I'm aware that this is probably going to be the most controversial article on this site and I deliberately want it to be the most polemic one. Some misguided individuals may insist that encryption is bad because it's just used by criminals and nonces and if you have nothing to hide you have nothing to fear, that we can't protect children from harm unless VPNs are banned, that courts ordering websites to be blocked is okay because - for now - it's mostly just affecting pirate sites plundering from starving Hollywood execs, or that freedom of speech doesn't mean freedom from consequences and doubleplusungood ideas are threatening our democracy or something.
The aim of this piece is to see what restrictions and freedoms for the Internet and computing in general are in place across the world. Besides just being an interesting study, there's also real-world utility: Where can you host a website without disclosing your name and address? What country should you select for your VPN server? In which country will you not need to worry about the police kicking in your front door at 4 am because they didn't like a joke you made on social media?
What this is not is a general comparison of a country's freedom. I'm not looking at the freedom of press, at the election system, or at how libertarian a country is when it comes to guns, sex, or tax. This is purely a look at the digital realm.
I am comparing a carefully selected list of only a few countries; it would be great to compare all ~200 countries of the world, but it is an impossible task. I have included the G7 countries (US, Canada, UK, Germany, France, Italy, Japan) and the BRIC countries (Brazil, Russia, India, China), and also Australia, in order to honour them for being the first Western country to stop pretending they care about privacy or freedom. I also added Switzerland, Norway, and Iceland because they are European countries outside the EU and always come up in all those lists of what the best countries for privacy and VPNs are, as well as all those "most democratic and free countries" lists - so let's put them to the test.
Of course, there are many more countries in the world and many of them are lauded for their freedoms and protections from government overreach; for example, I've heard good things about the Netherlands, Norway, Estonia, and Panama. But it's impossible to diligently compare all countries and there is no clear indication that I'm really missing out on a hidden champion - brief research shows that they all have some restrictions in this or that category. A final thought: for now, you might be able to find lots of freedom in a poor country with low Internet penetration where the government has better things to do than policing the web or isn't able to comprehensively enforce its laws. Why not host your VPS in Papua New Guinea, Transnistria, or Somaliland?
To avoid misunderstandings, I would like to clarify that while I personally do not endorse any form of e.g. hate speech or discrimination, I believe in the principle that most speech and opinions should be legal, including speech that may be considered offensive or bigoted. Such speech should be countered with more speech and with dialogue, rather than through government censorship or legal penalties. I believe that government punishment of certain speech is ultimately damaging to democratic discourse, as hate speech laws tend to be very vague and can therefore potentially be misused by authoritarian governments to suppress dissent and limit free expression.
To give some more examples:
In summary, I believe that speech is either entirely free or not at all; once exceptions are introduced, even with good intentions, free speech ceases to exist. I also believe that free speech is a good thing and that a democratic and open society cannot exist without it, even if it sometimes leads to discomfort or offense.
Source: eylenburg.github.io
Last updated: 6 March 2026
| Country | Legal restrictions of free speech online. Explanation: Not counting as "speech" in this context are: pornography, copyright infringement, defamation, fraud, and inciting imminent targeted violence. Vague laws without clear definitions of which expressions and opinions are illegal automatically result in "red". | Internet censorship (direct or indirect). Explanation: Direct censorship would be for example the government ordering ISPs to block certain websites, while indirect censorship can include pressuring third parties to censor without a court order, e.g. government fining social media companies which don't remove enough "harmful" material. | Encryption bans* (incl. government backdoors or client-side scanning) | Ban of anonymous VPNs, Tor, or I2P | Mandatory Online ID (incl. age verification or imprint obligations) | Key disclosure laws* (obligation to decrypt data or disclose passwords) | Ban of anonymous digital payments (e.g. Monero) | Mandatory non-targeted metadata retention (for Internet & telecom data) | Mandatory registration for SIM cards | No platform-agnostic Digital ID or e-Gov auth. Explanation: Ideally, these digital services - including all digitally available high-trust actions - should be compatible with all computing platforms and not require anyone to use a specific operating system or device. Specifically, it should (a) not be smartphone-dependent, (b) not require a proprietary operating system, and (c) not require a Google, Apple, or Microsoft account. | No "fair use" of copyrighted material |
|---|---|---|---|---|---|---|---|---|---|---|---|
| U.S. 🇺🇸 (last updated: 2026.03.06) | Very few, but proposed: The First Amendment provides broad protection. The main unprotected categories are: obscenity (failing the Miller test), fraud, child pornography, incitement to imminent lawless action (Brandenburg test), true threats, fighting words, and perjury. Hate speech is generally protected unless it constitutes true threats or incitement. Defamation requires proof of falsity and, for public figures, actual malice. The STOP HATE Act (proposed 2025) would ban 'hate speech', antisemitism, and 'disinformation'. | Indirect & proposed: The Algorithm Accountability Act (proposed) would hold social media platforms liable for algorithmically distributed content, incentivising over-moderation. Similarly, the Sunset Section 230 Act (proposed) would make platforms liable for user content, forcing more restrictive moderation. The Block BEARD Act (proposed 2025) would force ISPs to block piracy websites. Indirect censorship is possible already: (1) The government has pressured social media platforms to remove content under the pretext of fighting misinformation and hate speech. (2) High-profile cases such as WikiLeaks, SamouraiWallet and The Pirate Bay involve domain seizures framed as law enforcement actions against crime, which are considered legal despite First Amendment concerns. (3) TAKE IT DOWN Act: Aimed at combating non-consensual sharing of intimate images, this act could enable censorship by allowing platforms to remove content based solely on complaints, without proof of harm or an appeals process. (4) PAFACA: Commonly known as the "TikTok ban", targeting apps or websites owned by foreign entities. Proponents argue it is not censorship because a new (American) owner of TikTok would still be allowed to circulate the same content. (5) Stop Hiding Hate Act (New York): Forces social media platforms to report 'hate speech' incidents; while no fines for retaining legal content are imposed, it may coerce platforms into more aggressive moderation practices. | No bans: Though such laws are regularly proposed, they have so far all failed, e.g. the EARN IT Act, Lawful Access to Encrypted Data Act, and Florida's Social Media Use by Minors bill (HB 744/SB 868). | No, but proposed VPN bans in some states: Some US states have proposed VPN bans or restrictions, but no laws have passed yet. | Age verification in some states: Age verification laws for websites and/or social media are in place in about half of US states, but not at a federal level. The Kids Online Safety Act (proposed 2025) and SCREEN Act (proposed 2025) aim to implement restrictions federally. The proposed Kids Off Social Media Act would bar under-13s from social media, requiring adults to verify their age. App Store Accountability Acts in Texas, Utah, Louisiana and other states require app stores and developers to implement age verification; Apple and Google say compliance requires collecting personally identifiable data. California's Digital Age Assurance Act forces operating systems, device makers, and app stores to send age-related signals to apps, starting in 2027. App developers are required to modify their apps to request the age signal from the OS and honour it. For now, the age signal does not require ID checks and device admins can self-declare the ages for user accounts. Similar laws are proposed in Colorado (Colorado SB26-051) and Illinois (Illinois SB3977). A more extreme law (New York Senate Bill S8102A) is proposed in New York; it would require actual age verification (not just self-declaration) for all Internet-enabled hardware, operating systems, and app stores, in order to send an age signal to all apps and websites. | Passwords