A close-up of a smartphone screen showing an encrypted messaging app lock icon overlaid on a blurred background of the European Parliament chamber, the visual subject of the day lead on EU mass-scanning legislation
Photo via Unsplash

Today in Surveillance:

  • The European Parliament failed to block the renewed Chat Control 1.0 mass-scanning mandate. On July 9, 2026, the rejection motion drew 314 votes against and 276 in favor with 17 abstentions, short of the 361-seat absolute majority required to kill the interim CSAR regulation. The rule, which extends suspicionless scanning of unencrypted private messages until 2028, now moves to the Council of the European Union, which has roughly three months to act. Patrick Breyer called the outcome "a farce" and said the political fight over the permanent Chat Control 2.0 is "just getting started" [1][2].
  • EFF and Mayday Health published a Texas abortion-data surveillance Q&A in Houston. The piece centers on a billboard campaign in Houston warning pregnant people that the state is tracking them. Surveillance tools discussed include automated license plate reader (ALPR) cameras, including one Texas sheriff's office search across more than 83,000 cameras, and commercial location trackers such as Locate X that can show clinic visits [3].
  • The House passed the KIDS Act 267 to 117. EFF published its Senate-focused opposition piece on July 9, arguing the package bundles a revised KOSA with other bills, study mandates, and reporting requirements, and that any reliable age check still produces the identity database that turns into the surveillance prize [4].
  • Cory Doctorow at EFF called Google's "reCAPTCHA Mobile Verification" as bad as its earlier Web Environment Integrity proposal. The July 9 piece argues the new Android scheme can block users running de-Googled operating systems like GrapheneOS or CalyxOS the same way the older integrity proposal did on the web [5].
  • Waymo called San Mateo police on two 15-year-old passengers and stopped the vehicle. Per a police Facebook post on July 7, 2026, Waymo told police the teens were "drinking and shooting from the vehicle." Police determined they were drinking beverages and shooting Orbeez water beads. The in-cabin system reported in-cabin behavior to law enforcement and halted the car [6].
  • Patreon and Cloudflare blocked AI training crawlers at the network edge. Patreon CEO Jack Conte and SVP of Product Drew Rowny framed the partnership, announced July 9, as giving creators a default block on training crawlers across all Patreon posts while keeping search crawlers working [7].
  • AssuranceAmerica disclosed a breach affecting 6,998,886 people. BleepingComputer, citing Maine's Office of the Attorney General, reported the exposed data set includes names, contact information, automobile insurance policy and account data, driver or vehicle information, claims-related information, and driver's license numbers. Malicious activity occurred March 16, 2026 and was detected March 17 [8].
  • The European Commission's DMA review declined to extend interoperability to social networking services. EFF published its critique on July 9, noting the Commission cited a lack of "clear demand" and excessive technical complexity, and announced it would "continue to monitor and assess how these services evolve" without setting a deadline [9].

Also today: The Register's July 6 Sainsbury's Facewatch reporting is now framed as part of a wider UK retail-FR expansion, with the grocer tripling from 55 stores to up to 200 by the end of 2026 [10]. Earlier in the week, KrebsOnSecurity tied Jacob Wohl and Jack Burkman, convicted in a 2022 voter-robocall case, to a freshly registered "IRIS C2" offensive-security firm, a C2-as-a-service story for the offensive-tooling beat. The Patreon-Cloudflare build is the consent-for-training counterweight to the Texas-surveillance explainer: same week, opposite direction.

EU Parliament Could Not Block Chat Control 1.0. The Rule Now Heads to the Council.

The European Parliament voted on July 9, 2026 on a motion to reject the renewed interim Child Sexual Abuse Regulation, the rule Brussels calls CSAR and critics call Chat Control 1.0. 314 MEPs voted against, 276 voted in favor, and 17 abstained. The rejection motion needed an absolute majority of 361, and it fell short [1][2].

