Internet Freedom Monthly: News Recap, April 2026
April produced one hell of a dominant pattern running across 34 stories at the same time, with governments tightening control over information on every front simultaneously, using every tool available and every excuse that tested well. A journalist jailed for Facebook posts in Vietnam. A photographer sentenced to ten years for filming a fire in Bahrain. ICE deploying zero-click spyware on US soil and calling it drug enforcement. The EU's own age verification app cracked in under two minutes, then patched, then still being mandated as the infrastructure of the future.
This recap covers 34 articles published in April 2026. The tools varied from story to story, with espionage charges in Hungary, a biometric dragnet in Germany, and a $707 million budget cut to America's top cybersecurity agency, but the mechanism held constant: power shrinking the space where information moves freely, with the people on the receiving end told it was for safety, children, or national security. The excuse rotates. The direction doesn't change.
India Wants to Turn Every Platform Into a Government Compliance Machine
India's government has spent years ordering platforms to remove political content, cutting internet access during elections and protests, and watching courts stay its own censorship mechanisms, only to keep finding new regulatory angles. The draft IT Rules amendments MeitY published on March 30, 2026, land squarely in that tradition, proposing changes that hand the executive binding control over online speech without going near parliament or a judge, wrapped in the ministry's language about an "open, safe, trusted, and accountable internet." The public comment window was fifteen days, which Internet Freedom Foundation researchers said was insufficient time to respond to changes that could reshape the entire platform governance framework.
The White House Now Wants to Track Every Mail-In Ballot Voters Cast
The Trump administration has spent over a year insisting that non-citizen voting is a crisis threatening American elections, despite decades of audits, recounts, and investigations consistently showing it is extraordinarily rare, and so naturally the response is a federal database of every American citizen's immigration and identity records cross-referenced against voter rolls in all fifty states, with barcodes on mail-in ballot envelopes and prosecution threats for anyone who doesn't comply. The infrastructure to surveil every ballot cast is being built in the name of a problem that credible investigations have consistently failed to find.
Hungary Charges Journalist with Espionage for Reporting on Russian Influence
Szabolcs Panyi already knew Hungary's government was reading his messages, given that Amnesty International confirmed his phone had been infected with Pegasus spyware in 2021 while he was investigating the Orban circle, but on March 26, Gergely Gulyas announced criminal espionage charges against Panyi for his work at investigative outlets Direkt36 and VSquare on suspicion of coordinating with foreign intelligence services. With Hungary's judiciary now largely under executive control, the charges serve as both punishment and warning, with no independent court left to meaningfully push back.
OpenAI Built a Child Safety Coalition Around Rules It Stands to Profit From
OpenAI spent years lobbying against California child safety legislation, opposing the bill that would have tightly restricted kids' access to AI chatbots, pushing a weaker alternative, and introducing a competing ballot initiative to kill the one Common Sense Media filed and then showing up as the driving force behind a new child safety coalition pushing age verification standards that its own products are positioned to implement. The coalition frames its work as protecting children, but the specific standards it advocates map almost exactly onto infrastructure OpenAI is already building and stands to monetize.
Happy Fact-Checking Day – Governments Are Using It to Censor You
International Fact-Checking Day on April 2 is a genuine occasion worth acknowledging, given that the vocabulary of disinformation, harmful content, and information integrity took a decade to build by independent journalists and researchers trying to give the public better tools against manipulation. But governments in Brazil, India, the EU, and the US have systematically co-opted that vocabulary to justify blocking content that embarrasses them politically, with "fact-checking" becoming the procedural cover for what is functionally political censorship. The language built to protect the public is now being used against it by the same institutions the public built it to hold accountable.
Vietnam Sends a Journalist to Prison for Posting About Politics on Facebook
Huynh Ngoc Tuan served ten years in Vietnamese prison for critical political writings, and his daughter Huynh Thuc Vy was later jailed for a blog post that included defacing a Vietnamese flag, and now Tuan, who resumed journalism after his release, is heading back to prison, this time for posting about politics on Facebook in a country where that is, apparently, a criminal offense with a significant sentence attached. Vietnam has spent decades making clear that political journalism is not a career it tolerates, and every returned sentence confirms that the government intends to keep it that way.