no, biometrics yes: Passwords are protected by the Fifth Amendment and cannot be compelled. For biometric unlocking, courts have generally allowed police to compel biometric unlocks (e.g. forcing a suspect's finger onto a phone or holding a device to their face), as established in cases like United States v. Dionisio (1973) and subsequent rulings. | No bans, but devs punished: There is no ban on anonymous payment methods such as Monero, but developers of privacy-preserving cryptocurrency software have been prosecuted under anti-money laundering laws, e.g. US v. Storm and US v. Rodriguez, targeting the developers of Tornado Cash (a privacy protocol that mixes cryptocurrency transactions to obscure their origin). | None: No comprehensive federal requirement for ISPs to retain connection logs or metadata for all users; any retention is voluntary, though proposals have existed (e.g. SAFETY Act 2009). The CLOUD Act requires US-based providers to hand over data stored overseas on request, but does not mandate retaining data they would not otherwise keep. PRISM is an NSA intelligence program enabling collection of internet communications from US-based tech companies (allowing for the compelled disclosure of content or metadata held by providers when targeted at non-US persons outside the US), but is not a data retention law. | No | Platform-agnostic, can use browser + OTP: Government services such as Login.gov or ID.me support browser-based login with password + OTP (via SMS, email, or authenticator app), and no Android/iOS smartphone is mandatory for access or authentication. | Fair Use, but DMCA misuse: Broad, flexible exceptions allowing various uses (commentary, criticism, news reporting, teaching, scholarship, research) based on four fairness factors (purpose, nature, amount, market impact). However, the Digital Millennium Copyright Act (DMCA) has been misused for censorship and takedowns of legal content, as content must be removed quickly and without proving actual copyright infringement. |
| Canada 🇨🇦 (last updated: 2025.11.21) | Restricted: Mostly relating to vaguely defined 'hate speech' and Holocaust denial under Criminal Code §318 & §319. Proposed Bill C-9 (2025) would also ban Nazi and Hamas symbols and widen the definition of 'hate speech', particularly for anti-religious offences. There were also failed laws like Bill C-36 (failed 2021) and Bill C-63 (failed 2025), the latter of which would have introduced a maximum penalty of life imprisonment for hate crime offences including non-violent 'hate propaganda'. | Selective censorship: ISPs have been ordered to block websites associated with copyright infringement, though major sites like Anna's Archive and The Pirate Bay remain available. Critics also worry that the Online Streaming Act enables state control over what Canadians see online: it extends the CRTC's regulatory authority to online platforms (YouTube, Netflix, Spotify etc.), requiring them to promote Canadian content, with critics warning of algorithm manipulation and government overreach. | No, but proposed: Bill C-26, focused on cybersecurity and expanded surveillance powers, passed Parliament and reached Senate review in June 2024. The Senate found technical flaws and amended it, sending it back to the House of Commons. As of July 2025, it has not yet become law. | No bans | No, but proposed: Bill S-209, aimed at mandatory age verification for access to online adult content, returned to the Senate for first reading in May 2025. Debate continues with a focus on privacy and implementation challenges. The bill has not yet been enacted. | None | No bans, but restrictions: Monero has been delisted from most Canadian-accessible CEX due to KYC regulations, though it is not banned per se. Additionally, Trudeau's Emergencies Act was invoked to temporarily restrict cryptocurrency transactions (including Monero) to disrupt funding for the Freedom Convoy protests, but this did not constitute an outright ban. | None | No | Platform-agnostic, can use browser + OTP: Government services such as GCKey or Sign-In Partner support browser-based login with password + OTP (via SMS, email, or authenticator app), and no Android/iOS smartphone is mandatory for access or authentication. | Fair Dealings: Use permitted only if it falls into prescribed categories (e.g., research, private study, criticism, review, news reporting, education, parody, satire). More restrictive than in the US. |
| Australia 🇦🇺 (last updated: 2026.03.06) | Severe limitations of speech: Mostly relating to vaguely defined 'hate speech' and display of National Socialist symbols, under the Racial Discrimination Act 1975 and the Criminal Code Amendment (Hate Crimes) Bill 2025. "The laws at both federal and NSW levels aim to curb hate-fueled violence, particularly against Jewish Australians. They criminalize advocating force or violence against protected groups, toughen penalties for Nazi-related symbolism, and even impose mandatory minimum sentences for some offenses. The new laws stretched the rules in ways that might make civil liberties advocates nervous. Previously, to be charged with urging violence against a group, prosecutors had to prove intent. Now? Recklessness will do. This means you don't have to actually intend for violence to happen — just failing to consider the possibility could land you in serious trouble. The law also takes a broad approach to Nazi symbolism. Displaying a swastika was already illegal in some contexts, but now similar prohibitions apply to a range of extremist symbols, with penalties jumping from one year in prison to five. And if you're caught making a "Nazi salute?" Enjoy your 12-month mandatory minimum sentence." (Reclaim The Net). The Combatting Antisemitism, Hate and Extremism Bill 2026, passed in 01/26, significantly restricts speech in ways that are dangerous and unusual. It criminalizes public conduct or expression (including online) if it would cause a 'reasonable person' to feel intimidated or harassed, without requiring proof of actual harm, real victims, or incitement to violence. The law shifts the burden of proof onto the accused for certain offenses (like displaying prohibited hate symbols), forcing them to justify exemptions. Furthermore, it empowers the government to blacklist so-called hate groups based on executive discretion, and (even retroactively) punishes mere association, membership, or support with up to 15 years in prison. This goes far beyond typical hate speech laws in other countries, which usually demand intent to incite hatred or violence and include stronger safeguards for political, academic, or journalistic expression, making this bill exceptionally broad, subjective, and restrictive of free speech. | Widespread censorship: The Australian Communications and Media Authority enforces content restrictions on Australian-hosted Internet content and maintains a blocklist of websites. The eSafety Commission can order removal of 'harmful' content and block websites, which has included archive.org and specific videos on platforms like X [1], [2]. ISPs have also been ordered to block websites for copyright infringement (e.g. Anna's Archive, The Pirate Bay). The Online Safety Act requires age verification for accessing potentially 'harmful' content, creating further indirect censorship. | Yes (backdoor on demand): The Assistance and Access Act 2018 allows intelligence and police agencies to compel technology companies to build in backdoor access. For example, the government demanded that Signal create a backdoor, which it has so far refused. | Not banned, but restrictions: Social media firms are expected per eSafety guidance to block VPNs as they can be used to bypass Australia's under-16 ban. In practice, platforms may have to blacklist VPN-associated IPs because they can't prove a VPN user isn't an Australian under 16. Alternatively, they would need to cross-check an account's historical IPs and collected location data in order to detect and block VPN use for Australians only. | Age verification: The Online Safety Bill 2024 mandates age verification for websites, apps and social media. Originally, it was limited to age verification for using social media, but the requirements have since been extended to online games, YouTube and search engines like Google and Bing. Since 2026, Apple requires age verification to install age-restricted apps on iOS. | Yes: The Cybercrime Act 2001 grants police (with a magistrate's order) the power to require "a specified person to provide any information or assistance that is reasonable and necessary" to access evidential computer data, understood to include mandatory decryption. Failure to comply carries a penalty of 6 months' imprisonment. | No bans, but restrictions: Monero has been delisted from most CEX for Australian users due to KYC and other regulations, even though it's not banned per se. | Yes (24 months): The Data Retention Act 2015 requires retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) for 2 years. | Yes, must register with official ID | Limited support, iOS/Android/AOSP required: For certain government tasks requiring strong authentication (e.g. ATO linkage, DIN), you either need the myID app on an Android/iOS smartphone or must handle the process in person. For now, the myID app (not to be confused with the myGov app, which enforces Play Integrity checks and is not required for authentication) seems to work on non-stock Android such as LineageOS or GrapheneOS, though it is only available on the Play Store - requiring a Google account (a possible workaround is using Aurora Store, though this is unsupported). | Fair Dealings: Only allowed for specified purposes such as research, criticism, review, news reporting, parody/satire, professional advice, or education. Additional exceptions are very situation-specific and narrowly crafted. |