The interim rule extends suspicionless mass scanning of private messages on unencrypted platforms, including direct messages on Instagram, Discord, Snapchat, Skype, and Xbox, plus email on Gmail and iCloud. The scanning happens server-side and does not require warrants or prior suspicion. End-to-end encrypted services like WhatsApp were exempted, though that exemption is largely symbolic: an E2EE provider cannot inspect message contents in transit in the first place [1][2].

A separate amendment to restrict scanning to judicially flagged accounts failed too. That motion drew 322 in favor and 255 against, again short of the absolute majority threshold. Patrick Breyer, the former Pirate Party MEP who has tracked the file since its first reading, said the outcome "is a farce and damages democracy," that "our children are the real losers," and that the political fight over the permanent Chat Control 2.0 is "just getting started." He also argued that finding a permanent majority for mass scanning in future negotiations is "a complete pipe dream" [1][2].

The Parliament's amended position now goes to the Council of the European Union, which has roughly three months to approve or reject the rule. If the Council approves, the interim scanning regime is valid until 2028, or until a permanent solution passes. The permanent CSAR file, Chat Control 2.0, is the one that actually tries to force client-side scanning while preserving E2EE on paper, and critics note those two goals are not compatible. Five trilogue rounds have ended without agreement. The Council's stated preference is rules that allow client-side scanning without breaking E2EE, which is the technical knot the next negotiation has to pull apart [1][2].

EFF and Mayday Health Walk Texans Through the Surveillance Layer Around Abortion

EFF published a Q&A on July 9, 2026 between the organization and Mayday Health, the post-Dobbs reproductive-rights group running a billboard campaign in Houston. The billboards warn pregnant people that Texas is tracking them, and they are designed to reach people where digital advertising cannot: Meta and Google restrict reproductive-health content algorithmically, and Mayday Health's executive director Leo Raisner framed billboards as the medium that reaches "people in the physical world without algorithmic gatekeeping" [3].

The Q&A reads the surveillance stack end to end. Automated license plate reader cameras, the ALPRs that read every plate on every street and feed searchable databases to police, are the public-facing tool. EFF cites a single Texas sheriff's office that ran a search across more than 83,000 cameras to track a woman suspected of self-managing an abortion. Commercial location-tracking products like Locate X, which can confirm visits to specific clinics, are the commercial layer. Search histories, which can indicate interest in obtaining abortion pills by mail, are the browser-data layer. EFF frames the whole stack as one continuous record: license plate plus location-history plus search history plus cycle-tracking plus purchase data, all queryable later by any investigator who knows the right vendor [3].

Mayday Health says the billboards ran for four weeks and were expected to reach more than 1,000,000 drivers. The group's privacy posture is itself a piece of the story: Mayday does not collect cookies or visitor identifying information, and it points users to the Digital Defense Fund for actual privacy tooling. Raisner emphasized that "abortion pills are FDA approved," safe, effective, and available by mail, and that the legal exposure comes not from the act itself but from the data trail the act leaves behind [3].

The House Passed the KIDS Act. EFF Says the Senate Should Kill It.

The U.S. House of Representatives passed the KIDS Act on a vote of 267 to 117. EFF published its Senate-facing opposition on July 9, 2026. The piece frames KIDS as a bundled package: a revised version of the Kids Online Safety Act, several other internet bills, study mandates, and reporting requirements, all rolled into one vehicle [4].

The substantive objection is the same one EFF raises against every age-verification mandate: any reliable age check produces an identity-verification database that links a real-world person to specific platform activity. EFF walks through the three realistic implementations. Government ID collection. Biometric scans, including facial age estimation. Algorithmic age guessing from online behavior or facial images. EFF cites data breaches at age-verification providers as the standing evidence that the database becomes a surveillance target the moment it exists [4].

The free-speech objection is that the revised KOSA language still pressures companies to police lawful speech about gambling, alcohol, or cannabis. EFF's example is a teen searching for advice about a parent's gambling problem; under the duty-of-care framing, that search becomes a flagged behavior the platform has to act on. The Senate's job, per EFF, is to slow the vehicle down and split the bundle. The Senate Commerce Committee's calendar is the next venue to watch [4].

