Last updated: 2026.05.15
Very few, but proposed
The First Amendment provides broad protection. The main unprotected categories are: obscenity (failing the Miller test), fraud, child pornography, incitement to imminent lawless action (Brandenburg test), true threats, fighting words, and perjury. Hate speech is generally protected unless it constitutes true threats or incitement. Defamation requires proof of falsity and, for public figures, actual malice.The STOP HATE Act (proposed 2025) would ban 'hate speech', antisemitism, and 'disinformation'.
Indirect & proposed
The Algorithm Accountability Bill 2025 (proposed) would hold social media platforms liable for algorithmically distributed content, incentivising over-moderation. Similarly, the Sunset Section 230 Act and TRUMP AMERICA AI Act (both proposed) would make platforms liable for user content, forcing more restrictive moderation. The Block BEARD Act (proposed 2025) would force ISPs to block piracy websites.Indirect censorship is possible already:
- The government has pressured social media platforms to remove content under the pretext of fighting misinformation and hate speech.
- High-profile cases such as WikiLeaks, SamouraiWallet and The Pirate Bay involve domain seizures framed as law enforcement actions against crime, which are considered legal despite First Amendment concerns.
- The Digital Millennium Copyright Act (DMCA) has been misused for censorship and takedowns of legal content, as content must be removed quickly and without proving actual copyright infringement.
- TAKE IT DOWN Act: Aimed at combating non-consensual sharing of intimate images, this act could enable censorship by allowing platforms to remove content based solely on complaints, without proof of harm or an appeals process.
- PAFACA: Commonly known as the "TikTok ban", targeting apps or websites owned by foreign entities. Proponents argue it is not censorship because a new (American) owner of TikTok would still be allowed to circulate the same content.
- Stop Hiding Hate Act (New York): Forces social media platforms to report 'hate speech' incidents; while no fines for retaining legal content are imposed, it may coerce platforms into more aggressive moderation practices.
No bans
Though such laws are regularly proposed, they have so far all failed, e.g. the EARN IT Act, Lawful Access to Encrypted Data Act, and Florida's Social Media Use by Minors bill (HB 744/SB 868).VPN restrictions in some states; proposed
Utah's Senate Bill 73 does not ban VPNs for individuals but restricts their use by holding websites liable for failing to verify the age of users physically in Utah, even if they use a VPN to mask their location, and it prohibits these websites from providing instructions on how to use a VPN to bypass age checks. Some US states have proposed VPN bans or restrictions, but no laws have passed yet.Age verification in some states; proposed
Age verification laws for websites and/or social media are in place in about half of US states, but not at a federal level. The Kids Online Safety Act (proposed 2025) and SCREEN Act (proposed 2025) aim to implement restrictions federally. The proposed Kids Off Social Media Act and the proposed TRUMP AMERICA AI Act would require age verification for social media and AI chats (GUARD Act), respectively. It would also force AI chat providers to require the creation of user accounts. App Store Accountability Acts in Texas, Utah, Louisiana and other states require app stores and developers to implement age verification; Apple and Google say compliance requires collecting personally identifiable data. California's Digital Age Assurance Act forces operating systems, device makers, and app stores to send age-related signals to apps, starting in 2027. App developers are required to modify their apps to request the age signal from the OS and honour it. For now, the age signal does not require ID checks and device admins can self-declare the ages for user accounts. Similar laws have been pased in Colorado (Colorado SB26-051), though with an exemption for free and open source operating systems, and are proposed in Illinois (Illinois SB3977). More extreme laws are proposed in New York and Michigan (New York Senate Bill S8102A and Michigan SB284); they would require actual age verification (not just self-declaration) for all Internet-enabled hardware, operating systems, and app stores, in order to send an age signal to all apps and websites. Similarly, the Parents Decide Act (proposed 2026) would require age verification for all operating systems (PCs, phones etc.) on a federal US level.Passwords no, biometrics yes
Passwords are protected by the Fifth Amendment and cannot be compelled. For biometric unlocking, courts have generally allowed police to compel biometric unlocks (e.g. forcing a suspect's finger onto a phone or holding a device to their face), as established in cases like United States v. Dionisio (1973) and subsequent rulings.No bans, but devs punished
There is no ban on anonymous payment methods such as Monero, but developers of privacy-preserving cryptocurrency software have been prosecuted under anti-money laundering laws, e.g. US v. Storm and US v. Rodriguez, targeting the developers of Tornado Cash (a privacy protocol that mixes cryptocurrency transactions to obscure their origin).None
No comprehensive federal requirement for ISPs to retain connection logs or metadata for all users; any retention is voluntary, though proposals have existed (e.g. SAFETY Act 2009). The CLOUD Act requires US-based providers to hand over data stored overseas on request, but does not mandate retaining data they would not otherwise keep. PRISM is an NSA intelligence program enabling collection of internet communications from US-based tech companies (allowing for the compelled disclosure of content or metadata held by providers when targeted at non-US persons outside the US), but is not a data retention law.No, but proposed
In April 2026, the FCC approved a proposal requiring telecom providers (including VoIP services) to verify customers’ identities before activating service.Platform-agnostic, can use browser + OTP
Government services such as Login.gov or ID.me support browser-based login with password + OTP (via SMS, email, or authenticator app), and no Android/iOS smartphone is mandatory for access or authentication.Last updated: 2026.05.15
Restricted
Mostly relating to vaguely defined 'hate speech' and Holocaust denial under Criminal Code §318 & §319.Proposed Bill C-9 (2025) would also ban Nazi and Hamas symbols and widen the definition of 'hate speech', particularly for anti-religious offences.