| U.K. 🇬🇧 (last updated: 2026.03.04) | Severe limitations of speech: Illegal speech includes vaguely defined 'hate speech', anti-immigration speech (in 2025 the government deployed a social media surveillance unit to monitor such posts), speech likely to cause 'distress', 'indecent' or 'offensive' speech, 'false' or 'misleading' information, obscenity, insults, advocating against the monarchy (treason laws prohibit advocating the abolition of the monarchy or imagining the death of the monarch), blaspheming Islam, and more (UK defamation laws are among the strictest in the western world, imposing a high burden of proof on defendants). Key laws: the Malicious Communications Act 1988, the Hate Crime and Public Order (Scotland) Act (addresses stirring up hatred on grounds of race, religion, and sexual orientation; covers threatening communications and breach of the peace aggravated by hatred), and the Online Safety Act 2023 (particularly §179). Furthermore, police record non-crime hate incidents (NCHIs), which are classified as legal speech but remain on police records and may appear in background checks. On blaspheming Islam: "England now has a blasphemy law" (The Spectator). There is no official blasphemy law criminalizing criticism of Islam or Muslims. However, concerns have grown over recent prosecutions for actions deemed offensive to Islam (e.g., Quran burning) under existing public order and hate crime laws. Multiple high-profile cases and political discussions suggest a de facto return to blasphemy law principles via prosecution tactics, but no explicit blasphemy legislation has been passed as of July 2025. Furthermore, anti-Islam activists such as Ryan Williams and Tommy Robinson have been asked by police to unlock their phones and charged under Schedule 7 of the Terrorism Act 2000. On the Malicious Communications Act 1988: Prohibits sending letters, electronic communications, or articles with the purpose to cause distress or anxiety by conveying messages that are indecent, grossly offensive, or false (known or believed to be false by sender). Covers hate speech that is racially or religiously motivated. Jurisprudence may interpret any pro-White or nationalist sentiments as incitement, even benign expressions like "Love your Nation" or "It's OK to be White" (e.g., in the case of Samuel Melia). Criminalizes any malicious communications in general, including insults. Prison sentences of up to 2 years are possible. On the Online Safety Act 2023: Enforces investigations and regulation of harmful online content, including disinformation. Section 179 establishes the offence of false communications. "Section 179 criminalizes knowingly false communications intended to cause 'non-trivial psychological or physical harm.' The wording here is as vague as it is dangerous. What qualifies as 'non-trivial psychological harm'? If the government decides that criticisms of its handling of the grooming gang scandal cause emotional distress to MPs—or, conveniently, to the public—it could label them as harmful misinformation. Knowing the penalties - up to 51 weeks in prison and unlimited fines - citizens may think twice before questioning the government on sensitive issues. And that's the goal: silence through fear." | Widespread censorship: ISPs have been ordered to block websites associated with copyright infringement (e.g. Anna's Archive, The Pirate Bay) and Russian government propaganda (e.g. RT). Indirect censorship occurs through the Online Safety Act, which requires removal of speech that could be illegal in the UK, as well as age verification for accessing potentially 'harmful' content, including: sexually explicit content; content which encourages, promotes or provides instructions for suicide, deliberate self-injury, or disordered eating or behaviors associated with an eating disorder; content which is abusive or incites hatred against people by targeting any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment; bullying content; violent content which encourages, promotes or provides instructions for an act of serious violence against a person, or depicts real or realistic serious violence against a person, an animal, or a fictional creature, including the graphic depiction of a serious injury; content which encourages, promotes, or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else; content which encourages a person to ingest, inject, inhale, or self-administer a physically harmful substance, or a substance in physically harmful quantity; content that shames or otherwise stigmatises body types or physical features; content that promotes or romanticizes depression, hopelessness and despair; and filesharing websites. Many UK-based websites have been forced to close or have blocked UK IPs due to the OSA. | Yes (backdoor on demand): The Investigatory Powers Amendment Act 2024 expands government powers to demand access to encrypted communications. The Online Safety Act, particularly Clause 122, allows Ofcom to compel companies to break end-to-end encryption, enabling mass surveillance - this has already been used against Apple, forcing them to stop offering iCloud E2EE in the UK. Since 2026, the OSA authorises Ofcom to require online platforms to deploy automated client-side scanning of user messages, images, and videos before encryption applies. | Not banned, but restrictions: Advertising VPNs as a means to bypass content restrictions can be illegal under the Online Safety Act. The House of Lords proposed in 12/25 (HL Bill 135) mandatory age verification for VPN users. The Starmer government is also looking into banning VPNs for minors. | Age verification & imprint obligation: The Online Safety Act 2023 requires age verification for websites and apps for a variety of potentially 'harmful' content (not limited to sexually explicit content): sexually explicit content; content which encourages, promotes or provides instructions for suicide, deliberate self-injury, or disordered eating or behaviors associated with an eating disorder; content which is abusive or incites hatred against people by targeting any of the following characteristics: race, religion, sex, sexual orientation, disability, or gender reassignment; bullying content; violent content which encourages, promotes or provides instructions for an act of serious violence against a person, or depicts real or realistic serious violence against a person, an animal, or a fictional creature, including the graphic depiction of a serious injury; content which encourages, promotes, or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else; content which encourages a person to ingest, inject, inhale, or self-administer a physically harmful substance, or a substance in physically harmful quantity; content that shames or otherwise stigmatises body types or physical features; and content that promotes or romanticizes depression, hopelessness and despair. As of 12/25, the government wants to 'encourage' Google and Apple to implement mandatory client-side AI scanning of photos and videos on all smartphones, blocking nudity unless the user has verified their age. The House of Lords proposed (HL Bill 135) banning all users from social media unless age-verified as 16+. The Electronic Commerce (EC Directive) Regulations 2002 impose imprint obligations for websites, including non-commercial websites with small commercial elements such as advertising banners. | Yes: The Regulation of Investigatory Powers Act 2000 compels disclosure of encryption keys or decryption of encrypted data. Refusal carries a maximum sentence of 2 years' imprisonment, or 5 years in cases involving national security or child indecency. | No bans, but restrictions: Monero has been delisted from most CEX for British users due to KYC and other regulations, even though it's not banned per se. | Yes (12 months): The Investigatory Powers Act 2016 requires retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) for 1 year. | No | May need Google or Apple account & device: Government services such as GOV.UK One Login, HMRC, and NHS support browser-based login with password + OTP (via SMS or authenticator app), so a smartphone is not required for normal sign-in. However, to verify your identity or register a new company, you need the GOV.UK One Login Android/iOS app, or alternatively you can verify your identity in person at a post office, or answer security questions online (dependent on Experian credit-reference data, which may not work with a sparse credit history or no UK bank account). The Android app uses Play Integrity and is only available from Google Play, requiring a Google account and stock Android (incompatible with GrapheneOS or LineageOS). The government is also planning a digital ID scheme ("Brit Card") for all citizens, which will most likely require an Android/iOS app with yet to be determined alternatives for those without a smartphone. | Fair Dealings: Permitted uses limited to research, private study, criticism, review, news reporting, parody, caricature, pastiche, and quotation. Other uses require permission. |
