The State of State Surveillance
Governments have always surveilled their citizens. What’s changed in the 2020s is the scale, the automation, and the normalization. Mass surveillance that would have been technically impossible and politically unthinkable twenty years ago is now routine — often conducted not by spy agencies directly, but by purchasing data from commercial brokers or compelling tech companies to build backdoors into their own products.
Here’s where things stand in early 2026 — and where people are fighting back.
The Expanding Dragnet
FISA Section 702: Renewed and Expanded
In April 2024, the US Congress reauthorized Section 702 of the Foreign Intelligence Surveillance Act — the legal backbone of the NSA’s mass surveillance apparatus — for two more years. But it didn’t just renew; it expanded. The new language broadened the definition of “electronic communications service providers” who can be compelled to assist with surveillance, potentially sweeping in data centers, cloud providers, and any business that operates network equipment. Civil liberties groups called it the largest expansion of US surveillance authority since the original Patriot Act.
For non-Americans, the implications are direct: any data stored with a US-based cloud provider — Google, Microsoft, Apple, Amazon — is accessible to US intelligence agencies under Section 702, regardless of where the data subject lives or where the server is physically located.
The UK’s Online Safety Act Targets Encryption
The United Kingdom’s Online Safety Act, which received Royal Assent in late 2023, continues to cast a long shadow over encrypted communications. The law gives Ofcom (the UK communications regulator) the power to require platforms to use “accredited technology” to scan messages for illegal content — including in end-to-end encrypted services. In 2025, Ofcom began formal consultations on implementing these scanning requirements, prompting Signal president Meredith Whittaker to reiterate that Signal would leave the UK market rather than compromise its encryption.
The fundamental problem remains: there is no way to scan encrypted messages for specific content without breaking the encryption for everyone. A backdoor for the government is a backdoor for every hacker, foreign intelligence service, and criminal who discovers it.
The EU Chat Control Debate Continues
The European Commission’s proposed “Chat Control” regulation — which would require messaging platforms to scan all private messages, including encrypted ones, for child sexual abuse material (CSAM) — remained deadlocked through 2025 and into 2026. Multiple EU member states, led by Germany, have blocked the proposal in the Council, arguing that mass scanning of private communications is incompatible with fundamental rights. However, the Commission has not withdrawn the proposal, and a revised version that would make scanning “voluntary” (but with strong incentives) is under discussion.
The pattern is consistent across jurisdictions: governments use child safety as the justification for breaking encryption, but the infrastructure built would enable surveillance of any content, for any purpose, at any time.
Data Broker Loopholes: Buying What You Can’t Legally Spy On
Perhaps the most insidious surveillance expansion has been the quietest. US government agencies — including the FBI, DHS, IRS, and military branches — have spent hundreds of millions of dollars purchasing location data, web browsing data, and other personal information from commercial data brokers. This data, collected from smartphone apps and advertising networks, provides surveillance capabilities that would require a warrant if obtained directly. By purchasing it on the open market, agencies argue they don’t need one.
In 2025, a partially declassified report from the Office of the Director of National Intelligence acknowledged that the volume and sensitivity of commercially purchased data “in some cases may be as revealing as the content of communications” that the Fourth Amendment protects. Despite this admission, no legislation has been passed to close the loophole.
Automated License Plate Surveillance Goes Nationwide
Flock Safety, the dominant provider of automated license plate reader (ALPR) cameras in the United States, now operates networks in over 5,000 communities. The company’s cameras photograph every passing vehicle and feed the data into a searchable national database. Law enforcement can query the system to track any vehicle’s movements across jurisdictions — effectively creating a retroactive GPS tracker for every car in the country, without a warrant. In 2025, Flock expanded its systems with AI features that can categorize vehicles by type, color, and even bumper stickers.
