TL;DR:

  • Meta is adding facial recognition to Ray-Ban smart glasses. The feature, internally called "Name Tag," lets wearers identify strangers on sight. An internal memo says they picked this moment because privacy groups are too busy fighting ICE to fight Meta.
  • DHS shutdown Day 1 is here. CISA furloughed two-thirds of its cybersecurity staff. ICE agents keep working. Cyber threats don't take weekends off, but apparently America's cyber defenders do when Congress can't pass a bill.
  • Microsoft patched 6 actively exploited zero-days. February's Patch Tuesday fixed 58 flaws, including bugs that let attackers bypass Windows security with a single click. If you haven't updated, you're running a system that hackers are already inside.
  • Texas AG opens investigation into Conduent breach. Ken Paxton issued demands to Blue Cross Blue Shield of Texas and Conduent over a breach that exposed 4 million Texans' health data. Nationwide, the count is past 25 million.
  • ICE Out of My Face Act picks up momentum. The bipartisan bill to ban ICE facial recognition now has EFF, ACLU, EPIC, and a growing coalition behind it. It would force deletion of all biometric data ICE has collected.

Meta Wants Your Smart Glasses to Identify Strangers. They Chose This Week on Purpose.

TechCrunch reported on February 13 that Meta is building facial recognition directly into its Ray-Ban smart glasses. The feature, called "Name Tag" internally, would let wearers look at someone and get their name, social media profiles, and other personal information pulled up automatically through Meta AI. We broke down the full Name Tag reversal here.

That alone would be the biggest corporate surveillance story of the month. But the leaked internal documents make it worse.

Meta has been deliberating since early 2025 about how to release a feature that even its own teams acknowledge carries "safety and privacy risks." Their solution? Wait for a moment when the people who would fight back are too distracted. An internal document states: "We will launch during a dynamic political environment where many civil society groups that we would expect to attack us would have their resources focused on other concerns."

Read that again. Meta isn't ignorant of the privacy implications. They're counting on the fact that the ACLU, EFF, and other groups are spending all their bandwidth fighting ICE raids, DOGE data grabs, and government surveillance. While those organizations are distracted, Meta plans to quietly roll out a feature that turns every smart glasses wearer into a walking surveillance camera.

This isn't hypothetical. Two Harvard students demonstrated in 2024 that pairing Meta smart glasses with facial recognition could identify strangers on the street in real time. Meta saw that experiment and apparently thought, "great idea, let's productize it."

EssilorLuxottica, which manufactures the glasses with Meta, sold over 7 million units in 2025. That's 7 million potential surveillance nodes walking around in public. "This technology is ripe for abuse," said Nathan Freed Wessler of the ACLU. The pushback is building: 64 organizations have already told Congress to block the feature.

Five years ago, Facebook shut down its photo-tagging facial recognition system, citing a need to find "the right balance." Apparently, that balance is: wait until nobody's watching, then turn it back on, this time on people's faces in public, not just their Facebook photos.

Sources: TechCrunch, MacRumors, Engadget, Android Authority

DHS Shutdown Day 1: Cyber Defenders Go Home, ICE Keeps Rolling

The DHS partial shutdown took effect at 12:01 AM Saturday. As predicted in yesterday's coverage, the paradox is already playing out: the parts of DHS that surveil you are still running. The parts that protect you from cyber attacks just lost most of their workforce.

CISA (the Cybersecurity and Infrastructure Security Agency) furloughed 1,453 of its 2,341 employees. Only 888 "excepted" staff remain, enough to keep 24/7 operations centers open and monitor for imminent threats. But CISA won't develop new cybersecurity guidance, won't conduct security assessments, and won't run training exercises. "When the government shuts down, cyber threats do not," acting CISA director Madhu Gottumukkala said before the shutdown hit.

The timing is brutal. Microsoft just released patches for 6 actively exploited zero-days (more on that below). Federal agencies need to deploy those patches. The agency that helps coordinate that response just sent most of its people home.

Congress left for a weeklong recess without a deal. They aren't scheduled back until February 23, meaning at least 10 days of shutdown. The dispute centers on Democratic demands for ICE reforms: body cameras, warrant requirements for home entries, and restrictions on roving patrols. House Speaker Mike Johnson called those demands "non-starters."