| Germany 🇪🇺 🇩🇪 (last updated: 2026.01.16) | Severe limitations of speech: Illegal speech includes vaguely defined 'hate speech' (including "liking" a post, per LG Meiningen, 2022) (Penal Code §130), insulting religions (§166), Holocaust denial (§130, §189), insults (§185), insulting politicians (§188, including cases where calling politicians "imbecile", "fat", a "penis", or "Pinocchio" have led to prosecution), National Socialist symbols and phrases (§86, which extends beyond obvious symbols like swastikas to phrases such as 'Alles für Deutschland'), disparagement of the President or state symbols (§90), revealing someone's biological sex or birth name or misgendering them (Self-Determination Act, with fines up to €10,000), and more (German defamation laws are also very strict, imposing a high burden of proof on the defendant). | Widespread censorship: ISPs have been ordered to block websites associated with copyright infringement (e.g. Anna's Archive, The Pirate Bay), Russian government propaganda (e.g. RT), and far-right politics. The NetzDG requires social media platforms to remove illegal speech within strict timeframes, effectively forcing over-censorship of even legal speech. The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation' (including truthful information, as a Berlin court ruled) or 'negative effects on civic discourse or elections', and will also require age verification from many websites. In 12/2025, the EU Commission fined X €120m for spurious 'transparency failures' under the DSA, which has been interpreted as a punishment for not censoring enough. | Potential backdoors, and proposed: eIDAS Art. 45, an EU regulation, can act as a potential backdoor by obliging browsers to trust government-designated certificate authorities, technically allowing lawful man-in-the-middle interception of HTTPS traffic. So far, no major browser has implemented Art. 45 QWAC support as envisioned, and open-source and non-EU browsers can largely ignore it. Various EU proposals aim to ban E2EE or mandate backdoors/client-side scanning, including the ProtectEU strategy (at initial policy stage; no legislation passed, but raising alarm among privacy advocates) and the HLG Recommendations on 'Access to Data for Effective Law Enforcement' (non-binding but informing future legislation). "Chat Control 2.0" was approved by the EU Council on 2025.11.26. The final version made client-side scanning 'voluntary', but companies are encouraged to scan private messages for legal certainty, a Commission review in 3 years could make it mandatory for some providers, and national authorities may force 'high-risk' services (including all E2E-encrypted services) to adopt client-side scanning. The EU Parliament still needs to approve it, with a vote expected in H1 2026. | No bans | Age verification & imprint obligation: The EU's Digital Services Act (DSA) will require mandatory age verification for websites and apps containing 'potentially harmful' content and requires platforms to supply the government with the identity of online accounts who are publishing 'harmful' opinions (90% of such requests received by X in 2024 came from Germany). Since 12/2025, an amendment to the Youth Protection Act (JMStV) mandates that content harmful to minors must be restricted to adults, requiring age verification for websites. "Chat Control 2.0", approved by the EU Council on 2025.11.27 but not yet voted on by the EU Parliament, would also require age or ID verification for creating an email or messenger account. The EU Parliament on 2025.11.27 approved Report A10-0213/2025, proposing mandatory recurring age verification (every 3 months) for social media, video platforms and AI chatbots - a non-binding resolution but expected to significantly influence national and EU policy. §5 TMG prescribes imprint obligations for websites, including non-commercial websites with small commercial elements such as advertising banners. | Passwords no, biometrics yes: Courts have generally held that passwords are protected from compelled disclosure (right against self-incrimination), while biometric unlocks can be compelled as physical evidence. A 2025 OLG Bremen ruling (Ref. 1 ORs 26/24) confirmed forced fingerprint unlocking is legal; police may also collect fingerprints for later use to unlock a device (LG Ravensburg AZ 2 Qs 9/23). | Partially banned: Art. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send, and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers). | No, but proposed: Despite several attempts, mandatory data retention (Vorratsdatenspeicherung) has been declared unconstitutional. There is currently no mandatory data retention in Germany. An EU Council paper from 12/2025 (WK 16133/2025 INIT) proposed mandatory 1-year metadata retention (IP addresses and phone locations) applying to telecom operators, cloud platforms, domain hosts, payment processors, and even E2EE messengers such as WhatsApp and Signal. | Yes, must register with official ID | Cross-platform, with open source app: Some tasks requiring strong authentication require the AusweisApp, either on an Android/iOS smartphone with NFC support or on a desktop computer with a compatible USB smartcard reader. Linux is explicitly supported as a desktop OS. The AusweisApp is open source, has been ported to FreeBSD, and is available on F-Droid. While the smartcard reader requires an upfront purchase, everything can be done without a smartphone or proprietary OS. The upcoming EU Digital Wallet is still in development, but it seems that it will only be available as an app for iOS and stock Android (requiring Play Integrity and the Play Store), making an Apple or Google account mandatory. | Narrow statutory exceptions: No general fair use; only narrow, enumerated exceptions for uses such as quotation, research, criticism, and certain educational and private uses. The list is exhaustive and exceptions are strictly interpreted. |
| France 🇪🇺 🇫🇷 Last updated: 2026.01.16 |
Restricted: Mostly relating to vaguely defined 'hate speech' (Gayssot Act 1990 & Law of 30 Dec 2004), Holocaust denial, and positive representation of drugs or incitement to their consumption (Penal Code §222-234 to §222-239). |
Widespread censorship: ISPs as well as third-party DNS and VPN providers have been ordered to block websites associated with copyright infringement (e.g. The Pirate Bay), Russian government propaganda (e.g. RT), and far-right politics. The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation' or 'negative effects on civic discourse or elections', and also requires age verification from many websites. There is strong government pressure on social media companies to censor: Rumble was forced to block French IPs (until an opposing court ruling in Oct 2025), Telegram's CEO Pavel Durov was arrested in 2024 with prosecutors alleging insufficient censorship, and a French prosecutor classified X as an 'organised crime group' in 2025. In 12/2025, the EU Commission fined X €120m for 'transparency failures' under the DSA, widely interpreted as punishment for not censoring enough. |
Potential backdoors, and proposed: eIDAS Art. 45, an EU regulation, can act as a potential backdoor by obliging browsers to trust government-designated certificate authorities, technically allowing lawful man-in-the-middle interception of HTTPS traffic. So far, no major browser has implemented Art. 45 QWAC support as envisioned, and open-source and non-EU browsers can largely ignore it. Various EU proposals aim to ban E2EE or mandate backdoors/client-side scanning, including the ProtectEU strategy (at initial policy stage; no legislation passed, but raising alarm among privacy advocates) and the HLG Recommendations on 'Access to Data for Effective Law Enforcement' (non-binding but informing future legislation). "Chat Control 2.0" was approved by the EU Council on 2025.11.26. The final version made client-side scanning 'voluntary', but companies are encouraged to scan private messages for legal certainty, a Commission review in 3 years could make it mandatory for some providers, and national authorities may force 'high-risk' services (including all E2E-encrypted services) to adopt client-side scanning. The EU Parliament still needs to approve it, with a vote expected in H1 2026. |
Not banned, but restrictions: In May 2025, a Paris court ordered several VPN providers to block access to hundreds of domains, classifying them as 'technical intermediaries' obliged to monitor and restrict user access to banned content. |
