Today in Surveillance:
- The UK is preparing to bundle three surveillance interventions into one push. Reporting by The Times, The Guardian, and The Independent between June 14 and June 15 confirmed that Keir Starmer's government will unveil a package banning under-16s from social media and restricting their access to AI chatbots, modeled on Australia's under-16 ban. The Register reported the same week that Signal warned the UK's separate plan to scan encrypted devices for CSAM "endangers us all" [1][2][3][4].
- Austin's month-old surveillance oversight law is under fire. A May 17 to 18 weekend shooting spree (twelve incidents, four people injured, three suspects arrested) gave Police Chief Lisa Davis and Mayor Kirk Watson the opening to argue the TRUST Act needs to be loosened, even though all three suspects were caught without license plate readers [5][6][7].
- Fifty-plus cities have now canceled, suspended, or refused to renew Flock Safety contracts. The EFF's June 2 report titled "We're Fighting Mass Surveillance Tech and Winning" documented the breadth of the cancel wave. The same report surfaced more than 80 law enforcement agencies using anti-Romani slurs in Flock searches [8][9][10][11].
- California approved hidden border ALPR permits and then said the data was not its problem. The EFF mapped more than 40 hidden license plate readers along Southern California's border highways. Caltrans issued eight permits to Border Patrol and the DEA to install cameras on state road rights of way, then told reporters it does not operate the cameras or have access to the data they collect [12][13][14].
- California privacy enforcement hit a new record. A May 8, 2026 settlement with General Motors and OnStar over driver-data sales to Verisk and LexisNexis imposed a $12.75 million penalty and a five-year ban on selling driver data to consumer reporting agencies. The Tractor Supply $1.35 million fine from September 2025 is now the fourth-largest CCPA penalty on record [15][16].
- AI chatbots continue to train on user data by default. A Stanford study cited by SOS warns that sensitive information shared in a ChatGPT or Gemini dialogue "may be collected and used for training, even if it's in a separate file that you uploaded during the conversation" [17][18].
Also today: The July 9 European Parliament vote on the renewed interim Chat Control 1.0 mandate (314 against, 276 in favor, 17 abstentions) fell short of the 361 seats needed to kill it, and the rule now heads to the Council of the EU with roughly three months to decide [19][20]. Maryland layered the Data Privacy Act (HB 711) on top of MODPA in April, banning state agencies and data brokers from handing Marylanders' records to federal immigration enforcement without a warrant [21].
The UK Is Bundling Three Surveillance Mandates Into One Push
The Times broke the story on June 14, 2026: Keir Starmer is preparing to unveil a UK package that bans under-16s from social media and restricts their access to AI chatbots, modeled on Australia's under-16 social media ban [1]. The Guardian confirmed the package the next day and named the framing: "Australia plus," a label that explicitly extends the Australian template with the new AI-chatbot restriction that does not exist in the Australian model [2]. The Independent confirmed the AI chatbot component the same day [3]. The package is expected in the autumn King's Speech, with implementation over the following 12 to 18 months.
The "plus" is only part of the surveillance story. The Register reported on June 14 that Signal had published a parallel warning on the UK's separate plan to scan encrypted devices for child-sexual-abuse material under the CSAR component of the Online Safety Act. Signal's framing: client-side scanning "endangers us all" [4]. The technical point is structural. Client-side scanning, the only known way to detect CSAM in end-to-end-encrypted messages without breaking the encryption, requires the device to inspect message contents before encryption. Either the message is inspected on the device, in which case the platform is no longer end-to-end encrypted, or the message is not inspected, in which case the platform fails the compliance test. There is no third option. Signal has said it will withdraw from the UK market rather than break end-to-end encryption.
The Starmer package is the first time a major Western government has bundled age-gating, AI chatbot restrictions, and device-level scanning into a single policy push. The components are technically distinct, but they share an underlying infrastructure logic. The infrastructure to verify ages is the infrastructure to identify users. The infrastructure to inspect messages is the infrastructure to scan content. The infrastructure to gate chatbots is the infrastructure to gate AI. The political coalition for the CSAR component is the coalition for the under-16 social media ban. The two are now bundled. Our Day-3 brief on the Starmer package covers the regulatory architecture [22].
Austin's Month-Old Surveillance Law Met Its First Test
A weekend shooting spree across Austin on May 17 to 18 left four people injured. Twelve incidents. At least four vehicles stolen. Three suspects arrested: two teenagers, ages 15 and 17, and one adult. All three were caught without license plate readers. Every suspect was arrested within roughly 24 hours of the spree ending, two in a traffic stop on a stolen vehicle, one at an H-E-B fuel station [5].
