United States

A Obstacles to Access 21 25
B Limits on Content 31 35
C Violations of User Rights 26 40
Last Year's Score & Status
79 100 Free
Scores are based on a scale of 0 (least free) to 100 (most free). See the research methodology and report acknowledgements.

header1 Key Developments, June 1, 2017 - May 31, 2018

  • The Federal Communications Commission (FCC) voted in December 2017 to overturn net neutrality provisions established by the 2015 Open Internet Order that required network service providers to treat internet traffic equally. The vote also diminished the FCC’s regulatory authority over broadband service providers (see Regulatory Bodies).
  • Though intended to crack down on websites that unlawfully promote prostitution or sex trafficking, the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017,” signed into law in April 2018, has led companies to preemptively censor legitimate content to avoid penalties (see Content Removal).
  • The proliferation of disinformation—particularly on social media—remained a prominent concern in the aftermath of the November 2016 presidential election, leading to greater scrutiny of social media platforms (see Media, Diversity, and Content Manipulation).
  • Two new laws were enacted affecting privacy, surveillance, and data collection: the reauthorization of Section 702 of FISA until 2024, and the passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD) (see Surveillance, Privacy, and Anonymity).

header2 Introduction

Internet freedom in the United States declined over the past year due to the repeal of net neutrality rules that had ensured that internet service providers (ISPs) treated internet traffic equally. There were also concerns about the proliferation of toxic content and disinformation on social media platforms, and the passage of legislation that threatens to undermine protections from intermediary liability.

In December 2017, the Federal Communications Commission (FCC) overturned net neutrality provisions established by the 2015 Open Internet Order. Without these rules, ISPs are able to speed up or slow down certain websites in favor of others. The decision was sharply criticized by public interest groups and open internet advocates, who argued that the lack of net neutrality protections will likely harm consumers and threaten access to information online.

Meanwhile, the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017” (also referred to as SESTA/FOSTA) signed into law in April 2018 weakened protections from intermediary liability. While the law aims to address the very real problem of sex trafficking facilitated through the internet, opponents argued that it establishes liability for companies that host user-generated content, which can lead companies to preemptively censor legitimate content to avoid penalties. Indeed, the law’s ramifications took immediate effect: after the law was passed, Craigslist announced that it was removing its “Personals” section from its website altogether. Advocates for sex workers’ rights also argued that the law threatens their safety by diminishing safe spaces for workers to communicate with one another online.

Disinformation and hyperpartisan content continued to plague the online sphere in the past year, particularly on social media platforms. As the public learned more about how different actors spread disinformation online, scrutiny of social media platforms intensified. In October 2017, executives from Facebook, YouTube, and Twitter were called to testify before Congress in response to concern over revelations that Russia may have used social media platforms to spread disinformation and sow discord among the American public, particularly during the 2016 presidential election. Their testimonies revealed that 126 million Facebook users may have seen content produced by Russian operatives, while Twitter later disclosed it had discovered over 3,800 real accounts related to Russia’s Internet Research Agency and 36,000 bot accounts originating in Russia. Facebook’s founder and CEO Mark Zuckerberg was also called to testify in April 2018 about how his company had exposed the data of up to 87 million users to a third-party researcher, who sold that data to company Cambridge Analytica for political consulting purposes during the 2016 elections season. Stemming such manipulation tactics has been a key focus of concerted efforts by the U.S. government and companies to prevent foreign interference during the 2018 congressional midterm elections.

Government surveillance of online communications came back under the spotlight in January 2018, when Congress voted to reauthorize the FISA Amendments Act—including Section 702, which enabled the incidental collection of Americans’ communications and metadata—for another six years. Despite calls for reform, the bill passed without meaningful additional privacy protections.

The breadth of law enforcement access to user data held by companies was expanded under the Clarifying Lawful Overseas Use of Data Act, or CLOUD, signed into law on March 23, 2018. Under the act, law enforcement requests sent to US companies for user data applies to data in the companies’ possession regardless of where it is stored, including overseas. Previous requests for user data were limited to data stored within the US’s jurisdiction. CLOUD also allows foreign governments to directly petition US companies to hand over user data.

In a positive development, on June 22, 2018 (outside of this report’s coverage period), the Supreme Court ruled on a significant decision regarding access to device data in the case of Carpenter v. United States. Ruling in favor of the plaintiff, the court decided that the government is required to obtain a warrant to collect subscriber location information records from third parties like cell phone providers. Privacy advocates lauded the decision, noting that the privacy protections of cell phone location information have broader impacts on the privacy protections of other information that companies collect and store about their users.

A Obstacles to Access

The Federal Communications Commission (FCC) voted in December 2017 to overturn net neutrality provisions established by the 2015 Open Internet Order, enabling internet service providers (ISPs) to speed up or slow down certain websites in favor of others. The vote also diminished the FCC’s regulatory authority over broadband ISPs.

Availability and Ease of Access

Although the United States is one of the most connected countries in the world, the speed, affordability, and availability of its broadband networks lags behind several other developed countries. According to the latest data available from the International Telecommunication Union, internet penetration in the United States stood at 76 percent at the end of 2016.1 Broadband adoption rates are high, although home broadband use has declined slightly in recent years: 65 percent of US adults reported being home broadband users in January 2018, compared to 73 percent as of November 2016.2 While the broadband penetration rate is high by global standards, it lags significantly behind countries such as Switzerland, the Netherlands, Denmark, and South Korea.3 Moreover, access, cost, and usability remain barriers for some Americans, particularly senior citizens, people who live in rural areas, and low-income households.4 However, internet access rates for those 65 years of age and older has steadily increased over the past decade, with 68 percent of individuals in this age bracket using the internet as of 2018, according to data from Pew Research.5

The cost of broadband internet access in the United States continues to be higher than many countries in Europe with similar internet penetration rates.6 In March 2016, the FCC announced plans to expand its Lifeline program—which allows companies to offer subsidized phone plans to low-income households—to include broadband internet access as a subsidized utility.7 However, on November 16, 2017, the FCC released a proposal to place restrictions on this program.8 The proposal would limit the program to “facilities-based providers,” meaning internet resellers who do not own the network infrastructure connecting to customers’ houses would not be able to participate in the program. Public interest advocates argue that, if implemented, the measures would significantly hamper the program’s reach and make it more difficult for low-income households to obtain affordable broadband internet access. Currently, 68 percent of Lifeline recipients receive service from nonfacilities providers, and in some cases there is no alternative provider in the area.9 Research from the Brookings Institution notes that this policy would be especially detrimental to those living on tribal lands.10

