TL;DR:
- DHS funding expires tonight. Senate Democrats blocked the Homeland Security bill over ICE reform demands. A partial shutdown hits Saturday. TSA workers stop getting paid, CISA cyber monitoring gets disrupted, and FEMA disaster response slows down.
- Disney just paid the largest CCPA fine in California history. $2.75 million for refusing to actually stop selling your data when you clicked "opt out." Their toggles only applied to one device at a time. The AG's office called it deliberate.
- The SAFE Act officially dropped today. Durbin and Lee's bipartisan bill would require warrants before the government searches Americans' communications under FISA 702. 66 days until the surveillance authority sunsets.
- ICE's facial recognition app can't actually identify people. Techdirt reports Mobile Fortify gave two different wrong names for the same person in one encounter. ICE and CBP deployed it anyway, without required privacy assessments.
- Apple patched a zero-day used in state-sponsored attacks. Google's Threat Analysis Group found CVE-2026-20700. If you haven't updated your iPhone, do it now.
DHS Shuts Down Tonight. Here's What That Means for Surveillance.
The Department of Homeland Security runs out of money at midnight. Congress kept DHS funded only through February 13 (a deadline set after the fatal shootings of Alex Pretti and Renee Good during ICE operations), and negotiations have collapsed.
Senate Democrats blocked the Homeland Security spending bill on February 12, demanding ICE reforms: mandatory body cameras, a ban on masked agents, third-party warrants to enter homes, and restrictions on roving metropolitan patrols. House Speaker Mike Johnson called the demands "non-starters." The White House isn't budging either.
More than 90% of DHS's 272,000 employees will keep working through a shutdown, but many won't get paid. The practical impacts: TSA agents screen travelers without paychecks (expect longer airport lines), CISA's cyber monitoring and incident reporting could face delays, FEMA's disaster response slows, and the Coast Guard suspends non-essential missions. About 56,000 Coast Guard personnel would go without pay.
The irony for this readership: a DHS shutdown doesn't stop surveillance. ICE agents are "essential personnel" who keep working. The facial recognition apps stay running. The Zignal Labs social media monitoring continues. The parts of DHS that watch you don't stop because Congress stops paying. The parts that protect you from cyber threats: those are the ones that take the hit.
Sources: Washington Post, Axios, The Hill, NBC
Disney Hit with Largest CCPA Fine Ever: $2.75 Million for Fake Opt-Outs
California Attorney General Rob Bonta announced on February 11 that Walt Disney Company will pay $2.75 million in civil penalties, the largest settlement under the California Consumer Privacy Act in the state's history.
The charges: Disney's opt-out mechanisms were designed to look functional while being deliberately fragmented. When you toggled "opt out" on your Disney+ streaming account, it only applied to that specific service on that specific device. Switch to a different device? Different streaming service? Your data kept flowing to advertisers. Disney's webform stopped sharing through its own ad platform but kept selling data through embedded third-party ad-tech. And their Global Privacy Control support? Limited to individual devices, not your account, even when you were logged in.
Translation: Disney built a privacy Potemkin village. The buttons existed. They just didn't do what the buttons said.
This is the second enforcement action from a 2024 investigative sweep of streaming services, which means more platforms are likely under investigation. Under the settlement, Disney must implement opt-out methods that actually work across all devices and services.
Sources: California AG, Deadline, The Record
SAFE Act Officially Filed: 66 Days to Force a Warrant on 702
The Security and Freedom Enhancement Act is now officially introduced. Senators Durbin and Lee filed the bill today, one day after we reported on the announcement. With Section 702 set to expire on April 20, this is the opening move in what's going to be an ugly legislative fight.
The bill's core provision: intelligence agencies would need a FISA Title I order or a warrant before accessing the contents of Americans' communications swept up in 702 collection. It also bolsters the role of FISA Court amici (the independent advocates who push back on government surveillance requests) by creating a presumption they participate in sensitive cases. A similar amici provision passed the Senate 77-19 in 2020.