(+ failed laws like Bill C-36 (failed 2021) or Bill C-63 (failed 2025, which would have introduced a maximum penalty of life imprisonment for hate crime offences including non-violent 'hate propaganda'))
Selective censorship
ISPs have been ordered to block websites associated with copyright infringement, though major sites like Anna's Archive and The Pirate Bay remain available. Critics also worry that the Online Streaming Act enables state control over what Canadians see online: it extends the CRTC's regulatory authority to online platforms (YouTube, Netflix, Spotify etc.), requiring them to promote Canadian content, with critics warning of algorithm manipulation and government overreach.No, but proposed
Bill C-26, focused on cybersecurity and expanded surveillance powers, passed Parliament and reached Senate review in June 2024. The Senate found technical flaws and amended it, sending it back to the House of Commons. As of July 2025, it has not yet become law. Bill C-22 (Lawful Access Act 2026) is a proposed surveillance bill that would compel electronic service providers to create a backdoor to their services to provide law enforcement access to data (including encrypted data). The bill also bans companies from even revealing the existence of these orders publicly.No, but proposed
Bill S-209, aimed at mandatory age verification for access to online adult content, returned to the Senate for first reading in May 2025. Debate continues with a focus on privacy and implementation challenges. The bill has not yet been enacted.No bans, but restrictions
Monero has been delisted from most Canadian-accessible CEX due to KYC regulations, though it is not banned per se. Additionally, Trudeau's Emergencies Act was invoked to temporarily restrict cryptocurrency transactions (including Monero) to disrupt funding for the Freedom Convoy protests, but this did not constitute an outright ban.No, but proposed
Bill C-22 (Lawful Access Act 2026) is a proposed surveillance bill that would compel electronic service providers to store Canadians’ metadata for a year.Platform-agnostic, can use browser + OTP
Government services such as GCKey or Sign-In Partner support browser-based login with password + OTP (via SMS, email, or authenticator app), and no Android/iOS smartphone is mandatory for access or authentication.Last updated: 2026.03.11
Severe limitations of speech
Mostly relating to vaguely defined 'hate speech' and display of National Socialist symbols, under the Racial Discrimination Act 1975 and the Criminal Code Amendment (Hate Crimes) Bill 2025"The laws at both federal and NSW levels aim to curb hate-fueled violence, particularly against Jewish Australians. They criminalize advocating force or violence against protected groups, toughen penalties for Nazi-related symbolism, and even impose mandatory minimum sentences for some offenses.The new laws stretched the rules in ways that might make civil liberties advocates nervous. Previously, to be charged with urging violence against a group, prosecutors had to prove intent. Now? Recklessness will do. This means you don't have to actually intend for violence to happen — just failing to consider the possibility could land you in serious trouble.
The law also takes a broad approach to Nazi symbolism. Displaying a swastika was already illegal in some contexts, but now similar prohibitions apply to a range of extremist symbols, with penalties jumping from one year in prison to five. And if you're caught making a "Nazi salute?" Enjoy your 12-month mandatory minimum sentence." - Reclaim The Net
. The Combatting Antisemitism, Hate and Extremism Bill 2026, passed in 01/26, significantly restricts speech in ways that are dangerous and unusual.It criminalizes public conduct or expression (including online) if it would cause a 'reasonable person' to feel intimidated or harassed, without requiring proof of actual harm, real victims, or incitement to violence. The law shifts the burden of proof onto the accused for certain offenses (like displaying prohibited hate symbols), forcing them to justify exemptions. Furthermore it empowers the government to blacklist so-called hate groups based on executive discretion, and (even retroactively) punishes mere association, membership, or support with up to 15 years in prison. This goes far beyond typical hate speech laws in other countries, which usually demand intent to incite hatred or violence and include stronger safeguards for political, academic, or journalistic expression, making this bill exceptionally broad, subjective, and restricting free speech.Widespread censorship
The Australian Communications and Media Authority enforces content restrictions on Australian-hosted Internet content and maintains a blocklist of websites. The eSafety Commission can order removal of 'harmful' content and block websites, which has included archive.org and specific videos on platforms like X [1], [2]. ISPs have also been ordered to block websites for copyright infringement (e.g. Anna's Archive, The Pirate Bay). The Online Safety Act requires age verification for accessing potentially 'harmful' content, creating further indirect censorship.Yes (backdoor on demand)
The Assistance and Access Act 2018 allows intelligence and police agencies to compel technology companies to build in backdoor access. For example, the government demanded that Signal create a backdoor, which it has so far refused.Not banned, but restrictions
Social media firms are expected per eSafety guidance to block VPNs as they can be used to bypass Australia’s under-16 ban. In practice, platforms may have to blacklist VPN-associated IPs because they can't prove a VPN user isn't an Australian under 16. Alternatively, they would need to cross-check an account's historical IPs and collected location data in order to detect and block VPN use for Australians only.Age verification
The Online Safety Bill 2024 mandates age verification for websites, apps and social media. Originally, it was limited to age verification for using social media and adult websites, but the requirements have since been extended to app stores, online games, YouTube and search engines like Google and Bing. Since 2026, Apple requires age verification to install age-restricted apps on iOS.Yes
The Cybercrime Act 2001 grants police (with a magistrate's order) the power to require "a specified person to provide any information or assistance that is reasonable and necessary" to access evidential computer data, understood to include mandatory decryption. Failure to comply carries a penalty of 6 months' imprisonment.No bans, but restrictions
However, Monero has been delisted from most CEX for Australian users due to KYC and other regulations, even though it's not banned per se.Yes (24 months)
The Data Retention Act 2015 requires retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) for 2 years.Limited support, iOS/Android/AOSP required
For certain government tasks requiring strong authentication (e.g. ATO linkage, DIN), you either need the myID app on an Android/iOS smartphone or must handle the process in person. For now, the myID app (not to be confused with the myGov app, which enforces Play Integrity checks and is not required for authentication) seems to work on non-stock Android such as LineageOS or GrapheneOS, though it is only available on the Play Store - requiring a Google account (a possible workaround is using Aurora Store, though this is unsupported).Last updated: 2026.04.02
Severe limitations of speech
Illegal speech includes vaguely defined 'hate speech', anti-immigration speech (in 2025 the government deployed a social media surveillance unit to monitor such posts), speech likely to cause 'distress', 'indecent' or 'offensive' speech, 'false' or 'misleading' information, obscenity, insults, advocating against the monarchy (treason laws prohibit advocating the abolition of the monarchy or imagining the death of the monarch), blaspheming Islam"England now has a blasphemy law" - The Spectator - There is no official blasphemy law criminalizing criticism of Islam or Muslims. However, concerns have grown over recent prosecutions for actions deemed offensive to Islam (e.g., Quran burning) under existing public order and hate crime laws. Multiple high-profile cases and political discussions suggest a de facto return to blasphemy law principles via prosecution tactics, but no explicit blasphemy legislation has been passed as of July 2025.Furthermore, anti-Islam activists such as Ryan Williams and Tommy Robinson have been asked by police to unlock their phones and charged under Schedule 7 of the Terrorism Act 2000.
, 'prejudicial stereotyping' of MuslimsThe Free Speech Union launches legal challenge against Government over Islamophobia definitionThe Free Speech Union has launched a legal challenge against the UK government over its proposed official definition of "anti-Muslim hostility", warning that the vague wording could effectively create a "blasphemy law by the back door" and stifle legitimate debate about religion. The group argues the policy risks suppressing free speech, elevating one faith above others, and encouraging frivolous complaints, despite existing laws already protecting against discrimination. The challenge, expected to proceed as a judicial review, also targets the appointment of an "anti-Muslim hostility tsar" to oversee the definition’s application.