Police Chief Lisa Davis told Spectrum News the quiet part out loud: "When we think about cameras, could that have helped? Yes, it absolutely could have" [6]. Mayor Kirk Watson backed her up, saying leaders should ensure law enforcement has the "necessary tools" for public safety and that license plate readers "would have been helpful under these circumstances" [6]. The framing is "would have been helpful." Not "we could not have solved this without them." Helpful. That is the opening line of a campaign to reopen a fight the Austin community already won.
The Transparent and Responsible Use of Surveillance Technology Act passed Austin's city council on April 23, 2026, less than a month before the shooting spree. The law does not ban surveillance technology. It requires the city to tell people what it is buying, how it works, what data it collects, and who it shares that data with, before spending the money. Council approval is required before any city department deploys tech that collects resident data. Privacy impact assessments must be published before any vote. Draft contracts must be available to council a full month ahead [7]. The officials now calling the law too restrictive are the same department that, eight months after Austin killed its Flock Safety contract in June 2025, was still accessing neighboring agencies' Flock cameras without telling city council, the loophole KUT Radio exposed in February 2026. Our Austin TRUST Act brief carries the loophole timeline [7].
Fifty-Plus Cities Have Pulled the Plug on Flock
Flock Safety, the Atlanta-based company whose automated license plate readers scan roughly 20 billion plates per month across more than 5,000 communities, is losing cities faster than it can sign new ones. Since late 2024, at least 50 cities and agencies have canceled, suspended, or refused to renew contracts [8]. Denver removed all 110 cameras when its contract expired on March 31, 2026 [9]. Oshkosh rescinded its contract on April 23, 2026, less than 24 hours after approving it, when Police Chief Dean Smith confirmed that a Flock representative had lied to the council about the system's heat map capability [10]. Mountain View disabled all 30 of its cameras on February 3, 2026 after an audit revealed the ATF, Air Force, and GSA Inspector General had access to local data through the network.
On June 2, 2026 the EFF published "We're Fighting Mass Surveillance Tech and Winning," a comprehensive accounting of its multi-year investigation. The report documented more than 80 law enforcement agencies using anti-Romani slurs (terms like "g*psy vehicle," "possible g*psy," "roma traveler") in Flock searches, often with no underlying crime mentioned. Another 400-plus searches targeted Irish Traveller communities. The same report found that more than 50 agencies had used Flock to track protesters [11]. The cancel wave is not a single policy decision. It is the cumulative effect of FOIA requests, public records litigation, and local press investigations surfacing what audit logs revealed only after the queries had already run. Our DeFlock brief traces the cancel wave back to Will Freeman's crowdsourced camera map [23].
California Approved Hidden Border ALPRs. The State Says They Are Not Its Problem.
James Cordero was driving a cracked two-lane road in eastern San Diego County when he spotted a trailer on the shoulder that looked abandoned. He pulled over. Inside: surveillance equipment and a hidden camera. The discovery led CalMatters and KPBS reporters to map a covert network of license plate readers along Southern California's border highways [12][13]. The Electronic Frontier Foundation published the map: more than 40 hidden ALPRs across San Diego and Imperial counties, locations including Old Highway 80 near Jacumba Hot Springs, outside the Golden Acorn Casino in Campo, and along Interstate 8 toward In-Ko-Pah Gorge. Caltrans issued eight permits to Border Patrol and the DEA to install the cameras on state highway land, with fourteen permit applications submitted between 2015 and 2024 (eight approved, four canceled, two inactive).
The cameras log every car that passes: citizens, residents, tourists, humanitarian workers. According to a Homeland Security report described by KPBS, each ALPR capture includes license plate numbers, vehicle make and model, registration state, GPS coordinates, timestamps, camera owner and type information, and "surrounding environment" imagery, which can include photos of drivers and passengers [13]. One grandmother with legal status told CalMatters she was questioned by Border Patrol about her casino visits. They deemed the frequency "suspicious."
California's 2016 ALPR law restricts state and local agencies from sharing plate data with out-of-state entities, including federal agencies involved in immigration enforcement. The California Attorney General has sent enforcement letters to 18 law enforcement agencies for violating these provisions. Border Patrol and the DEA bypassed the restriction by getting Caltrans permits to install their own cameras. Caltrans told KPBS: "Caltrans does not operate, manage, or determine the specific use of technology or equipment installed by permit holders, nor does it have access to any of the collected data" [13]. The state agency that approved the permits says the cameras are not its problem. EFF's Dave Maass framed the loophole for CalMatters: "By allowing Border Patrol and the DEA to put license plate readers along the border, they're essentially bypassing protections under California law" [13]. Our border-trailers brief covers the permit timeline and the humanitarian-worker chilling effect [14].