Age verification & imprint obligation: The EU's Digital Services Act (DSA) will require mandatory age verification for websites and apps containing 'potentially harmful' content, with France trialling implementation. Since 2025 (SREN Law), France requires age verification for accessing pornographic websites, likely to expand to other content deemed inappropriate for children. A proposed law would ban under-15s from social media from 09/26, requiring identity checks for all social media users. "Chat Control 2.0", approved by the EU Council on 2025.11.27 but not yet voted on by the EU Parliament, would also require age or ID verification for creating an email or messenger account. The EU Parliament on 2025.11.27 approved Report A10-0213/2025, proposing mandatory recurring age verification (every 3 months) for social media, video platforms and AI chatbots - a non-binding resolution but expected to significantly influence national and EU policy. The Loi pour la confiance dans l'économie numérique prescribes imprint obligations for websites, including non-commercial websites with a small commercial element such as advertising banners. |
Yes: Article 30 of the Law No. 2001-1062 (15 Nov 2001) allows a judge or prosecutor to compel any qualified person to decrypt or surrender encryption keys. Failure to comply carries up to 3 years' imprisonment and a €45,000 fine; if compliance would have prevented a crime, the penalty increases to 5 years and €75,000. |
Partially banned: Art. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send, and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers). |
Yes (12 months): Mandatory retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) for 1 year. An EU Council paper from 12/2025 (WK 16133/2025 INIT) proposed mandatory 1-year metadata retention applying to telecom operators, cloud platforms, domain hosts, payment processors, and even E2EE messengers such as WhatsApp and Signal. |
Yes, must register with official ID | Limited support, iOS/Android/AOSP required: For certain government tasks requiring strong authentication (e.g. tax filings, e-signatures), a certified FranceConnect+ app for Android/iOS is required, such as France Identité or L'Identité Numérique La Poste. These apps appear to work on non-stock Android systems such as LineageOS or GrapheneOS, but require Play Services / microG and are only available on the Play Store (requiring a Google account; Aurora Store can work as an unsupported workaround). The upcoming EU Digital Wallet is still in development, but it seems that it will only be available as an app for iOS and stock Android (requiring Play Integrity and the Play Store), making an Apple or Google account mandatory. |
Narrow statutory exceptions: Uses are only allowed if they fit an exhaustive list of exceptions (quotation, press review, private copy, educational use). No general fair use doctrine; exceptions are narrowly interpreted. |
| Italy 🇪🇺 🇮🇹 Last updated: 2026.03.04 |
Restricted: Illegal speech includes vaguely defined 'hate speech' (Penal Code §604), Holocaust denial (Law 16 June 2016 n. 115), insulting religions (Penal Code §403), speech offensive to public morality (§21, though enforcement is rare in practice), and insulting the President (§278). |
Widespread censorship: ISPs, third-party DNS, and VPN providers have been ordered to block websites associated with copyright infringement (e.g. Anna's Archive, The Pirate Bay), Russian government propaganda (e.g. RT), and adult content. The 'Piracy Shield' framework targets piracy and sports streaming sites but has also affected innocent websites such as Google Drive. Italy fined Cloudflare for not blocking piracy access via their DNS resolver 1.1.1.1 globally. archive.today/archive.is is DNS-blocked for copyright reasons. The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation' or 'negative effects on civic discourse or elections', and also requires age verification from many websites. In 12/2025, the EU Commission fined X €120m for 'transparency failures' under the DSA, widely interpreted as punishment for not censoring enough. |
Potential backdoors, and proposed: eIDAS Art. 45, an EU regulation, can act as a potential backdoor by obliging browsers to trust government-designated certificate authorities, technically allowing lawful man-in-the-middle interception of HTTPS traffic. So far, no major browser has implemented Art. 45 QWAC support as envisioned, and open-source and non-EU browsers can largely ignore it. Various EU proposals aim to ban E2EE or mandate backdoors/client-side scanning, including the ProtectEU strategy (at initial policy stage; no legislation passed, but raising alarm among privacy advocates) and the HLG Recommendations on 'Access to Data for Effective Law Enforcement' (non-binding but informing future legislation). "Chat Control 2.0" was approved by the EU Council on 2025.11.26. The final version made client-side scanning 'voluntary', but companies are encouraged to scan private messages for legal certainty, a Commission review in 3 years could make it mandatory for some providers, and national authorities may force 'high-risk' services (including all E2E-encrypted services) to adopt client-side scanning. The EU Parliament still needs to approve it, with a vote expected in H1 2026. |
No bans, but restrictions: Websites are not allowed to point towards VPNs as a means to avoid age verification. |
Age verification: The EU's Digital Services Act (DSA) will require mandatory age verification for websites and apps containing 'potentially harmful' content, with Italy trialling implementation. Since 11/2025 (Caivano Decree), Italy requires age verification for accessing pornographic websites, likely to expand to other content deemed inappropriate for children. "Chat Control 2.0", approved by the EU Council on 2025.11.27 but not yet voted on by the EU Parliament, would also require age or ID verification for creating an email or messenger account. The EU Parliament on 2025.11.27 approved Report A10-0213/2025, proposing mandatory recurring age verification (every 3 months) for social media, video platforms and AI chatbots - a non-binding resolution but expected to significantly influence national and EU policy. |
None | Partially banned: Art. 79 of the EU's Anti-Money Laundering Regulation states that, starting in 2027, financial service providers such as banks and crypto exchanges are not allowed to handle privacy-preserving cryptocurrencies such as Monero. However, it will remain legal to hold, send, and receive Monero in self-custodial wallets, and to accept Monero payments (e.g. VPN providers). |
Yes (72 months): Mandatory retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (including mobile phone locations) for 6 years. ISP metadata older than 1 year and telephony metadata older than 2 years can only be accessed for terrorism investigations. An EU Council paper from 12/2025 (WK 16133/2025 INIT) proposed mandatory 1-year metadata retention applying to telecom operators, cloud platforms, domain hosts, payment processors, and even E2EE messengers such as WhatsApp and Signal. |
Yes, must register with official ID | Cross-platform, with open source app: Some tasks requiring strong authentication require either the CieID app for Android/iOS or a desktop PC with a compatible USB smartcard reader. Linux is explicitly supported as a desktop OS. While the smartcard reader requires an upfront purchase, everything can be done without a smartphone or proprietary OS. The Android app requires Play Services / microG. Other, less essential, government apps for Android, such as IO or PosteID, require Play Integrity and the Play Store (making a Google account and unmodified stock OS mandatory). The upcoming EU Digital Wallet is still in development, but it seems that it will only be available as an app for iOS and stock Android (requiring Play Integrity and the Play Store), making an Apple or Google account mandatory. |
Narrow statutory exceptions: No fair use; only limited statutory exceptions for private copying, education, and criticism, provided specific requirements are met. |
| Switzerland 🇨🇭 Last updated: 2025.12.23 |
Restricted: Penal Code §261bis prohibits vaguely defined 'hate speech' (incitement, discrimination, racism, sexism, religious discrimination), anti-LGBT speech, and Holocaust denial or justification. The wording of the law applies to all genocides, but in practice this is not the case: In 2015, the ECHR ruled in the case of Perinçek v. Switzerland that criminalizing the denial of the Armenian Genocide was an unnecessary restriction on freedom of expression. The ECHR made a distinction between the two, stating that Holocaust denial is "invariably seen as connoting an antidemocratic ideology and antisemitism", whereas the denial of the Armenian Genocide was deemed to be a matter of historical debate rather than a direct incitement to hatred. |
Selective censorship: Courts have ordered ISPs to block specific websites. A notable example is a 2007 case in the canton of Vaud, where a magistrate ordered Swiss ISPs to block three US-hosted websites for defamation of the Swiss judiciary. |
No bans | No, but proposed: A proposed (2025) update to the VÜPF/OSCPT surveillance law would require VPN providers with >5,000 users to identify their users. In 12/25, it was announced that the law proposal will be revised following backlash, but there are no details yet on what will change. |