(since 2026), and more (UK defamation laws are among the strictest in the western world, imposing a high burden of proof on defendants). Key laws: Malicious Communications Act 1988Prohibits sending letters, electronic communications, or articles with the purpose to cause distress or anxiety by conveying messages that are indecent, grossly offensive, or false (known or believed to be false by sender). Covers hate speech that is racially or religiously motivated. Jurisprudence may interpret any pro-White or nationalist sentiments as incitement, even benign expressions like "Love your Nation" or "It's OK to be White" (e.g., in the case of Samuel Melia). Criminalizes any malicious communications in general, including insults. Prison sentences up to 2 years possible., the Hate Crime and Public Order (Scotland) Act (addresses stirring up hatred on grounds of race, religion, and sexual orientation; covers threatening communications and breach of the peace aggravated by hatred), and the Online Safety Act 2023 (particularly §179)Enforces investigations and regulation of harmful online content, including disinformation. Section 179 establishes offence of false communications."Section 179 criminalizes knowingly false communications intended to cause 'non-trivial psychological or physical harm.' The wording here is as vague as it is dangerous. What qualifies as 'non-trivial psychological harm'? If the government decides that criticisms of its handling of the grooming gang scandal cause emotional distress to MPs—or, conveniently, to the public—it could label them as harmful misinformation. Knowing the penalties - up to 51 weeks in prison and unlimited fines - citizens may think twice before questioning the government on sensitive issues. And that's the goal: silence through fear."
. Furthermore, until 2026, police recorded non-crime hate incidents (NCHIs) which are classified as legal speech but remain on police records and may appear in background checks.Widespread censorship
ISPs have been ordered to block websites associated with copyright infringement (e.g. Anna's Archive, The Pirate Bay) and Russian government propaganda (e.g. RT). Indirect censorship through the Online Safety Act, which requires removal of speech that could be illegal in the UK, as well as age verification for accessing potentially 'harmful' contentincluding: Sexually explicit content. Content which encourages, promotes or provides instructions for: suicide, deliberate self-injury, or disordered eating or behaviors associated with an eating disorder. Content which is abusive or incites hatred against people by targeting any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment. Bullying content. Violent content which: encourages, promotes or provides instructions for an act of serious violence against a person, or depicts real or realistic serious violence against a person, an animal, or a fictional creature, including the graphic depiction of a serious injury. Content which encourages, promotes, or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else. Content which encourages a person to ingest, inject, inhale, or self-administer a physically harmful substance, or a substance in physically harmful quantity. Content that shames or otherwise stigmatises body types or physical features. Content that promotes or romanticizes depression, hopelessness and despair. Filesharing websites.. Many UK-based websites have been forced to close or have blocked UK IPs due to the OSA.Yes (backdoor on demand)
The Investigatory Powers Amendment Act 2024 expands government powers to demand access to encrypted communications. The Online Safety Act, particularly Clause 122, allows Ofcom to compel companies to break end-to-end encryption, enabling mass surveillance - this has already been used against Apple, forcing them to stop offering iCloud E2EE in the UK. Since 2026, the OSA authorises Ofcom to require online platforms to deploy automated client-side scanning of user messages, images, and videos before encryption applies.Not banned, but restrictions
Advertising VPNs as a means to bypass content restrictions can be illegal under the Online Safety Act. The House of Lords proposed in 12/25 (HL Bill 135) mandatory age verification for VPN users. The Starmer government is also looking into banning VPNs for minors.Age verification & imprint obligation
The Online Safety Act 2023 requires age verification for websites and apps for a variety of potentially 'harmful' contentSexually explicit content. Content which encourages, promotes or provides instructions for: suicide, deliberate self-injury, or disordered eating or behaviors associated with an eating disorder. Content which is abusive or incites hatred against people by targeting any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment. Bullying content. Violent content which: encourages, promotes or provides instructions for an act of serious violence against a person, or depicts real or realistic serious violence against a person, an animal, or a fictional creature, including the graphic depiction of a serious injury. Content which encourages, promotes, or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else. Content which encourages a person to ingest, inject, inhale, or self-administer a physically harmful substance, or a substance in physically harmful quantity. Content that shames or otherwise stigmatises body types or physical features. Content that promotes or romanticizes depression, hopelessness and despair. (not limited to sexually explicit content). Ofcom requested social media platforms (as well as Youtube) to implement age verification. Apple is requiring age verification on iOS since March 2026; if you refuse you will be unable to download age-restricted apps, incoming and outgoing messages are scanned for nudity and blocked if detected, and Apple's "Web Content Filters" will block explicit websites both in Safari and third-party browsers (these filters run at Webkit level and can't be circumvented with a VPN). Apple claims that "UK law requires you to confirm you are an adult to change content restrictions", although this is false as the OSA doesn't actually require OS-level age verification - yet Ofcom has praised Apple for their restrictions. As of 12/25, the government wants to 'encourage' Google and Apple to implement mandatory client-side AI scanning of photos and videos on all smartphones, blocking nudity unless the user has verified their age. The House of Lords proposed (HL Bill 135) banning all users from social media unless age-verified as 16+. The Electronic Commerce (EC Directive) Regulations 2002 impose imprint obligations for websites, including non-commercial websites with small commercial elements such as advertising banners.Yes
The Regulation of Investigatory Powers Act 2000 compels disclosure of encryption keys or decryption of encrypted data. Refusal carries a maximum sentence of 2 years' imprisonment, or 5 years in cases involving national security or child indecency.No bans, but restrictions
However, Monero has been delisted from most CEX for British users due to KYC and other regulations, even though it's not banned per se.Yes (12 months)
The Investigatory Powers Act 2016 requires retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) for 1 year.May need Google or Apple account & device
Government services such as GOV.UK One Login, HMRC, and NHS support browser-based login with password + OTP (via SMS or authenticator app), so a smartphone is not required for normal sign-in. However, to verify your identity or register a new company, you need the GOV.UK One Login Android/iOS app, or alternatively you can verify your identity in person at a post office, or answer security questions online (dependent on Experian credit-reference data, which may not work with a sparse credit history or no UK bank account). The Android app uses Play Integrity and is only available from Google Play, requiring a Google account and stock Android (incompatible with GrapheneOS or LineageOS). The government is also planning a digital ID scheme ("Brit Card") for all citizens, which will most likely require an Android/iOS app with yet to be determined alternatives for those without a smartphone.Last updated: 2026.04.23
Severe limitations of speech
Illegal speech includes vaguely defined 'hate speech' (including "liking" a post, per LG Meiningen, 2022) (Penal Code §130), insulting religions (§166), Holocaust denial (§130, §189), insults (§185), insulting politicians (§188, including cases where calling politicians "imbecile", "fat", a "penis", or "Pinocchio" have led to prosecution), National Socialist symbols and phrases (§86, which extends beyond obvious symbols like swastikas to phrases such as 'Alles für Deutschland'), disparagement of the President or state symbols (§90), revealing someone's biological sex or birth name or misgendering them (Self-Determination Act, with fines up to €10,000), and more (German defamation laws are also very strict, imposing a high burden of proof on the defendant).Widespread censorship
ISPs have been ordered to block websites associated with copyright infringement (e.g. Anna's Archive, The Pirate Bay), Russian government propaganda (e.g. RT), and far-right politics. The NetzDG requires social media platforms to remove illegal speech within strict timeframes, effectively forcing over-censorship of even legal speech.EU:
The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation' (including truthful information, as a Berlin court ruled) or 'negative effects on civic discourse or elections', and will also require age verification from many websites. In 12/2025, the EU Commission fined X €120m for spurious 'transparency failures' under the DSA, which has been interpreted as a punishment for not censoring enough.