California Privacy Enforcement: GM Settlement Overtakes the Tractor Supply Record
The CPPA enforcement landscape shifted on May 8, 2026. California Attorney General Rob Bonta, joined by CalPrivacy, the San Francisco, Los Angeles, Napa, and Sonoma District Attorneys, announced a $12.75 million settlement with General Motors and OnStar. The action is now the largest CCPA penalty in California history, and the California Department of Justice's first data-minimization case [15]. According to the settlement, GM sold names, contact info, geolocation, and driving-behavior data of hundreds of thousands of Californians to Verisk Analytics and LexisNexis Risk Solutions via OnStar between 2020 and 2024, in violation of the CCPA's purpose-limitation and data-minimization rules and the company's own privacy representations. The settlement includes a five-year ban on selling driver data to consumer reporting agencies.
The GM action brings total CCPA enforcement settlements to at least eight (Sephora, DoorDash, Disney, Jam City, Sling TV, Healthline, Tilting Point, GM), with the September 30, 2025 $1.35 million Tractor Supply fine, the first CPPA enforcement action targeting job applicant data rights, now ranking fourth-largest [16]. On June 2, 2026 CalPrivacy reported that 300,000-plus Californians had signed up for its Delete Request and Opt-Out Platform (DROP). On June 3, 2026 the agency formally opposed federal legislation that would preempt state privacy protections. The GM settlement, the DROP volume, and the preemption opposition are the same thread: California is using its enforcement and rulemaking capacity to push privacy protections upward, while Washington preemption proposals push them downward. Our Tractor Supply brief tracks the original job-applicant-data enforcement [16].
AI Chatbots Still Train on Your Data by Default
The Stanford study cited by SOS warns plainly: "If you share sensitive information in a dialogue with ChatGPT, Gemini, or other frontier models, it may be collected and used for training, even if it's in a separate file that you uploaded during the conversation" [17]. ChatGPT, Claude, and Gemini all default to using conversation data for model training. The opt-out exists, but it sits several menus deep in settings most users never open. LinkedIn's published Privacy Policy, stamped "Effective November 3, 2025," explicitly lists "develop and train artificial intelligence (AI) models" as a permitted use of member personal data in Section 2 [18]. Once a profile feeds a model's weights, the knowledge extracted from it is part of the system permanently.
The pattern repeats across providers. Frontier model providers default to opt-in for AI training on user data, then bury the opt-out in privacy settings they know most users will never touch. The data extraction is a one-way operation: opt out today and the model still has what you shared yesterday. The aggregation across providers compounds the problem: a professional profile on LinkedIn, a conversation history in ChatGPT, a search history in Gemini, and a coding session in Claude can be stitched together by anyone who buys the right data-broker package. The Stanford warning on uploaded files is the most consequential detail. A file you upload into a chat session for analysis becomes training input in a way most users do not expect. Our AI chatbot data collection brief covers the per-provider scorecard [18].
What to Watch This Week
Council of the EU, within roughly three months. The Parliament's July 9 amended position on Chat Control 1.0 went to the Council, which has the next move. If the Council approves, the interim scanning rule is valid until 2028 [19][20]. The Starmer package is a separate UK track, but the two CSAR regimes are now running in parallel, and trilogue outcomes on either side will reshape the other.
King's Speech, autumn 2026. Watch for the specific text of the UK under-16 social media ban, the AI chatbot restriction, and the CSAR "accredited technology" rules under the existing Online Safety Act. Signal has set its UK-exit red line. The first on-the-record statement from WhatsApp, Apple's iMessage team, or another major encrypted provider on whether the CSAR rules trigger a UK exit will determine whether the Starmer package is UK-specific or a template for the next EU and Canada round [4].
Austin's next city council session. The TRUST Act is one month old. The most dangerous version of the post-shooting fight is not a dramatic repeal but a "minor clarification" that creates an exception for "public safety emergencies" defined broadly enough to cover anything. That is how San Francisco's 2019 facial recognition ban got hollowed out by 2022. Watch the council member lookup at austintexas.gov and the public-comment signups [7].
The next CPPA enforcement action. CalPrivacy's DROP platform crossed 300,000 signups by June 2, 2026 and the agency is formally opposing federal preemption. The GM/OnStar $12.75 million settlement is the new ceiling. The next test is whether the next enforcement target is a connected-vehicle maker, an adtech firm, or a data broker. The Tractor Supply job-applicant track suggests HR data is the second wave [15][16].