Uptake rates for internet-enabled mobile devices have increased dramatically throughout the United States in the past decade. In 2018, 95 percent of adults reported that they owned a mobile phone, and 77 percent of adults owned a smartphone, up from 35 percent in 2011.11 A growing number of people use their cell phones to view streaming video services offered by companies such as Netflix or Hulu.12 Pew Research reported in early 2018 that younger adults, people of color, and those with lower household incomes are more likely to be “smartphone-dependent,” with limited options for internet access other than their phones.13

Restrictions on Connectivity

Internet users in the United States face few government-imposed restrictions on their ability to access content online. The backbone infrastructure is owned and maintained by private telecommunications companies, including AT&T and Verizon. In contrast to countries with only a few connections to the backbone internet infrastructure, the United States has numerous connection points, which would make it nearly impossible to disconnect the entire country from the internet.

At the same time, law enforcement agencies in the United States have occasionally wielded their power to inhibit wireless internet connectivity in emergency situations. The federal government has a secret protocol for shutting down wireless internet connectivity in response to particular events, some details of which came to light following a lawsuit brought under the Freedom of Information Act in 2013.14 The protocol, known as Standard Operating Procedure (SOP) 303, was established in 2006 on the heels of a 2005 cellular-activated subway bombing in London. It codifies the “shutdown and restoration process for use by commercial and private wireless networks during national crises.” What constitutes a “national crisis” and what safeguards exist against abuse remain largely unknown, as the full SOP 303 documentation has never been released to the public.15

State and local law enforcement also have tools to jam wireless internet.16 In December 2014, the FCC issued an Enforcement Advisory clarifying that it is illegal to jam cell phone networks without federal authorization, even for state and local law enforcement agencies.17

ICT Market

While many broadband service providers operate in the United States, the industry has trended toward consolidation. On May 6, 2016, the FCC announced that it had voted to approve Charter Communications Inc.’s acquisition of Time Warner Cable and Bright House Networks; this was subsequently approved by the California Public Utilities Commission.18 As of mid-2016, two companies—Comcast and Charter Communications—controlled an estimated 70 percent of the market for fixed-line broadband internet access, with approximately 24 million and 22 million subscribers respectively.19 AT&T is the third-largest broadband provider with 15.6 million subscribers, followed by Verizon with 7 million and CenturyLink with 6 million.20 Although average broadband speeds have increased over the past decade, the majority of American households have access to only one broadband provider that offers download speeds of at least 25 Mbps.21

Further consolidation of the telecom sector threatens to limit consumer access to information and communication technologies (ICT) services. Most recently on June 14, 2018, AT&T announced that it had acquired media and entertainment company Time Warner.22 On July 12, the Justice Department announced that it would appeal the court decision that had allowed the merger to proceed.23

The FCC has made some attempts to mitigate these threats in recent merger approvals. For example, the commission included provisions within the 2016 Charter–Time Warner Cable deal that required Charter Communications to expand broadband availability to close the digital divide, including establishing new cable lines in areas of California without internet access, and providing affordable access to at least 525,000 low-income families.24 Other conditions prohibit the companies from taking steps that would privilege cable services over online video competitors, such as imposing data caps on online content that would discourage subscribers from streaming video.25 In 2015, regulators had blocked a proposed merger between Time Warner Cable and Comcast, citing concerns about Comcast’s ability to interfere with over-the-top services (such as Netflix), as well as increased market concentration.26

Americans increasingly access the internet via mobile technologies, as wireless carriers deploy advanced Long-Term Evolution (LTE) networks. Following a decade of consolidation, the US wireless market is dominated by four national carriers — AT&T, Verizon, Sprint, and T-Mobile. Verizon leads the wireless services market with 143 million subscribers, followed by AT&T with 132 million, T-Mobile with 67 million, and Sprint with 58 million.27

In April 2018, Sprint and T-Mobile announced that they had reached an agreement to merge the two companies; it is unclear whether the proposed deal will go through, since previous merger attempts have been unsuccessful.28 The US government has looked unfavorably on further consolidation of mobile networks. Regulators had blocked AT&T’s proposed merger with T-Mobile in 2011 and separately signaled that they would block a rumored merger between Sprint and T-Mobile in 2014.29

Moreover, the government has promoted mobile broadband through a series of spectrum auctions. In March 2016, the FCC began the process of buying back airwaves set aside for TV broadcasters to increase the available spectrum for wireless broadband, as outlined in the government’s 2012 National Broadband Plan, which set a goal of establishing universal broadband by 2020.30

In January 2015, then-president Barack Obama announced an initiative to encourage the development of community-based broadband services and asked the FCC to remove barriers to local investment.31 One month later, the FCC preempted (overturned) state laws in Tennessee and North Carolina that restrict local broadband services, arguing that such laws create barriers to broadband deployment.32 In August 2016, a federal court ruled that the FCC does not have the authority to preempt these state laws,33 which are also on the books in many other states. Critics contend that the ruling threatens to limit affordable broadband options for small remote communities.

Regulatory Bodies

No single agency governs the internet in the United States. The FCC is charged with regulating radio and television broadcasting, interstate communications, and international telecommunications that originate or terminate in the United States. The FCC has jurisdiction over a number of internet-related issues, though this authority was curtailed when the FCC voted in December 2017 to reverse the 2015 Open Internet Order, which had provided the legal authority for the FCC to regulate broadband internet providers as common carriers.

The FCC is led by five commissioners, nominated by the president and confirmed by the Senate, with no more than three commissioners from one party. President Donald Trump nominated Republican commissioner Ajit Pai to serve as chair on January 23, 2017.34 The FCC is currently controlled by a Republican majority.

Other government agencies, such as the Commerce Department’s National Telecommunications and Information Administration (NTIA), play advisory or executive roles with respect to telecommunications, economic and technological policies, and regulations.