Potential backdoors, and proposed
EU:eIDAS Art. 45, an EU regulation, can act as a potential backdoor by obliging browsers to trust government-designated certificate authorities, technically allowing lawful man-in-the-middle interception of HTTPS traffic. So far, no major browser has implemented Art. 45 QWAC support as envisioned, and open-source and non-EU browsers can largely ignore it.
Various EU proposals aim to ban E2EE or mandate backdoors/client-side scanning, including the ProtectEU strategy (at initial policy stage; no legislation passed, but raising alarm among privacy advocates) and the HLG Recommendations on 'Access to Data for Effective Law Enforcement' (non-binding but informing future legislation). Chat Control is a law package proposed by the EU Commission numerous times, which would have either required or encouraged scanning of private communications, including on end‑to‑end encrypted services such as messengers. The EU Parliament has repeatedly rejected indiscriminate mass scanning and client‑side scanning of end‑to‑end encrypted services (most recently in March 2026). The file is now in so‑called trilogue talks between the EU Parliament, the Council (EU Member States), and the EU Commission, where they are trying to reconcile their very different positions, with more clarity expected later in 2026.
No, but proposed
In 04/2026 the SPD revealed plans to force social media platforms to block VPNs in order to prevent circumvention of the proposed mandatory age verification.Age verification & imprint obligation
§5 TMG prescribes imprint obligations for websites, including non-commercial websites with small commercial elements such as advertising banners.Since 12/2025, an amendment to the Youth Protection Act (JMStV) mandates that content harmful to minors must be restricted to adults, requiring age verification for websites. In 04/2026 the SPD revealed plans to make age verification via EUDI Wallet appThe wallet only lets the social media platform know your age, but the act of verification itself creates a record with the government that you accessed a specific service, at a specific time, from a specific device. Furthermore, the German implementation of the wallet will be only available on Stock Android and iOS and require a Google or Apple account to be installed. mandatory to access social media. VPNs should be blocked from accessing social media.
EU:
The EU's Digital Services Act (DSA) will require mandatory age verification for websites and apps containing 'potentially harmful' content and requires platforms to supply the government with the identity of online accounts who are publishing 'harmful' opinions (90% of such requests received by X in 2024 came from Germany). Chat Control is a law package proposed by the EU Commission numerous times, which would have required or de facto enforced age verification for the creation of email or messenger accounts and could severely restrict anonymous communication. The EU Parliament has repeatedly opposed such far‑reaching measures (most recently in March 2026). The file is now in so‑called trilogue talks between the EU Parliament, the Council (EU Member States), and the EU Commission, where they are trying to reconcile their very different positions, with more clarity expected later in 2026. The EU Parliament on 2025.11.27 approved Report A10-0213/2025, proposing mandatory recurring age verification (every 3 months) for social media, video platforms and AI chatbots - a non-binding resolution but expected to significantly influence national and EU policy.
Passwords no, biometrics yes
Courts have generally held that passwords are protected from compelled disclosure (right against self-incrimination), while biometric unlocks can be compelled as physical evidence. A 2025 OLG Bremen ruling (Ref. 1 ORs 26/24) confirmed forced fingerprint unlocking is legal; police may also collect fingerprints for later use to unlock a device (LG Ravensburg AZ 2 Qs 9/23).Partially banned
EU:Art. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send, and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers).
No, but proposed
Despite several attempts, mandatory data retention (Vorratsdatenspeicherung) has been declared unconstitutional. In April 2026, the German government passed a law to make it mandatory for ISPs (and on demand, messengers and email providers) to store IPs for 3 months. The law still needs to be approved by the Bundesrat (upper chamber). In the past, similar laws ("Vorratsdatenspeicherung") have been declared unconstitutional by the courts and it is possible that this law, if passed, will also be repealed in the future. EU:An EU Council paper from 12/2025 (WK 16133/2025 INIT) proposed mandatory 1-year metadata retention (IP addresses and phone locations) applying to telecom operators, cloud platforms, domain hosts, payment processors, and even E2EE messengers such as WhatsApp and Signal.
Cross-platform, with open source app
Some tasks requiring strong authentication require the AusweisApp, either on an Android/iOS smartphone with NFC support or on a desktop computer with a compatible USB smartcard reader. Linux is explicitly supported as a desktop OS. The AusweisApp is open source, has been ported to FreeBSD, and is available on F-Droid. While the smartcard reader requires an upfront purchase, everything can be done without a smartphone or proprietary OS.EU:
The upcoming EU Digital Wallet is still in development, but it seems that it will only be available as an app for iOS and stock Android (requiring Play Integrity and the Play Store), making an Apple or Google account mandatory.
Last updated: 2026.03.13
Restricted
Mostly relating to vaguely defined 'hate speech' (Gayssot Act 1990 & Law of 30 Dec 2004), Holocaust denial, and positive representation of drugs or incitement to their consumption (Penal Code §222-234 to §222-239).Widespread censorship
ISPs as well as third-party DNS and VPN providers have been ordered to block websites associated with copyright infringement (e.g. The Pirate Bay), Russian government propaganda (e.g. RT), and far-right politics.EU:
The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation' (including truthful information, as a Berlin court ruled) or 'negative effects on civic discourse or elections', and will also require age verification from many websites. In 12/2025, the EU Commission fined X €120m for spurious 'transparency failures' under the DSA, which has been interpreted as a punishment for not censoring enough.
Potential backdoors, and proposed
EU:eIDAS Art. 45, an EU regulation, can act as a potential backdoor by obliging browsers to trust government-designated certificate authorities, technically allowing lawful man-in-the-middle interception of HTTPS traffic. So far, no major browser has implemented Art. 45 QWAC support as envisioned, and open-source and non-EU browsers can largely ignore it.
Various EU proposals aim to ban E2EE or mandate backdoors/client-side scanning, including the ProtectEU strategy (at initial policy stage; no legislation passed, but raising alarm among privacy advocates) and the HLG Recommendations on 'Access to Data for Effective Law Enforcement' (non-binding but informing future legislation). Chat Control is a law package proposed by the EU Commission numerous times, which would have either required or encouraged scanning of private communications, including on end‑to‑end encrypted services such as messengers. The EU Parliament has repeatedly rejected indiscriminate mass scanning and client‑side scanning of end‑to‑end encrypted services (most recently in March 2026). The file is now in so‑called trilogue talks between the EU Parliament, the Council (EU Member States), and the EU Commission, where they are trying to reconcile their very different positions, with more clarity expected later in 2026.