No, but proposed: A proposed (2025) update to the VÜPF/OSCPT surveillance law would require providers of email hosting, instant messaging, and social media with >5,000 users to identify their users. In 12/25, it was announced that the law proposal will be revised following backlash, but there are no details yet on what will change. |
None | No bans | Yes (6 months): The SPTA and OSCPT require retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (including mobile phone locations) for 6 months. A proposed (2025) update to the VÜPF/OSCPT surveillance law would extend this requirement to email, instant messaging, and VPN providers with >5,000 users. In 12/25, it was announced that the law proposal will be revised following backlash, but there are no details yet on what will change. |
Yes, must register with official ID | Platform-agnostic, but will be smartphone-only: SwissID functions fully via browser for login and e-government services, with OTP or passkeys created on a desktop PC. The mobile app is not required. A new digital ID app called Swiyu, resulting from a 2025 vote, will only run on Android and iOS. A desktop app is not planned. However, the Android app will not require Play Integrity and will be available outside of the Play Store, so it will work on open-source Android distributions and without a Google account. |
Narrow statutory exceptions: Permits limited exceptions for private use, quotation, education, and information reporting, but otherwise copyright is strictly enforced. |
| Norway 🇳🇴 Last updated: 2026.01.02 |
Restricted: Penal Code §185 prohibits 'discriminatory and hateful speech', including the use of symbols. Maximum punishment of 3 years' imprisonment. |
Selective censorship: Courts have ordered ISPs to block specific websites, such as The Pirate Bay. The EU's Digital Services Act (DSA) creates obligations for 'content moderation' against not just illegal content but also legal but 'harmful' content such as 'disinformation', and also requires age verification from many websites. Even though Norway is not an EU member, as an EEA member it is already in the process of implementing the DSA, expected to become law in mid-2026, which will lead to the same indirect censorship as in the EU. |
No bans: No current bans or mandatory backdoors. As an EEA member, Norway may in the future have to adopt anti-encryption EU proposals like Chat Control 2.0 or eIDAS Art. 45. |
No bans | No, but proposed: A proposal for a 15-year age limit for social media with effective age verification (ID or biometrics) was put forward in 2024. As of January 2026, the law has not yet been formally enacted but the government has signaled strong intent. The EU's Digital Services Act (DSA) will also require mandatory age verification to access 'potentially harmful' content; Norway is in the process of implementing the DSA, expected to become law in mid-2026. |
Yes: The Norwegian Criminal Procedure Act allows police to require individuals to assist in an investigation, including decryption of encrypted devices (via password or biometrics). Refusal may result in contempt of court or an obstruction of justice charge. |
No bans, but restrictions: Monero has been delisted from most CEXs for Norwegian users due to KYC and other regulations, even though it's not banned per se. |
IPs only (12 months): Mandatory retention of IP allocation history for ISPs for 1 year, but no ISP connection logs or telephony metadata such as call logs and location history. |
Yes, must register with official ID | Platform-agnostic, can use browser + token: For e-government tasks requiring the highest security level, identification is done via BankID, Buypass ID, or Commfides. These can be used via a mobile app (Android or iOS) or, alternatively, with a USB token, smart card with card reader, or a code generator issued by a bank, depending on the chosen ID method. |
Narrow statutory exceptions: Follows European approach: no fair use, only specific exceptions for quotation, education, private use, parody, etc. Uses outside these lists aren’t permitted. |
| Iceland 🇮🇸 Last updated: 2026.01.02 |
Restricted: Penal Code §233 prohibits vaguely defined 'hate speech' (anyone who publicly mocks, defames, denigrates, or threatens a person or group based on nationality, colour, race, religion, sexual orientation, or gender identity shall be fined or imprisoned for up to 2 years). Insults are also technically illegal per §234, but the law is not applied in practice. Insults are technically illegal in Iceland under Penal Code §234, in the section on Crimes against the Sanctity of Private Life, and are punishable by fines or imprisonment up to one year. In practice, however, the Icelandic Constitution makes that particular law toothless, due to the free expression clause. Speech crimes in general are very difficult to convict in Iceland because the courts have to prove that restricting the speech is "necessary and in accordance with democratic traditions". The state cannot initiate a prosecution; a private individual has to report it first. In total, about 30 people have been found guilty of insults in Iceland in as many years. In every case the punishment is simply to have your insult officially declared "dead and worthless". No jail time or fines have been issued. |
Selective censorship: Courts have ordered ISPs to block specific websites, such as The Pirate Bay. The EU's Digital Services Act (DSA), which would lead to indirect censorship, has not yet been incorporated into the EEA Agreement and Iceland's implementation has not started. However, Icelandic law may have to align with the EU's censorship framework in the future. |
No bans: No current bans or mandatory backdoors. As an EEA member, Iceland may in the future have to adopt anti-encryption EU proposals like Chat Control 2.0 or eIDAS Art. 45. |
No bans | No: The EU's Digital Services Act, which would lead to mandatory age verification to access 'potentially harmful' content, has not yet been incorporated into the EEA Agreement. Iceland's implementation process has not started, with no legislative progress or established timelines. However, Icelandic law might have to align with the EU's age verification framework in the future. |
None | No bans, but restrictions: Monero has been delisted from most CEXs for Icelandic users due to KYC and other regulations, even though it's not banned per se. |
None | No | Platform-agnostic, can use browser + OTP: Most people use the Auðkenni mobile app for authentication, but the SIM-based electronic ID (MobileID) serves as an alternative and works on dumbphones as well. Note that SIM e-ID requires an Icelandic phone number, which can be inconvenient and costly for people living abroad. eSIMs will not work, as authentication is SIM-based rather than SMS OTP. |
Narrow statutory exceptions: Follows European approach: no fair use, only specific exceptions for quotation, education, private copying, etc. Uses outside these lists aren’t permitted. |
| Russia 🇷🇺 Last updated: 2026.03.04 |
Severe limitations of speech: Illegal speech includes vaguely defined 'hate speech', 'extremist' political positions, 'humiliation of human dignity', disseminating 'unreliable' information and 'disinformation', discrediting the Russian Army (including criticism of the invasion of Ukraine or Soviet actions in WW2), Holocaust denial and 'rehabilitating' National Socialism. Key laws: Penal Code §280, §282, and §354 (not exhaustive). |
Pervasive censorship: Pervasive censorship and blocking (including deep packet inspection), especially since the 2022 invasion of Ukraine. Russians face fines for 'deliberately searching' online for 'extremist materials' (as of 09/2025, this includes more than 5,000 resources on an ever-growing Ministry of Justice blacklist, including a book by opposition leader Alexei Navalny and Ukrainian songs). Blocked websites and apps include YouTube, WhatsApp, Facebook, Instagram, Telegram, X/Twitter, Rumble, Archive.to, Signal, SimpleX, Discord, Snapchat, Roblox, and FaceTime. |
Yes (banned w/o backdoor): The Yarovaya Law requires encryption backdoors. Russia restricts E2EE services that do not provide authorities with decrypted data access, making E2EE services de facto banned. Most recently, TLS 1.3, ESNI, DNS over HTTPS (DoH), and DNS over TLS (DoT) have been banned. |
Mostly blocked, use is illegal: Yarovaya Law (2016): VPNs must identify their users and keep logs. VPN apps have been forced off app stores. Advertising VPNs is illegal, with fines even for individuals 'promoting' them. VPN connections are actively blocked using deep packet inspection. VPN users can be fined. |
No, but proposed: A proposed Russian law from 10/2025 plans to mandate the use of the state's biometric and e-government systems for mandatory age verification to access all adult or 'potentially harmful' online content; this measure broadly defines restricted content and would require users to authenticate their government identity each time, effectively eliminating online anonymity. |