Since assuming his role as chair of the FCC, Pai has taken a number of steps toward deregulating the telecommunications industry, most notably the decision to diminish the FCC’s ability to regulate internet service providers and roll back net neutrality protections. On March 1, 2017, the Commission voted to freeze the broadband privacy guidelines that the FCC had passed the previous October.35 The guidelines would have required broadband providers to obtain opt-in consent from consumers before they could use and share information such as a user’s web browsing history and app usage data, and would have given consumers the ability to opt-out of the use and sharing of other types of personally identifiable information.36 In late March, Congress went a step further and voted to repeal the broadband privacy guidelines under the Congressional Review Act,37 which effectively prevents the FCC from enacting similar rules in the future.38 In February 2017, the FCC also ended its review of whether zero-rating practices, which provide free internet access under certain conditions, violate net neutrality principles and enabled the practice to continue.39 Critics argue that zero-rating services could harm competition.40

During this report’s coverage period, in December 2017, the FCC voted to reverse the net neutrality rules established by the 2015 Open Internet Order, which had prohibited network operators from giving preferential treatment to favored content or from blocking disfavored content on both fixed and wireless networks. The repeal went into effect outside the coverage period, on June 11, 2018,41 allowing internet service providers to speed up, slow down, or block some websites in favor of others at will. The repeal also overturned some of the FCC’s regulatory authority over broadband ISPs.42 FCC chairman Ajit Pai argued that this decision would reinstate a light-touch regulatory model that is good for innovation and for consumers.43 However, the decision was sharply criticized by civil society and public interest groups, who argued that the decision will harm consumers,44 is an abandonment of the FCC’s responsibility to protect freedom of expression online,45 and will likely result in a less free and open internet.46 Polls indicate that the majority of Americans are in favor of net neutrality.47

Several state legislatures, attorneys general, and civil society groups have since taken up the fight to reinstate net neutrality on the local and federal levels. Following the FCC’s decision, 21 state attorneys general filed a lawsuit with the US Court of Appeals in the DC circuit, claiming that the FCC’s decision was “arbitrary and capricious” and violated several aspects of federal law. 48 Civil society groups and nonprofits including Mozilla,49 Public Knowledge,50 the Open Technology Institute,51 and Free Press52 filed protective petitions urging the US Courts of Appeals for the DC and First Circuits to review the FCC’s decision. The governors of Montana and New York signed executive orders barring state agencies from conducting business with ISPs that violate net neutrality,53 and several other state legislatures are considering bills that would requires ISPs in the state to abide by net neutrality principles.54 In September 2018, California passed its own net neutrality law; the Department of Justice announced plans to sue the state hours after the bill was signed into law.55

The scaling back of the Lifeline program and the ending of review of zero-rating practices (see “Availability and Ease of Access”) have contributed to a range of critics, from Democratic lawmakers to the New York Times editorial board to public interest groups, decrying Pai’s FCC agenda as putting corporations ahead of consumers and circumventing the public process.56

B Limits on Content

The passage of the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017,” or SESTA/FOSTA, in March 2018 to address the problem of sex trafficking facilitated through the internet has had the unintended consequence of pushing companies to preemptively remove legitimate content. Meanwhile, the growing prevalence of disinformation and partisan media continued to have a significant impact on the online media landscape.

Blocking and Filtering

In general, the US government does not force ISPs or content hosts to block or filter online content. Some states require publicly funded schools to install filtering software on their computers to block obscene, illegal, or harmful content.1 The Children’s Internet Protection Act of 2000 (CIPA) requires public libraries that receive certain federal government subsidies to install filtering software that prevents users from accessing child pornography or visuals that are considered obscene or harmful to minors. Libraries that do not receive the specified subsidies from the federal government are not obliged to comply with CIPA, but more public libraries are seeking federal aid in order to mitigate budget shortfalls.2 Under the Supreme Court’s interpretation of the law, adult users can request that the filtering be removed without having to provide a justification. However, not all libraries allow this option, arguing that decisions about filtering should be left to the discretion of individual libraries.3

Content Removal

A recent legislative initiative to address the problem of sex trafficking facilitated through the internet has had the unintended consequence of pushing companies to preemptively remove legitimate content. On March 21, 2018, the Senate passed the “Allow States and Victims to Fight Online Sex Trafficking Act of 2017,” also referred to as SESTA/FOSTA, which President Trump signed into law on April 11. The law establishes legal liability for internet services that are used to “promote or facilitate prostitution of five or more persons, or […] acts with reckless disregard that such conduct contributes to sex trafficking.” 4 Previously, under Section 230 of the Communications Decency Act, companies would not generally be held liable for the illegal content of their users unless notified of its existence (see more on Section 230 below). Civil society advocates criticized the bill for undermining internet freedom, since companies would be forced to preemptively censor their users or face the threat of legal action.5 After the bill was passed by the Senate but before it became law, reports surfaced of companies already censoring content: Craigslist announced that it was removing its “Personals” section from its website altogether,6 and sex workers reported that they could no longer access some of their Google Drive files containing adult content.7 Further, sex workers and community advocates argue that the bill threatens their safety, since platforms that have been targeted—such as Backdoor, sections of Craigslist, and other online forums—made it possible for sex workers to leave exploitive situations, communicate with one another, and build protective communities.8

The government does not directly censor any particular political or social viewpoints online, although legal rules do restrict certain types of content on the internet. Illegal online content, including child pornography and content that infringes on copyright, is subject to removal through a court order or similar legal process if it is hosted within the United States. Aside from these examples, government pressure on ISPs or content hosts to remove content is not a widespread issue. Social media companies and other content providers may remove content that violates their terms and conditions.9

One of the most significant protections for online free expression in the United States is Section 230 of the Communications Decency Act of 1934 (CDA 230), amended by the Telecommunications Act of 1996, which generally shields online sites and services from legal liability for the activities of their users, allowing user-generated content to flourish on a variety of platforms.10 However, public concern over intellectual property violations, child pornography, protection of minors from harmful or indecent content, harassing or defamatory comments, publication of commercial trade secrets, gambling, financial crime, and terrorist content have presented a strong impetus for aggressive legislative and executive action, and some laws, such as SESTA/FOSTA, have threatened to undermine the broad protections for intermediaries of CDA 230.11