ICE Is Deploying Zero-Click Spyware on US Soil and Calling It Drug Enforcement
The Biden administration paused ICE's contract with spyware maker Paragon Solutions in October 2024 under an executive order prohibiting federal agencies from using commercial spyware that poses risks to national security, but the Trump administration reinstated it because the same zero-click surveillance capability that was a national security risk one administration ago is now drug enforcement, and the legal constraints that applied in 2024 apparently do not apply in 2025. "Zero-click" means no interaction is required from the target: the phone is compromised before the person being surveilled does anything at all.
Pill Testers Posted a Killer Opioid Warning Before a Festival, and Meta Deleted It
Australian pill testing organizations exist specifically to identify dangerous substances in the drug supply and warn people before they end up in ambulances, and when one of them posted an opioid warning ahead of a music festival, naming the specific lethal compound circulating in that batch, Meta deleted it for violating drug content policies, with no mechanism to distinguish between content promoting drug use and content explicitly designed to prevent overdose deaths. The people doing public health harm reduction work are being moderated by an algorithm that cannot tell the difference between a warning and an advertisement.
Not One Government Has Been Convicted for Deploying Spyware on Its Own People
Intellexa's founder Tal Dilian was sentenced to prison for his role in Greece's Predator spyware scandal, making him the rare commercial actor to face consequences, but not one government official across any of the EU member states implicated in spyware use has faced criminal charges, despite the EU's own PEGA inquiry finding illegitimate use in at least four member states and linking at least eighteen to commercial spyware purchases. Every international instrument designed to hold governments accountable for surveillance abuse has produced investigations, reports, and non-binding recommendations, and that is where accountability ends.
Iraq Banned Telegram to Silence Armed Groups, and VPN Downloads Already Spiked
Iraq's federal government blocked Telegram starting around April 3, citing its use by armed factions to coordinate drone activity, hitting major cities including Baghdad, Basra, Najaf, Saladin, Kirkuk, and Diyala while leaving the Kurdistan region unaffected, and VPN sign-ups in Iraq spiked 1,200% in the days following the ban, with usage continuing to climb as of April 7. Governments keep treating platform bans as a tool for silencing armed groups and keep discovering that the groups adapt immediately while everyone else loses access to their primary communication infrastructure.
Trump Is Slashing $707M From the Agency Keeping America's Networks Safe
Trump's FY2027 budget proposes cutting $707 million from CISA, the top federal cybersecurity agency, while eliminating its programs that counter foreign misinformation and propaganda, with the White House labeling it a "hub in the Censorship Industrial Complex." That is the same agency Trump created in 2018 and that he turned on after it accurately debunked his 2020 election fraud claims. Gutting the agency responsible for protecting critical infrastructure and election security, on the grounds that it once said true things that were politically inconvenient, is the kind of institutional sabotage that does not advertise its own consequences.
Lithuania Moves to Politicize Its National Broadcaster Amid Mass Protests
Lithuania's ruling coalition has been pushing to reshape the governance of national broadcaster LRT since late 2025, using a politically motivated audit as the pretext, and the revised proposal goes further than the original, expanding political representation on the supervisory council and granting it powers that legal experts say amount to editorial censorship over a broadcaster that Lithuanian law explicitly protects from political interference. Mass protests have followed, but politicians have publicly said they intend to push the legislation through regardless of public opposition.
Greece's Predator Case Has a Verdict and a Loophole, and the Loophole Is Winning
Greece's Supreme Court was assigned to investigate the Predator spyware scandal on April 7, 2026, after Athens prosecutors split the case file and forwarded its most serious component, but a misdemeanor court had already sentenced four defendants, including Tal Dilian, to a combined 126 years in prison, with Greece's five-year statute of limitations for misdemeanors meaning that charges dating to early 2021 are expiring daily and the clock is functionally dissolving the case before the serious charges have even been heard. A conviction exists, but accountability for the officials who ordered the surveillance does not.
