others denigrated candidates across the political spectrum, though neither tactic demonstrated significant reach or impact.133

Online news outlets in the United States are generally free from either formal arrangements or coercive mechanisms that compel them to provide favorable coverage of the government. Yet political and economic factors can sometimes intersect to incentivize a close relationship between a political party and a given news organization.134

There are no government-imposed economic or regulatory constraints on internet users’ ability to publish content. Online outlets and blogs generally do not need to register with, or have favorable connections to, the government to operate. Media sites can accept advertising from both domestic and foreign sources.

The Foreign Agents Registration Act (FARA) does not entail any direct restrictions on an outlet’s content or the ability to publish online, but it does require those who qualify as foreign agents to disclose their organizational structures and finances. US federal agencies have identified certain Chinese and Russian state media companies as “foreign missions” or “foreign agents,” and both designations come with reporting requirements and other limitations. Ambiguous wording in FARA has resulted in some US-based nonprofit organizations being forced to register as foreign agents due to their work or relationships with foreign individuals and organizations.135

In April 2024, the FCC voted to bring broadband ISPs under its regulatory supervision and restore rules that prevent ISPs from speeding up, slowing down, or restricting the traffic of selected websites or services at will (see A5). Numerous state legislatures, attorneys general, and civil society groups had sought to restore such net neutrality since the FCC’s 2017 repeal of the 2015 Open Internet Order.136 In October 2019, a federal appeals court upheld the repeal,137 but it also ruled that the FCC could not preemptively block states from enacting their own laws to safeguard net neutrality. Several states have successfully adopted laws or executive orders to that end.138

As a whole, the online environment in the United States is dynamic and diverse. People can easily find and publish content on a range of issues, covering a variety of communities, and in multiple languages. However, an upswelling of misinformation and conspiracist content has threatened the information ecosystem in recent years, weakening public trust in traditional media and government institutions and eroding the visibility and readership of more credible sources.

Many in the country are concerned about the reliability of the information space. According to a poll administered by the nonpartisan organization KFF in November 2023, some 83 percent of adults say that false information is a “major problem” in the United States, with large majorities agreeing across racial, educational, and partisan categories. At least a quarter of adults expressed persistent uncertainty about information on issues like the Israel-Hamas conflict that began in October 2023, the 2024 US elections, and the COVID-19 pandemic.139

The integrity and reliability of online information has been undermined by the spread of false and misleading information, particularly around key political events including elections (see B5).140 For example, after the coverage period, the July 2024 assassination attempt against former president Trump fueled online falsehoods across the political spectrum. Left-wing social media users spread claims that the assassination attempt was staged, and right-wing accounts spread the narrative that the attack was ordered by Democrats.141

The spread of false and misleading information has had offline impacts. In September 2024, after the coverage period, government buildings across Springfield, Ohio, were targeted with bomb threats following the spread of disparaging online rumors about the city’s Haitian immigrant community; the rumors were repeated by prominent Republican politicians, including former president Trump and Senator J. D. Vance of Ohio, the Republican nominee for vice president in the November elections.142 Unreliable information has also reportedly weakened public confidence in elections and driven calls for changes to how elections are administered at the state and local levels.143 According to polling data as of December 2023, almost 70 percent of Republicans expressed belief in the conspiracy theory that President Biden was not legitimately elected in 2020, an increase from about 60 percent in 2021.144 During the previous coverage period, two election officials in Cochise County, Arizona, initially refused to certify election results after the 2022 midterms, referencing false claims about voting machines and, separately, false allegations of electoral fraud in Arizona’s Maricopa County that had circulated widely among election denialists online.145

Independent researchers who study electoral and other misinformation have faced lawsuits, congressional subpoenas, and harassment related to their work, deterring such research and leaving the public less informed about influence operations ahead of the November 2024 elections. A September 2023 report from the Center for Democracy and Technology identified a “chilling effect” among misinformation researchers that resulted from challenges such as targeted harassment campaigns and politicized investigations by a small number of policymakers.146 For example, the Washington Post reported that month that the House Judiciary Committee’s Select Subcommittee on the Weaponization of the Federal Government had disproportionately targeted the EIP, a coalition of academic researchers formed in 2020 to conduct real-time analysis of and notify social media companies about false electoral information. The subcommittee accused the EIP of abetting government censorship.147 Research institutions that participated in the EIP have also faced a wave of litigation, and individual experts experienced virulent online harassment. Following these developments, Stanford University moved to close down the election integrity work conducted at the Stanford Internet Observatory, an EIP participant, in June 2024.148

There are no technical or legal restrictions on individuals’ use of digital tools to organize or mobilize for civic activism. However, surveillance of social media and communication platforms, targeted harassment and threats, and high costs and other barriers to internet access have sometimes undermined people’s ability to engage in online activism.