Not banned, but restrictions
In May 2025, a Paris court ordered several VPN providers to block access to hundreds of domains, classifying them as 'technical intermediaries' obliged to monitor and restrict user access to banned content.Age verification & imprint obligation
The Loi pour la confiance dans l'économie numérique prescribes imprint obligations for websites, including non-commercial websites with a small commercial element such as advertising banners.Since 2025 (SREN Law), France requires age verification for accessing pornographic websites, likely to expand to other content deemed inappropriate for children. A proposed law would ban under-15s from social media from 09/26, requiring identity checks for all social media users.
EU:
The EU's Digital Services Act (DSA) will require mandatory age verification for websites and apps containing 'potentially harmful' content, with France trialling implementation. Chat Control is a law package proposed by the EU Commission numerous times, which would have required or de facto enforced age verification for the creation of email or messenger accounts and could severely restrict anonymous communication. The EU Parliament has repeatedly opposed such far‑reaching measures (most recently in March 2026). The file is now in so‑called trilogue talks between the EU Parliament, the Council (EU Member States), and the EU Commission, where they are trying to reconcile their very different positions, with more clarity expected later in 2026. The EU Parliament on 2025.11.27 approved Report A10-0213/2025, proposing mandatory recurring age verification (every 3 months) for social media, video platforms and AI chatbots - a non-binding resolution but expected to significantly influence national and EU policy.
Yes
Article 30 of the Law No. 2001-1062 (15 Nov 2001) allows a judge or prosecutor to compel any qualified person to decrypt or surrender encryption keys. Failure to comply carries up to 3 years' imprisonment and a €45,000 fine; if compliance would have prevented a crime, the penalty increases to 5 years and €75,000.Partially banned
EU:Art. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send, and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers).
Yes (12 months)
Mandatory retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) for 1 year. EU:An EU Council paper from 12/2025 (WK 16133/2025 INIT) proposed mandatory 1-year metadata retention (IP addresses and phone locations) applying to telecom operators, cloud platforms, domain hosts, payment processors, and even E2EE messengers such as WhatsApp and Signal.
Limited support, iOS/Android/AOSP required
For certain government tasks requiring strong authentication (e.g. tax filings, e-signatures), a certified FranceConnect+ app for Android/iOS is required, such as France Identité or L'Identité Numérique La Poste. These apps appear to work on non-stock Android systems such as LineageOS or GrapheneOS, but require Play Services / microG and are only available on the Play Store (requiring a Google account; Aurora Store can work as an unsupported workaround). <EU:
The upcoming EU Digital Wallet is still in development, but it seems that it will only be available as an app for iOS and stock Android (requiring Play Integrity and the Play Store), making an Apple or Google account mandatory.
Last updated: 2026.03.13
Restricted
Illegal speech includes vaguely defined 'hate speech' (Penal Code §604), Holocaust denial (Law 16 June 2016 n. 115), insulting religions (Penal Code §403), speech offensive to public morality (§21, though enforcement is rare in practice), and insulting the President (§278).Widespread censorship
ISPs, third-party DNS, and VPN providers have been ordered to block websites associated with copyright infringement (e.g. Anna's Archive, The Pirate Bay), Russian government propaganda (e.g. RT), and adult content. The 'Piracy Shield' framework targets piracy and sports streaming sites but has also affected innocent websites such as Google Drive. Italy fined Cloudflare for not blocking piracy access via their DNS resolver 1.1.1.1 globally. archive.today/archive.is is DNS-blocked for copyright reasons.EU:
The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation' (including truthful information, as a Berlin court ruled) or 'negative effects on civic discourse or elections', and will also require age verification from many websites. In 12/2025, the EU Commission fined X €120m for spurious 'transparency failures' under the DSA, which has been interpreted as a punishment for not censoring enough.
Potential backdoors, and proposed
EU:eIDAS Art. 45, an EU regulation, can act as a potential backdoor by obliging browsers to trust government-designated certificate authorities, technically allowing lawful man-in-the-middle interception of HTTPS traffic. So far, no major browser has implemented Art. 45 QWAC support as envisioned, and open-source and non-EU browsers can largely ignore it.
Various EU proposals aim to ban E2EE or mandate backdoors/client-side scanning, including the ProtectEU strategy (at initial policy stage; no legislation passed, but raising alarm among privacy advocates) and the HLG Recommendations on 'Access to Data for Effective Law Enforcement' (non-binding but informing future legislation). Chat Control is a law package proposed by the EU Commission numerous times, which would have either required or encouraged scanning of private communications, including on end‑to‑end encrypted services such as messengers. The EU Parliament has repeatedly rejected indiscriminate mass scanning and client‑side scanning of end‑to‑end encrypted services (most recently in March 2026). The file is now in so‑called trilogue talks between the EU Parliament, the Council (EU Member States), and the EU Commission, where they are trying to reconcile their very different positions, with more clarity expected later in 2026.
No bans, but restrictions
Websites are not allowed to point towards VPNs as a means to avoid age verification.Age verification
Since 11/2025 (Caivano Decree), Italy requires age verification for accessing pornographic websites, likely to expand to other content deemed inappropriate for children.EU:
The EU's Digital Services Act (DSA) will require mandatory age verification for websites and apps containing 'potentially harmful' content, with Italy trialling implementation. Chat Control is a law package proposed by the EU Commission numerous times, which would have required or de facto enforced age verification for the creation of email or messenger accounts and could severely restrict anonymous communication. The EU Parliament has repeatedly opposed such far‑reaching measures (most recently in March 2026). The file is now in so‑called trilogue talks between the EU Parliament, the Council (EU Member States), and the EU Commission, where they are trying to reconcile their very different positions, with more clarity expected later in 2026. The EU Parliament on 2025.11.27 approved Report A10-0213/2025, proposing mandatory recurring age verification (every 3 months) for social media, video platforms and AI chatbots - a non-binding resolution but expected to significantly influence national and EU policy.
Partially banned
EU:Art. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send, and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers).
Yes (72 months)
Mandatory retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (including mobile phone locations) for 6 years. ISP metadata older than 1 year and telephony metadata older than 2 years can only be accessed for terrorism investigations. EU:An EU Council paper from 12/2025 (WK 16133/2025 INIT) proposed mandatory 1-year metadata retention (IP addresses and phone locations) applying to telecom operators, cloud platforms, domain hosts, payment processors, and even E2EE messengers such as WhatsApp and Signal.