Estonia Rejects EU Social Media Ban, Says Brussels Should Be Targeting Big Tech
The European Parliament passed a non-binding resolution in November 2025 calling for an EU-wide minimum age of 16 for social media, but Estonia's Justice and Digital Affairs Minister Liisa Pakosta rejected the approach, saying blanket age verification is easily bypassed and the actual target should be enforcing existing EU law against the platforms, making Estonia and Belgium the only two member states to decline the Jutland Declaration, a pan-European age verification commitment signed in October 2025. The argument that the DSA already gives regulators the tools they need, and the problem is enforcement rather than new surveillance infrastructure, is the correct one, and almost nobody in Brussels wants to hear it.
Massachusetts House Votes to Ban Kids From Social Media Against the Evidence
The Massachusetts House voted 129-25 on April 8 to ban children under 14 from social media, with parental consent required for 14- and 15-year-olds, mirroring Florida's HB 3, which has been partially blocked, contested, and partially reinstated by a divided federal appeals court since it passed in 2024, and a large-scale 2025 University of Manchester study found no consistent evidence that social media use causes harm to youth mental health, joining a series of systematic reviews reaching similar conclusions. The evidence base for these bans does not exist, and legislators are passing them anyway, which tells you what this is actually about.
Tunisia Sentences a TV Commentator to 18 Months in Prison for Migration Remarks
On April 13, 2026, a Tunisian appeals court upheld the conviction of political commentator and lawyer Sonia Dahmani, reducing her sentence to 18 months under Decree-Law 54, for remarks she made on Carthage+ TV in 2024 about racism and migration, which is all the offense consisted of, an opinion about a political topic expressed on a television program. Dahmani is a CPJ 2025 International Press Freedom Award winner whose case has drawn international attention without producing any change in Tunisia's approach to prosecuting speech it finds inconvenient, and Decree-Law 54 has become the primary instrument for silencing commentators across the political spectrum.
Germany Is Building the Biometric Dragnet the EU Explicitly Banned
Germany's federal cabinet moved a legislative package in April expanding BKA and federal police powers to include automated biometric online image matching via a new provision in the Code of Criminal Procedure, allowing dragnet searches that compare photos of suspects against publicly accessible social media images at scale, despite the EU AI Act nominally prohibiting real-time remote biometric identification in public spaces. Legal experts pointed out that automated comparison of millions of web images in fractions of a second is technically impossible without first building exactly the kind of structured, searchable face database the regulation was designed to prevent, making the government's assurances that "no permanent state image database will be built" largely meaningless.
The US Government May Be Treating VPN Users as Foreigners to Spy on Them
NSA targeting rules may classify VPN users as foreign intelligence targets regardless of US citizenship, with the underlying logic being that routing traffic through a VPN creates enough ambiguity about the user's national origin to justify applying foreign collection authorities, meaning the act of protecting your privacy online could be the trigger that strips the legal protections you were using a VPN to preserve. There is no disclosed legal constraint confirmed to prevent this, and the people most likely to be using VPNs for legitimate privacy reasons are precisely the population most affected by a rule that treats privacy-seeking behavior as a foreignness signal.
Google Promised to Warn Users Before Giving Data to Cops and Then Didn't
Google made a public commitment to notify users before handing geofence and keyword warrant data to law enforcement, giving people at least some opportunity to seek legal protection before their location history or search queries were turned over, and then broke it, handing data to law enforcement without the promised notification in cases where it decided the circumstances justified skipping that step. A privacy commitment that evaporates whenever compliance becomes inconvenient is not a privacy commitment. It is a press release, and treating it as anything more than that is a mistake users are paying for.
Four Journalists Sentenced in Turkey for Commentary That Offended the Wrong People
Four journalists were sentenced by Turkish courts in April for commentary and opinions expressed in their published work, with the charges framing editorial positions as offenses against individuals with sufficient political connections to bring criminal complaints, continuing a pattern in which Turkish courts have functioned as a mechanism for suppressing press criticism through the threat and reality of criminal conviction rather than through any transparent censorship regime. Turkey has been running this playbook long enough that it barely registers internationally anymore, which is precisely what makes it effective.