One of the most significant topics around which people mobilized during the coverage period was the Israel-Hamas war that began in October 2023. Some people who participated in pro-Palestinian protests experienced online harassment, including doxing and threats.149

Despite strong constitutional protections for the freedom to assemble, the International Center for Not-for-Profit Law has tracked numerous federal and state initiatives aimed at restricting that right, including multiple state laws passed during the coverage period that create new penalties for protesters. For example, a Louisiana law established a new offense of “conspiracy” or “aiding and abetting” others to engage in protests that involve impeding traffic, which may be interpreted to cover online expression.150

The First Amendment of the federal constitution includes protections for free speech and freedom of the press. The Supreme Court has long maintained that online speech has the highest level of constitutional protection.151

In June 2021, the Supreme Court ruled in favor of a high school student who was suspended after posting, while not on school grounds, an image on social media that used vulgarities to express frustration with her school and its cheerleading squad.152 The nearly unanimous decision found that the student’s speech was protected under the First Amendment, but the justices acknowledged some leeway for schools to regulate speech when it is genuinely disruptive in order to deal with bullying and related problems.153

In February 2023, the US Fourth Circuit Court of Appeals ruled that civilians live-streaming police activity were engaging in protected speech (see C3).154 In 2017, other federal courts had upheld the right of bystanders to use their smartphones to record police actions. However, the right to record the police continued to be contested during the coverage period, with the ACLU challenging an Indiana law that made it illegal for a person to approach within 25 feet of a police officer if told to stop.155

In March 2024, the Supreme Court announced its decision in Lindke v. Freed, a case concerning the application of the First Amendment to situations in which social media users are blocked from commenting on the personal pages of government officials when those pages are employed to communicate about government-related duties.156 The unanimous opinion established a two-step test to determine whether blocking someone on social media would be considered a “state action” and therefore subject to claims of unconstitutional censorship. Free speech advocates criticized the test for failing to strongly protect dissent in online spaces.157

Despite significant constitutional safeguards, laws such as the Computer Fraud and Abuse Act (CFAA) of 1986 have sometimes been used to prosecute online activity and impose harsh punishments. Certain states have criminal defamation laws in place, with penalties ranging from fines to imprisonment.158

Aggressive prosecution under the CFAA has fueled criticism of the law’s scope and application. The act prohibits accessing a computer without authorization, but fails to define the terms “access” or “without authorization,” leaving the provision open to interpretation in the courts.159 Until recently, reform efforts were largely unsuccessful.160 In April 2020, however, a court narrowed the scope of the CFAA by ruling in favor of researchers who were concerned that their work, which involved scraping data from websites, ran afoul of the law.161 The bipartisan draft Platform Accountability and Transparency Act, reintroduced in June 2023, would protect researchers from CFAA claims, among other reforms meant to increase researcher access to platform data (see B3).162

In June 2021, the Supreme Court further limited the application of the CFAA and clarified the meaning of “unauthorized access.”163 The case, Van Buren v. United States, involved the conviction of a police officer who had accessed police databases for unofficial purposes.164 Following the decision, in April 2022, the US Ninth Circuit Court of Appeals ruled in hiQ v. LinkedIn that the CFAA does not necessarily bar people from scraping data from a public website, even if the website owner does not consent.165

In October 2023, the Supreme Court declined to hear a First Amendment challenge filed by the ACLU against New Hampshire’s criminal defamation law on behalf of Robert Frese, who was arrested and charged with criminal defamation twice after criticizing his local police chief.166

Score Change: The score improved from 4 to 5 because there were fewer reports of people being arrested for their online expression than in previous years.

Prosecutions and detentions for online activities are neither frequent nor systematic. However, local police have investigated, arrested, and charged users for some online actions. For instance, people using their mobile devices or social media accounts to document law enforcement activity have been temporarily detained; most face charges such as obstruction or resisting arrest. Due to strong legal protections for free expression, these cases are often dropped by prosecutors.

Online journalists were investigated, arrested, or charged while covering pro-Palestinian protests during the coverage period, despite being visibly identified as members of the press. In October 2023, a freelance photojournalist on assignment for the news site This Is Reno was detained and cited for jaywalking while covering a pro-Palestinian protest in Reno, Nevada.167 In May 2024, Virginia police arrested the founder of news site Assigned Media while clearing a pro-Palestinian protest encampment.168

In February 2024, authorities in Tampa, Florida, arrested freelance online journalist Tim Burke on CFAA, wiretapping, and conspiracy charges after he was indicted by a federal grand jury.169 In May 2023, federal agents had raided Burke’s home and seized his equipment. Subsequent disclosures indicated that the government planned to prosecute Burke because he had reportedly obtained unaired Fox News video content and shared it with the news outlet Vice News and the civil society organization Media Matters for America; Burke has argued that no hacking was involved.170 Multiple press freedom organizations condemned the indictment, arguing that it could set a precedent that puts digital journalists at risk of prosecution for ordinary newsgathering activity.171