Cross-platform, with open source app
Some tasks requiring strong authentication require either the CieID app for Android/iOS or a desktop PC with a compatible USB smartcard reader. Linux is explicitly supported as a desktop OS. While the smartcard reader requires an upfront purchase, everything can be done without a smartphone or proprietary OS. The Android app requires Play Services / microG. Other, less essential, government apps for Android, such as IO or PosteID, require Play Integrity and the Play Store (making a Google account and unmodified stock OS mandatory).EU:
The upcoming EU Digital Wallet is still in development, but it seems that it will only be available as an app for iOS and stock Android (requiring Play Integrity and the Play Store), making an Apple or Google account mandatory.
Last updated: 2026.05.15
Restricted
Penal Code §261bis prohibits vaguely defined 'hate speech' (incitement, discrimination, racism, sexism, religious discrimination), anti-LGBT speech (ex.), and Holocaust denial or justificationThe wording of the law applies to all genocides, but in practice this is not the case: In 2015, the ECHR ruled in the case of Perinçek v. Switzerland that criminalizing the denial of the Armenian Genocide was an unnecessary restriction on freedom of expression. The ECHR made a distinction between the two, stating that Holocaust denial is "invariably seen as connoting an antidemocratic ideology and antisemitism", whereas the denial of the Armenian Genocide was deemed to be a matter of historical debate rather than a direct incitement to hatred..Selective censorship
Courts have ordered ISPs to block specific websites. A notable example is a 2007 case in the canton of Vaud, where a magistrate ordered Swiss ISPs to block three US-hosted websites for defamation of the Swiss judiciary.No, but proposed
A proposed (2025) update to the VÜPF/OSCPT surveillance law would require VPN providers with >5,000 users to identify their users. In 12/25, it was announced that the law proposal will be revised following backlash, but no details yet on what will change.No, but proposed
A proposed (2025) update to the VÜPF/OSCPT surveillance law would require providers of email hosting, instant messaging, and social media with >5,000 users to identify their users. In 12/25, it was announced that the law proposal will be revised following backlash, but no details yet on what will change.Yes (6 months)
The SPTA and OSCPT require retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (including mobile phone locations) for 6 months. A proposed (2025) update to the VÜPF/OSCPT surveillance law would extend this requirement to email, instant messaging, and VPN providers with >5,000 users. In 12/25, it was announced that the law proposal will be revised following backlash, but no details yet on what will change.Platform-agnostic, can use browser + OTP
SwissID functions fully via browser for login and e-government services, with OTP or passkeys created on a desktop PC. The mobile app is not required. A new digital ID app called Swiyu, resulting from a 2025 vote, will only run on Android and iOS. A desktop app is not planned. However, the Android app will not require Play Integrity and will be available outside of the Play Store, so it will work on open-source Android distributions and without a Google account. As of May 2026, use of the app is not yet mandatory for any tasks.Last updated: 2026.01.02
Restricted
Penal Code §185 prohibits 'discriminatory and hateful speech', including the use of symbols. Maximum punishment of 3 years' imprisonment.Selective censorship
Courts have ordered ISPs to block specific websites, such as The Pirate Bay. The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation', and also requires age verification from many websites. Even though Norway is not an EU member, as an EEA member it is already in the process of implementing the DSA, expected to become law in mid-2026, which will lead to the same indirect censorship as in the EU.No bans
No current bans or mandatory backdoors. As an EEA member, Norway may in the future have to adopt anti-encryption EU proposals like Chat Control 2.0 or eiDAS Art. 45.No, but proposed
A proposal for a 15-year age limit for social media with effective age verification (ID or biometrics) was put forward in 2024. As of January 2026, the law has not yet been formally enacted but the government has signaled strong intent. The EU's Digital Services Act (DSA) will also require mandatory age verification to access 'potentially harmful' content; Norway is in the process of implementing the DSA, expected to become law in mid-2026.Yes
The Norwegian Criminal Procedure Act allows police to require individuals to assist in an investigation, including decryption of encrypted devices (via password or biometrics). Refusal may result in contempt of court or an obstruction of justice charge.No bans, but restrictions
However, Monero has been delisted from most CEX for Norwegian users due to KYC and other regulations, even though it's not banned per se.IPs only (12 months)
Mandatory retention of IP allocation history for ISPs for 1 year, but no ISP connection logs or telephony metadata such as call logs and location history.Platform-agnostic, can use browser + token
For e-government tasks requiring the highest security level, identification is done via BankID, Buypass ID, or Commfides. These can be used via a mobile app (Android or iOS) or, alternatively, with a USB token, smart card with card reader, or a code generator issued by a bank, depending on the chosen ID method.Last updated: 2026.01.02
Restricted
Penal Code §233 prohibits vaguely defined 'hate speech' (anyone who publicly mocks, defames, denigrates, or threatens a person or group based on nationality, colour, race, religion, sexual orientation, or gender identity shall be fined or imprisoned for up to 2 years). Insults are also technically illegal per §234, but the law is not applied in practice.Insults are technically illegal in Iceland, Penal Code §234 under the section on Crimes against the Sanctity of Private Life. Punishable by fines or imprisonment up to one year. In practice however, the Icelandic Constitution makes that particular law toothless, due to the free expression clause. Speech crimes in general are very difficult to convict in Iceland because the courts have to prove that restricting the speech is "necessary and in accordance with democratic traditions". The state cannot initiate a prosecution, a private individual has to report it first. In total, about 30 people have been found guilty of insults in Iceland in as many years. In every case the punishment is simply to have your insult officially declared "dead and worthless". No jail time or fines have been issued.Selective censorship
Courts have ordered ISPs to block specific websites, such as The Pirate Bay. The EU's Digital Services Act (DSA), which would lead to indirect censorship, has not yet been incorporated into the EEA Agreement and Iceland's implementation has not started. However, Icelandic law may have to align with the EU's censorship framework in the future.No bans
No current bans or mandatory backdoors. As an EEA member, Iceland may in the future have to adopt anti-encryption EU proposals like Chat Control 2.0 or eiDAS Art. 45.No
The EU's Digital Services Act, which would lead to mandatory age verification to access 'potentially harmful' content, has not yet been incorporated into the EEA Agreement. Iceland's implementation process has not started, with no legislative progress or established timelines. However, Icelandic law might have to align with the EU's age verification framework in the future.No bans, but restrictions
However, Monero has been delisted from most CEX for Icelandic users due to KYC and other regulations, even though it's not banned per se.Platform-agnostic, can use browser + OTP
Most people use the Auðkenni mobile app for authentication, but the SIM-based electronic ID (MobileID) serves as an alternative and works on dumbphones as well. Note that SIM e-ID requires an Icelandic phone number, which can be inconvenient and costly for people living abroad. eSIMs will not work, as authentication is SIM-based rather than SMS OTP.Last updated: 2026.05.05
Severe limitations of speech
