Internet Freedom Weekly: News Recap, May 18–22, 2026
This week governments kept writing rules for themselves and calling it accountability. Canada is mandating encryption backdoors, while its own security agency documented how those get exploited. Georgia stood up a speech surveillance unit with no defined criteria. Indonesia's military branded a human rights defender a foreign agent, had him attacked with acid, and then accused him of staging it. Russia's state messenger has been logging VPN status since September 2025. And that's just some of it.
May 18 through 22 brought thirteen stories across five continents. One of them is genuinely good news.
Australia's Social Media Ban Is Quietly Cutting Teens Off From the News
A February 2026 survey of 1,027 Australian teenagers found that the more affected teens are by the under-16 social media ban, the less news they consume and the fewer chances to discuss the issues they care about.
Teens are losing access to the platforms where news circulates organically among peers. A ban that measurably reduces civic engagement in the generation it claims to protect has a credibility problem child safety framing cannot fix.
Lifeline with a Catch: WTISD Has No Answer for Growing State-Ordered Shutdowns
World Telecom and Information Society Day calls for resilient digital infrastructure as a lifeline for communities. Governments ordered 940 internet shutdowns in the period covered by the latest Access Now data. The ITU's annual event has nothing to say about the most frequent threat to the thing it's celebrating.
The governments ordering blackouts during elections and protests are the same governments at the ITU table endorsing resilience as a shared goal. Treating infrastructure as the problem while ignoring who holds the switch is a political choice, not an oversight.
Indonesia's Military Brands Its Critics as Foreign Agents, Then Follows Through With Violence
A new Amnesty International report documents how Indonesia's military ran coordinated disinformation campaigns branding activists as foreign agents during the first 18 months of the Prabowo administration. Within 48 hours of a protest by human rights defender Andrie Yunus in March 2025, at least 31 military-affiliated accounts posted an identical "foreign agent" video with identical hashtags.
On March 12, 2026, Andrie was attacked with acid in Jakarta and four BAIS intelligence officers were arrested in connection with the assault. A second wave of coordinated posts followed immediately, accusing him of staging the attack for foreign funding.
Fraudulent Copyright Claims Are Silencing Kazakh and Uzbek Journalists
Reporters Without Borders documented a coordinated campaign of fraudulent trademark and copyright complaints filed using real journalists' and companies' identities, including French cosmetics group L'Oréal, to trigger takedowns against independent Kazakh and Uzbek outlets. Complaints were sent from disposable email addresses, and hundreds of posts from outlets including Respublika and BASE vanished from Facebook and YouTube.
The complaints started appearing after Respublika published a critical analysis of President Tokayev's New Year's speech. Meta and YouTube's automated systems processed them without meaningful review, and neither platform has responded publicly with a plan to address it.
Bill C-22 Is Canada's Most Ambitious Surveillance Expansion in a Generation
Canada's Bill C-22 would require electronic service providers to build surveillance access points for law enforcement on demand, retain up to one year of metadata on every user regardless of suspicion, and stay legally silent about government orders. It passed second reading in April 2026, and more than 25 civil society organizations have called for its withdrawal.
The 2024 Salt Typhoon attack, in which China exploited US-mandated wiretap infrastructure, is the case every analyst cites. Canada's own security agency noted that the attack almost certainly targeted Canadian telecoms too. The same administration that documented it is now mandating identical infrastructure on Canadian networks.
Georgia Is Handing Speech Policing to Its Interior Ministry, Without Any Rules
Georgia's Georgian Dream party announced a new Interior Ministry department to proactively monitor public communication, including social media posts and videos, for hate speech and "aggressive communication." The unit will monitor independently, prepare its own legal assessments, and refer cases directly to court. No legal definition of either term has been published.
Tbilisi City Court already fined activists and journalists over social media posts in 2025 under a provision introduced during pro-European protests. A speech surveillance unit with undefined criteria, inserted into that context, is a political tool, and the absence of any criteria is the point.
YouTube Is Asking Users to Enroll in a Biometric Database to Stop Deepfakes
YouTube expanded its Likeness Detection tool to all adults on the platform. To enroll, users submit a government-issued ID and a selfie video. YouTube stores the resulting facial template, legal name, and selfie for up to three years, with an optional consent to let Google use that data to train its AI models.