De jure no, de facto maybe: There is no specific, publicly documented Russian law. However, since 2019 all smartphones and computers sold in Russia must come with pre-installed Russian software, which most likely facilitates government access to these devices anyway. In practice, Russian authorities operate with significant leeway, and refusal to unlock a device or decrypt data can lead to serious consequences, even without an explicit legal mandate. Authorities may interpret refusal as suspicious behaviour, leading to prolonged detention or charges under vague laws like "obstructing law enforcement" or "extremism". While you may not be legally required to decrypt your data, the question is: do you feel lucky? A training manual for investigators approves of physical violence against suspects who refuse to unlock their device. |
Banned commercially: Since 2022, it is prohibited to transfer or accept cryptocurrencies as payment for goods or services. It remains technically legal to own cryptocurrencies or use them in non-commercial contexts. |
Yes (36 months): The Yarovaya Law 2016 requires retention of ISP metadata (IPs, connection logs, browsing history), email and telephony metadata (including mobile phone locations) and even VPN logs for 3 years. |
Yes, must register with official ID | Platform-agnostic, can use browser + OTP: Browser login to Gosuslugi works with password + OTP, and no Android/iOS app is required for authentication. |
Narrow statutory exceptions: Uses must fall within a strictly defined list of statutory exceptions, such as quotation, news reporting, and personal use. No general fair use principle. |
| Brazil 🇧🇷 Last updated: 2026.03.04 |
Severe limitations of speech: Illegal speech includes loosely defined 'hate speech' (which includes racism, sexism, transphobia etc., and not just incitement but also slurs and jokes, which can result in prison sentences, e.g. 8 years for comedian Leo Lins) (Penal Code §20), insulting or mocking a religion (§208), justifying a crime (§287), and insulting a public official (§331). |
Widespread censorship: Courts have ordered ISPs to block specific websites, mainly for political censorship. Social media websites must swiftly remove posts containing 'hate speech', inciting violence, or promoting 'anti-democratic acts' as soon as flagged, without requiring a court order. Rumble was forced to block Brazilian users due to censorship demands; X/Twitter was blocked by Brazilian ISPs in 2024 (with fines threatened for VPN-using Brazilians) until X complied with censorship demands. WhatsApp and Telegram were previously banned for similar reasons. |
No bans | Not currently, but bans possible: In 2024, VPN apps were banned from the Apple App Store and Play Store and people found using a VPN to access X could be prosecuted and fined. These restrictions have since been lifted. This ban was enacted by Supreme Court Justice Alexandre de Moraes rather than through legislation, meaning such a VPN ban can happen again at any time. |
Age verification: The Law No. 15,211/2025 ("ECA Digital" or "Felca Law") requires mandatory age verification for all digital platforms (including websites, apps, app stores, operating systems) with regard to 'inappropriate' content (e.g. sexual content, harassment, violence, self-harm, gambling). Since 2026, Apple requires age verification to install age-restricted apps on iOS. Platforms must use reliable methods such as government-issued ID or biometric verification to verify the age; self-declaration of age is explicitly prohibited. |
None | No bans | Yes (12 months): Mandatory retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (call records, SMS metadata, location history) for 1 year. |
Yes, must register with official ID | May need Google or Apple account & device: Browser login to gov.br works with password + OTP, but for many sensitive tasks including digital signatures and tax filings a "Gold" status on gov.br is needed. This is usually attained through the gov.br Android/iOS app. An alternative is purchasing a digital certificate stored on a computer or smartcard, but these cost R$50–300/year, expire after 1–3 years, and require an in-person or video call identity validation appointment, making them very inconvenient compared to the smartphone app. The gov.br Android app uses Play Integrity and is only available from Google Play, requiring a Google account and unmodified Android (incompatible with GrapheneOS or LineageOS, which fail Play Integrity). |
Narrow statutory exceptions: Exceptions are limited to those expressly listed in statute (quotation, private copying for personal use, etc.), with interpretation strictly applied. |
| India 🇮🇳 Last updated: 2026.01.02 |
Severe limitations of speech: Illegal speech includes vaguely defined 'hate speech' (Penal Code §153A, Karnataka Hate Speech and Hate Crimes (Prevention) Bill 2025), insulting religions (Penal Code §295A & §298), contempt or exciting disaffection against the government (Penal Code §124A), damaging public order or friendly relations with foreign states, damaging 'decency or morality', incitement to an offense (all Constitution §19(2)), and activities that threaten the sovereignty or integrity of India (Unlawful Activities (Prevention) Act). |
Widespread censorship: §69A of the Information Technology Act 2000 allows the government to block public access to any information in the interest of sovereignty, integrity, national security, friendly relations with foreign states, or public order. The IT Ministry can make content-blocking orders to social media companies (e.g. X was ordered to block thousands of accounts in 2025) and ISPs are frequently ordered to block websites (e.g. a court ordered the blocking of Protonmail in 2025). In September 2025, Karnataka High Court held that X, as a foreign entity, cannot claim protection under India's constitutional guarantee of free speech, reinforcing the state's authority to compel online platforms to remove speech. |
Yes (backdoor on demand): §69 of the Information Technology Act 2000 and Constitution Article 19(2) have been interpreted by courts to empower the government to order decryption and interception of any message. In 2023, 14 apps offering E2EE messaging were banned, though the government has not provided a clear legal framework or blocking orders. WhatsApp and other companies have so far resisted backdoor demands. |
Not banned, but restrictions: VPN servers located in India must collect and retain user data, but there is no ban on VPN use otherwise. |
No | Yes: §69 of the Information Technology Act 2000 empowers the government to compel assistance in decrypting information from "any subscriber or intermediary or any person in charge of the computer resource". Failure to comply is punishable by up to 7 years' imprisonment and/or a fine. |
No bans | Yes (12 months): Mandatory retention of ISP metadata (IPs, connection logs, browsing history) and telephony metadata (including mobile phone locations) for 1 year. |
Yes, must register with official ID | Platform-agnostic, can use browser + OTP: Browser login to DigiLocker or Aadhaar works with password + SMS OTP, and no Android/iOS app is required for authentication. However, a mobile phone is required to receive SMS OTPs. |
Fair Dealings: Numerous prescribed purposes (research, criticism, review, news reporting, education, judicial proceedings) are allowed, but uses outside these are not: more flexible than in Europe but not as broad as US fair use. |
| China (P.R.) 🇨🇳 Last updated: 2025.10 |
Severe limitations of speech: Illegal speech includes vaguely defined 'hate speech' (inciting hatred or discrimination among nationalities or harming national unity), injuring the reputation of state organs (effectively capturing any criticism of the government), 'harming national unification' (e.g. arguing for the independence of Taiwan, Hong Kong, Macao, Tibet, or Xinjiang), disinformation or 'distorting the truth', 'destroying the order of society', and criticising socialism. |
Pervasive censorship: The Great Firewall of China blocks a large number of websites and apps, including Google, YouTube, WhatsApp, Facebook, Instagram, X, Snapchat, Pinterest, Wikipedia, Dropbox, and Signal. Content on the Chinese Internet is highly regulated and subject to a strict censorship regime. The government employs various methods, such as IP blocking, keyword filtering, and deep packet inspection, to enforce these restrictions. |
Yes (banned w/o backdoor): China has no explicit law outright banning E2EE, but authorities have banned encrypted apps and expressed disapproval of encryption that limits data access. International E2EE apps such as WhatsApp and Signal are blocked. The Cryptography Law 2020 grants state agencies full access to cryptographic systems and decryption keys, effectively nullifying private encryption. E2EE services without government decryption access are essentially banned or heavily restricted. |
Mostly blocked, use is illegal: VPNs must be government-approved and must identify users and keep logs. VPN apps have been forced off app stores. High fines and prison terms can be imposed on VPN users. VPN connections are actively blocked using deep packet inspection. |