Online news outlets also face politicized investigations and limitations related to their work, and some have experienced disproportionate surveillance (see C5). In February 2024, a county attorney sought and obtained restraining orders against Blackwater Reports blogger Thom Roddy because of Roddy’s reporting.172 Separately that month, Dylan Myers, former editor in chief of the Scioto Valley Guardian newspaper and website, sued the Pike County, Ohio, sheriff’s department in a civil rights case, joined by the outlet and its parent company; Myers had been arrested on wiretapping charges after the Guardian published the contents of a leaked audio recording of a murder trial.173 In March 2024, Matilda Bliss and Veronica Coit, journalists with the news site Asheville Blade, appealed an April 2023 trespassing conviction stemming from their reporting.174 They had been arrested in December 2021 while covering police evictions of homeless people from an encampment in Asheville, North Carolina.175

Several cases in which people were arrested in relation to their online activities proceeded through the courts during the coverage period. In October 2023, three members of Tennessee law enforcement agencies settled a lawsuit filed by a man who had been arrested and jailed after posting a meme online about a police officer killed in the line of duty.176 In February 2024, a jury awarded $205,000 in damages to a man who had been arrested at gunpoint by Louisiana police for posting a joke about law enforcement’s response to the COVID-19 pandemic.177 In June 2024, after the coverage period, WikiLeaks founder Jullian Assange pleaded guilty to one charge under the Espionage Act,178 was sentenced to 62 months’ imprisonment, and returned to Australia after being credited with time spent in pretrial detention abroad.179 The case stemmed from WikiLeaks’ acquisition and publication of classified US documents in 2010 and 2011. Press freedom advocates warned that although the plea agreement was far less sweeping than the Espionage Act charges originally filed by the DOJ in 2019, it would have negative ramifications for the legitimate work of journalists.180

There are no federal laws restricting anonymity on the internet, as the constitution protects the right to anonymous speech in many contexts. At least one state law that stipulates journalists’ right to withhold the identities of anonymous sources has been found to apply to bloggers.181

Online anonymity has been challenged in cases involving hate speech, defamation, and libel. In 2015, a Virginia court tried to compel the customer-review platform Yelp to reveal the identities of anonymous users, but the state’s Supreme Court ruled that the company did not have the authority to do so.182 In 2019, a federal court ruled that the social media platform Reddit did not need to reveal the identity of one of its users to a plaintiff who was suing for copyright infringement.183

Laws at the state level have also weakened online anonymity. For instance, state-level laws that aim to ensure child safety online would weaken anonymity by requiring covered platforms to employ age-verification systems for their users. Such laws include those adopted in California in September 2022,184 Arkansas in April 2023,185 Utah in May 2023,186 and Texas in June 2023 (see B3).187 The Arkansas law specifically mandates the use of third-party age-verification services.188 Civil society organizations have criticized these systems—which generally oblige people to provide a government-issued identification document—not only for undermining anonymity, but also for exposing private information to potential misuse or theft.189 Courts have issued preliminary injunctions against several of the state laws due to First Amendment concerns.190

No legal limitations apply to the use of encryption, but both the executive and legislative branches have at times moved to challenge the technology.191 In 2020, the DOJ issued a joint statement with the governments of the United Kingdom, Australia, New Zealand, Canada, India, and Japan, calling on Facebook and other technology companies to facilitate government access to encrypted messages.192

In January 2024, the Strengthening Transparency and Obligations to Protect Children Suffering from Abuse and Mistreatment (STOP CSAM) Act was introduced in the Senate. The bill would grant more legal protections for companies that offer encryption for users’ communications,193 improving on a 2023 draft that civil society organizations had criticized for potentially incentivizing platforms to avoid providing end-to-end encryption (see B3).194 Similarly, during the previous coverage period, civil society organizations warned that the draft 2023 EARN IT Act threatened the privacy and security of all users by discouraging end-to-end encryption (see B3).195

The degree to which courts can force technology companies to alter their products and enable government access is unclear. The Communications Assistance for Law Enforcement Act (CALEA) of 1994 requires telephone companies, broadband providers, and interconnected Voice over Internet Protocol (VoIP) providers to design their systems so that communications can be easily intercepted when government agencies have legal authority to do so, though it does not cover online communication tools such as Gmail, Skype, and Facebook.196

Federal law enforcement agencies sought to compel Apple to unlock the encrypted smartphones of alleged perpetrators following a terrorist attack in San Bernardino, California, in 2015,197 and an attack on a Navy facility in Florida in 2019.198 In both cases Apple resisted, and agents gained access by other means. A federal judge ruled in 2016 that CALEA did not allow the government to compel Apple to unlock a smartphone.199 In December 2023, Utah’s Supreme Court ruled that criminal suspects can refuse to provide passcodes for mobile phones to law enforcement officers under the constitution’s Fifth Amendment protection against self-incrimination, potentially setting the stage for a Supreme Court review; the Utah decision aligned with a ruling by the Pennsylvania Supreme Court but conflicted with a New Jersey Supreme Court decision.200

The government’s search and seizure powers are generally limited by the constitution’s Fourth Amendment. However, the legal framework for government surveillance in the United States is open to abuse, and authorities have engaged in certain forms of monitoring, particularly on social media, with minimal oversight or transparency.

