We Need Our Claws Out to Protect our Privacy and Fundamental Rights
I share some of my favorite organizations, tech & laws for maintaining purr-sistent resistance against fascists, big tech, and the broligarchy. Also a lovely cat-themed book (and pictures!)
<shameless self-promotion>
I will be a guest on two live podcasts discussing various AI things, the law, and probably some privacy disasters. You should listen in!
Legal4Tech A recovering lawyer’s guide to AI (2025-02-13, at 16:00 GMT).
I’ll be chatting with two different Giacomos (Giacomo Amodio and Giacomo Degasperi) about the fractal complexity of things, AI, and law. I have forewarned them that I may swear.
RegInt: Decoding AI Regulation #19 | LLMs Know What You Posted Last Summer (2025-02-17, at 16:00 GMT).
Peter Hense and Tea Mustać and I will have a collective therapy session about the whole machine unlearning thing, and given how their podcasts normally progress, some zingers about the current state of AI.
PS: If you would like to have me speak (on your blog, at a conference, or within your organization), feel free to reach out. I always like to hear myself talk, and I’ve been told that I’m actually funny sometimes.
</shameless self promotion>
I'm going to be honest with all of you — I am in a low place right now.
As an ex-pat American (now Irish!), it's been hard not to feel like the world itself is imploding, especially after January 20. Enshrined concepts like democracy, fundamental rights, the rule of law, privacy and the protection of our data, and personal autonomy are not only under attack, but are being absolutely crushed under the weight of dictators, billionaires, and big tech. Sometimes, the destruction is being done by people who fit into all three categories.
Now, I want to believe that it isn't as bad as it feels — to be a little less of a privacy Cassandra — but honestly? It all feels so. fucking. bleak. And the news isn’t inspiring much confidence that anything will get better in the foreseeable future.
But I can't write a blog post on the privacy disaster that represents the current state of the world. I mean, I can, but that isn’t very helpful. And nobody really wants to read yet another pundit piece about how Phony Stark, the Dictator-in-Chief, or the Republican Party (or their counterparts around the world) are determined to enact their own blitzkrieg on fundamental rights in America and abroad. So instead, I'm going to:
highlight some of the organizations out there fighting back and doing good in the world;
share some of the tech & companies developing tools that we can all use to protect ourselves;
actually say something nice about laws that are having a positive impact; and finally
recommend a cat-themed book, with helpful kitty-based suggestions on resisting fascists.
Where applicable, I've also included some links to encourage folks to help — either directly, financially, or through evangelism and signal-boosting.
For some of you, I recognize that none of this will be new, and that's ok. To make up for that, I’ve included adorable cat pictures at the bottom. Consider this a suggested list for the folks who feel similarly defeated, and may be looking for answers against what feels like hopeless odds. Or a funny book about cats and cat pictures.
Organizations
There are dozens of nonprofits and NGOs that focus on privacy, data protection, cybersecurity, consumer & fundamental rights. I have not attempted to list them all. Instead, I want to share a few that are near and dear to me. If there are a few near and dear to you, leave them in the comments and details about the good work they're doing.
The Electronic Frontier Foundation: The EFF has been a tireless crusader in protecting online rights, bolstering fair use, championing and defending privacy & civil liberties, protecting journalists, fighting authoritarian policies in the courts, and even developing technologies that protect us all. They work hard to keep privacy nihilism at bay, and even have loads of free guides helping everyone stay private and secure online and in meatspace. (Donate)
Privacy International: Privacy International is the UK cousin of the EFF. They prioritize privacy and digital rights in the UK and EU, but also have a wider, more global base. They're a bit more policy and outreach-focused compared to the EFF, but they have brought over 20 cases in the CJEU, US and UK courts, and the European Court of Human Rights. (Donate)
Access Now: Access Now is a truly global enterprise, and they're far broader than just an advocacy org for privacy and surveillance concerns. They also do a lot of innovative work, like deploying technology teams on the ground to support activists and communities in the parts of the world where human rights are being eroded by the day. As part of their #KeepItOn Coalition, they have successfully reversed government policies that cut off or shut down internet access, and they hold tech companies to account on transparency (which is worth a review!). (Donate)
World Ethical Data Foundation: The folks behind WEDF are near and dear to my heart — I joined their team last year, and while things are still slow-going (and we need more funding!), WEDF has done some amazing work in relation to AI ethics, including developing the Open Standard, providing policy & research on the attack vectors targeting democracies worldwide (y'know, like broligarchies), and building out archives and technical repositories for collecting, sharing, and promoting human rights and fundamental freedoms-relevant information. (Donate)
Spirit Legal: I'll admit I have a soft spot for Peter, Tillman, and all the many stellar lawyers at Spirit Legal, but the bottom line is, they're addressing the collective action problem in a way that actually might lead to positive change: through representative actions (aka, class actions) against big tech companies. The team have some impressive wins under their belt, and just launched a new zinger against TikTok and X in Germany. The lawsuits address violations of German and EU law, particularly the Digital Services Act (DSA), the GDPR, and the new AI Act. In addition to demanding an immediate cessation of unlawful practices by both platforms, the lawsuits seek multi-billion-euro damages. And personally, I hope they're successful: especially against Apartheid Clyde.
Technologies
Let's Encrypt & Certbot: In 2013, the vast majority of websites (83%) were unencrypted. By 2024, that trend had reversed. Now well over 90% of web traffic is encrypted using HTTPS, which ensures that web connections are encrypted and authenticated in transit, protecting them against eavesdroppers, hijackers, and even sloppy governments. Much of this came about because a handful of engineers (Peter Eckersley (RIP), Josh Aas, Eric Rescorla, & J. Alex Halderman) decided to do something about the problem by developing a free, automated, easy-to-use process and software tool (Certbot) that allows domain & website owners to register and install validated encryption certificates to make their sites more secure. (Donate to Let's Encrypt; you can donate to Certbot by supporting the EFF!)
Encrypted Email: Encrypted email is no longer just a thing for techies. Tools like Pretty Good Privacy (PGP) and the GNU Privacy Guard (GPG) have been around for 30 years(!), but few people used them, because frankly, the early implementations required a level of Linux-fu that few had, beyond aged neckbeards and deeply-privacy-focused Germans. Now, we have mail services and easy-to-use GUIs and tools (including Tuta, Mailbox.org, and yes, Proton), who make the process of encrypting email seamless.
I honestly don't care which one of these tools you use, but if you're worried about the prying eyes of government getting access to your emails (and you probably should be, especially if you're a civil servant, woman, trans person, or any other 'undesirable' in the US), ditch Gmail and consider one of these options.
Encrypted Messaging/Communications: I would be remiss if I didn't mention Signal and WhatsApp. While I'm not as optimistic that WhatsApp itself will remain a robust end-to-end encrypted solution (given that it's owned by Meta), the protocol it and Signal are based on is robust, and the spread of these tools has become ubiquitous. Hell, most of Ireland uses WhatsApp (because text messaging here costs a fortune), which means they're less likely to be snooped on by the government. (Donate to Signal)
DeepTech solutions focused on PETs: DeepTech refers to a class of technology companies & startups that are focused on solving large, complex, global challenges. Unlike other startups, they tend to invest loads of resources and time in tackling the problem well before GTM. While the majority of DeepTech firms prioritize global challenges like climate change, health, AI, and quantum computing, there are a number of privacy- and data-protection-focused companies out there.
One of my readers mentioned Utrecht, NL-based Roseman Labs, which is focused on creating shared data lakes using secure multi-party computation (SMPC), a privacy-enhancing technology (PET) that allows parties to share, link, and analyze data without revealing the underlying information itself. Individual records remain private, stored only as secret shares. Zama, based out of Paris, France, is doing interesting things with fully homomorphic encryption (FHE), primarily for (d)apps and the blockchain, but also in relation to ML training. The company's ConcreteML developer library allows data scientists to turn regular training models into homomorphic equivalents, protecting user privacy and personal data. Other tools, like PySyft by OpenMined, combine these approaches, along with differentially private techniques.
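To make the "secret shares" idea concrete, here is an added toy example of my own (not Roseman Labs' code, and not a production SMPC library): three parties compute a joint total using additive secret sharing, so each party only ever sees random-looking shares of the others' inputs. It assumes honest-but-curious parties (everyone follows the protocol) and uses a constructed hospital-count scenario.

```python
import secrets

# All arithmetic is modulo a prime so each share is a uniformly random field
# element: holding fewer than all n shares reveals nothing about the value.
PRIME = 2**61 - 1  # Mersenne prime, large enough for realistic counts/totals


def split_secret(value: int, n_parties: int) -> list[int]:
    """Split `value` into n_parties additive shares that sum to value mod PRIME."""
    if not 0 <= value < PRIME:
        raise ValueError("value must be a non-negative integer below PRIME")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)  # last share fixes the sum
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recover a secret; this only works when *every* share is present."""
    return sum(shares) % PRIME


def secure_sum(private_inputs: list[int]) -> tuple[int, list[list[int]]]:
    """Compute the total of everyone's input without any party seeing another's.

    Returns (total, views): views[j] is the list of shares party j held, so a
    reader can confirm that no single view contains another party's raw input.
    Security model (assumption): honest-but-curious parties, no collusion of
    all-but-one party, and private channels between parties.
    """
    n = len(private_inputs)
    # Step 1: each party i splits its own input and sends share j to party j.
    distributed = [split_secret(v, n) for v in private_inputs]
    # Step 2: party j only ever sees distributed[i][j] for each sender i.
    views = [[distributed[i][j] for i in range(n)] for j in range(n)]
    # Step 3: each party publishes the sum of the shares it holds, not the shares.
    partial_sums = [sum(view) % PRIME for view in views]
    # Step 4: the published partial sums reconstruct the total and nothing else.
    return reconstruct(partial_sums), views


if __name__ == "__main__":
    # Constructed example: three hospitals each hold a private patient count.
    counts = [120, 45, 310]
    total, views = secure_sum(counts)
    print(f"total = {total}")  # 475, with no hospital learning another's count
    for j, view in enumerate(views):
        print(f"party {j} saw shares: {view}")
```

Real SMPC systems add authentication and malicious-party protections on top of this; the point here is only that a single party's view is independent of the other parties' data.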
Other Protocols: There appears to be quite a bit of good coming out of the development of cryptographic tools like zk-SNARKs and other privacy-enhancing technologies. A zk-SNARK is a cryptographic process that allows a party to prove that it is in possession of information without revealing the information itself.[1] The most common use-cases for zk-SNARKs are in crypto/blockchain, but they can also be used for identity management, electronic voting, age verification, and other use-cases where one party needs to demonstrate that it meets some criterion (e.g., over 21) without providing additional information (like a government ID).
Laws
The General Data Protection Regulation (GDPR): Say what you will about the GDPR (I definitely have), but it's very clear that it has been effective, at least in raising awareness, if not motivating organizational behavioral change. I've personally helped organizations improve their data practices to meet obligations under the GDPR — whether that's by steering them away from unnecessary data collection, ensuring data remains stored only for as long as is necessary, securing data, and building in privacy & data protection by design and default practices, including DPIAs.
Things could, of course, always be better, and regulators could do a better job actually enforcing against and collecting all those fines (cough DPC cough), but anyone who says that the GDPR hasn't done anything meaningful is either grossly uninformed, lying, or has an agenda.
The Digital Markets Act (DMA): I continue to believe that the DMA is a law that will continue to have positive results far beyond its competitive roots. For one, it’s targeted (and only imposes its burdens on the worst big tech offenders who can afford and have the resources to comply). Another reason it’s so effective is Article 5, which prevents said gatekeepers from leveraging network effects and undue market influence to further enshitify the internet. I wrote a whole bunch about why I love the DMA here. The DMA specifically prevents gatekeepers from using data across their systems without transparency and consent, and this has been a net win for data protection & privacy in a relatively short amount of time.
The AI Act: One of the unambiguous benefits of the AI Act is the outright ban on certain prohibited uses of AI. The list is modest, but impactful, and goes to the heart of preventing some of the worst AI Systems from coming into existence, or continuing to profit off of their data-invasive practices (like Clearview AI, which should have been banned for reals years ago). While the jury’s still out on its application to high-risk systems, I suspect we’ll see more positive outcomes as other parts of the law come into effect.
The CCPA: The CCPA, along with various related advisories and privacy enforcement actions by the CA Attorney General and the California Privacy Protection Agency (CPPA), has forced many big tech and healthcare companies to implement and further improve their data subject request mechanisms (access, rectification, objection, right to opt out of sale/sharing). Along with the growing list of US states adopting their own privacy laws, this has led to behavioral change that promotes actual transparency and grants much-needed data subject rights, even for those who live in states without any protections. The use of 'stipulated judgments' by the California AG has brought modest fines, but far more action. In conjunction with the DELETE Act/Data Broker Registry managed by the CPPA, limits are finally being imposed on data brokers, surveillance capitalists, and other bottom-feeding businesses.
The Illinois Biometric Information Privacy Act (BIPA): I appreciate BIPA, because it's been one of the most effective privacy laws in the US since its inception in 2008, largely because it is the only biometric law that allows for private action. For example, Meta's violations of BIPA through the non-consensual use of its "Tag Suggestions" feature led to a landmark $650 million settlement and positive data protection outcomes for consumers. Other states, including Texas and Washington, are also following suit, though they do not include a private right of action. Sadly, BIPA's standard for calculating violations (originally, every scan/transaction using an individual’s biometric data constituted a violation) was neutered in August 2024, and so it's unclear if it will remain as robust or effective.
Some Light Reading
Finally, I had to share this book recommendation:
Stewart "Brittlestar" Reynolds wrote a cute and very short (49 pages!) handbook on surviving and fighting against fascists, "The Subtle Art of Resistance: Lessons from Cats for Surviving Fascism" (includes an affiliate link). Clearly, anyone who reads this blog can instantly see why I'm recommending it today. Cats, it turns out, are some of the best teachers of surviving and thriving against hostile oppressors (I mean, they put up with gigantic, loud, clumsy gorilla pigs like you and me, after all).
Much of the guidance isn't new, but it is sprinkled with fun kitty wisdom. I’ve summarized some of Brittlestar’s finer points with pictures of my cats:
be unpredictable (take bold leaps, make questionable decisions that have an impact)
use chaos and defiance deliberately & strategically (less blind rage, more strategic knocking over of things)
be nice when necessary, but keep your claws at the ready (aka, employ the soft kitty belly trap)
occupy spaces like you own them (especially when they’re warm and recently-vacated)
don't accept surveillance (leashes or collars); keep yourself hard to find or pin down (remember: the fascist obsession with control depends entirely on knowing where you are).
There's more in these pages, but if you're in a low place, it will at least brighten your day. And with that — I'm off to think about what else can be done, and tracking down another privacy disaster.
Finally, as the EFF notes in its article 'Privacy Isn't Dead', 'Privacy is a process, not a single thing ... We might not always have the upper hand, but we are often able to negotiate.' The same holds true for resistance, and protecting fundamental rights. Don't give in to the monsters — we need to fight them tooth and claw until the bitter end.
[1] My friends over at Least Authority have written the definitive guide on zk-SNARKs. You can check it out here: https://leastauthority.com/community-matters/moonmath-manual/
Oh I should have included open source (even open source with an asterisk) tools in that list, and agggghhhh now I'm sad I didn't.
DeepSeek and the ability to use LLMs or other no code solutions to write your own privacy tools/code will surely have an impact for the better.
And now you've got me thinking of a new article.
Really good post. Lots of stuff I knew, but lots I didn't, and having it all gathered in one place is a really useful thing.
Obviously I'm a little bit obsessed at the moment, but I would put in a plug for DeepSeek and your case analyser as something that's made me optimistic this year. This is less to do with any particular virtue on DeepSeek's side and more that its existence makes it more likely that LLMs are going to be commodity products, rather than magical productivity pixie dust which you can only access if you kiss up to the robber barons.
On your side, you messed around with some LLMs, put that together with your domain expertise, knocked out some code, and made something useful that, three years ago, Lexis would have been charging a small fortune for monthly access to.
If you put those together, extrapolate, and hope, you can imagine a tech scene that's a little bit less concentrated, and a little bit more private and secure: if not the cyberpunk internet we all thought we were going to get in 2002, at least not the current hellscape.