Global Surveillance Trends 2025: Who's Watching, Who's Fighting Back

Global internet freedom has declined for 15 consecutive years. China and Myanmar score 9 out of 100. Mexico just mandated biometric ID for all citizens. Russia now fines people for using VPNs to read banned content. The EU is reviving mass data retention. India opened its 1.4 billion-person biometric database to private companies. And somewhere, your government is probably watching.

But not everywhere. Switzerland still protects privacy constitutionally. Iceland shields whistleblowers. Estonia built digital identity without centralized surveillance. The world is splitting—some countries building unprecedented surveillance infrastructure, others strengthening privacy rights. Your location determines which side you're on.

The Global Picture

15

Consecutive years of declining global internet freedom [1]

80%+

Of global population covered by some data privacy law [2]

€6.72B

GDPR fines issued since 2018 [2]

86B

Digital ID verification checks projected in 2025 [3]

According to Freedom House's 2025 report, internet freedom deteriorated in 27 countries this year. Kenya dropped 6 points. Venezuela dropped 4. Georgia dropped 4. The authoritarians are winning. [1]

The Worst: Where Privacy Goes to Die

China & Myanmar: Tied at the Bottom (Score: 9/100)

China maintains the world's largest and most sophisticated mass surveillance system. As of 2019, over 200 million CCTV cameras watched Chinese streets—four times as many as the United States. The five most surveilled cities in the world are all Chinese. [4]

China's Surveillance Arsenal

  • Facial recognition: Cameras scan crowds in real-time, matching against databases
  • Social credit system: Tracks behavior, restricts travel for low scores
  • WeChat monitoring: One app handles chat, payments, ID, government services—all logged
  • Public shaming: Jaywalkers' faces displayed on billboards in Shenzhen
  • Flight bans: 17+ million people banned from flying by 2018 due to low social credit

If you're blacklisted, you can't fly, take high-speed trains, stay in good hotels, or send your children to prestigious schools. Facial recognition projects your face on billboards when you jaywalk. [4]

Russia: Building the Digital Iron Curtain

Russia's surveillance has intensified since the 2022 Ukraine invasion. The 2019 "Sovereign Internet" law installed state-controlled hardware on all ISP networks, giving censorship agency Roskomnadzor direct power to filter, slow, and block traffic. [5]

2025 Developments:

  • VPN criminalization: New law passed July 2025 fines citizens 3,000-5,000 RUB (~$38-64) for using VPNs to access banned content—the first time Moscow penalizes consuming (not just distributing) banned material [5]
  • Search monitoring: Systems like Vepr and Oculus automatically detect requests for "extremist" content [5]
  • Cloudflare blocked: Cut off access to vast swathes of the internet [5]
  • SORM system: Since 1995, requires telecom operators to install FSB hardware for warrantless monitoring [6]

Half of Russia's population doesn't know how to use VPNs. Authorities are making sure the other half pays for trying.

Middle East: Pegasus and Beyond

Israel's NSO Group developed Pegasus spyware, which can remotely install on phones and extract everything—messages, calls, location, camera, microphone. Israel uses Pegasus licenses as diplomatic currency, approving sales to countries it wants something from. [7]

Key clients:

  • Saudi Arabia: Crown Prince MBS personally called Netanyahu to restore Pegasus access after it was revoked following Khashoggi's murder. Khashoggi's fiancée's phone was infected 4 days after his assassination. [7]
  • UAE: Used Pegasus to spy on Yemen's internationally recognized government, including the president and his family [7]
  • Bahrain, Morocco, Azerbaijan: All documented Pegasus clients with histories of surveilling dissidents [7]

The leaked Pegasus Project database contained 50,000 phone numbers concentrated in Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and UAE. [7]

India: 1.4 Billion Biometric Records, Now Open to Business

Aadhaar is the world's largest biometric database—1.4 billion people's fingerprints, iris scans, and photos linked to a 12-digit number used for everything from banking to government benefits. [8]

January 2025: India opened Aadhaar to private companies—e-commerce, travel, hospitality, healthcare can now verify identities against the biometric database. No guardrails defined against misuse. [8]

The problems:

  • Multiple mass data breaches—850 million records leaked to dark web in October 2023 [8]
  • 49% biometric failure rate in Jharkhand state—failed matches mean denied benefits [8]
  • New data protection rules (November 2025) give government immediate powers, delay citizen rights until mid-2027 [8]
  • 50+ organizations launched "Beware of Aadhaar" campaign warning it's "not a model to emulate" [8]

Countries including Kenya, Nigeria, Uganda, and the UK are considering Aadhaar-style systems. Big Brother Watch warns Britain's "Brit Card" plan would "make Britain less free." [8]

Africa: $1 Billion/Year on Surveillance

Nigeria, Ghana, Morocco, Malawi, and Zambia alone spend over $1 billion annually on surveillance technology. Nigeria has spent at least $2.7 billion over a decade. [9]

Chinese "Safe City" systems:

  • Nairobi was Africa's first Huawei Safe City deployment (2014)—1,800 HD cameras, national police command center [9]
  • Now in Egypt, Nigeria, South Africa, and 12+ other African countries [9]
  • Kenya's Konza Data Center: $665.4 million deal with China, $172.5 million from Huawei [9]

