Skip to main content
Podcast Episode: Fighting Enshittification

Counter-Surveillance Success Stories

Counter-Surveillance Success Stories


During the World Cup in Rio de Janeiro, police monitored and preemptively arrested dozens of people who they assumed were plotting to commit crimes during a final World Cup match protest. The DRCI (Bureau for the Repression of Computer Crimes) led the investigation, which was largely conducted by wiretapping phones and monitoring protesters’ public social media postings.

São Paulo, Brazil

In an effort to make crypto available to the general public in Brazil, a group of São Paulo activists organized a free event, termed “CrytpoRave,” that provided digital rights enthusiasts from all backgrounds a full 24 hours of partying, activities, talks, debates, and workshops on topics about security, cryptography, hacking, freedom of speech, and privacy.

Mexico DF

When Mexican president, Enrique Peña Nieto, presented the Mexican Telecommunication Law, also known as the "Ley Telecom," human rights defenders and privacy watchdogs were alarmed to find that the proposal contained articles that would directly attack net neutrality, allow for Internet censorship and expand law enforcement powers to spy their citizens. By organizing a community CriptoRally and a series of security workshops, digital rights activists provided Mexican citizens with effective and practical tools to fighting the Ley Telecom. 

Berlin, Germany

Early on July 31, 2007, the German federal police arrived at the residence of journalist and net activist, Anne Roth and her partner, Andrej Holm. Andrej Holm is an urban sociologist working on issues of gentrification and urban development. As the armed police entered their home, they aggressively arrested Andrej and raided their home for 15 long hours.  Rightfully confused, Anne called a lawyer and was later informed that her partner was a terrorism suspect.

Activist, Anne Roth, tells her story about what it was like to live with a partner who was targeted under German anti-terrorism surveillance law. Anne decided to blog about her spying experience to protect her family’s privacy.

Berlin, Germany

In 2006, the European Union (EU) issued a directive, called the Data Retention Directive, which required communications service providers in Europe to retain a wide-range of data on its users—including location and calling information—for at least six months and up to two years. This law affected all; with the retained information, governments could paint a technical picture of each and every EU citizen’s daily life, movements, and habits. Each EU country was required to implement the directive on a national level.  

German politician and privacy advocate, Malte Spitz, exposed just how much metadata reveals about a person by creating an interactive map of his user data that was collected by his telecommunications provider under the German Data Retention law. The data retention mandate compels all ISPs and telecommunications service providers in Germany to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a certain period of time. This data depicted a disturbingly-accurate portrayal of his movements and actions over a period of six months.


The EU Data Retention Directive (DRD), adopted by the European Union in 2006, is the most prominent example of a mandatory data retention framework. The highly controversial Directive compelled all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of six months to two years. Since its passage, the EU Data Retention Directive has faced intense criticism.

The highly controversial EU Data Retention Directive compelled all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of six months to two years. An Irish constitutional challenge brought by Digital Rights Ireland (DRI) against its 2009 data retention law was referred to the European Court of Justice (ECJ). In 2014, the ECJ declared the Directive invalid.


The European Data Retention Directive compels all ISPs and telecommunications service providers operating in Europe to collect and retain a subscriber's incoming and outgoing phone numbers, IP addresses, location data, and other key telecom and Internet traffic data for a period of six months to two years. This European data retention mandate was introduced in order to increase availability of telecommunication data for the purposes of investigating and prosecuting serious crimes.

When Poland implemented the European Data Retention Directive, a law that compelled telecommunications services to retain metadata for a certain period of time, Poland not only opted for the most privacy-intrusive law but in some respects went further than what was permitted by the EU directive. For over five years, Panoptykon fought against its dangerous implementation as well as other laws that allow for non-targeted surveillance.

United States

We entrust our most sensitive, private, and important information to technology companies like Google, Facebook, and Twitter. Collectively, these companies are privy to the conversations, photos, social connections, and location data of almost everyone online. The choices these companies make affect the privacy of every one of their users. So the question is: Which companies stand with their users, embracing transparency around government data requests? Which companies have resisted improper or overbroad government demands by fighting for user privacy in the courts and in the legislature?

Who Has Your Back is an annual report released by the Electronic Frontier Foundation that evaluates a set of select companies’ policies with regard to how they treat user data when governments demand access. The report seeks to promote competition by creating a “race to the top” amongst companies who stand up for their users’ privacy in the legislature and in the courts whenever it is possible to do so.