Congress has passed several laws designed to restrict adult pornography and shield children from harmful or indecent content online, such as the Child Online Protection Act of 1998 (COPA), but these laws have been overturned by courts due to their ambiguity and potential infringements on the First Amendment of the Constitution, which protects freedom of speech and the press. On the other hand, advertisement, production, distribution, and possession of child pornography—on the internet and in all other media—is prohibited under federal law and can carry a sentence of up to 30 years in prison. According to the Child Protection and Obscenity Enforcement Act of 1988, producers of sexually explicit material must keep records proving that their models and actors are over 18 years old. In addition to prosecuting individual offenders, the Department of Justice, the Department of Homeland Security, and other law enforcement agencies have asserted their authority to seize the domain name of a website allegedly hosting child abuse images after obtaining a court order.12

Intended to help protect against sex trafficking of children, the SAVE Act became law in May 2015.13 The final text of the legislation was changed to make it illegal to knowingly advertise content related to sex trafficking, a higher requirement than an earlier draft that would have established liability for “knowledge of” or “active disregard for the likelihood of” hosting such content.14 At the same time, the law still establishes federal criminal liability for third-party content, which could lead to companies choosing to over censor rather than face criminal penalties, or to limit the practice of monitoring content altogether so as to avoid “knowledge” of illegal content.15

For copyright infringement claims, the removal of online content is dictated by the safe harbor provisions created in Section 512 of the Digital Millennium Copyright Act (DMCA).16 Operating through a “notice-and-take-down” mechanism, internet companies are shielded from liability if they remove infringing content upon receipt of a DMCA notice. However, because companies have the incentive to err on the side of caution and remove any hosted content subject to a DMCA notice, there have been occasions where overly broad or fraudulent DMCA claims have resulted in the removal of content that would otherwise be excused under free expression, fair-use, or educational provisions.17 In some cases, the immediate removal of content through DMCA requests has been used to target political campaign advertisements, since they result in content being unavailable during the campaign season and are unlikely to be challenged in court after the campaign ends.18

Media, Diversity, and Content Manipulation

While the online environment in the United States continues to be vibrant and diverse, the growing prevalence of disinformation and partisan media over the past few years has had a significant impact on the online media landscape. Internet users continue to exercise self-censorship due to concerns of government surveillance as well as online harassment by other internet users.

The proliferation of disinformation—particularly on social media—remained a prominent concern in the aftermath of the November 2016 presidential election. Over the past year, scrutiny of social media platforms intensified, as the public learned more about how different actors spread disinformation online. In October 2017, executives from Facebook, YouTube, and Twitter were called to testify in a hearing before Congress in response to concern over revelations that Russia may have used social media platforms to spread disinformation and sow discord among the American public, particularly during the 2016 presidential election.19 Their testimonies revealed that 126 million Facebook users may have seen content produced by Russian operatives,20 while Twitter later disclosed it had discovered over 3,800 real accounts related to the Internet Research Agency in Russia and 36,000 bot accounts originating in Russia.21 It remains unclear what effect this content may have had on the election, though the companies have each taken steps to remove such content or accounts from their platforms.22

In April 2018, Facebook founder and CEO Mark Zuckerberg testified in two congressional hearings about his company’s role in the Cambridge Analytica scandal, in which it was revealed that Facebook had exposed the data of up to 87 million users to a third-party researcher, who sold that data to company Cambridge Analytica for political consulting purposes.23 While the focus of the hearings was largely on consumer privacy issues regarding Facebook’s collection and sharing of user information, the hearings also touched on questions related to what Facebook executives knew about how Russian actors like the Internet Research Agency used Facebook’s platform and to what end. In February 2018, Robert Mueller, Special Counsel for the Department of Justice, issued an indictment of Russian operatives including the Internet Research Agency.24 The indictment detailed ways in which the group conspired to use social media platforms, including Facebook, Instagram, Twitter, and YouTube, with the “stated goal of spread[ing] distrust towards candidates and the political system in general.”25

Hyperpartisan media outlets and social media users continued to flourish online and affect the visibility of and attention paid to more balanced sources of news and information.26 In mid-2018, several tech companies separately decided to ban and remove content from the conspiracy theorist Alex Jones for violating the companies’ terms of service on hate speech.27 Most notably, Jones had regularly propagated a false theory that the 2012 school shooting in Sandy Hook, Connecticut, had been staged, a theory that had led to harmful threats against the victims’ parents. Apple first removed podcasts from Jones’ Infowars network from its iPhone Podcast app in August 2018; Facebook, Spotify, YouTube, PayPal, and eventually Twitter followed suit with similar bans and removals. In September, Apple subsequently removed the Infowars app itself from the App Store after the ban on the network’s podcasts led to a spike in the app’s popularity.28

Trump continued to place restrictions on the press and access to information, which extended to the online sphere as well. On May 23, 2018, a federal judge ruled that President Trump’s practice of blocking his critics from following his Twitter account was unconstitutional, finding that the president’s Twitter feed acts as a public forum and thus blocking members of the public from interacting with the account violates the First Amendment.29

Reports of self-censorship among journalists, lawyers, and everyday internet users persist. Online harassment is one of the driving forces behind self-censorship. A report published by Amnesty International in November 2017 found that 33 percent of women in the United States had experienced online harassment, and that of the women surveyed across eight countries who had experienced online harassment, 76 percent changed how they used social media as a result.30

Journalists report that government pressure and threats to the security of their digital communications has had a chilling effect on their ability to investigate and publish freely in recent years. Although the Constitution includes core protections for freedom of the press, the government does bring some enforcement actions against whistleblowers and journalists. Several recent studies have concluded that the aggressiveness with which the Department of Justice investigates leaks—as well as pervasive government surveillance programs such as those disclosed by Edward Snowden in 2013—causes journalists and writers to self-censor and raises concerns about whether they are able to protect the confidentiality of their sources.31

Everyday American citizens also change their behavior in response to extensive government surveillance. A study published in Journalism & Mass Communication Quarterly in February 2016 found that priming participants with subtle reminders about mass surveillance had a chilling effect on individuals’ willingness to publicly express minority opinions online.32

Digital Activism

Political activity in the United States has increasingly moved online in recent years.33 Some of the most visible social movements over the last few years—the Black Lives Matter movement, the Women’s March, the #MeToo movement, and the student-led gun control movement—have augmented on-the-ground organizing with online social media tools. A study by Crimson Hexagon and the PEORIA Project at George Washington University found that on Twitter in the fall of 2017, the #MeToo hashtag was used to talk about sexual harassment more than 7 million times.34

The Black Lives Matter movement—which started in 2013 with the hashtag #blacklivesmatter—has become a prominent example of a “decentralized but coordinated”35 social justice movement that has strategically used social media to organize protests against police violence and shift national conversations about race. Information released by Twitter revealed that the #blacklivesmatter hashtag had been used over 12 million times since it was created, making it the third-most-used hashtag on the platform.36

C Violations of User Rights

During the reporting period, a few arrests were reported in relation to online activities, while journalists and citizens were continually harassed for covering protests on social issues. Two new laws were enacted affecting privacy, surveillance, and data collection: the reauthorization of Section 702 of FISA until 2024, and the passage of the Clarifying Lawful Overseas Use of Data Act, or CLOUD.

