This year was defined by “surveillance, censorship, and shrinking civic space” according to Access Now’s executive director, Alejandro Mayoral Baños.
Despite the sobering headlines, the US-based digital rights organization says there’s still hope. Resistance has continued and, as Baños puts it, “communities refused to disappear.”
I spoke to members of Access Now about the most pressing developments from the past 12 months. Here’s what they told me.
Spyware continues to proliferate
Four years on from the Pegasus Project revelations, reports suggest that spyware remains a significant threat to privacy.
This year, Graphite – a tool developed by Paragon Solutions – was found to have been used to track journalists and activists in Europe. While an Italian parliamentary committee report confirmed the government had used the spyware against human rights activists, it stopped short of admitting to the monitoring of journalists
Apple and WhatsApp were unaware of the floors that Paragon’s products were exploiting. In other words, the attackers were targeting zero-day vulnerabilities.
Traditional cybersecurity best practices offer little help against this type of threat. While a trusted VPN provider protects your data while it is moving across the internet, spyware targets a device’s operating system.
By attacking the device in this way, spyware operators can often gain total access to your digital life – capturing every keystroke, eavesdropping through your microphone, and even turning on your camera.
Most dangerously, these are often zero-click attacks, meaning that unlike traditional attacks, the target doesn’t have to click a suspicious link or open a file.
“Mercenary spyware continued to prove that it is evolving faster than safeguards,” says Rand Hammoud, Surveillance Campaigns Lead at Access Now.
While WhatsApp and Apple confirmed they had patched the specific vulnerabilities exploited, the mercenary spyware industry is incredibly resilient. It continues to source new entry points via the murky international market for zero-day vulnerabilities.
This secretive global market involves hackers selling unpatched software flaws to the highest bidder – usually governments or private companies – that then use them to break into devices before the manufacturers even know the vulnerability exists.
Fortunately, there was some progress for digital rights defenders this year. Most notably, the Pall Mall Process launched a new Code of Practice for States in April, as Hammound explained.
The Code is a voluntary, non-binding document which pushes for greater accountability, oversight, and transparency among participating nations.
There was also progress at the EU level, where the bloc’s export control rules integrated human rights language. However, Hammoud warns that the dual-use control list – which governs how EU-based companies sell and transfer surveillance equipment – is undermined by “weak catch-all clauses and uneven national practices” that leave room for evasion.
“Bottom line: 2025 shifted the question from ‘do we need rules?’ to ‘who will actually enforce them?’ — because victims can’t be protected by principles alone,” Hammoud said.
AI-enabled digital warfare
While spyware is highly targeted, Access Now has also monitored a much larger shift: the development of AI-driven systems designed for use during active conflict.
Marwa Fatafta, MENA Policy and Advocacy Director at Access Now, said there’s been a “troubling shift” in recent years with “the rapid militarization of civilian technologies and personal data.” It’s a process that has blurred the lines between the tools we use for daily life and the systems now being used on the battlefield.
“Gaza stands as a stark example of how warfare evolves when mass surveillance and AI-driven systems are woven into military operations with no restraints” Fatafta said.
The technology is varied but is often used to generate targets at a speed no human analyst can match. That’s down to a deadly combination of automated systems, such as Lavender, alongside AI tracking tools that use mass-collected data.
The technologies being used have raised significant ethical concerns, particularly due to a lack of accountability, control and accuracy.
Earlier this year, the head of the United Nations called such “killer robots” politically unacceptable and “morally repugnant.” Despite mounting international pressure, however, there remain few meaningful regulations on its use.
“We can no longer afford to treat digital warfare as a peripheral issue,” Fatafta concludes.
EU rolls back digital rights protections
An organization once expected to introduce meaningful protections – the European Union – now seems to be moving in the opposite direction. According to Access Now, the bloc is failing to live up to its reputation as a “privacy-first” regulator.
“After several years of being at the forefront of regulating digital rights protections, the European Union seems to be turning its back on the very ‘gold standards’ it worked so hard to establish,” according to Daniel Leufer, Emerging Technologies Policy Lead at Access Now.
A wave of regulatory moves over the past 12 months has placed end-to-end encryption in the crosshairs, including proposals to expand mandatory data retention and increase the monitoring of private conversations.
The stakes are high: current proposals seek to establish “lawful access” to encrypted data. This could effectively end the era of truly “no-log” VPN services in Europe.
These are part of a broader shift, according to Leufer, in which the European Commission has been “bending over backwards to accommodate the most excessive demands of industry lobbying and undermining key digital rights safeguards.”
And the future doesn’t look promising. Leufer warns that the policies proposed in 2025 may only be the beginning. He suggest that digital rights advocates must now brace for a significant struggle to preserve hard-won protections across data protection, privacy, and artificial intelligence.
What’s next?
As 2026 approaches, significant hurdles remain in the fight to protect fundamental human rights online. Organizations like Access Now will continue to push for better regulatory constraints on everything from mercenary spyware to AI-enabled weapons, alongside a renewed fight for meaningful data protection around the globe.
Alongside these high-level regulatory efforts, the tech community will continue to build its own safeguards. Expect new privacy-by-design products ranging from decentralized, no-log VPNs to messaging apps that offer post-quantum encryption.
For Access Now, the mission for the coming year is clear. The goal is, says Baños, “not to return to normal, but to build a stronger, fairer, and more accountable digital rights ecosystem.” It’s a vision that privacy advocates around the world will doubtless share.
https://cdn.mos.cms.futurecdn.net/eaqFCS6NSS3vVeV9L3eVuU-2112-80.png
Source link
samuel.woodhams@futurenet.com (Samuel Woodhams)
