This week in surveillance: the U.S. Supreme Court ruled that short-term location tracking is a Fourth Amendment search. Citizen Lab confirmed Pegasus hit a Greek MEP who was investigating spyware abuses. India ordered WhatsApp to halt its username feature. EFF documents how Flock ALPRs are running against an ICE-populated immigration hotlist. DHS confirmed a breach of its HSIN information-sharing platform. Plus Google and the FBI dismantled a 2-million-device residential-proxy botnet, and the U.S. House passed a bipartisan children's online safety package. The week ahead: Illinois Governor Pritzker faces an HB 5511 veto decision, and the KIDS Act's Senate path looks narrow.

The Big Story: SCOTUS Extends Carpenter to Short-Term Location Tracking

On June 29, 2026, the U.S. Supreme Court ruled in Chatrie v. United States that people retain a Fourth Amendment-protected expectation of privacy in app-generated location data, and that "even short-term surveillance" can qualify as a search.[1] It is the first major digital-surveillance Fourth Amendment decision since Carpenter v. United States in 2018, and the ruling lands directly on the geofence-warrant mechanism Google has been compelled to answer.

Geofence warrants are dragnet orders that force companies (almost always Google) to hand over data on every device in a given area during a given window, without naming a suspect.[1] EFF, summarizing the ruling, notes the Court found location data can reveal "a wealth of detail about a person's familial, political, professional, religious, and sexual associations."[1] Justice Gorsuch's concurrence framed that data as the user's own, a kind of personal property entitled to constitutional protection.[1]

The procedural history makes the ruling feel overdue. A federal district court in Virginia held the warrant unconstitutional in 2022. The Fourth Circuit affirmed a "good faith" finding en banc in 2025. The Supreme Court did not reach whether this particular warrant was reasonable or whether good faith applied, and remanded to the Fourth Circuit.[1] The practical upshot: as of July 2025, mass geofence searches of Google users have been impossible.[1] Now the underlying warrant theory itself has been declared constitutionally deficient.

The ruling does not end government access to location data. Warranted, suspect-specific tracking remains available, and the good-faith defense survives for past warrants. But the categorical premise that "no one has a privacy interest in third-party records" (the third-party doctrine) just lost another big piece of ground. Expect prosecutors to test the new line in lower courts over the coming year.

Read more: SCOTUS rules on Chatrie: the EFF "victory" framing and the Gorsuch "personal property" angle.


Pegasus Hit the EU Lawmaker Investigating Spyware Abuses

Citizen Lab confirmed on July 3, 2026, that former Member of the European Parliament Stelios Kouloglou was infected with Pegasus spyware while sitting on the Parliament's PEG-A committee, the body created to investigate the use of Pegasus and equivalent surveillance spyware against EU citizens.[2] The forensic finding: high-confidence infection on October 21, 2022, with additional Apple threat notifications fired on March 2, 2023, August 29, 2023, and April 10, 2024.[2]

The attack used the PWNYOURHOME zero-click exploit against Kouloglou's iPhone. Citizen Lab observed, in their words, that "On 2022-10-21 10:16, there was a lookup for a HomeKit email address... Two minutes later, a Pegasus process used mobile data."[2] That is the kind of minute-level forensic detail that lets researchers attribute infections to specific campaigns rather than to "NSO Group generally."
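The minute-level pattern Citizen Lab describes (a HomeKit lookup, then an unfamiliar process using mobile data shortly after) is the kind of temporal correlation a forensic triage script can check for. The example below is added here and is not Citizen Lab's tooling; the key=value record layout, the sample records, the process allowlist and the five-minute window are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records for this example only; the key=value layout is an
# assumption for illustration, not the format of any real iOS forensic artifact.
LOOKUP_LOG = [
    "2022-10-21 10:14 lookup=example.com",
    "2022-10-21 10:16 lookup=homekit-user@example.com",  # HomeKit email lookup
    "2022-10-21 11:40 lookup=homekit-user@example.com",
]
DATA_USAGE_LOG = [
    "2022-10-21 10:15 proc=com.apple.mobilemail iface=cellular bytes=1200",
    "2022-10-21 10:18 proc=placeholder-proc iface=cellular bytes=5800",  # unknown process, 2 min later
    "2022-10-21 10:40 proc=placeholder-proc iface=cellular bytes=300",   # outside the window
    "2022-10-21 11:41 proc=com.apple.mobilesafari iface=cellular bytes=900",
]
# Processes expected to use mobile data on a healthy device (assumed allowlist).
KNOWN_PROCESSES = {"com.apple.mobilemail", "com.apple.mobilesafari"}


def parse(line):
    """Split 'YYYY-MM-DD HH:MM key=value ...' into (datetime, dict of fields)."""
    date, time, *fields = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    return ts, dict(f.split("=", 1) for f in fields)


def correlate(lookups, usage, window_minutes=5, known=KNOWN_PROCESSES):
    """Return (lookup_time, process, minutes_after) for each HomeKit lookup that is
    followed within window_minutes by cellular data use from a process not in known."""
    window = timedelta(minutes=window_minutes)
    usage_events = sorted((parse(l) for l in usage), key=lambda e: e[0])
    hits = []
    for lts, lfields in map(parse, lookups):
        if "homekit" not in lfields.get("lookup", "").lower():
            continue  # only HomeKit-related lookups start a correlation window
        for uts, ufields in usage_events:
            in_window = lts <= uts <= lts + window
            if in_window and ufields.get("iface") == "cellular" and ufields.get("proc") not in known:
                hits.append((lts, ufields["proc"], int((uts - lts).total_seconds() // 60)))
    return hits


if __name__ == "__main__":
    for ts, proc, mins in correlate(LOOKUP_LOG, DATA_USAGE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M}: HomeKit lookup, then {proc} used mobile data {mins} min later")
```

A hit is a lead for deeper review of the flagged process, not an infection verdict on its own; Citizen Lab's attribution rests on many more artifacts than this one pairing.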

Citizen Lab is not blaming any specific government yet. The report says it has "no indications that the Greek Government is responsible" and notes the campaign overlaps with a previously identified cluster targeting Russian and Belarusian-speaking exiled journalists and activists in Europe.[2] The implication is that the Pegasus customer behind these infections holds authorization to operate across multiple European countries, and that the parliamentary committee investigating Pegasus abuse was itself inside the targeting zone.

For EU digital-rights advocates the timing is brutal: the PEG-A committee was supposed to be the institutional answer to commercial spyware. The forensic confirmation that its members were under surveillance while doing the work is a stress test for both the committee's mandate and the EU's export-licensing regime for cyber-surveillance tools.


India Orders WhatsApp to Halt Its Username Rollout

India's Ministry of Electronics and Information Technology (MeitY) has ordered Meta-owned WhatsApp to pause the global rollout of a feature that lets users communicate without sharing their phone numbers. The ministry set a three-day deadline from a July 1, 2026, letter and cited phishing and "digital arrest scams" as the justification.[3] India is WhatsApp's largest market, with more than 850 million users in the country.[3]

The Internet Freedom Foundation called the move "regulatory overreach" with no clear legal basis, framing it as the same playbook India used in 2024 to gatekeep AI deployments.[3] The pattern matters: a state turning intermediary rules against a privacy-improving product. Phone-number-free contact reduces the data WhatsApp has to share with law enforcement and the data brokers who feed them. India's complaint is that the same change makes impersonation easier to scale.

WhatsApp's response, per The Register, includes reserving high-profile usernames for legitimate entities, blocking lookalike derivatives, limiting new-contact rates, and adding warnings when strangers message users.[3] The company has roughly 3 billion users worldwide, so any compliance carve-out for India is effectively a global product decision.

The fight is a clean case study in how intermediary-liability regimes can be turned against privacy features. India's concern (impersonation) is real. Its remedy (blocking the feature entirely) is the maximum-cost option for users who wanted the privacy upgrade.


Flock Cameras Are Running Against an ICE-Populated Hotlist

EFF published on June 25, 2026, a detailed account of how local police departments using Flock Safety automated license plate readers (ALPRs) can subscribe to an FBI NCIC topic called "Immigration Violator" that is populated exclusively by ICE.[4] When a scanned plate matches, the local agency gets an alert and may contact ICE or act under 287(g) agreements, even where local policy or state law prohibits using the agency's cameras for immigration enforcement.[4]

EFF names specific departments. Blue Island PD in Illinois and Sparks PD in Nevada have the Immigration Violator hotlist enabled. Baraboo PD (Wisconsin), Boonsboro PD (Maryland), Elmira PD (New York), Franklin Township PD (New Jersey), Medford PD (Oregon), New Braunfels PD (Texas), Oro Valley PD (Arizona), Quincy PD (Massachusetts), Reno PD (Nevada), Roselle PD (Illinois), and Sterling PD (Illinois) use NCIC hotlists but have the immigration file turned off.[4] Abington PD (Massachusetts) and Akron PD (Ohio) denied EFF's records requests about the setting.[4]

Records on the hotlist can include plates tied to administrative warrants issued without judicial review. Flock states that ICE itself does not receive the alerts and that agencies add or remove plates locally, while the FBI curates the NCIC list and pushes it out.[4] EFF's point is that the procedural distance between an ALPR hit and an ICE encounter is thinner than the company suggests, and that local departments are quietly enrolling in federal immigration enforcement through a settings dropdown.

The same week, Bruce Schneier surfaced a 2024 Flock internal presentation describing a "Vehicle Fingerprint" mode that identifies cars without readable plates, using decals, bumper stickers, roof and back racks, and unique state tags, plus a "multi geo search" to find vehicles believed to be moving together.[5] The two stories together sketch the next expansion of ALPR coverage: not just more cameras, but cameras that no longer need a plate at all.

Read more: 287(g) program explosion: how local police are quietly enrolling in federal immigration enforcement.


Two Surveillance-Infrastructure Hits: DHS HSIN Breach and the NetNut Takedown

DHS confirmed on July 1, 2026, that hackers breached the Homeland Security Information Network (HSIN), the platform DHS uses to share sensitive-but-unclassified information with federal, state, local, international, and private-sector partners.[6] A DHS spokesperson said the department is "aware of a recent cyber incident involving a specific, unclassified legacy information sharing environment," and that the breach is believed to have occurred between late May and early June 2026.[6] HSIN and a SharePoint system used for collaboration were targeted. Classified networks were not impacted. The system remains operational.[6]

The number of affected users and whether documents were exfiltrated has not been disclosed.[6] What makes HSIN different from a typical enterprise breach is the user base: state and local officials, fusion-center analysts, and private-sector threat-sharing partners. A foothold in HSIN is a foothold in the homeland-security partner network, and the breach window covers the period when several federal immigration-enforcement tools were being rolled out at scale.

On the offensive side, a joint operation involving Google, the FBI, Lumen Technologies, The Shadowserver Foundation, and Mandiant disrupted NetNut, a paid residential-proxy service that routed malicious traffic through hijacked home IP addresses.[7] At least 2 million devices globally (Android devices, smart TVs, streaming boxes) were infected, often through pre-installed malware or trojanized apps associated with the Badbox 2.0 operation.[7] In one week of observation last month, Google's Threat Intelligence Group logged 316 distinct threat clusters using NetNut exit nodes.[7]

The disruption also targets NetNut's reseller program, which supplies capacity to many competing proxy services.[7] It is the second takedown in Google's 2026 residential-proxy campaign, following IPIDEA earlier in the year.[7] For users, the message is concrete: the "smart" device on your living-room shelf may already be a paid node in someone else's cyberattack.


Age Verification Week: Illinois HB 5511 and the House KIDS Act

EFF asked Illinois Governor J.B. Pritzker on June 29, 2026, to veto HB 5511, a device-level age-gating bill modeled on California's AB 1043 and New York's Stop Addictive Feeds Exploitation (SAFE) for Kids Act.[8] The bill would require platforms to collect and share users' ages and would require "verifiable parental consent" for features like personalized feeds and overnight notifications for youth.[8] EFF argues the bill would dismantle online anonymity, jeopardize data security, restrict protected speech for young people and adults, cut off lifelines for vulnerable youth in non-traditional families, and pose an existential threat to the open-source ecosystem.[8]

EFF's sharpest line: Illinois is copying California and New York "before either law has even gone into effect, been tested in court, or proven functional," which EFF calls "premature, economically risky, and legally wasteful."[8] Pritzker's veto window is the next inflection point.

On the federal side, the U.S. House passed the Kids Internet and Digital Safety (KIDS) Act, H.R. 7757, on June 30, 2026, by a 267-117 vote.[9] The package bundles the SCREEN Act (age verification for sites with majority pornographic content), KOSA (design codes and platform safety duties), the SPY Kids Act (product research on minors), the Safer GAMING Act, the SAFE BOTs Act (chatbot-specific rules), the Safe Social Media Act, the No Fentanyl on Social Media Act, COPPA 2.0, and a Data Broker Disclosures title that requires brokers holding minors' data to register with the FTC.[9]

Tech Policy Press reports the Senate outlook is "dim." August recess and the 2026 midterms leave little legislative time, and the White House is working with Senator Marsha Blackburn on a separate Senate package that may pair KOSA with the NO FAKES Act and the App Store Accountability Act.[9] Watch for floor scheduling moves before recess.

On the technology side, Google open-sourced a Zero-Knowledge Proof (ZKP) age-assurance library on July 3, 2025 (the post was re-surfaced this week), building on its partnership with Sparkasse to support EU age assurance, with EU member states able to plug the library into EUDI Wallets under eIDAS 2026.[10] ZKP lets a user prove they are over 18 without disclosing additional personal data.[10] It is the privacy-preserving alternative the age-verification debate has been missing.


Consumer Privacy Fights: EFF Asks FTC to Keep the X Consent Decree

EFF, Demand Progress Education Fund, the National Consumers League, and EPIC filed a joint petition on July 2, 2026, asking the FTC to reject X Corp.'s bid to set aside the 2022 consent decree that arose from the platform's earlier privacy violations.[11] The coalition cited two specific developments: X integrated its Grok AI model in 2024 and trained it on user data without meaningful consent, and a massive X user data breach occurred in 2025.[11] Their legal argument: FTC orders bind the corporate entity and do not dissolve with personnel changes or rebrands.[11]

The X case sits at the intersection of two recurring beats on this site: AI training data and breach accountability. A successful waiver would let a company treat an FTC consent decree as a one-time reputational hit rather than an enforceable compliance regime.

On a lighter (but instructive) note, Bruce Schneier surfaced a Papa Johns pilot with NBCUniversal and Instacart that builds a custom audience predicting when customers will run out of groceries and pushes "Light on groceries?" ad creative.[12] The platforms deliberately mis-predict, Schneier notes, to avoid being "too creepy."[12] Surveillance-based advertising is now a normal product decision in consumer marketing; the only open question is how visibly to disclose it.

Separately, EFF published on July 2, 2026, a step-by-step Q&A for LGBTQ+ users on how to wipe online data that points to queer identity.[13] The guide covers Privacy Badger, password managers and two-factor authentication, phone advertising ID removal on Android and iPhone, the California Privacy Protection Agency's deletion tool, EasyOptOuts and Optery for data-broker opt-outs, and Google's "Results about you" page (with the caveat that it removes from Google search results, not the underlying internet).[13] Categories of data to review include names, nicknames, handles, avatars, addresses, phone numbers, emails, photos showing home or workplace, and family-member details held by data brokers.[13]


AI Deepfakes Beat the Real Thing on Authenticity

A study published in PLOS One and reported by 404 Media on July 1, 2026, found that AI-generated impersonations of 112 UK public figures were rated by 948 participants as more authentic, coherent, and relevant than the actual responses the figures gave on BBC's Question Time.[14] The study used GPT-4 Turbo, prompted to mimic individuals based on their Wikipedia biographies and transcripts from the show.[14]

The result is text-only (no voice cloning, no avatar synthesis), but the implication is broader. If a generic large language model prompted from public sources can already beat a real politician's answer on perceived authenticity, the cost of producing "more believable than reality" content at scale is approaching zero. The relevant policy fights are no longer about single viral deepfakes; they are about the default credibility floor of political communication.


The Week Ahead

Several inflection points land in the next seven days:

  • Illinois HB 5511 veto decision. Governor Pritzker faces a window to sign or veto the device-level age-gating bill. EFF has formally urged a veto.[8]
  • KIDS Act in the Senate. The House-passed children's-online-safety package heads to a Senate where the August recess and 2026 midterms leave little legislative time.[9] Floor scheduling moves before recess will signal whether the package has any realistic path.
  • FTC response to the X Corp. waiver petition. The EFF coalition's July 2 filing asks the FTC to keep the 2022 consent decree in force through 2042.[11] Watch for FTC procedural action (a scheduling order, a public comment extension, or a denial).
  • Citizen Lab PEG-A follow-ups. The forensic confirmation that Pegasus hit a sitting PEG-A committee member will pressure the European Parliament's response. Expect formal committee statements or requests for government attribution evidence.
  • HSIN breach disclosure updates. DHS has confirmed the incident but not the scale or the data accessed.[6] Congressional oversight and inspector-general reviews are the likely next steps.
  • Local records requests on Flock NCIC topics. EFF's records-request template gives readers a concrete way to ask their local police department whether the "Immigration Violator" hotlist is enabled.[4] New departments confirming or denying the setting are worth tracking.

Sources

  1. EFF Deeplinks: "Victory! Supreme Court Says Constitution Protects People's Location Data" (June 29, 2026)
  2. Citizen Lab: "Member of Committee Investigating Spyware Hacked with Pegasus" (July 3, 2026)
  3. The Register: "India gives WhatsApp three days to defend username rollout amid security fears" (July 2, 2026)
  4. EFF Deeplinks: "Are Your Local Police Using Flock Safety ALPRs to Scan for Immigrants?" (June 25, 2026)
  5. Schneier on Security: "Flock Cameras Can Surveil Cars Without License Plates" (July 3, 2026)
  6. BleepingComputer: "DHS confirms hackers breached HSIN info-sharing platform" (July 1, 2026)
  7. BleepingComputer: "NetNut proxy network disrupted, 2 million infected devices cut off" (July 3, 2026)
  8. EFF Deeplinks: "EFF to Gov. Pritzker: Veto Illinois HB 5511" (June 29, 2026)
  9. Tech Policy Press: "Bipartisan Smorgasbord of Children's Online Safety Legislation Passes the House" (June 30, 2026)
  10. Google Blog: "Opening up zero-knowledge proof technology to promote privacy in age assurance" (July 3, 2025)
  11. EFF Deeplinks: "EFF and Allies: X's FTC Petition to Waive Privacy Violation Order Should Be Rejected" (July 2, 2026)
  12. Schneier on Security: "Papa Johns Surveillance-Based Advertising" (July 4, 2026)
  13. EFF Deeplinks: "LGBT Q&A: How Can I Wipe Online Data That Points To My Queer Identity?" (July 2, 2026)
  14. 404 Media: "AI Impersonations of UK Public Figures Rated More Authentic Than the Originals" (July 1, 2026)