Laws governing foreign intelligence surveillance have in practice permitted the collection of data on US citizens and residents. Such surveillance is regulated in part by the USA PATRIOT Act, which was passed following the terrorist attacks of September 11, 2001.201 In 2015, then president Barack Obama signed the USA FREEDOM Act, which extended expiring provisions of the PATRIOT Act, including broad authority for intelligence officials to obtain warrants for roving wiretaps of unnamed “John Doe” targets and surveillance of lone individuals with no evident connection to terrorist groups or foreign powers.202 At the same time, the new legislation was meant to end the government’s bulk collection of domestic call detail records (CDRs)—the metadata associated with telephone interactions—under Section 215 of the 2001 law. The bulk collection program, detailed in documents leaked by former National Security Agency (NSA) contractor Edward Snowden in 2013,203 had been ruled illegal by the US Second Circuit Court of Appeals earlier in 2015.204 Despite that year’s reforms, mass collection of CDRs reportedly continued, and the NSA recommended that Section 215 be allowed to expire, which it did in 2020.205 However, a “savings clause” allowed officials to continue using the authority for investigations that had begun before the expiration, or for new examinations of incidents that occurred before that date.206

Under the USA FREEDOM Act, the NSA—which focuses on foreign intelligence collection—is permitted to access US call records held by phone companies after obtaining an order from the Foreign Intelligence Surveillance Court, also called the FISA Court in reference to the 1978 Foreign Intelligence Surveillance Act.207 Requests for such access require use of a “specific selection term” (SST) representing an “individual, account, or personal device” that is suspected of being associated with a foreign power or international terrorist activity;208 this mechanism is intended to prevent broad requests for records based on an area code or other imprecise indicators. The definitions of SSTs vary, however, depending on the authority used, and civil liberties advocates have criticized them as excessively broad.209

The USA FREEDOM Act requires the FISA Court to appoint an amicus curia in any case that “presents a novel or significant interpretation of the law,” so that judges are not forced to rely on the arguments of the government alone in weighing requests. However, the court can waive the requirement at its discretion. The panel of amici curiae includes experts on privacy, civil liberties, and communications technology.210 Five people are currently designated to serve.211

Other components of the US legal framework also allow surveillance by intelligence agencies, often without adequate oversight, specificity, and transparency. Section 702, adopted in 2008 as part of the FISA Amendments Act, authorizes the NSA, acting inside the United States, to collect the communications of any foreigner overseas as long as a significant purpose of the collection is to obtain “foreign intelligence,” a term broadly defined to include any information that “relates to … the conduct of the foreign affairs of the United States.”212 Section 702 surveillance involves both “downstream” collection, in which stored communications data—including content—are obtained from US technology companies, and “upstream” collection, in which the NSA collects users’ communications as they are in transit over the internet backbone.213 Although Section 702 only authorizes the collection of information pertaining to foreign citizens outside the United States, the communications of US citizens and residents are inevitably swept up in this process in large amounts, and these too are stored in a searchable database.214 Under a 2018 reauthorization of Section 702, Federal Bureau of Investigation (FBI) agents must obtain a warrant to review the content of communications belonging to an American who is already the subject of a criminal investigation; the warrant requirement was so narrow as to exclude the majority of queries.215 The reauthorization also imposed additional transparency measures related to the authority.216

In April 2024, President Biden signed a two-year reauthorization of Section 702 as part of the Reforming Intelligence and Securing America Act (RISAA). RISAA expands the definition of service providers and the list of those who can be compelled to provide assistance under Section 702. Civil society organizations and independent experts, including a FISA Court amicus, raised concerns that the RISAA amendments could be used to compel companies to more widely adopt surveillance infrastructure.217

The Section 702 protocols that are intended to limit official access to the communications of US citizens and residents are frequently violated. A September 2023 report by a government privacy watchdog found “tens of thousands” of noncompliant queries related to civil unrest between November 2020 and December 2021.218 In the period from December 2021 to November 2022, FBI agents queried the Section 702 database for information about US citizens and residents more than 200,000 times, according to government disclosures.219 In July 2023, the FISA Court released an opinion indicating that officials had improperly searched the Section 702 database using the last names of an unidentified US senator and a state senator in June 2022, and the social security number of a state judge in October 2022.220 In May 2023, the FISA Court released an opinion documenting thousands of improper searches of communications data by the FBI, including noncompliant queries for the communications of people who joined racial justice protests in 2020, participants in the January 2021 attack on the Capitol, and 19,000 donors to an unidentified congressional campaign.221 Republican congressman Darin LaHood reported in March 2023 that he had been targeted by improper searches of the Section 702 database in 2020 or earlier.222