The deepfake removal mechanism is genuinely useful. But the specific implementation means solving your deepfake problem requires building Google's biometric database for them under terms Google controls. Biometric data cannot be reset after a breach, and the scale Google is building at makes that risk concrete.
Discord Is End-to-End Encrypting Every Voice and Video Call, No Opt-In Required
As of March 2026, every Discord voice and video call is end-to-end encrypted by default, covering direct messages, group DMs, voice channels, and Go Live streams. Discord built its own open-source protocol, DAVE, audited by Trail of Bits, and extended it across desktop, mobile, browsers, and gaming consoles. Text messages remain unencrypted.
This is plainly good news. Discord shipped an open protocol, had it audited, and published the results. The general direction of travel has been toward less encryption, with Meta quietly removing E2EE from Instagram chats and governments across Europe lobbying to weaken it. Discord moved the other way.
EU Member States Are Still Getting Police Data Protection Wrong Eight Years Later
A shadow evaluation commissioned by European Digital Rights covering Bulgaria, France, Germany, Greece, and Slovenia found that implementation of the Law Enforcement Directive remains fragmented and insufficient, eight years after it took effect. In all five states, national laws give police wide discretionary power to refuse data access requests, with Bulgaria and Greece imposing blanket restrictions the Court of Justice has found incompatible with the directive.
Bulgaria continues collecting biometric data from anyone accused of an intentional criminal offense despite the Court of Justice finding it unlawful in two rulings, while France runs facial recognition across millions of records because “the database is too large to search manually.” The EU is expanding cross-border police data sharing on the premise that member states comply with this directive, and they do not.
Tennessee Retiree Jailed for Posting a Trump Meme Wins $835,000 Settlement
Larry Bushart, a 61-year-old retired law enforcement officer, spent 37 days in a Tennessee jail for posting a Trump meme as a Facebook comment in response to Charlie Kirk’s candlelight vigil. The arrest warrant omitted that the shooting the meme referenced was in a different state, 695 miles away, nearly two years earlier. Sheriff Nick Weems later admitted on television that he and his deputies knew this from the start.
On May 20, 2026, Bushart settled a federal civil rights lawsuit for $835,000. The Constitution caught up with the officials who fabricated the legal basis for his arrest, and that is a win worth stating.
Texas AG Goes After Meta's Smart Glasses Over Biometric Privacy Violations
Texas AG Ken Paxton issued a Civil Investigative Demand to Meta over its Ray-Ban AI glasses, targeting an always-on recording mode whose LED does not activate, footage routed to Nairobi contractors who reviewed intimate content, including bathroom visits and sexual activity, and Meta's plans to add facial recognition identifying bystanders without consent.
Meta settled a $1.4 billion biometric privacy lawsuit with Texas in July 2024 without admitting wrongdoing, then shipped a wearable camera product collecting the same category of data, pointed outward at everyone around the wearer.
Russia's State Messenger Can Record You, Detect Your VPN, and Straight-Up Gaslight You
Russia's state-backed app MAX has been mandatory on every new smartphone since September 2025. A security researcher's reverse-engineering found 15 surveillance issues, including VPN detection at five points and a hidden module reporting the user's real IP, device ID, and VPN status to a domain absent from MAX's privacy policy.
Digital rights group RKS Global confirmed 14 claims fully, 6 partially, and none outright false. MAX called the analysis "fake," while the Russian state legislated this app onto every new phone, whitelisted its domain so it survives censorship events that kill everything else, and controls the company that builds it.
Europol Took Down the VPN That Showed Up in Nearly Every Major Cybercrime Case
Europol-led Operation Saffron dismantled First VPN on May 19–20, seizing 33 servers, shutting down its primary domains, and arresting the alleged administrator in Ukraine. Investigators seized the full user database, generating 83 intelligence packages and identifying 506 users internationally across 21 ongoing investigations.
First VPN was built from the ground up for the criminal ecosystem, openly marketed on Russian-language cybercrime forums, and appeared in nearly every major Europol-supported cybercrime investigation in recent years. The risk going forward is the one that always follows these takedowns, with governments pointing at criminal VPN infrastructure to justify restricting legitimate services and collapsing a distinction that is very much intentional.
Be part of the resistance, quietly.
Get Mysterium VPN
Dominykas is a technical writer with a mission to bring you information that will help you in keeping your digital privacy and security protected at all times. If there's knowledge that can help keep you safe online, Dominykas will be there to cover it.
Related Articles
.png)
.png){kind=small}