EPIC released a statement endorsing the bill, calling it "a thoughtful, compromise approach." The challenge: the last House vote on a 702 warrant amendment failed 212-212. One vote. Since then, ICE's expanded use of surveillance tools and DOGE's cross-agency data consolidation have given reformers new talking points. Whether that flips the margin remains to be seen.
Full context: Our SAFE Act deep-dive | 702 sunset explainer | the rival Wyden-Lee reform bill
Sources: Senate Judiciary Committee, EPIC, Nextgov/FCW
ICE's Facial Recognition App Gave Two Wrong Names for the Same Person. They Deployed It Anyway.
Techdirt reported on February 12 that Mobile Fortify, the NEC-built facial recognition app ICE and CBP field agents carry on their smartphones, can't reliably do the one thing it's supposed to do: identify people.
In one documented encounter, the app scanned the same woman's face twice and returned two entirely different names. Both were wrong. This isn't a one-off glitch. The app doesn't actually "verify" identities at all, a limitation ICE and CBP were reportedly aware of before deploying it to agents in May 2025.
It gets worse. Under White House guidance from the Office of Management and Budget, agencies must complete an AI impact assessment before deploying any high-impact use case. Both CBP and ICE classify Mobile Fortify as "high-impact." Neither completed the required assessment. A former Heritage Foundation lawyer assigned to oversee DHS privacy reviews reportedly dismantled the centralized review process, enabling hasty approval.
So to recap: a facial recognition app that can't correctly identify faces, deployed without legally required privacy reviews, on the phones of agents who use it to determine whether someone gets detained or deported. We've covered Mobile Fortify's growing footprint in our deep-dive on its misidentification problems and the 1.2-billion-image database it pulls from. A bill in Congress aims to stop ICE from scanning faces against it.
Sources: Techdirt, Techdirt (Feb 6)
Apple Patches Zero-Day Used in "Extremely Sophisticated" Targeted Attacks
Apple released emergency patches on February 12 for CVE-2026-20700, a memory corruption flaw in dyld, the Dynamic Link Editor that loads software on every Apple device. The vulnerability lets attackers with memory write capability execute arbitrary code.
Google's Threat Analysis Group discovered it. TAG specializes in tracking state-sponsored cyber operations, which tells you exactly what kind of attackers exploited this. Apple confirmed the flaw was used in "extremely sophisticated" attacks targeting "specific individuals" running older iOS versions.
CVE-2026-20700 was chained with two previously patched vulnerabilities (CVE-2025-14174 and CVE-2025-43529) in the same campaign. Attackers stacked multiple exploits together for maximum access. Patches are available for iOS/iPadOS 26.3, macOS Tahoe 26.3, watchOS 26.3, tvOS 26.3, and visionOS 26.3. Older OS branches (iOS 18.7.5, macOS Sequoia 15.7.4, macOS Sonoma 14.8.4) are still waiting for backports.
What to do: Update every Apple device you own. Settings > General > Software Update. Do it now.
Sources: Help Net Security, SecurityWeek, CyberScoop
DOGE Whistleblower: Staffer Signed Deal to Analyze Voter Rolls for Political Group
A court filing revealed that a DOGE employee at the Social Security Administration signed an agreement with an unnamed political advocacy group to analyze voter rolls, specifically to "find evidence of voter fraud and to overturn election results in certain states." The Department of Justice confirmed the breach involved transferring millions of sensitive records to a private Cloudflare account, bypassing federal security protocols.
This isn't a rogue employee theory. A whistleblower, confirmed by PBS News, responded after the DOJ acknowledged that DOGE mishandled Social Security data. The broader picture: DOGE staffers copied a dataset covering more than 300 million Americans' sensitive information into a virtual database without following required security protocols. All of this happened while a federal court order barred DOGE from data access.
The surveillance angle: this is what happens when a government entity with sweeping data access has zero accountability. You can't "opt out" of Social Security. You can't delete your SSA records. When DOGE copies that data to an unsecured private server and hands it to political operatives, there's no privacy setting to toggle. Our coverage: DOGE voter data scandal.