Previously, in October 2019, the FISA Court released three opinions in which it found that the communications data of tens of thousands of US citizens and residents had been subjected to improper searches by the FBI.223 The court also determined that the FBI had violated the law by not reporting the number of times it conducted “US person queries.”224 A subset of these violations have been linked to the NSA’s collection of communications when they merely mentioned information related to a foreign surveillance target (referred to as “about” collection), which the agency halted in 2017.225

Under Title I of FISA,226 the DOJ may obtain a court order to conduct surveillance of Americans or foreigners inside the United States if it can show probable cause to suspect that the target is a foreign power or an agent of a foreign power. In March 2020, the department’s inspector general released a memorandum documenting pervasive errors in previous FISA applications, along with a failure to abide by internal procedures meant to ensure their accuracy.227

Originally issued in 1981, Executive Order (EO) 12333 is the primary authority under which US intelligence agencies gather foreign intelligence; essentially, it governs all such collection that is not governed by FISA, and it includes most collection that takes place overseas. The extent of current NSA practices that are authorized under EO 12333 is unclear and potentially overlaps with other surveillance authorizations.228 Although EO 12333 cannot be used to target a “particular, known” US person, the very fact that bulk collection is permissible under the order ensures that the communications of US citizens and residents will be incidentally collected, and likely in very significant quantities. Moreover, questions linger as to whether the government relies on EO 12333 to conduct any surveillance inside the United States that would not be subject to judicial oversight.229 A letter from Senators Ron Wyden and Martin Heinrich that was made public in February 2022 revealed that the Central Intelligence Agency (CIA) secretly conducted bulk data collection, authorized under EO 12333, in a manner that implicated US people and with no congressional oversight. Some senators have called for more transparency regarding the kind of records that are stored and the legal framework under which they were collected.230

In criminal probes, law enforcement authorities can monitor the content of internet communications in real time only if they have obtained an order issued by a judge, under a standard that is somewhat higher than the one established under the constitution for searches of physical places. The order must reflect a finding that there is probable cause to believe a crime has been, is being, or is about to be committed.

Access to metadata for law enforcement, as opposed to intelligence, generally requires a subpoena issued by a prosecutor or investigator without judicial approval.231 Judicial warrants are only required in California under the California Electronic Communications Privacy Act (CalECPA).232

According to one ruling in federal court, law enforcement officials must obtain a judicial warrant to access stored communications.233 However, the 1986 Electronic Communications Privacy Act (ECPA) states that the government can obtain access to email or other documents stored in the cloud with a subpoena, subject to certain conditions.234

In January 2024, the San Francisco Police Department obtained a warrant to access news site Indybay’s electronic data, in order to identify a person who claimed in a post on the site to have committed vandalism at a police credit union. The outlet contested the warrant, arguing that the warrant application did not identify Indybay as a news outlet; the department ultimately let the warrant expire.235

Federal authorities claim to have much greater leeway to conduct searches without a warrant in “border zones”—defined as up to 100 miles from any land or sea border, an area encompassing about 200 million residents.236 Under Directive No. 3340-049a of 2018, US Customs and Border Protection (CBP) asserts broad powers to conduct device searches and claims the authority to require travelers to provide their device passwords to CBP personnel.237 Courts remain split on the legality of the searches, however.238 In July 2024, a federal court in New York ruled that electronic device searches at the border required a probable cause warrant.239 In May 2023, another federal judge in New York had similarly ruled in favor of a warrant requirement for manual device searches at the border.240 The US First Circuit Court of Appeals in Boston had found the practice of warrantless device searches at the border to be constitutional in 2021.241

CBP reported 44,700 electronic device searches during the coverage period.242 In September 2022, the Washington Post reported on a letter one senator sent to CBP that revealed how information collected through these searches—including contact lists, call logs, photos, and messages—is collated into a searchable database called the Automated Targeting System and made accessible to CBP personnel without a warrant.243

There have been concerns about federal, state, and local government agencies’ use of more targeted surveillance tools. To limit the use of spyware in the United States, the Biden administration instituted a new policy in February 2024 that would impose visa restrictions on foreign individuals and associated individuals involved in the misuse of commercial spyware.244 The administration had previously issued an executive order in March 2023 that barred federal agencies from the “operational” use of commercial spyware products that could be employed by foreign governments to violate human rights or target people from the United States, or that otherwise present national security risks.245