The EU Built a Free Age Verification App That Still Demands Your National ID
The EU released a free age verification app designed to give member states a ready-made compliance tool ahead of Digital Services Act enforcement timelines, but the app still requires users to submit their national identity document to complete verification, meaning the "free" infrastructure solution being offered to platforms is built on a foundation of mandatory national ID collection for anyone who wants to access age-restricted content online. The fact that the app is free does not change what it costs users to use it.
Algeria Arrested Its Most Persistent Journalist Before the Pope Arrived
Algeria arrested its most frequently imprisoned journalist again in April, with the timing falling just before Pope Francis's visit, an occasion involving substantial international press attention, suggesting the government moved to remove a persistent critical voice from the landscape before foreign journalists descended on the country. The journalist's repeated arrest and release cycle is itself a story about how Algeria manages its press environment, not with a single definitive suppression but with a pattern of disruption designed to exhaust the people doing the work.
The EU's Age Verification App Was Hacked in Two Minutes and Patched the Next Day
Security consultant Paul Moore bypassed the EU's free age verification app in under two minutes by deleting two values from a plain-text, user-editable config file, the same file that controlled PIN encryption and rate limiting, and the vulnerability was patched within 24 hours, which is impressively fast and entirely beside the point given that the app is being positioned as critical digital infrastructure for age verification across the EU. An age verification system that can be bypassed by editing a config file is not a security system. It is a compliance checkbox with a known workaround built into its architecture.
Agencies Failed Three Girls in Southport and the UK Wants to Ban VPNs as an Answer
The Southport attack involved documented failures by multiple statutory agencies that had contact with the attacker before the killings, but the UK government's response has included calls to restrict VPN access on the grounds that VPNs were used to access content that may have radicalized him, treating privacy infrastructure used by millions of people as a contributing cause of an attack whose actual causes are documented in agency failure reports. Banning VPNs would not have prevented Southport, would not prevent the next attack, and would remove a privacy tool from everyone who uses it legitimately in exchange for the political appearance of doing something.
Italy's Postal Service Turned Banking Apps Into Spyware and Got Fined $15M for It
Italy's Garante fined Poste Italiane 6.6 million euros and its payments subsidiary Postepay 5.9 million euros for illegally processing millions of users' personal data through the BancoPosta and Postepay apps, which made invasive device-level data collection a condition of using what are, for many Italians, essential financial services, meaning users had no meaningful choice about consenting to surveillance of their devices if they wanted to access their own bank accounts. The fine is significant by European standards and represents a real enforcement action, but it landed years after the collection had already occurred at scale.
Arkansas' Social Media Censorship Law Got Blocked in Court for the Third Time
On April 20, 2026, a federal court blocked Arkansas Act 900 on First Amendment grounds, issuing a preliminary injunction that marks the third time the state has had a social media age-gating law stopped by a court, after its original Act 689 was permanently blocked and a second attempt met the same fate, with the court finding that requiring minors to obtain parental consent to access social media constitutes a prior restraint on constitutionally protected speech. Arkansas has now invested significant legislative and legal resources in three consecutive attempts to pass a law that federal courts keep finding unconstitutional.
PlayStation Rolls Out Age Verification in UK and Ireland With No Announcement
Sony began rolling out age verification for PlayStation accounts in the UK and Ireland with no formal press release, announcing it only through a quietly updated FAQ page and an email to existing users, with adult accounts set to lose access to certain features from June 2026 unless they verify their age, meaning Sony moved age-gating infrastructure into production affecting millions of users while actively minimizing public attention to the rollout. Not verifying your age from June 2026 means losing functionality on hardware you already bought, which is a fairly significant change to communicate through a FAQ update.