The promised benefits? Unverified. Huawei claimed 46% crime reduction in Kenya from 2014-2015. Actual police data showed smaller reductions. By 2017, Nairobi's crime rates exceeded pre-installation levels. [9]

What's documented: surveillance used to "single out citizens for harassment, detention and torture for expressing opposing views." In Nigeria, a pharmacist was jailed 3 months without trial for a social media post criticizing the president. [9]

Latin America: Mexico's Biometric Dystopia

On July 18, 2025, Mexico signed mandatory biometric digital ID into law—what critics call "the most comprehensive citizen surveillance apparatus in the Western Hemisphere." [10]

What it requires:

  • Every citizen must register fingerprints, facial scans, and iris patterns
  • Data encoded into QR codes that government and private businesses can scan
  • Creates "a portable surveillance device that citizens are legally required to carry" [10]

Brazil, Argentina, and Colombia are watching closely. The World Bank and IMF praised Mexico's system as a model. If it succeeds without international consequences, expect similar systems across Latin America within five years. [10]

Brazil already has facial recognition in 40 cities. Argentina's fugitive facial recognition system was suspended after collecting biometric data on thousands of innocent people. [11]

The Best: Where Privacy Still Exists

Switzerland: Constitutional Protection

Article 13 of the Swiss constitution guarantees privacy rights. The Federal Data Protection Act (FADP) provides robust legal protections. Swiss banking secrecy, while weakened internationally, reflects a cultural commitment to privacy that extends beyond finance. [12]

Switzerland is not an EU member and maintains independent data protection standards often exceeding GDPR requirements.

Iceland: Digital Rights Hero

Iceland has made itself "a global hero for digital rights" with: [12]

  • Low surveillance
  • Strong whistleblower protections
  • The Icelandic Modern Media Initiative (IMMI)—laws creating a safe haven for freedom of information
  • Focus on keeping information out of wrong hands

Germany: GDPR Plus

Germany doesn't just follow GDPR—it often goes beyond. German courts consistently prioritize user rights. Public awareness of surveillance is high, shaped by memories of both Nazi and Stasi surveillance. [12]

Germany has historically resisted centralized digital ID systems and maintains strong restrictions on biometric data collection.

Estonia: Digital ID Done Right

Estonia proves digital identity doesn't require mass surveillance: [12]

  • Decentralized data exchange (X-Road) ensures personal data isn't stored in single locations
  • Secure digital ID enables encrypted transactions
  • Citizens can see exactly who accesses their data and when
  • Government transparency, not government surveillance

Nordic Countries

Finland: Data privacy treated as human right. GDPR strictly enforced. Clear limitations on data collection.

Norway: GDPR-equivalent protections via EEA membership, built on strong pre-existing Personal Data Act.

Sweden: BankID considered one of the world's most secure digital identification systems. Strong commitment to data privacy.

Key Global Trends in 2025

1. Data Retention Revival

European governments are reviving mass data retention after courts struck down previous laws for treating everyone as a potential suspect. [13]

New proposals include:

  • Up to 1 year retention across internet services
  • Coverage of VPN providers, hosting companies, crypto traders, gaming platforms, ridesharing, e-commerce
  • Recording device serial numbers
  • Collecting "communication connection data"—who interacts with whom, when, how

The UK's Investigatory Powers Act ("Snooper's Charter") already requires 12-month retention of Internet Connection Records—websites visited, email headers, IP addresses. [13]

2. Encryption Under Attack

The Five Eyes alliance (US, UK, Canada, Australia, New Zealand), plus Japan and India, continue demanding encryption backdoors. [14]

Status:

  • Australia passed backdoor law in 2018—the first Five Eyes nation to do so
  • UK issued Apple backdoor orders (reports suggest possible retreat)
  • No other Five Eyes member has passed similar legislation yet
  • Security experts: "It's impossible to create an encryption backdoor that only law enforcement can take advantage of" [14]

3. Digital ID Explosion

Digital ID verification checks will hit 86 billion in 2025 (up from 75 billion in 2024). The biometric tech market will reach $85 billion by 2029. [3]

The convergence problem: Digital ID systems + central bank digital currencies + online surveillance laws + anti-anonymity measures = unprecedented infrastructure for monitoring and controlling human behavior. [3]

New mandatory biometric systems (2025):

  • Mexico (July 2025)—most comprehensive in Western Hemisphere
  • Australia's Digital ID Act (December 2024)—coincides with age verification laws
  • India's expanded Aadhaar access (January 2025)

4. AI Surveillance Amplification

AI makes existing surveillance exponentially more powerful:

  • Real-time facial recognition across thousands of cameras
  • Gait recognition (identifying people by how they walk)
  • Emotion detection (claims to read feelings from faces)
  • Predictive policing (flagging "suspicious" individuals)

The EU AI Act bans some uses (real-time facial recognition in public, emotion detection at work). Most of the world has no such restrictions.