Prior to that order, the New York Times reported in December 2022 that the Drug Enforcement Administration had purchased and deployed Graphite, a spyware tool produced by the Israeli company Paragon, in its foreign operations, though it was not clear whether Graphite was used to target Americans.246 In January 2022, a New York Times investigation revealed that the FBI had purchased and tested Pegasus spyware, a notorious surveillance product developed by the Israeli firm NSO Group, though there was no evidence that the tool had been deployed against people in the United States.247

Several government entities, including the Department of Homeland Security (DHS), have purchased extraction technology from companies like the Israeli firm Cellebrite that allow officials to extract information stored on a device or online within seconds.248 An October 2020 report from the nonprofit UpTurn revealed that more than 2,000 state and local law enforcement agencies also had such technology.249 In February 2022, the Intercept reported that all but one of the 15 US cabinet departments had Cellebrite products, including departments and agencies that had little association with intelligence collection, such as the Department of Agriculture and the Centers for Disease Control and Prevention.250

Federal, state, and local law enforcement bodies have access to a range of advanced tools for monitoring social media platforms and sharing the information they collect with other agencies,251 without clear oversight or safeguards for individual rights.252 For example, emails obtained by the Intercept indicate that the US Marshals Service used services from Dataminr, a social media monitoring company, to track protests related to the Dobbs decision from May to July 2022.253 Journalist Cerise Castle obtained documents from the Los Angeles Police Department in late 2023 that indicated officers had flagged the news site Knock LA, among others, for social media surveillance because of Castle’s reporting for the outlet about extrajudicial police violence.254 Local police have also created fake social media accounts to infiltrate users’ networks and gain access to more personal information.255 In September 2023, the Brennan Center for Justice released DHS documents that pointed to the routine use of fake social media accounts by CBP and Immigration and Customs Enforcement (ICE).256

In 2019, the Department of State enacted a new policy that vastly expanded its collection of social media information.257 It required people applying for a US visa, numbering about 15 million each year, to provide their social media user names, their email addresses, and their phone numbers going back five years.258 In February 2022, DHS and CBP proposed requiring applicants for entry under the Visa Waiver Program to provide their social media handles.259 404 Media reported in August 2023 that CBP had purchased software from a company that purports to sell emotion-recognition technology, for use in screening travelers’ social media accounts.260

Dozens of law enforcement agencies have access to cell-site simulators or IMSI (international mobile device subscriber identity) catchers—commonly known as “stingrays” after a prominent brand name—that mimic mobile network towers and cause nearby phones to send identifying information; the technology enables police to track targeted phones or determine the phone numbers of people in a given area. As of September 2024, the Electronic Frontier Foundation had identified 84 agencies across the country that have acquired IMSI catchers.261 Several courts have affirmed that police must obtain a warrant before employing stingray technology.262 In February 2023, the DHS inspector general found that the US Secret Service and ICE had failed to follow federal policies, including privacy statutes, when using stingrays.263

In September 2022, the Associated Press reported on the extent to which local police have access to Fog Reveal, a subscription product that collects and analyzes huge amounts of commercially available location data generated by mobile applications.264 A Wall Street Journal report in October 2023 demonstrated that government agencies often purchase commercially available consumer advertising data, including information collected via mobile phone applications, and store the records in official or government-adjacent databases (see C6).265

There are few legal constraints on the collection, storage, and transfer of data by private or public actors in the United States. ISPs and content hosts collect vast amounts of information about users’ online activities, communications, and preferences. This information can be subject to government requests for access, typically through a subpoena, court order, search warrant, or national security letter.

In general, the country lacks a comprehensive federal data-protection law that would limit how private companies can use personal information, though a number of bills have been proposed.266 The latest attempt at a comprehensive federal privacy bill, the American Privacy Rights Act (APRA), was passed by the House Committee on Energy and Commerce’s Subcommittee on Innovation, Data, and Commerce in May 2024.267 APRA included data security and minimization standards, data usage transparency requirements, the right to opt out of the use of algorithms to make consequential decisions, and other data rights for users.268 In June 2024, after the coverage period ended, the full committee’s markup session for APRA was abruptly canceled after changes to the draft sparked opposition from both sides of the aisle, putting the future of the bill in jeopardy.269

In April 2024, a bipartisan majority in the House passed the Fourth Amendment Is Not for Sale Act, which would prohibit law enforcement and intelligence agencies from buying sensitive personal information like geolocation data from private companies and require the agencies to obtain a warrant, among other measures.270 The Senate subsequently voted against appending the bill to RISSA (see C5),271 and its status remained unclear at the end of the coverage period.