Legal Environment

The First Amendment of the Constitution includes protections for free speech and freedom of the press. In 1997, the Supreme Court reaffirmed that online speech has the highest level of constitutional protection.1 Lower courts have consistently struck down attempts to regulate online content.

Companies are generally shielded from liability for the activities of their users by Section 230 of the Communications Decency Act, though the enactment of SESTA/FOSTA in April 2018 weakened liability protections in an effort to address the problem of sex trafficking facilitated online (see “Content Removal”). Meanwhile, the DMCA provides a safe harbor to intermediaries that take down allegedly infringing material after notice from the copyright owner (see “Content Removal”).2 A number of US laws also protect speech from harmful corporate actions, including corporate surveillance that may lead users to self-censor, and failure of private actors to sufficiently protect internet users’ personal information from unauthorized access (see “Surveillance, Privacy, and Anonymity”).

Nonetheless, aggressive prosecution under the Computer Fraud and Abuse Act (CFAA) of 1986 has fueled criticism of the law’s scope and application. It is illegal to access a computer without authorization under CFAA, but the law fails to define the term “without authorization,” leaving the provision open to interpretation in the courts.3 In one prominent case from 2011, programmer and internet activist Aaron Swartz secretly used Massachusetts Institute of Technology servers to download millions of files from JSTOR, a service providing academic articles. Prosecutors sought harsh penalties for Swartz under CFAA, which could have resulted in up to 35 years imprisonment.4 Swartz committed suicide in 2013 before he was tried. After his death, a bipartisan group of lawmakers introduced “Aaron’s Law,” a piece of legislation that would prevent the government from using CFAA to prosecute terms of service violations and stop prosecutors from bringing multiple redundant charges for a single crime.5 The bill was reintroduced in 2015, but did not garner enough support to move forward.6

There are no legal restrictions on user anonymity on the internet, and constitutional precedents protect the right to anonymous speech in many contexts. There are also state laws that stipulate journalists’ right to withhold the identities of anonymous sources, and at least one such law has been found to apply to bloggers.7 The legal framework for government surveillance, however, has been open to abuse. In June 2015, President Obama signed the USA Freedom Act into law, introducing some restrictions on the way the National Security Agency (NSA) can access information about American citizens from their phone records. Other laws used to authorize surveillance have yet to be reformed (see “Surveillance, Privacy, and Anonymity”).

On April 3, 2017, President Trump signed S.J. Resolution 34, which nullified the FCC’s broadband privacy guidelines (see “Regulatory Bodies”).8 The joint resolution rolled back regulations introduced in October 2016 that would have given consumers more control over how their personal information is collected and used by broadband ISPs. In contrast, several states have considered legislation to protect internet users’ privacy rights.9 As of May 2018, the Illinois “right to know” bills (SB 1502 and HB 2774) were still being considered by the state legislature. The Minnesota bill had passed the state Senate with widespread bipartisan support but was later removed from a larger spending bill during private negotiations.10 On June 8, the California state legislature enacted AB 375,11 also known as the California Consumer Privacy Act of 2018, which allows Californians to demand information from businesses in the state about how their personal data is collected, used, and shared.12

Prosecutions and Detentions for Online Activities

Prosecutions or detentions for online activities, particularly for online speech, are relatively infrequent given broad protections under the First Amendment. However, there have been prosecutions related to threats posted on social media, arrests related to filming police interactions, and problematic prosecutions under the CFAA. In addition, Customers and Border Patrol agents at international airports are increasingly forcing travelers, including American citizens, to turn over their cell phone passcodes or risk detention (see “Surveillance, Privacy, and Anonymity”).

Reported arrests in relation to online activities in the past year include:

  • In December 2017, police arrested Christopher Daniels, also known as Rakem Balogun, in part because of his Facebook posts that Federal Bureau of Investigation (FBI) agents claimed advocated for violence against police.13 Members of his community accused the FBI of targeting Daniels as a “black identity extremist.” Daniels was indicted for unlawful possession of a firearm, but the charges were dropped in May.
  • On April 3, 2018, Manuel Duran, a journalist who runs the local Spanish-language news website Memphis Noticias, was arrested while covering an immigration protest.14 Charges against him were dropped but he was detained and held by Immigration and Customs Enforcement (ICE) officials after his hearing.

Police have periodically detained individuals who uploaded images or broadcasted live video of police activity with their phones, posing a threat to First Amendment protections.15 Most of the arrests have been made on unrelated charges, such as obstruction or resisting arrest, since openly filming police activity is a protected right. In July 2016, police in Louisiana detained store owner Abdullah Muflahi for six hours and confiscated his cellphone after he filmed the fatal shooting of Alton Sterling by police.16 Chris LeDay, a Georgia-based musician who shared another video of the same incident on Facebook, was arrested soon after for unpaid traffic fines.17 In contrast, in July 2017, federal courts upheld the right of bystanders to use their smartphones to record police actions.18

Previously, the government used the CFAA to prosecute Matthew Keys, a former Tribune Company journalist and social media editor who had given log-in credentials to the hacking group Anonymous. Keys was convicted in October 2015 and sentenced to two years’ imprisonment on April 13, 2016.19 Some critics of CFAA argued that Keys’ sentencing was overly harsh, and that many of his crimes could be charged as misdemeanors.20 Many states also have their own laws related to computer hacking or unauthorized access. Several smaller cases in the past few years highlighted the shortcomings and lack of proportionality of these laws.21

Surveillance, Privacy, and Anonymity

During the reporting period, new laws were enacted affecting privacy, surveillance, and data collection, including the reauthorization of Section 702 of FISA until 2024 and the passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Warrantless searches of travelers’ cell phones at the border also continued to be a significant problem, with new policies released from Customs and Border Protection (CPB).