Illegal speech includes vaguely defined 'hate speech', 'extremist' political positions, 'humiliation of human dignity', disseminating 'unreliable' information and 'disinformation', discrediting the Russian Army (including criticism of the invasion of Ukraine or Soviet actions in WW2), Holocaust denial and 'rehabilitating' National Socialism. Key laws: Penal Code §280, §282, and §354 (not exhaustive).Pervasive censorship
Pervasive censorship and blocking (including deep packet inspection), especially since the 2022 invasion of Ukraine. Russians face fines for 'deliberately searching' online for 'extremist materials' (as of 09/2025, this includes more than 5,000 resources on an ever-growing Ministry of Justice blacklist, including a book by opposition leader Alexei Navalny and Ukrainian songs). Blocked websites and apps include YouTube, WhatsApp, Facebook, Instagram, Telegram, X/Twitter, Rumble, Archive.to, Signal, SimpleX, Discord, Snapchat, Roblox, and Facetime.Yes (banned w/o backdoor)
The Yarovaya Law requires encryption backdoors. Russia restricts E2EE services that do not provide authorities with decrypted data access, making E2EE services de facto banned. Most recently, TLS 1.3, ESNI, DNS over HTTPS (DoH), and DNS over TLS (DoT) have been banned.Mostly blocked, use is illegal
Yarovaya Law (2016): VPNs must identify their users and keep logs. VPN apps have been forced off app stores. Advertising VPNs is illegal, with fines even for individuals 'promoting' them. VPN connections are actively blocked using deep packet inspection. VPN users can be fined. Russia ordered major domestic internet platforms to block users who use VPNs, starting 2026-04-15, including blocking users from accessing their mobile apps if those apps can detect that the user may be running a VPN on their device. Companies must implement detection systems and report new circumvention methods, with penalties including loss of IT accreditation and removal from official registers for non-compliance. Russia's Digital Development Minister Maksut Shadayev has directed mobile operators to implement surcharges (~$1.80 USD per GB) for international data traffic exceeding 15 GB per month, effective from May 2026; this measure is designed to increase the cost of using VPNs, as they route connections through foreign servers to bypass domestic censorship. Since 2026, Russian authorities have reportedly begun stopping individuals to check their phones for banned apps and VPNs.No, but proposed
A proposed Russian law from 10/2025 plans to mandate the use of the state's biometric and e-government systems for mandatory age verification to access all adult or 'potentially harmful' online content; this measure broadly defines restricted content and would require users to authenticate their government identity each time, effectively eliminating online anonymity.De jure no, de facto maybe
There is no specific, publicly documented Russian law. However, since 2019 all smartphones and computers sold in Russia must come with pre-installed Russian software, which most likely facilitates government access to these devices anyway. In practice, Russian authorities operate with significant leeway, and refusal to unlock a device or decrypt data can lead to serious consequences, even without an explicit legal mandate. Authorities may interpret refusal as suspicious behaviour, leading to prolonged detention or charges under vague laws like "obstructing law enforcement" or "extremism". While you may not be legally required to decrypt your data, the question is: do you feel lucky? A training manual for investigators approves of physical violence against suspects who refuse to unlock their device.Banned commercially
Since 2022, it is prohibited to transfer or accept cryptocurrencies as payment for goods or services. It remains technically legal to own cryptocurrencies or use them in non-commercial contexts.Yes (36 months)
The Yarovaya Law 2016 requires retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) and even VPN logs for 3 years.Platform-agnostic, can use browser + OTP
Browser login to Gosuslugi works with password + OTP, and no Android/iOS app is required for authentication.Last updated: 2026.03.27
Severe limitations of speech
Illegal speech includes loosely defined 'hate speech' (which includes racism, sexism, transphobia etc., and not just incitement but also slurs and jokes, which can result in prison sentences, e.g. 8 years for comedian Leo Lins) (Penal Code §20), insulting or mocking a religion (§208), justifying a crime (§287), and insulting a public official (§331). The Senate approved the Law Project 896/2023 in 2025, which would amend existing racism laws to include misogyny (defined as hatred or aversion toward women) and make it an offense punishable with prison; however, the Chamber of Deputies has not approved it yet.Widespread censorship
Courts have ordered ISPs to block specific websites, mainly for political censorship. Social media websites must swiftly remove posts containing 'hate speech', inciting violence, or promoting 'anti-democratic acts' as soon as flagged, without requiring a court order. Rumble was forced to block Brazilian users due to censorship demands; X/Twitter was blocked by Brazilian ISPs in 2024 (with fines threatened for VPN-using Brazilians) until X complied with censorship demands. WhatsApp and Telegram were previously banned for similar reasons.Not currently, but bans possible
In 2024, VPN apps were banned from the Apple App Store and Play Store and people found using a VPN to access X could be prosecuted and fined. These restrictions have since been lifted. This ban was enacted by Supreme Court Justice Alexandre de Moraes rather than through legislation, meaning such a VPN ban can happen again at any time.Age verification
The Law No. 15,211/2025 ("ECA Digital" or "Felca Law") requires mandatory age verification for all digital platforms (including websites, apps, app stores, operating systems) with regard to 'inappropriate' content (e.g. sexual content, harassment, violence, self-harm, gambling). Since 2026, Apple requires age verification to install age-restricted apps on iOS. Platforms must use reliable methods such as government-issued ID or biometric verification to verify the age; self-declaration of age is explicitly prohibited.Yes (12 months)
Mandatory retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (call records, SMS metadata, location history) for 1 year.May need Google or Apple account & device
Browser login to gov.br works with password + OTP, but for many sensitive tasks including digital signatures and tax filings a "Gold" status on gov.br is needed. This is usually attained through the gov.br Android/iOS app. An alternative is purchasing a digital certificate stored on a computer or smartcard, but these cost R$50–300/year, expire after 1–3 years, and require an in-person or video call identity validation appointment, making them very inconvenient compared to the smartphone app. The gov.br Android app uses Play Integrity and is only available from Google Play, requiring a Google account and unmodified Android (incompatible with GrapheneOS or LineageOS, which fail Play Integrity).Last updated: 2026.01.02
Severe limitations of speech
Illegal speech includes vaguely defined 'hate speech' (Penal Code §153A, Karnataka Hate Speech and Hate Crimes (Prevention) Bill 2025), insulting religions (Penal Code §295A & §298), contempt or exciting disaffection against the government (Penal Code §124A), damaging public order or friendly relations with foreign states, damaging 'decency or morality', incitement to an offense (all Constitution §19(2)), and activities that threaten the sovereignty or integrity of India (Unlawful Activities (Prevention) Act).Widespread censorship
§69A of the Information Technology Act 2000 allows the government to block public access to any information in the interest of sovereignty, integrity, national security, friendly relations with foreign states, or public order. The IT Ministry can make content-blocking orders to social media companies (e.g. X was ordered to block thousands of accounts in 2025) and ISPs are frequently ordered to block websites (e.g. a court ordered the blocking of Protonmail in 2025). In September 2025, Karnataka High Court held that X, as a foreign entity, cannot claim protection under India's constitutional guarantee of free speech, reinforcing the state's authority to compel online platforms to remove speech.Yes (backdoor on demand)