5. Surveillance Technology Export

Countries with large defense sectors export surveillance tech worldwide, including to authoritarian regimes. Major exporters: China, Israel, US, Russia, European nations. [15]

China's role in Africa:

  • Huawei Safe City systems in 12+ countries
  • ZTE providing CCTV with facial recognition
  • Chinese loans funding surveillance infrastructure

Israel's role in authoritarian surveillance:

  • NSO Group's Pegasus sold to Saudi Arabia, UAE, Bahrain, Morocco
  • Used against journalists, activists, dissidents
  • Israeli Ministry of Defense approves sales as diplomatic tool

US State Privacy Progress

With no federal privacy law, US states are creating a patchwork. Eight new state privacy laws took effect in 2025, doubling the number in force. [2]

As of October 2025, 20 state-level comprehensive data privacy laws exist. States with laws effective in 2025: Iowa, Delaware, New Hampshire, Nebraska, New Jersey. Coming later: Tennessee, Minnesota, Maryland. [2]

Illinois's BIPA produced $650M Facebook settlement and $1.4B+ Texas settlements against Google and Meta. That's what happens when laws have teeth.

What's Actually Working

Laws That Produce Results

  • Private right of action: Citizens can sue directly (Illinois BIPA)
  • Meaningful fines: €6.72 billion GDPR fines since 2018
  • Clear prohibitions: EU AI Act banning real-time facial recognition
  • Constitutional protections: Switzerland's Article 13
  • Decentralized design: Estonia's X-Road preventing single points of failure

Laws That Don't

  • Guidance without enforcement: UK's facial recognition "guidelines"
  • Fines foreign companies ignore: Clearview AI's €100M+ unpaid European fines
  • Self-regulation: Voluntary compliance produces 11% CCPA compliance [2]
  • Rules on paper only: China's consent requirements with "national security" exceptions

Region-by-Region Summary

Region Privacy Trend Key Developments 2025
China Total surveillance 200M+ cameras, social credit, WeChat monitoring
Russia Rapidly deteriorating VPN fines, search monitoring, Cloudflare blocked
Middle East Authoritarian surveillance Pegasus expansion, no meaningful restrictions
India Expanding surveillance Aadhaar opened to private sector, delayed privacy rights
Africa Chinese-funded expansion $1B+/year spending, Safe City systems spreading
Latin America Biometric mandates Mexico mandatory ID, Brazil facial recognition in 40 cities
UK Expanding surveillance No FR law, 7M faces scanned, consultation to expand
EU Strongest protections AI Act bans, €6.72B GDPR fines, but data retention revival
US State-by-state chaos 20 state laws, no federal law, billion-dollar settlements
Switzerland/Iceland/Nordics Privacy leaders Constitutional protections, GDPR+, whistleblower haven

What You Can Do

Know Your Location's Laws

Protection depends on where you are. Research your country's data protection laws, biometric rules, and surveillance powers.

Use Encryption

End-to-end encrypted messaging (Signal), encrypted email (ProtonMail), VPNs where legal. Make surveillance harder.

Support Privacy Organizations

EFF (US)
noyb (Europe)
Privacy International (Global)
Freedom House (Global)

Political Pressure

Privacy laws exist where citizens demanded them. The EU didn't accidentally get GDPR. Contact legislators. Vote on privacy.

The Bottom Line

The world is splitting. On one side: China's social credit, Russia's VPN fines, Saudi Arabia's Pegasus, Mexico's mandatory biometrics, Africa's Chinese-funded Safe Cities. On the other: Switzerland's constitutional privacy, Iceland's whistleblower protections, Germany's court-enforced data rights, Estonia's transparent digital ID.

Global internet freedom has declined 15 straight years. The surveillance infrastructure being built today—biometric databases, AI-powered cameras, mandatory digital ID—will be extremely difficult to dismantle later. The choices made now determine whether privacy survives as a right or becomes a historical curiosity.

Your protection depends on your passport. For now. But borders are porous for data, and surveillance technology exports faster than privacy rights. The fight isn't just local anymore.

References

  1. Freedom House - 15th Consecutive Year of Decline in Global Internet Freedom
  2. Help Net Security - What 35 years of privacy law say about the state of data protection
  3. MyPrivacy Blog - Global Digital ID Systems Status Report 2025
  4. Wikipedia - Mass surveillance in China
  5. Human Rights Watch - Russia: Internet Blocking, Disruptions and Increasing Isolation
  6. Zona Media - New Russian law targets VPN usage
  7. Wikipedia - Pegasus (spyware)
  8. TechCrunch - India expands Aadhaar authentication for businesses
  9. IDS - African nations spending $1bn a year on surveillance
  10. MyPrivacy Blog - Mexico's Biometric Dystopia
  11. AlSur - Facial recognition and surveillance technologies in Latin America
  12. Privacy HQ - Data Privacy Rankings: Top 5 and Bottom 5 Countries
  13. Reclaim The Net - EU Revives Plan for Year-Long Data Retention
  14. HiveLife - Five Eyes, Japan & India Demand Encryption Backdoor
  15. EPIC - The Rise of Chinese Surveillance Technology in Africa
  16. Human Rights Watch - Azerbaijan's Surveillance Platform
  17. IDR Online - India's new data rules put the state above citizens