Doctorow: Google's New Android Attestation Scheme Is as Bad as the Last One

Cory Doctorow wrote on EFF's Deeplinks on July 9, 2026 that Google's new "reCAPTCHA Mobile Verification" is just as bad as the company's earlier Web Environment Integrity (WEI) proposal. The structural complaint is the same: a server-side check can decide whether a given device is "allowed" to use a given app, and the answer can be a function of the operating system the device runs [5].

EFF's concrete worry is users running de-Googled Android distributions such as GrapheneOS or CalyxOS. If a server can refuse traffic from a device whose operating system fails the attestation check, the de-Googled option goes from "harder" to "blocked." That is exactly the failure mode EFF predicted for WEI in 2023 and is now predicting for the mobile successor. The architecture does not care what the user did; it cares what the device is [5].

Waymo Called San Mateo Police on Two Teens for Drinking and Shooting Orbeez

404 Media reported on a San Mateo police Facebook post from Monday, July 7, 2026. Waymo, the autonomous-vehicle operator, contacted police about two 15-year-old passengers in one of its driverless vehicles and stopped the car, allowing officers to detain the teens. Waymo told police the teens were "drinking and shooting from the vehicle." Police determined they were actually drinking beverages and shooting Orbeez, the absorbent water beads sold as toy ammunition [6].

The story is small in the abstract, and it is large in pattern. An in-cabin sensor stack in a privately operated vehicle made a behavioral judgment, called a law-enforcement channel, and physically halted the vehicle so police could act on that judgment. The system did not have to be right. It had to be confident enough to call. A "toy gun" call against a "real gun" possibility is exactly the input distribution that generates false-positive police stops [6].

Patreon and Cloudflare Block AI Training Crawlers at the Network Edge

404 Media reported on July 9, 2026 that Patreon and Cloudflare have partnered to block AI training crawlers at the network layer across all Patreon posts. The block happens before a crawler reaches the platform's origin servers, which is what makes it a network-edge intervention rather than a robots.txt opt-out. Search crawlers that help with discovery are kept working; only training crawlers are dropped [7].

Patreon SVP of Product Drew Rowny framed the move as giving creators "a meaningful say" in how AI companies use their work, noting that on most of the internet "creators have to accept AI training on their work just to reach and grow an audience." Patreon CEO Jack Conte announced the partnership on Instagram, saying creators deserve "credit, compensation, and consent," and that without those, "the crawlers can stay the fuck off Patreon." The build layers on top of Cloudflare's earlier default-block policy, under which new domains onboarding to Cloudflare have training and agent bots blocked by default on ad-displaying pages as of September [7].

AssuranceAmerica Breach Hits Nearly 7 Million Drivers

BleepingComputer reported on July 9, 2026 that AssuranceAmerica, an auto-insurance carrier, disclosed a breach affecting 6,998,886 people. The disclosure was filed with Maine's Office of the Attorney General. The exposed data set, per the report, includes names, contact information, automobile insurance policy and account information, driver or vehicle information, claims-related information, and driver's license numbers. Malicious activity occurred March 16, 2026, was detected March 17, and file review completed June 15, with notifications going out the same week [8].

The data set is the kind that turns a routine breach into a long-tail identity-theft exposure. Driver's license number plus name plus policy and claims history is enough to walk into a carrier call center and impersonate the customer, enough to populate a synthetic-identity file, and enough to feed the downstream market in driver-data profiles that ALPR vendors and towing companies already use. The breach also lands inside the biometric-adjacent lane: insurance carriers hold driver images for some products, and the Maine filing does not enumerate which policy lines those records came from [8].