The Wyden Siren: Senator's Cryptic CIA Warning Follows a Pattern That's Never Been Wrong
Senator Ron Wyden, the longest-serving member of the Senate Intelligence Committee, sent a two-sentence classified letter to CIA Director John Ratcliffe on February 6 expressing "deep concerns about CIA activities." He can't say more. That's the point.
Wyden is cleared to read highly classified intelligence but legally barred from disclosing details publicly. Over the past decade, he's developed a pattern: cryptic public warnings that later prove prescient. He flagged NSA mass surveillance before Snowden. He warned about location data purchases before that scandal broke. He hinted at domestic spying programs that were later confirmed. The track record is why security reporters call it the "Wyden Siren."
Senate Intelligence Committee Vice Chair Mark Warner said he shares "many of the concerns." The CIA responded by calling Wyden's alarm a "badge of honor," which tells you exactly how seriously they're taking congressional oversight. Our full analysis of the Wyden Siren.
Sources: TechCrunch, Techdirt, Common Dreams
Quick Hits
DHS Inspector General launches biometric audit: The DHS IG is reviewing how ICE collects, stores, and shares biometric data and personally identifiable information during immigration enforcement. The audit will determine whether data management meets federal requirements. Given the Mobile Fortify mess, don't hold your breath. [Federal News Network]
Flickr breach exposed 3.5 million users: A third-party email vendor hack on February 5 exposed Flickr usernames, email addresses, IP addresses, location data, and account activity. No passwords or financial data. Flickr shut down the affected system within hours but the damage was done. Watch for phishing emails referencing your Flickr account. [BleepingComputer]
Substack breach confirmed, 663K accounts: Substack disclosed on February 5 that an October 2025 breach went undetected for four months. Email addresses, phone numbers, and internal metadata were accessed. A dark web listing claims 697,313 records including Stripe payment IDs. If you run a Substack newsletter, check your exposure on Have I Been Pwned. [TechCrunch]
What to Watch
- DHS shutdown fallout: If Congress doesn't reach a deal by midnight, watch CISA's cyber operations and TSA staffing. The surveillance apparatus keeps running. The security infrastructure takes the hit.
- SAFE Act markup: Now that the bill is filed, watch for Senate Judiciary Committee scheduling. The 66-day countdown to the April 20 sunset makes this urgent.
- DOGE court orders: Federal courts have blocked DOGE's data access repeatedly. DOGE keeps finding workarounds. The voter roll revelation makes the next judicial response critical.
- Disney CCPA ripple effects: This was the second streaming platform investigation. More settlements likely incoming. If you use any major streaming service, check your privacy settings. The opt-out buttons might not be doing what you think.
- Apple zero-day backports: If you're still on iOS 18 or macOS Sequoia/Sonoma, patches haven't landed yet. Update to the latest OS or wait, but know you're exposed until the backports ship.
References
- Washington Post - Partial Government Shutdown Looms as ICE Negotiations Stall
- Axios - DHS Shutdown: Impact on TSA, Cybersecurity
- The Hill - Senate Democrats Block Homeland Security Bill
- California AG - Disney $2.75 Million CCPA Settlement
- Deadline - Disney Settles Data Suit
- The Record - California Fines Disney
- Senate Judiciary Committee - SAFE Act Introduction
- EPIC - Statement on SAFE Act
- Nextgov/FCW - FISA 702 Reform Revival
- Techdirt - Mobile Fortify Can't Identify People
- Help Net Security - Apple CVE-2026-20700 Fix
- SecurityWeek - Apple Zero-Day Patch
- CyberScoop - Apple Zero-Day Disclosure
- PBS News - DOGE SSA Whistleblower
- Brookings - DOGE Privacy Under Siege
- TechCrunch - Wyden CIA Warning
- Techdirt - The Wyden Siren
- Federal News Network - DHS IG Biometric Audit
- BleepingComputer - Flickr Data Breach
- TechCrunch - Substack Data Breach