Also in April 2024, Congress passed and the president signed a supplemental appropriations bill that incorporated the Protecting Americans’ Data from Foreign Adversaries Act, which would stop data brokers from selling US personally identifiable information to “foreign adversaries” like China, Russia, North Korea, and Iran.272 President Biden issued an executive order in February 2024 mandating that federal agencies take action to prevent Americans’ sensitive personal data from being sold or transferred to “countries of concern.”273

Given the lack of a comprehensive federal law, the FTC in August 2022 announced that it was seeking public comment on whether the agency should institute new regulatory restrictions to limit harmful commercial surveillance.274 A notice of proposed rulemaking had not been released as of the end of the coverage period, though the FTC launched several enforcement actions aimed at companies selling detailed location data.275

Most legislative activity on data privacy has occurred at the state or local level.276 California’s privacy framework, the 2018 California Consumer Privacy Act (CCPA) and the 2020 California Privacy Rights Act (CPRA),277 remains the most robust in the country. The CCPA and CPRA allow state residents to obtain information from businesses about how their personal data are collected, used, and shared.278 Among other powers granted to them under the CPRA, consumers can request that personal information held by a business be corrected, opt out of automated decision-making technology, and opt out of certain information sharing.279 As of September 2024, 20 states had passed comprehensive data-privacy laws, and additional states had introduced narrower privacy bills.280

Under the USA FREEDOM Act of 2015, companies are permitted to report granular detail on certain types of government requests, under some constraints.281 In 2019, a filing under the Freedom of Information Act (FOIA) revealed that the FBI had used national security letters—a form of secret administrative subpoena that the bureau can issue to demand certain types of communications and financial records—to access personal data from a much broader group of entities than previously understood,282 including Western Union, Bank of America, the credit-reporting agencies Equifax and TransUnion, the University of Alabama at Birmingham, Kansas State University, major ISPs, and tech and social media companies.

Separately, the government may request that companies store targeted data for up to 180 days under the 1986 Stored Communications Act (SCA).283

In 2018, the Supreme Court ruled narrowly in Carpenter v. United States that the government is required to obtain a warrant in order to access seven days or more of subscriber location records from mobile service providers.284 The ruling diminished, in a limited way, the third-party doctrine—the idea that Fourth Amendment privacy protections do not extend to most types of information that are handed over voluntarily to third parties, such as telecommunications companies.285

Also in 2018, the geographical scope of law enforcement access to user data held by companies was expanded under the Clarifying Lawful Overseas Use of Data (CLOUD) Act.286 The act stipulated that law enforcement requests sent to US companies for user data under the SCA would apply to records in the company’s possession, including overseas. The CLOUD Act also allowed certain foreign governments to enter into bilateral agreements with the United States and then petition US companies to hand over user data,287 bypassing the “mutual legal assistance treaty” (MLAT) process.288 CLOUD Act agreements have been signed with the United Kingdom and Australia.289

User information is otherwise protected under Section 5 of the Federal Trade Commission Act (FTCA), which has been interpreted to prohibit internet entities from deceiving customers about what types of personal information are being collected from them and how they are used.

Private companies may comply with both legal demands and voluntary requests for user data from the government. In December 2023, Senator Wyden revealed that US government investigators use push-notification data to track Americans, and that the DOJ prohibited Apple and Google from publicizing the process.290 A January 2023 report from the ACLU disclosed a database of sensitive financial information that DHS and Arizona officials had obtained from money-order companies.291

Government bodies have purchased phone location data to aid in investigations and law enforcement, sidestepping judicial and other forms of oversight (see C5).292 The NSA disclosed in January 2024 that it purchases domestic internet traffic data from data brokers.293 In June 2023, the Office of the Director of National Intelligence declassified a January 2022 report finding that intelligence agencies purchase data on the commercial market, including location data, under “policies that may not accord sufficient protection.”294

The Dobbs decision reignited calls for Congress to pass a privacy law and for companies to limit the data they collect and share with state officials, particularly in states where abortion had been criminalized after Dobbs, as such information could be used for prosecutions.295 A 2022 Gizmodo investigation identified 32 data brokers selling information from an estimated 2.9 billion profiles of people determined to be pregnant or who searched for maternity products online, as well as from 478 million customer profiles categorized as “interested” in becoming or “intended” to become pregnant.296 Vice News similarly reported that the data broker SafeGraph was selling aggregated data, including location information, of people who visited abortion and reproductive health clinics.297 In response to the concerns, the FTC announced that it would to the extent of its legal authority protect Americans against companies that exploit health, location, and other sensitive information.298 In April 2023, the commission and other federal bodies improved safeguards for health data by expanding definitions of “personally identifiable health information,” restricting the use of some marketing technologies for health care, and extending protections for patient records under the 1996 Health Insurance Portability and Accountability Act to cover consumer health data.299

Facebook, complying with a search warrant sent in June 2022, provided Nebraska police with private messages between Celeste Burgess, a 17-year-old at the time, and her mother Jessica Burgess in what became a felony case related to an illegal abortion that was induced through medication.300 In July 2023, Celeste Burgess was sentenced to 90 days in jail after pleading guilty to concealing human remains; Jessica Burgess was sentenced to two years’ imprisonment in September 2023 after pleading guilty to violating the state’s abortion law.301