§69 of the Information Technology Act 2000 and Constitution Article 19(2) have been interpreted by courts to empower the government to order decryption and interception of any message. In 2023, 14 apps offering E2EE messaging were banned, though the government has not provided a clear legal framework or blocking orders. WhatsApp and other companies have so far resisted backdoor demands.Not banned, but restrictions
VPN servers located in India must collect and retain user data, but there is no ban on VPN use otherwise.Yes
§69 of the Information Technology Act 2000 empowers the government to compel assistance in decrypting information from "any subscriber or intermediary or any person in charge of the computer resource". Failure to comply is punishable by up to 7 years' imprisonment and/or a fine.Yes (12 months)
Mandatory retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (including mobile phone locations) for 1 year.Platform-agnostic, can use browser + OTP
Browser login to DigiLocker or Aadhaar works with password + SMS OTP, and no Android/iOS app is required for authentication. However, a mobile phone is required to receive SMS OTPs.Last updated: 2026.05.15
Severe limitations of speech
Illegal speech includes vaguely defined 'hate speech' (inciting hatred or discrimination among nationalities or harming national unity), injuring the reputation of state organs (effectively capturing any criticism of the government), 'harming national unification' (e.g. arguing for the independence of Taiwan, Hong Kong, Macao, Tibet, or Xinjiang), disinformation or 'distorting the truth', 'destroying the order of society', and criticising socialism.Pervasive censorship
The Great Firewall of China blocks a large amount of websites and apps, including Google, Youtube, Whatsapp, Facebook, Instagram, X, Snapchat, Pinterest, Wikipedia, Dropbox, and Signal. Content on the Chinese Internet is highly regulated and subject to a strict censorship regime. The government employs various methods, such as IP blocking, keyword filtering, and deep packet inspection, to enforce these restrictions.Yes (banned w/o backdoor)
China has no explicit law outright banning E2EE, but authorities have banned encrypted apps and expressed disapproval of encryption that limits data access. International E2EE apps such as WhatsApp and Signal are blocked. The Cryptography Law 2020 grants state agencies full access to cryptographic systems and decryption keys, effectively nullifying private encryption. E2EE services without government decryption access are essentially banned or heavily restricted.Mostly blocked, use is illegal
VPNs must be government-approved and must identify users and keep logs. VPN apps have been forced off app stores. High fines and prison terms can be imposed on VPN users. VPN connections are actively blocked using deep packet inspection. In early 2026, the Law on the Prevention and Control of Cybercrime was proposed, which would explicitly define the use of anti-censorship tools as illegal (such as VPNs or other means to bypass the Great Firewall), with a denunciation bonus up to 0.5m CNY paid to individuals who report others for bypassing the firewall. The Great Firewall itself is explicitly affirmed as legal under this framework. However, the final version of the law has not yet been officially enacted as of May 2026.Real-name system
China mandates online real-name registration whereby users must provide official ID credentials to access most Internet services. The 2025 national Internet ID system builds on this by introducing a government-issued digital credential that centralises authentication across platforms, linking government databases with online activity. In 01/2026, the Cybercrime Prevention and Control Law was proposed, which lays out punishments for individuals attempting to bypass the Internet real-name system, including the usage of fake IDs or shared accounts.De jure no, de facto maybe
De jure there is no key disclosure requirement, however China gives law enforcement significant powers and prioritizes its ability to compel decryption and access to data even if this means compelled disclosure of passwords or encryption keys in practice. Refusal to unlock a device or decrypt data is likely to be met with significant pressure, including detention, interrogation, accusations of obstructing justice, or charges under laws like the Anti-Terrorism Law or National Security Law.Banned
The People's Bank of China issued a ban on all crypto activities, including trading, mining, and individual ownership, effective from June 2025. The Chinese government aims to centralise financial control through its state-backed digital yuan (CBDC) and eliminate decentralised crypto assets.Yes (6 months)
Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) and even VPN logs for 6 months.Cross-platform, but mobile OS only
For government tasks requiring strong authentication, a smartphone is effectively mandatory because the primary methods rely on smartphone apps such as NNIA, CTID, WeChat, AliPay with no straightforward alternatives for desktop PCs or dumbphones. While some government portals have web interfaces, strong authentication often requires scanning a QR code with a mobile app like WeChat or Alipay, or using facial recognition/biometrics tied to a phone. Despite all this, Android phones sold in China are "degoogled" and you don't need Play Store or a Google account to download the apps; it is likely to work on FOSS Android distributions such as GrapheneOS or LineageOS. HarmonyOS phones are also supported and, while proprietary, can be used without a Huawei account.Last updated: 2026.04.24
Strict defamation and copyright laws
Nominally there are very few restrictions on speech.However defamation laws are very strict and insults and damaging someone's reputation can be prosecuted (Japanese defamation laws do not require the statement to be false; even true statements that harm someone's reputation can lead to legal consequences - unless disclosing the statement is in the public interest).
Copyright law in Japan is very restrictive, with no general fair use exception and very strict copyright jurisprudence: people have been jailed for transcribing a film to text, distributing modified game save data, publishing movie spoilers, or using or creating software that can bypass DRM (Digital Restrictions Management).
Selective censorship
Court-ordered site blocks mainly targets piracy websites, especially those relating to manga and anime. However, this is usually applied to high-profile sites, not as a blanket censorship policy. A court ruling from 11/2025 held CDN providers liable for indirectly hosting copyrighted material, setting a dangerous precedent.No, but proposed
In April 2026, Japan's Ministry of Internal Affairs and Communications has begun considering a plan to impose age restrictions on social media platforms. Media outlets report that some form of legal regulation could be enacted as early as 2027. If this comes to pass, it is highly likely that Japan will implement a system similar to the age verification laws already in place in other countries.No bans, but restrictions
However, Monero has been delisted from most CEX for Japanese users due to KYC and other regulations, even though it's not banned per se.No, but proposed
As of March 2025, Japan’s data protection laws are under review. However, the legislative outcome is unclear.Yes, must register with official ID
Data-only SIMs were exempt in the past but will also require KYC from April 2027 onwards.Cross-platform, but proprietary OS only
Some tasks requiring strong authentication require either the mobile Mynaportal app for Android/iOS/Windows/macOS, or a compatible USB card reader for the desktop app. While the smartcard reader requires an upfront purchase, everything can be done without a smartphone. However, on Linux only browser access is offered, making some tasks such as digital signing impossible; a proprietary OS or smartphone is therefore required. The Mynaportal Android app appears to work on non-stock Android systems such as LineageOS or GrapheneOS, but it requires Play Services / microG and is only available on the Play Store (requiring a Google account; Aurora Store can work as an unsupported workaround).Last updated: 2026.05.09