Real-name system: China mandates online real-name registration whereby users must provide official ID credentials to access most Internet services. The 2025 national Internet ID system builds on this by introducing a government-issued digital credential that centralises authentication across platforms, linking government databases with online activity. |
De jure no, de facto maybe: De jure there is no key disclosure requirement; however, China gives law enforcement significant powers and prioritizes its ability to compel decryption and access to data even if this means compelled disclosure of passwords or encryption keys in practice. Refusal to unlock a device or decrypt data is likely to be met with significant pressure, including detention, interrogation, accusations of obstructing justice, or charges under laws like the Anti-Terrorism Law or National Security Law. |
Banned: The People's Bank of China issued a ban on all crypto activities, including trading, mining, and individual ownership, effective from June 2025. The Chinese government aims to centralise financial control through its state-backed digital yuan (CBDC) and eliminate decentralised crypto assets. |
Yes (6 months): Mandatory retention of ISP metadata (such as IPs, connection logs, or browsing history), email and telephony metadata (including mobile phone locations) and even VPN logs for 6 months. |
Yes, must register with official ID | Cross-platform, but mobile OS only: For government tasks requiring strong authentication, a smartphone is effectively mandatory because the primary methods rely on smartphone apps such as NNIA, CTID, WeChat, and Alipay, with no straightforward alternatives for desktop PCs or dumbphones. While some government portals have web interfaces, strong authentication often requires scanning a QR code with a mobile app like WeChat or Alipay, or using facial recognition/biometrics tied to a phone. Despite all this, Android phones sold in China are "degoogled" and you don't need Play Store or a Google account to download the apps; it is likely to work on FOSS Android distributions such as GrapheneOS or LineageOS. HarmonyOS phones are also supported and, while proprietary, can be used without a Huawei account. |
Narrow statutory exceptions: Very limited statutory exceptions; general fair use does not exist. Use usually only allowed for research, personal use, or narrow educational purposes. |
| Japan 🇯🇵 Last updated: 2025.12.02 |
Strict defamation laws: Nominally there are very few restrictions on speech; however, defamation laws are very strict, and insults and damaging someone's reputation can be prosecuted (Japanese defamation laws do not require the statement to be false; even true statements that harm someone's reputation can lead to legal consequences, unless disclosing the statement is in the public interest). |
Selective censorship: Court-ordered site blocks mainly target piracy websites, especially those relating to manga and anime. However, this is usually applied to high-profile sites, not as a blanket censorship policy. A court ruling from 11/2025 held CDN providers liable for indirectly hosting copyrighted material, setting a dangerous precedent. |
No bans | No bans | No | None | No bans, but restrictions: Monero has been delisted from most CEX for Japanese users due to KYC and other regulations, even though it's not banned per se. |
No, but proposed: As of March 2025, Japan’s data protection laws are under review. However, the legislative outcome is unclear. |
Yes, except data-only SIMs | Cross-platform, but proprietary OS only: Some tasks requiring strong authentication require either the mobile Mynaportal app for Android/iOS/Windows/macOS, or a compatible USB card reader for the desktop app. While the smartcard reader requires an upfront purchase, everything can be done without a smartphone. However, on Linux only browser access is offered, making some tasks such as digital signing impossible; a proprietary OS or smartphone is therefore required. The Mynaportal Android app appears to work on non-stock Android systems such as LineageOS or GrapheneOS, but it requires Play Services / microG and is only available on the Play Store (requiring a Google account; Aurora Store can work as an unsupported workaround). |
Very restrictive copyright law: Use allowed only for narrowly defined statutory exceptions such as quotation, certain educational use, and news reporting. No general fair use exception and generally very strict jurisprudence: people have been jailed for transcribing a film to text, distributing modified game save data, or using or creating software that can bypass DRM (Digital Restrictions Management). |
*^ In many countries, law enforcement is explicitly permitted to install malware ("state trojan", "equipment interference") in order to remotely access a suspect's devices, circumventing the need to break encryption or force disclosure of passwords. This is legal in at least the USA, Australia, UK, Germany, France, Italy, Switzerland, Russia, and China; possibly most countries in practice. In most countries the police are even allowed to secretly enter a suspect's home in order to physically install malware.
Colour guide:
No, not restricted, as good as it gets
No, not restricted for now but such laws are being planned at the moment
Restrictions only apply partially or indirectly; "No, but..."
Yes, restrictions apply but are limited in scope; "Yes, but..."
Yes, restrictions apply
Yes, restrictions apply and are very severe or wide in scope
Of course I'd love to compare as many countries as possible, but it's a lot of work. Not only the initial research but especially keeping everything up to date and being aware of new developments and law proposals. Therefore, I do not currently plan to add any more countries myself. However, if you want to add another country, I'd be happy to include your contribution:
Despite the ever-present moaning about the US allegedly slipping into tyranny or the (merited) worries that every byte of data on American servers can be accessed by the NSA and CIA, the legal protections in the US are still the strongest of all the countries I looked at and probably worldwide. There are always some ifs and buts, for example the age verification that's now mandatory in many US states (but not federally), but overall the US does quite well, with the biggest relative strength being free speech. Other countries with a high degree of freedom in the digital realm are Canada, Iceland, and Japan. Unsurprisingly, China is the least free. But it's also very disappointing to see how "red" many Western countries appear, especially when you consider all the further restrictions that are currently proposed or in preparation. Interestingly, censorship in Western countries happens indirectly, by forcing private companies to do the censoring and blocking (cf. NetzDG, OSA) so that the lawmakers can keep pretending that it's not real censorship.
It's hard to quantify the table above, but I have attempted it.
Methodology
Step 1: Assign the colours from the table to the following values:
Step 2: Weigh the columns. This is also subjective but I went with these percentages:
Step 3: Calculate the index as the sum-product of the column weights and colour values.
Step 4: Normalise the index so that China has an oppression index of 1.
The result - excluding proposed laws - looks like this:
| Country | Oppression Index |
| --- | --- |
| Mostly free (for now) | |
| USA | 0.10 |
| Decent (but at risk) | |
| USA - states with age verification laws | 0.21 |
| Japan | 0.22 |
| Canada | 0.31 |
| Iceland | 0.31 |
| Switzerland* | 0.34 |
| Norway | 0.42 |
| Restricted (and getting worse) | |
| Brazil | 0.58 |
| Italy | 0.60 |
| India | 0.63 |
| Germany | 0.64 |
| France | 0.68 |
| Unfree (avoid if you can) | |
| UK | 0.77 |
| Australia | 0.78 |
| Russia | 0.83 |
| Totalitarian (the frog has been boiled) | |
| PR China | 1.00 |
*would increase to 0.36 with the planned smartphone-only digital ID
There is not much we can do as individuals, ultimately. Maybe those of us who are lucky enough to live in a democracy need to vote harder next time or sign another petition :^) Even when the noose gets tightened more and more, we should always try to opt out of government and corporate overreach wherever we still can. And make no mistake: even though Big Tech companies sometimes make a stand against the most malicious laws, that doesn't automatically make them the "good guys" either.
I will block all ads
I will block all trackers
I will reject all cookies
I will not subscribe to your newsletter
I will not download your app
I will not sign up or sign in
I will not enable DRM
I will bypass your paywall
I will not share my location
I will not hand out my phone number
I will not verify my identity or confirm my age
I will not solve your captcha
I will not turn off my VPN
I will disable telemetry
I will refuse remote attestation
I will only use free software
I will not make a Google, Apple or Microsoft account
I will encrypt everything
I will pay in cash or Monero wherever possible
I will strive to have as little of the fruits of my labour stolen through taxation as is legally possible
And finally, I will exercise my God-given right to unrestricted free speech to speak boldly and truthfully against tyrannical governments and other authoritarian powers.
Simple as.