Modern surveillance by law enforcement in the United States is governed by the USA PATRIOT Act, which was passed following the terrorist attacks of September 11, 2001, expanding government surveillance and investigative powers in terrorism and criminal investigations.22 On June 2, 2015, President Obama signed the USA FREEDOM Act into law, extending expiring provisions of the PATRIOT Act, including broad authority to conduct roving wiretaps of “John Doe” targets and “lone wolf” surveillance.23 At the same time, the law significantly reformed the bulk collection of phone records under Section 215, a program detailed in documents leaked by former NSA contractor Edward Snowden in 201324 that was later ruled illegal by the Second Circuit Court of Appeals in May 2015.25

The USA FREEDOM Act replaced the bulk collection program with a system that allows the NSA to access records held by phone companies with an order from the Foreign Intelligence Surveillance court (FISA court).26 Requests for that access require the use of a “specific selection term” (SST) representing an “individual, account, or personal device,”27 which is intended to prohibit broad requests for records based on zip code or other indicators, and can only be extended or renewed in certain circumstances.28 The SST provision also applies when intelligence agents use FISA pen registers and trap and trace devices (instruments that will capture a phone’s outgoing or incoming records) and to national security letters (secret subpoenas to request call records issued by the FBI).29

The USA FREEDOM Act further changed the way private companies publicly report on government requests they receive for user information. The Department of Justice (DOJ) limits the disclosure of information about national security letters, including in the transparency reports voluntarily published by some internet companies and service providers.30 In 2014, the DOJ reached a settlement with Facebook, Google, LinkedIn, Microsoft, and Yahoo that would permit the companies to disclose the number of government requests they receive, but only in aggregated bands of 0–249 or 0–999.31 Twitter, not a party to the settlement, filed suit against the DOJ in October 2014 on grounds that the rules amounted to an unconstitutional prior restraint that violates the company’s First Amendment rights.32 In May 2016, a judge partially dismissed Twitter’s case but gave the company the opportunity to refile.33 The USA FREEDOM Act allows companies the option of more granular reporting, though reports containing more detail are still subject to time delays and their frequency is limited.34

The USA FREEDOM Act also required that the FISA court appoint an amicus curiae, an individual (or several) qualified to provide legal arguments that “advance the protection of individual privacy and civil liberties.”35 Five individuals are currently designated to serve as amicus curiae.36

Despite these improvements, other surveillance programs revealed by the NSA leaks were authorized under laws that, though partially reformed since they were exposed in 2013, still contain scope for surveillance that lacks oversight, specificity, and transparency:

  • Section 702 of FISA Amendments Act of 2008: Section 702 was used to authorize “Downstream” (also known as PRISM) and “Upstream” collection (see below), the controversial programs under which the NSA reportedly collects users’ communications data—including the content—directly from US tech companies and through the physical infrastructure of undersea cables.37 Section 702 only authorizes the collection of information about foreign citizens, yet the content of Americans’ communications incidentally swept up in this process is also collected and stored in a searchable database.38 The USA FREEDOM Act made no changes to this practice or to the NSA’s access to the communications content collected. Rather, it limits the use of information about US citizens in court or in other government proceedings, but only if the NSA did not follow existing procedures to minimize the likelihood of collecting that information. The FISA court determines whether or not those procedures were followed.39

In October 2016, during the FISA court’s annual review and reauthorization of surveillance conducted under Section 702, the government notified the FISA court judge that it had reported widespread violations of protocols intended to limit access to Americans’ communications by NSA analysts (these details were revealed when the information was declassified in May 2017).40 “Upstream” collection, which captures any communications that mention a foreign target—not just communications to and from a foreign target—is more likely than other programs to incidentally collect communications sent between US citizens, which is outside the scope of lawful surveillance.41 The report showed analysts had failed to take steps to ensure that they are not searching the upstream database when conducting queries.

In response, the court delayed reauthorizing the program, and in April 2017 the NSA director recommended that the agency halt its collection of Americans’ communications if they merely mentioned a surveillance target (referred to as “about collection”), and instead only collect communications to and from the target.42 Privacy advocates welcomed the NSA decision to halt this type of collection, and emphasized that the government’s findings underscore the need for legislative reform of Section 702.

As Congress prepared to reauthorize the FISA Amendments Act, including Section 702, for another six years toward the end of 2017, a bipartisan coalition of members of Congress sought to amend the draft law to include increased privacy protections. One amendment, which was cut during the drafting process, would have required officials to obtain a warrant before accessing information belonging to US citizens that is swept up in process of foreign data collection. However, the final bill, passed on January 18, 2018, did contain a similar-sounding provision43 requiring a warrant only in cases where an FBI agent wants to read the content of emails belonging to an American who is already part of an investigation; observers noted that the wording is too narrow to apply in most cases.44

Section 702 was ultimately reauthorized with few changes and did not address the issue of “about” collection, which means that nothing in the law would prevent the NSA from restarting the program. The final text included some measures to increase transparency, such as requiring the NSA to notify Congress in the event that it resumes the practice of “about” collection, and requiring the Attorney General to brief members of Congress about how the government uses information collected under Section 702 in official proceedings such as criminal prosecutions.45 However, privacy and civil liberties advocates warn that the reauthorization effectively codifies some of the more problematic aspects of Section 702 surveillance practices, including “about” collection and the backdoor search loophole.46

  • Executive Order 12333: Originally issued in 1981, Executive Order (EO) 12333 outlines how and when the NSA or other agencies may conduct surveillance on US citizens and other individuals within the United States,47 authorizing the collection of US citizens’ metadata and the content of communications if that data is collected “incidentally.”48 The extent of current NSA practices authorized under EO12333 is unclear, but documents from the NSA leaks suggest that EO12333 was used to authorize the so-called MYSTIC program, which was reportedly used to capture all of the incoming and outgoing phone calls of one or more target countries on a rolling basis. The Intercept identified the Bahamas, Mexico, Kenya, and the Philippines as targets in 2014.49 In December 2014, Congress passed a law that included a requirement that the NSA develop “procedures for the retention of incidentally acquired communications” collected pursuant to EO12333, and that such communications may not be retained for more than five years except when subject to certain broad exceptions.50 In January 2015, then-president Obama updated a 2014 policy directive that put in place important new restrictions relevant to EO12333 on the use of information collected in bulk for foreign intelligence purposes.51 Civil society groups continue to campaign for its complete reform.52