Amsterdam, the Netherlands

Bits of Freedom (BOF) works to demand transparency when Dutch companies, like internet services providers, receive data requests from Dutch law enforcement agencies. BOF uses different tactics to ensure companies—many of whom are unsure of the legality of publishing transparency reports—understand the laws surrounding such practices.


The Dutch digital rights organization, Bits of Freedom, showcases their ongoing work on advocating for transparency when law enforcement agencies request user data from companies.


In Canada, millions of state requests for data from telecommunications companies are made annually for the purpose of surveillance.  As a result of work done by Christopher Parsons of Citizen Lab and the organization’s partners, Canadians have a better understanding of domestic state surveillance operations than they did just one year ago.

Canadian federal government agencies, like many government agencies around the world, often request user data from telecommunications agencies for the purpose of surveillance. With few regulations in place that force governments or corporations to explain how Canadians' telecommunications information is accessed or processed, the Citizen Lab along with its’ partners, worked over the course of a year to compile and disseminate lawfully accessible data that showed how often, for what reasons, and on what legal grounds telecommunications companies in Canada provided their subscribers' data to state agencies.

Brussels, Belgium

In 1995, the European Union (EU) adopted the Data Protection Directive (Directive 95/46/EC), which protected individual privacy by regulating the processing of personal data within the European Union. In 2012, the European Commission proposed a reform to the Directive in light of technological developments and the obvious need for greater privacy protection online.

During the consultation process before the finalization of the European Commission's reform of the European Union’s Data Protection directive, European Digital Rights (EDRi) proposed legislation that would prohibit US companies from retrieving personal data without European oversight.

Zimbabwe, Africa

In October 2013, the Zimbabwean government implemented a new law that required telecommunications providers to establish a subscriber database of all SIM card holders—connecting a subscriber’s phone numbers to the subscriber’s name, address, gender, nationality, and passport or ID number. Under the law, service providers were compelled to regularly hand over SIM card registration data to the government, who would then establish its own central subscriber information database. The database would then be available to law enforcement or national security upon simple written request.

When the government of Zimbabwe adopted a new law requiring telecommunications providers to establish a subscriber database of all SIM card holders, the Zimbabwe Human Rights NGO Forum fought back.

United Kingdom

On June 14, 2012, the UK Home Office published the Draft Communications Data Bill, which proposed the extension of data retention mandates from telecom to Internet companies.The draft bill gave the Home Secretary power to compel internet and phone companies to retain records of our calls, emails, texts, and web visits. The mandatory data retention bill was paired with provisions that allowed the police and intelligence services to obtain these records.

Liberty launched a branded campaign called “No Snoopers’ Charter” that showcased the power of communication data to reveal vast amount of private facts about a person. By painting the problem broadly, Liberty was able to engage its’ members, the media, and the public through many different avenues, including through social media channels.


(Published December 2012) Laws mandating the storage of Internet users’ traffic data have stood out for years as a threat to privacy rights in the digital realm. While the European Union’s highly controversial Data Retention Directive required EU member states to pass laws requiring Internet service providers (ISPs) to log communications data for up to two years, an even more extreme proposal surfaced in Argentina in 2005. Then-President Nestor Kirchner, who has since passed away, issued a decree amending the National Telecommunications Law of 2003.

Extreme mandatory data retention law overturned in the face of public scrutiny


(Published December 2012) Since the late 1990s, Canada has seen numerous proposals for so-called “lawful access” legislation seeking to grant police more power to intercept digital communications and access subscriber information without a warrant. Initially, the government’s latest bid for these new powers was included in an omnibus crime bill containing a host of troubling provisions. This legislative package was tabled in the fall of 2011, but no sooner did opponents of invasive online surveillance practices breathe a sigh of relief than Canada’s Bill C-30 emerged.

Online surveillance legislation put on hold after mass opposition

United Kingdom

(Published December 2012) When the UK Home Office announced its plans to implement a national biometric identity card, alarm bells went off for privacy advocates  – and the battle lines were drawn for a persistent opposition campaign that finally claimed victory eight years later.

Biometric ID Database Dismantled In Face of Public Opposition


(Published December 2012) In 2008, a Chilean website called (“strike” in English) was approached by the Cyber Crime Section of the Chilean Police. The law enforcement agency demanded that the webmaster hand over data related to pseudonymous user accounts, such as IP addresses, records of previous connections, names, and physical addresses. The targeted pseudonymous users had left comments on the website about an ongoing strike.

Privacy-invasive police requests for IP addresses successfully challenged

Subscribe to Counter-Surveillance Success Stories

Back to top

JavaScript license information