The EU Commission Declined to Force Social-Networking Interoperability Under DMA

EFF's Karen Gullo published a July 9, 2026 critique of the European Commission's first Digital Markets Act review, completed in April 2026. The Commission declined to extend DMA interoperability obligations to social-networking services, citing a lack of "clear demand" from users and businesses and excessive technical complexity. The Commission also declined to set a deadline or timeline for enforcement, saying instead that it would "continue to monitor and assess how these services evolve" [9].

EFF calls the outcome "a huge disappointment and a missed opportunity" and notes that interoperability solutions like ActivityPub, the protocol behind the Fediverse and Mastodon, already exist. The argument is that the Commission could require meaningful interoperability outcomes without mandating a specific protocol, and that refusing to even start the clock leaves EU users "locked up behind Big Tech's gates" [9].

What to Watch This Week

Council of the EU, within roughly three months. The Parliament's amended Chat Control 1.0 position goes to the Council, which has the next move. If the Council approves, the interim scanning rule is valid until 2028 [1][2].

Senate on the KIDS Act. EFF's July 9 piece notes only that "it now heads to the Senate, where its fate remains uncertain." Watch whether the Senate moves the bundled vehicle, splits it, or lets it stall [4].

Google's reCAPTCHA Mobile Verification rollout. Watch the developer documentation for which apps start requiring the new attestation, and whether GrapheneOS and CalyxOS see breakage in the wild [5].

Chat Control 2.0 trilogue. The permanent file is the one that tries to mandate client-side scanning while preserving E2EE on paper. Five trilogue rounds have ended without agreement. The next round is the venue where the technical knot either pulls apart or gets cut [1][2].

Sources

  1. Patrick Breyer: EU Parliament greenlights Chat Control 1.0: "Our children lose out," July 9, 2026. https://www.patrick-breyer.de/en/eu-parliament-greenlights-chat-control-1-0-breyer-our-children-lose-out/
  2. The Register: MEPs fail to prevent Chat Control snoopfest revival, July 9, 2026. https://www.theregister.com/security/2026/07/09/meps-fail-to-prevent-chat-control-snoopfest-revival/5269379
  3. EFF Deeplinks, Kenyatta Thomas: We want Texans to know their rights: a Q&A with Mayday Health on the impact of surveillance on abortion, July 9, 2026. https://www.eff.org/deeplinks/2026/07/we-want-texans-know-their-rights-qa-mayday-health-impact-surveillance-abortion
  4. EFF Deeplinks: The House passed the KIDS Act: the Senate should reject it, July 9, 2026. https://www.eff.org/deeplinks/2026/07/house-passed-kids-act-senate-should-reject-it
  5. EFF Deeplinks, Cory Doctorow: Google's new remote-attestation scheme is every bit as terrible as its old remote-attestation scheme, July 9, 2026. https://www.eff.org/deeplinks/2026/07/googles-new-remote-attestation-scheme-every-bit-terrible-its-old-remote
  6. 404 Media: Waymo called San Mateo police on teens, July 7, 2026. https://www.404media.co/waymo-called-police-on-teens-san-mateo/
  7. 404 Media: Patreon and Cloudflare partnership blocks AI training crawlers at the network edge, July 9, 2026. https://www.404media.co/patreon-cloudflare-partnership-ai-crawlers/
  8. BleepingComputer: AssuranceAmerica data breach exposes records of 6.9 million drivers, July 9, 2026. https://www.bleepingcomputer.com/news/security/assuranceamerica-data-breach-exposes-records-of-69-million-drivers/
  9. EFF Deeplinks, Karen Gullo: European Commission chooses to keep EU users locked up behind Big Tech's gates, July 9, 2026. https://www.eff.org/deeplinks/2026/07/european-commission-chooses-keep-eu-users-locked-behind-big-techs-gates
  10. The Register: Brit supermarket giant triples down on facial recognition to nab shoplifters, July 6, 2026. https://www.theregister.com/security/2026/07/06/brit-supermarket-giant-triples-down-on-facial-recog-to-nab-shoplifters/5266935