Under a set of complex statutes, US law enforcement and intelligence agencies can monitor communications content and communications records, or metadata, under varying degrees of oversight as part of criminal or national security investigations. The government may request that companies store such data for up to 180 days under the Stored Communications Act, but how they otherwise collect and store communications content and records varies by company.53

Law enforcement access to metadata generally requires a subpoena issued by a prosecutor or investigator without judicial approval;54 a warrant is only required in California under the California Electronic Communications Privacy Act, which has been in effect since January 1, 2016.55 In criminal probes, law enforcement authorities can monitor the content of internet communications in real-time only if they have obtained an order issued by a judge, under a standard that is actually a little higher than the one established by the Constitution for searches of physical places. The order must reflect a finding that there is probable cause to believe that a crime has been, is being, or is about to be committed.

The status of stored communications is more uncertain. One federal appeals court has ruled that the Constitution applies to stored communications, so that a judicial warrant is required for government access.56 However, the 1986 Electronic Communications Privacy Act states that the government can obtain access to email or other documents stored in the cloud with a subpoena.57 In April 2016, the House of Representatives passed the Email Privacy Act, which would require the government to obtain a probable cause warrant before accessing email or other private communications stored with cloud service providers.58 The bill was reintroduced in January 2017, passed the House, and has been referred to the Committee on the Judiciary in the Senate.59

The breadth of law enforcement access to user data held by companies was expanded under the Clarifying Lawful Overseas Use of Data Act, or CLOUD (S. 232860 and H.R. 494361 ), signed into law on March 23, 2018, as part of a government spending bill.62 Introduced with the intention of updating the 1986 Stored Communications Act to clarify policies governing cross-border data transfers,63 CLOUD determined that law enforcement requests sent to US companies for user data under the Stored Communications Act applies to data in the company’s possession regardless of where it is stored, including overseas. Previous requests for user data were limited to data stored within the US’s jurisdiction. CLOUD also allows foreign governments to directly petition US companies to hand over user data.64 Proponents of the law, including several large US tech firms,65 argued that the previous legal framework was outdated and cumbersome, requiring law enforcement to go through the potentially lengthy mutual legal assistance treaty (MLAT) process between countries to obtain information pertaining to local crimes because that data happens to be stored overseas.66 Civil liberties advocates argue that the law undermines privacy by giving governments new powers to compel companies to hand over user data.67

In addition to surveilling private communications, law enforcement agencies have also monitored websites and social media platforms for suspected criminal activity. In October 2016, the ACLU reported that police were conducting social media surveillance using a tool called Geofeedia, which allows users to aggregate social media content by location (such as a protest site); the company specifically marketed its service to law enforcement agencies.68 Following the ACLU’s report, Facebook, Twitter, and Instagram shut off Geofeedia’s access to their data.69

In recent years, there has been a significant increase in warrantless searches of travelers’ cell phones by border agents when they attempt to enter the United States, tripling from 857 searches in October 2015 to 2,560 searches in October 2016.70 In one case, an American NASA engineer who was flying back from South America was detained and told to hand over the passcode for his phone, even though it was the property of the NASA lab where he worked.71 On April 4, 2017, several senators introduced legislation that would require border patrol agents to obtain a warrant before searching the contents of a cell phone, and would prohibit agents from detaining people for more than four hours while trying to get them to unlock their phones. As of mid-2018, the bill had not been voted on.72 Meanwhile, in March 2018, the Trump administration announced plans to require anyone applying to immigrate to the United States to submit five years of social media history.73

User data is otherwise protected under Section 5 of the Federal Trade Commission Act (FTCA), which has been interpreted to prohibit internet entities from deceiving users about what personal information is being collected and how it is being used, as well as from using personal information in ways that harm users without offering countervailing benefits. In addition, the FTCA has been interpreted to require entities that collect users’ personal information to adopt reasonable security measures to safeguard it from unauthorized access. State-level laws in 47 states and the District of Columbia also require entities that collect personal information to notify consumers—and, usually, consumer protection agencies—when they suffer a security breach leading to unauthorized access of personal information. Section 222 of the Telecommunications Act prohibits telecommunications carriers from sharing or using information about their customers’ use of the service for other purposes without customer consent. This provision has historically only applied to phone companies’ records about phone customers, but following the FCC’s net neutrality order, it also applied to ISPs’ records about broadband customers.74

While there are no legal restrictions on anonymous communication online, some social media platforms require users to register using their real names through Terms of Service or other contracts.75 Online anonymity has been challenged in cases involving hate speech, defamation, or libel. In one recent example, a Virginia court tried to compel the crowdsourced review platform Yelp to reveal the identities of anonymous users, before the Supreme Court of Virginia ruled that it did not have the authority.76

Recent cases have also raised the question of the degree to which the courts can force technology companies to comply with court orders, particularly those that would require the companies to alter their products. Following a terrorist attack in San Bernardino in December 2015, the federal government sought to compel Apple to unlock a passcode-protected iPhone belonging to one of the perpetrators. Because some iPhones are programmed to permanently block access to all of the phone’s encrypted data once an incorrect passcode is entered too many times, the government issued a court order that would compel Apple to create new software enabling the FBI to access the phone.77 Security experts argued that requiring companies to create “backdoors” for law enforcement to access encrypted data would undermine security and public trust.78

Conversely, there have been efforts to codify rules that would bar the government from requiring surveillance backdoors. In June 2018, a bipartisan effort renewed a push to pass the Encrypt Act that would prohibit state and local governments from mandating “backdoor” access to devices.79 The bill had originally been introduced in 2016.