Sources
- The Times: "Starmer to unveil social media ban for under 16s" (June 14, 2026). https://www.thetimes.com/uk/politics/article/starmer-to-unveil-social-media-ban-for-under-16s
- The Guardian: "Starmer to unveil 'Australia plus' under-16 social media ban" (June 15, 2026). https://www.theguardian.com/politics/2026/jun/15/keir-starmer-australia-plus-under-16-social-media-ban
- The Independent: "Starmer to unveil social media and chatbot ban for under 16s" (June 14, 2026). https://www.independent.co.uk/news/uk/politics/starmer-social-media-chatbot-ban-under-16-b2967421.html
- The Register: "Signal warns UK CSAR encrypted device scanning 'endangers us all'" (June 14, 2026). https://www.theregister.com/2026/06/14/signal_warns_uk_csar_encrypted_device_scanning/
- Deseret News: "Robbery-shooting spree in Texas adds to debate over surveillance technology" (May 18, 2026). https://www.deseret.com/politics/2026/05/18/shootings-in-texas-add-to-debate-over-surveillance-tech/
- Spectrum News: "Austin license plate readers: Shooting spree reignites surveillance debate" (May 18, 2026). https://spectrumlocalnews.com/tx/south-texas-el-paso/news/2026/05/18/austin-license-plate-readers
- State of Surveillance: "Austin's TRUST Act Under Fire After Shooting Spree," the brief on the April 23 ordinance and the KUT loophole. /news/austin-trust-act-surveillance-shooting-license-plate-readers-2026
- NPR: "Why some cities are canceling Flock license plate reader contracts" (February 17, 2026). https://www.npr.org/2026/02/17/nx-s1-5612825/flock-contracts-canceled-immigration-survillance-concerns
- 9News: "Denver removes all 110 Flock license plate reader cameras as contract expires" (March 2026). https://www.9news.com/article/news/local/denver-removes-flock-license-plate-reader-cameras/73-eaf91d0a-3b90-45f5-8338-dbb9f79a8712
- WBAY: "Oshkosh council rescinds Flock camera contract after 'false statements'" (April 23, 2026). https://www.wbay.com/2026/04/23/oshkosh-council-rescinds-flock-camera-contract-after-false-statements/
- EFF: "We're Fighting Mass Surveillance Tech and Winning" (June 2, 2026). https://www.eff.org/deeplinks/2026/06/get-flock-out-here
- CalMatters: "The hidden surveillance network sending Californians' license plates to Border Patrol" (February 26, 2026). https://calmatters.org/justice/2026/02/alpr-border-patrol-caltrans/
- KPBS: "He saw an abandoned trailer. Then, he uncovered a surveillance network on California's border" (February 26, 2026). https://www.kpbs.org/news/politics/2026/02/26/he-saw-an-abandoned-trailer-then-he-uncovered-a-surveillance-network-on-californias-border
- State of Surveillance: "Hidden Cameras in Trailers Track California Drivers for Border Patrol," the EFF mapping and Caltrans permit brief. /news/california-border-hidden-surveillance-trailers-alpr-caltrans-2026
- California Attorney General Rob Bonta, CalPrivacy, SF DA Brooke Jenkins, LA DA Nathan J. Hochman, Napa DA Allison Haley, Sonoma DA Carla Rodriguez: "When It Comes to Data Privacy, Consumers Must Be in the Driver's Seat: Attorney General Bonta, Partners Secure $12.75 Million General Motors Privacy Settlement" (May 8, 2026). https://oag.ca.gov/news/press-releases/when-it-comes-data-privacy-consumers-must-be-driver%E2%80%99s-seat-attorney-general-bonta
- State of Surveillance: "CPPA $1.35M Fine: Job Applicant Privacy Violation," the Tractor Supply enforcement brief with the GM/OnStar update. /news/california-cppa-tractor-supply-fine
- Stanford Report: Study exposes privacy risks of AI chatbot conversations (October 2025). https://cyber.fsi.stanford.edu/news/stanford-study-exposes-privacy-risks-ai-chatbot-conversations
- State of Surveillance: "AI Chatbot Data Collection 2025: What They Store," the per-provider scorecard brief. /news/ai-chatbot-privacy-what-they-collect
- Patrick Breyer: "EU Parliament greenlights Chat Control 1.0: 'Our children lose out'" (July 9, 2026). https://www.patrick-breyer.de/en/eu-parliament-greenlights-chat-control-1-0-breyer-our-children-lose-out/
- The Register: "MEPs fail to prevent Chat Control snoopfest revival" (July 9, 2026). https://www.theregister.com/security/2026/07/09/meps-fail-to-prevent-chat-control-snoopfest-revival/5269379
- State of Surveillance: "Maryland MODPA 2025: Nation's Strictest Privacy Law," the brief on MODPA and the HB 711 ICE-warrant law. /news/maryland-modpa-privacy-law
- State of Surveillance: "UK's 'Australia Plus' Ban: Under-16 Social Media, Chatbots, Encrypted Phone Scans," the Starmer package brief. /news/uk-starmer-australia-plus-under-16-social-media-chatbot-ban-csar-2026
- State of Surveillance: "DeFlock: How One Guy Mapped 90,000 Cameras and Sparked a Revolt," the Will Freeman and EFF cancel-wave brief. /news/deflock-flock-safety-revolt-90000-cameras-cities-cancel-2026