About 90% of DHS's 260,000+ employees will keep working, without pay. TSA agents still screen travelers. Coast Guard sailors still patrol. But nobody gets a paycheck until Congress acts. The Bipartisan Policy Center noted Day 1 impacts would be "minimally felt" publicly, but warned that staff attrition accelerates as the shutdown drags on.

Sources: Nextgov/FCW, NBC News, CyberScoop, Fox News

Microsoft's February Patch Tuesday: 6 Zero-Days Actively Exploited

Microsoft's February 11 Patch Tuesday fixed 58 vulnerabilities, including six zero-day flaws that attackers were already exploiting in the wild. This isn't a routine patch cycle. Security researchers are calling it an emergency-level event.

The worst of the bunch: CVE-2026-21510, a Windows Shell vulnerability where a single click on a malicious link silently bypasses Windows security protections. No warning dialog, no consent prompt: your system runs attacker-controlled content. It affects every currently supported version of Windows.

Two more bypass bugs target MSHTML (CVE-2026-21513, the engine behind Internet Explorer components still embedded in Windows) and Microsoft Word (CVE-2026-21514). The remaining three are elevation-of-privilege flaws in Remote Desktop Services and Remote Access Connection Manager, letting local attackers climb to SYSTEM-level access.

Six actively exploited zero-days in a single patch cycle is abnormal. The surveillance angle: state-sponsored actors and cybercriminals had access to these vulnerabilities before Microsoft patched them. Every day an organization delays patching is another day those doors stay open. And CISA, the federal agency that normally helps coordinate patch deployments across government, just furloughed most of its staff.

What to do: Windows Update. Now. Settings > Update & Security > Windows Update. If your employer manages updates, ask your IT department when these patches are rolling out.

Sources: BleepingComputer, Help Net Security, Krebs on Security, SecurityWeek

Texas AG Opens Investigation into Largest Data Breach in U.S. History

Texas Attorney General Ken Paxton issued Civil Investigative Demands to Blue Cross Blue Shield of Texas and Conduent Business Services on February 13, formally launching an investigation into what Paxton's office called "the largest data breach in U.S. history."

The breach hit Conduent's systems between October 21, 2024 and January 13, 2025. During that window, an unauthorized third party accessed the protected health information of Texas residents, including Medicaid recipients whose data Conduent processes as a government contractor. Roughly 4 million Texans were exposed in this breach alone. Nationally, the confirmed count now exceeds 25 million people across multiple states, with 10+ class action lawsuits filed.

Paxton's investigation is examining both Conduent's security measures and Blue Cross Blue Shield's compliance with state data protection laws. The AG wants to know what security protocols were in place, how the breach went undetected for nearly three months, and why affected individuals weren't notified faster.

If you think you might be affected: the credit monitoring enrollment deadline is March 31, 2026. We covered the breach when it first surfaced in our Conduent breach report. A detailed how-to-check guide is coming.

Sources: Texas AG Office, TechTarget, HIPAA Journal

ICE Out of My Face Act Builds Bipartisan Coalition to Ban Federal Facial Recognition

The ICE Out of Our Faces Act, introduced February 5 by Senators Markey, Merkley, and Wyden alongside Representative Jayapal, is picking up serious backing. Co-sponsors now include Senators Angela Alsobrooks (D-Md.) and Bernie Sanders (I-Vt.), and the endorsement list reads like a who's-who of digital rights: EFF, EPIC, ACLU, Fight for the Future, Access Now, Human Rights First, and the Leadership Conference's Center for Civil Rights and Technology.

The bill would ban ICE and CBP from acquiring or using facial recognition technology and other biometric identification systems, including voice recordings. The timing matters: CBP just signed a new Clearview AI deal even as Congress moves to ban the practice. But the provision that matters most: it would require the deletion of all biometric data these agencies have already collected. That's a direct shot at the 1.2-billion-image database that ICE agents currently pull from using Mobile Fortify, the same app that can't correctly identify people.