The Growing Resistance
Signal Becomes the Default
The encrypted messaging app Signal crossed 100 million monthly active users in 2025, driven partly by government overreach. Every time a government announces plans to break encryption, Signal downloads spike. The app has become the default communication tool for journalists, activists, lawyers, and an increasing number of ordinary people who simply don’t want their conversations read by anyone else.
Signal’s resistance has been principled and absolute. The organization has repeatedly stated it will shut down operations in any jurisdiction that requires it to compromise encryption. This stance has made Signal the benchmark against which other encrypted services are measured.
Privacy-First Jurisdictions Strengthen Protections
Switzerland tightened its Federal Act on Data Protection (revDSG) in 2025, expanding individual rights and increasing penalties for violations. The revised law strengthened Switzerland’s position as one of the world’s most protective jurisdictions for personal data — and one of the few where intelligence agencies face genuine legal constraints on domestic surveillance.
Iceland, already home to some of the world’s strongest press freedom and data protection laws, passed additional legislation restricting government access to communications metadata without judicial authorization. These jurisdictions are proving that strong privacy protections and functional government are not mutually exclusive.
The VPN and Encrypted DNS Surge
Global VPN usage continued to climb in 2025, driven not just by privacy enthusiasts but by ordinary users in countries with aggressive surveillance regimes. Mullvad VPN, which accepts cash payments and requires no account information, reported record growth. Encrypted DNS services (DNS-over-HTTPS and DNS-over-TLS) became default settings in Firefox and Brave, preventing ISPs and governments from monitoring which websites users visit.
Courts Push Back on Mass Surveillance
In a landmark 2025 ruling, the European Court of Human Rights found that the UK’s bulk interception regime — even as reformed after the Snowden revelations — violated Article 8 (right to privacy) of the European Convention on Human Rights. The ruling didn’t ban bulk interception outright but established that mass surveillance programs require far stronger oversight, authorization, and safeguards than currently exist in most countries.
In the US, a federal appeals court ruled that geofence warrants — which compel Google to identify every person who was near a specific location at a specific time — constitute unconstitutional general searches in violation of the Fourth Amendment. Google subsequently announced it would move location data storage to users’ devices, making geofence warrants technically impossible to fulfill.
Grassroots Encryption Adoption
Perhaps the most powerful form of resistance isn’t legal or political — it’s technical. Encrypted email (via Proton Mail and Tuta), encrypted cloud storage, encrypted messaging, and encrypted DNS are all growing faster than their unencrypted equivalents. Each user who adopts end-to-end encryption removes themselves from the pool of easily surveilled communications. At sufficient scale, this makes mass surveillance technically impractical, regardless of what the law allows.
What You Can Do
Government surveillance feels overwhelming because it’s designed to. The goal is to make resistance seem futile, compliance seem inevitable. But the tools to protect yourself exist and are often free:
- Use end-to-end encrypted messaging. Signal for personal conversations. No exceptions, no compromises.
- Encrypt your email. Proton Mail and Tuta both offer free tiers with end-to-end encryption.
- Choose your jurisdiction. Data stored in Switzerland, Iceland, or the EU has stronger legal protections than data stored in the US, UK, or Australia (the Five Eyes countries).
- Use a VPN. Mullvad or IVPN — both accept anonymous payment and keep no logs.
- Encrypt your DNS. Use DNS-over-HTTPS in your browser or system-wide. Quad9 (9.9.9.9) is a good privacy-respecting option.
- Minimize your data footprint. Every piece of data that doesn’t exist can’t be surveilled, breached, or subpoenaed. Start by removing yourself from data brokers — our free Data Purge tool walks you through opting out of the major brokers that sell your personal information to advertisers, insurers, and government agencies.
The surveillance state depends on two things: legal permission and technical access. You may not be able to change the laws overnight, but you can absolutely limit the technical access — starting today.
I Am NOT The Product was built on this principle: Swiss-hosted, zero-knowledge encrypted, and architecturally designed so that even we can’t access your data. Because the best defense against surveillance isn’t trusting the right company — it’s making surveillance technically impossible.