Despite vigorous debate, there have been no legislative changes regarding the use of encryption, nor is there any indication that the government is currently planning to move forward with the technical solutions it has proposed.80 While the Communications Assistance for Law Enforcement Act (CALEA) currently requires telephone companies, broadband carriers, and interconnected Voice over Internet Protocol (VoIP) providers to design their systems so that communications can be easily intercepted when government agencies have the legal authority to do so, it does not cover online communications tools such as Gmail, Skype, and Facebook.81 Calls to update CALEA to cover online applications and communications have not been successful. In 2013, 20 technical experts published a paper explaining why such expansion (known as “CALEA II”) would create significant internet security risks.82

Other legal implications of law enforcement access to devices have been debated in the courts. In March 2016, a Maryland state appellate court issued a ruling stating that law enforcement must obtain a warrant before using “covert cell phone tracking devices” known by the product name Stingray.83 Several court decisions subsequently affirmed that police must obtain a warrant before using these devices.84 Stingray devices act like cell phone towers, causing nearby cell phones to send identifying information and thus allowing law enforcement to track targeted phones or determine the phone numbers of people in a nearby area. In its decision, the Maryland court rejected the argument that individuals are effectively “volunteering” their private information when they choose to turn on their phones, since doing so allows third parties (the phone company’s cell towers) to send and receive signals from the phone.85 This was the first court decision addressing whether a warrant is required in the use of Stingray devices.86

On May 18, 2017, The Detroit News obtained court documents showing that police had used Stingray devices to find and arrest an undocumented immigrant.87 Privacy advocates argue that because Stingray devices collect information from cell phones in the area surrounding the target, and thus constitute mass surveillance, their use by law enforcement should be limited to serious cases involving violent crimes, not immigration violations.88

In a positive development, on June 22, 2018 (outside of this report’s coverage period), the Supreme Court ruled on a significant decision regarding access to device data in the case of Carpenter v. United States. Ruling in favor of the plaintiff, the court decided that the government is required to obtain a warrant in order to collect subscriber location information records from third parties like cell phone providers.89 Privacy advocates lauded the decision, noting that the privacy protections of cell phone location information have broader impacts on the privacy protections of other information that companies collect and store about their users.90 The decision also significantly diminishes the third-party doctrine, or the idea that Fourth Amendment protections to privacy do not extend to most types of information one voluntarily hands over to third parties (such as telecommunications companies).91 While the full impact of this decision on the privacy landscape in the United States will continue to unfold for years to come, it is regarded as a step forward in protecting people’s private information from unwarranted and unfettered government access.

Intimidation and Violence

Journalists continue to face increased levels of harassment and threats online. An issue that has become more prominent during the #MeToo movement is the plight of female journalists, who face “rampant online gendered harassment” in the course of doing their jobs, according to a study published in April 2018.92 Journalists also face threats for writing about political topics, particularly in the highly charged and often vitriolic environment of online public discourse. Several journalists have reported being doxxed—having their home addresses, phone numbers, and other personal details posted online—and have received violent threats directed at themselves or their family members, causing them to think twice before writing about potentially controversial topics.93

Harassment and threats online, particularly aimed at certain groups, also undermined the ability of users to exercise their rights to freedom of expression. The Pew Research Center found that one in four black Americans has faced online harassment because of their race or ethnicity.94 A report by Amnesty International found that 33 percent of women in the United States had experienced online abuse or harassment at least once.95

The growing trend of citizens filming or livestreaming protests with mobile devices has been met with undue harassment at the hands of the authorities. Researcher Dragana Kaurin interviewed people who had used their phones to film high-profile videos of the violent arrests and police killings of African Americans—including Freddie Gray, Eric Garner, Walter Scott, Philando Castile, Alton Sterling, and others—in recent years. Her research documented numerous reports of police retaliation, harassment, physical violence, doxxing, and other forms of intimidation to deter community members from filming police brutality.96

For example, in September and October 2017, journalists and citizen “vloggers” (video bloggers) covering protests in St. Louis, Missouri, were subjected to pepper spray and arrest or detainment by police:97

  • Independent live-streamer and photographer Heather DeMain was pepper sprayed by police while covering the protests on September 29.98
  • Independent live-streamer Jon Ziegler was arrested and pepper sprayed while covering protests on September 17. Though he was arrested amid police “kettling,” during which about a hundred people were boxed in and arrested indiscriminately, it appears that several of the police officers recognized Ziegler from his work.99
  • On October 3, several more arrests took place, and Jon Ziegler was arrested for a second time. Two journalists, a reporter and a cameraman, from the online news outlet The Young Turks were also arrested, despite the fact that they were wearing press badges and informed police officers that they were journalists.100

Besides while at protests, bloggers and other ICT users generally are not subject to extralegal intimidation or violence from state actors. However, police have used intimidation and threats to discourage bystanders from filming or uploading footage, particularly surrounding protests related to police violence against African Americans, despite citizens’ legal right to film police interactions openly if they are not interfering with police activities.

Technical Attacks

Cyberattacks continue to threaten the security of networks and databases in the United States. In May 2017, a massive cyberattack dubbed “WannaCry” infected hundreds of thousands of computers and spread through networks around the world, freezing users’ files and demanding payment to unlock them.101 Though the impact on the United States was less severe than other countries, it did affect several corporations and health care networks.102 In December 2017, the US government officially blamed North Korea for the attack.103

In March 2018, the Trump administration publicly accused Russia of targeting US infrastructure in a series of cyberattacks that began in late 2015. The attacks targeted US and European nuclear power plants and water and electrical systems, compromising some of them, though the attacks did not go so far as to shut down these systems.104

In response to these incidents and others, the United States has taken a series of legal and policy measures to address growing cyber threats. On May 11, 2017, President Trump issued an executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which holds government agency heads accountable for securing the IT infrastructure of their departments, and promotes sharing IT resources across agencies in order to secure a “more resilient executive branch IT architecture.”105

In December 2015, President Obama signed an omnibus bill that included a version of the Cybersecurity Information Sharing Act already passed in the Senate. The law requires the Department of Homeland Security to share information about threats with private companies, and allows companies to voluntarily disclose information to federal agencies without fear of being sued for violating user privacy.106 Civil liberties advocates said that privacy protections in the final text of the bill were not strong enough, and valuable requirements had been eliminated from earlier drafts that would have removed from disclosures any personal information not needed to identify cybersecurity threats. Critics also said that allowing companies to voluntarily disclose data to any federal agency—including the Department of Defense and the NSA—undermines civilian control of cybersecurity programs and blurs the line between the use of this data for cybersecurity and law enforcement purposes.107

On United States

See all data, scores & information on this country or territory.

See More
  • Global Freedom Score

    83 100 free
  • Internet Freedom Score

    76 100 free