The bill also lets individuals and state attorneys general seek civil penalties for violations, creating enforcement mechanisms beyond just congressional oversight. EFF published a full endorsement: "Yes to the ICE Out of Our Faces Act."

Full coverage: Our ICE Out of My Face Act deep-dive

Sources: Sen. Markey Press Release, Rep. Jayapal Press Release, EPIC

Quick Hits

TikTok won't say whether ICE is accessing user data: The New Republic published a deep investigation on February 10 into how TikTok's new U.S. ownership under Oracle creates a pipeline for ICE surveillance. Oracle's infrastructure hosts both TikTok's American data and multiple DHS contracts. TikTok "pointedly declined" to confirm or deny whether ICE can access user data. Data brokers like Venntel already harvest TikTok location data for DHS. We covered the Oracle-ICE connection in our TikTok surveillance backdoor analysis. [The New Republic]

Apple lawsuit dismissed: judge says tracking users after opt-out isn't illegal: A federal judge in Northern California dismissed a class action alleging Apple collected user data through its apps even after users disabled "Share Device Analytics." The court ruled the claims failed under the California Invasion of Privacy Act, Pennsylvania's wiretapping laws, and other privacy statutes. Translation: turning off analytics doesn't mean what you think it means. [Law360]

Roblox dodges privacy class action via arbitration clause: A California federal judge ruled that Roblox users who sued over alleged secret data harvesting must go through arbitration, not court. The judge found that Roblox's terms of use provided "conspicuous notice" of the arbitration clause. Another privacy case killed before discovery. [Law360]

20 states now have comprehensive privacy laws: Indiana, Kentucky, and Rhode Island's consumer privacy laws took effect January 1, 2026, bringing the nationwide total to 20 states with comprehensive privacy legislation. The patchwork keeps growing, but there's still no federal privacy law in sight. [Wiley]

What to Watch

  • Meta "Name Tag" rollout timeline: The internal documents say "as soon as this year." Watch for a quiet feature announcement buried during a news cycle about ICE raids or DOGE scandals. That's literally their strategy.
  • DHS shutdown duration: Congress returns February 23 at the earliest. 10+ days with CISA running at one-third capacity, during a month with 6 Microsoft zero-days and an Apple state-sponsored exploit. The math doesn't add up.
  • Conduent credit monitoring deadline: March 31 is the enrollment cutoff. If you received healthcare through a state Medicaid program or any Conduent-processed plan, check your exposure. A step-by-step guide is coming from us soon.
  • ICE Out of My Face Act markup: With Congress on recess, no movement until late February. The growing endorsement coalition is encouraging, but this bill faces an uphill battle in a House that rejected a 702 warrant amendment by a single vote.
  • Microsoft patch deployment: If your organization hasn't deployed Tuesday's patches, every hour counts. Six exploited zero-days means attackers are already using these vulnerabilities. Don't wait for Monday.

References

  1. TechCrunch - Meta Plans to Add Facial Recognition to Smart Glasses
  2. MacRumors - Meta Plans 'Name Tag' Facial Recognition
  3. Engadget - Meta Working on Facial Recognition for Smart Glasses
  4. Nextgov/FCW - CISA to Furlough Most Workforce Under DHS Shutdown
  5. NBC News - What to Know About the DHS Shutdown
  6. CyberScoop - CISA Shutdown Impact
  7. BleepingComputer - Microsoft February 2026 Patch Tuesday
  8. Krebs on Security - Patch Tuesday, February 2026
  9. SecurityWeek - 6 Zero-Days Patched by Microsoft
  10. Texas AG - Investigation into Conduent/BCBS Data Breach
  11. TechTarget - Texas AG Launches Conduent Investigation
  12. Sen. Markey - ICE Out of Our Faces Act
  13. EPIC - Endorses ICE Facial Recognition Ban
  14. EFF - Yes to the ICE Out of My Face Act
  15. The New Republic - How TikTok 2.0 Became a Weapon for ICE
  16. Help Net Security - February 2026 Patch Tuesday
  17. Wiley - Five Privacy Checkpoints to Start 2026

Next: Daily Briefing: February 15, 2026. School cameras feed ICE, CBP signs Clearview AI deal, DHS shutdown Day 2