Police issue “geofence” warrants to gain access to information from electronic devices within a given geographic area, raising due process and proportionality concerns. In July 2024, the US Fourth Circuit Court of Appeals ruled that a geofence warrant did not amount to a Fourth Amendment search.302 Several federal judges have ruled that such broad location-based warrants violate the Fourth Amendment.303 In December 2023, Google voluntarily limited its access to users’ location data by encrypting Google Maps location history and moving location data storage to user devices, making it more difficult for the company to fulfill geofence warrants.304

Internet users are generally free from extralegal intimidation or violence by state actors. However, online harassment is a long-standing and growing problem in the United States. A 2021 report from the Pew Research Center found that 41 percent of adults in the United States have experienced online harassment.305

In recent years, people involved with election administration and certification have faced increasing online harassment, due in part to conspiracy theories about their role in supposed fraud schemes (see B5 and B7). In May 2024, a Brennan Center for Justice poll of local election officials found that 38 percent had experienced threats, harassment, or abuse, and that of those threatened, about a third received threats through social media.306 In August 2024, after the coverage period, federal authorities charged a Colorado man for allegedly posting online death threats aimed at Arizona and Colorado election officials, among others, that referenced conspiracy theories.307

State and local officials also face online abuse. A report published by the Brennan Center for Justice in January 2024 found that over 40 percent of the state legislators surveyed reported threats or attacks in the past three years. The abuse is often more severe for women, people of color, members of religious minority groups, or members of the LGBT+ community.308 For example, a Latina local official interviewed for a May 2023 Princeton University report said that she had been targeted with racialized death threats, including photos of lynchings, on social media.309 A Princeton University survey released in April 2024 found that threats and harassment aimed at local officials had shifted toward online and remote methods during the coverage period.310

In general, online harassment and threats, including doxing, disproportionately affect women and members of marginalized demographic groups.311 Some 33 percent of women under age 35 reported that they had faced sexual harassment online, according to a 2021 Pew Research Center report.312 A June 2024 report from the Anti-Defamation League found that 65 percent of transgender people surveyed had experienced online harassment because of their identity in the past 12 months, the highest of any demographic group assessed.313

Online journalists are at times exposed to physical violence or intimidation by police, particularly while covering protests. During a protest in Los Angeles against the Dobbs decision in June 2022, a reporter for the online news site LA Taco was repeatedly shoved by police officers, despite displaying clear identification as a member of the press.314 Beyond isolated cases of violence, US-based journalists have faced growing online harassment. Almost a third of the 368 journalists from local outlets surveyed by the International Women’s Media Foundation reported experiencing “digital violence.”315

Online harassment and real-world threats are sometimes fueled by rumors and misinformation (see B7). For example, in September 2023, a Las Vegas newspaper reporter became the target of online and physical threats for her coverage of the alleged murder of a retired police chief after social media users accused her of covering up the story.316

Cyberattacks pose an ongoing threat to the security of websites and networks in the United States. Civil society groups, journalists, and politicians have also been subjected to targeted technical attacks.

Media organizations sometimes experience cyberattacks. In May 2024, two websites linked to the far-right media commentator Andy Ngo were hacked and defaced.317 In May 2023, during the previous coverage period, the Philadelphia Inquirer briefly closed its newsroom because of a ransomware attack.318 Also in May 2023, the news site Black Star News was taken offline and had articles removed from its website; the outlet indicated that the cyberattack may have been motivated by its reporting.319

Some attacks have been traced to foreign actors, including ahead of the 2024 elections. In August 2024, after the coverage period, the email accounts of senior Trump campaign advisers were breached; the perpetrators of the cyberattack, which investigators linked to Iran, reportedly offered stolen files to news organizations. Federal authorities also reportedly concluded that Iranian state actors were responsible for attempted hacks aimed at the Republican and Democratic presidential campaigns.320 In March 2024, US and British authorities announced criminal charges against Chinese state-linked hackers who targeted elected officials, journalists, activists, and businesses starting in 2010.321 In September 2023, the DOJ indicted nine Russian nationals who had used malware tools to steal money from American organizations.322

Ransomware and other types of cyberattacks against federal, state, and local government institutions are common. In April 2024, for example, the US Cybersecurity and Infrastructure Security Agency was hacked and forced to isolate two key computer systems.323 In January 2024, cyberattacks disabled the emergency dispatch system in Bucks County, Pennsylvania, brought down judicial systems in Washington County, Pennsylvania, halted public transit in the Kansas City area, and facilitated outages at Douglas County Libraries in Colorado.324

Cyberattacks and ransomware attacks were especially prevalent against health care providers during the coverage period. In August 2023, 16 hospitals and over 165 clinics in multiple states were the victims of a ransomware cyberattack that closed emergency departments, primary care services, and acute care hospitals.325 Again, in November 2023, a network of 30 hospitals in multiple states was targeted by ransomware, diverting patients to other health care facilities.326