The Fight for Encryption We Keep Coming Back To
The battle over encryption has the same structure every time, with governments arguing that end-to-end encryption prevents them from detecting serious crimes, proposing backdoor or scanning requirements framed as targeted and limited, and security researchers explaining that a backdoor accessible to authorized parties is a backdoor accessible to anyone who can compromise those parties, and then the debate resets. The current legislative pressure on encryption, from the EU's Chat Control to the UK's Online Safety Act, connects to the longer history of attempts to weaken cryptographic standards, and the technical argument against backdoors has not changed because the underlying mathematics has not changed.
How and Why Online Regulation Is Increasingly Being Written by Telecom Realities
Internet governance is not decided by the institutions nominally responsible for it, including ICANN, the ITU, and national legislatures, but shaped substantially by the physical and commercial infrastructure through which traffic actually flows, with submarine cable routes, peering agreements, and telecom market concentration functioning as de facto regulatory mechanisms that operate below the level of public policy debate. The analysis covers how chokepoints in the physical internet create leverage for governments and corporations to filter, surveil, and block traffic in ways that formal governance frameworks are not designed to address or even see.
Latin America's Digital Squeeze: Who Controls Online Speech?
The real shift in Latin American internet freedom is no longer about access or infrastructure but about who decides what speech stays online, with governments across the region, including Brazil, Mexico, and Venezuela, moving to legislate content moderation in ways that give state actors formal mechanisms to demand removal of politically inconvenient content under frameworks that nominally target disinformation or harmful speech. The pattern maps closely onto what happened in Europe a few years earlier, with the key difference being that Latin American governments are adopting the regulatory vocabulary of platform accountability while using it more nakedly to target political opposition.
Why Central Asia Is Becoming One of the World's Most Overlooked Internet-Control Regions
Across Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, and Turkmenistan, governments have steadily expanded their control over internet infrastructure through a combination of platform blocking, content filtering, connectivity shutdowns during political unrest, and legal frameworks that criminalize speech critical of state officials, largely without the international attention that comparable developments in Russia or China attract. Central Asia's internet control environment is not a recent development. It is a mature system that has been built out over two decades and is now being reinforced with more sophisticated technical tools and tighter legal frameworks.
Western Democracies Are Hijacking the Internet Just Like Authoritarian States
France is ramping up DNS blocking to fight piracy and extending it to third-party resolvers, the ones people use for privacy or reliability, in a country that presents itself as a free democracy, and the pattern holds across Western Europe and North America, with governments that loudly criticize Chinese and Russian internet control adopting technically similar measures under different justifications. The gap between what Western democracies say about internet freedom and what their actual policy trajectory looks like has been closing for years, and April 2026 produced multiple examples of that gap closing further.
Stop Begging Big Tech for Privacy When They Sell it to the State
Tech executives post privacy manifestos while their companies operate data extraction infrastructure that governments can tap through legal process, contractor relationships, and informal cooperation, across apps, cloud logins, ad tech platforms, and government contractor systems, and the gap between the stated commitment and the operational reality is not a bug or a lapse but a structural feature of how these businesses generate revenue. Asking the same companies that profit from data collection to protect you from the governments that can legally compel that data is the wrong framework, and April's coverage of Google's broken notification commitment and Meta's content moderation choices illustrates why.
Sayed Baqer Al-Kamel Filmed a Fire in Bahrain and Got 10 Years for It
Bahraini freelance photographer Sayed Baqer Al-Kamel was sentenced to 10 years in prison on April 28, 2026, after filming a burning high-rise in Bahrain's Seef district and posting the footage online, with the conviction resting on charges of promoting pro-Iran sentiment, meaning Bahrain's government looked at a man filming a fire and decided the real offense was what the footage implied about the state's relationship with Iran. Ten years for documentation of a fire is not a misapplication of a law designed for something else. It is the law working as Bahrain's government intends it to work.
Be part of the resistance, quietly.
Get Mysterium VPN
Dominykas is a technical writer with a mission to bring you information that will help you in keeping your digital privacy and security protected at all times. If there's knowledge that can help keep you safe online, Dominykas will be there to cover it.
Related Articles
.png)
.png){kind=small}
