
Today in Surveillance:

  • EFF framed the Supreme Court's June 29 ruling in Chatrie v. United States as a Fourth Amendment victory. The Court held that people retain an expectation of privacy in app-generated location data, that even short-term surveillance of those movements can be a search, and that records generated by apps on a user's phone are the user's own. Justice Gorsuch, concurring, called location data "personal property" of the kind the Fourth Amendment's text already protects [1].
  • 404 Media reported an Apple Hide My Email vulnerability that lets attackers recover a user's real email address. A security researcher disclosed the flaw to 404 Media, which independently verified it against one of its own alias addresses. Apple did not patch the vulnerability for more than a year, and the issue remained exploitable as of Monday [2].
  • EFF asked Governor Pritzker to veto Illinois HB 5511, a sweeping device-level age-gating bill. EFF's Hayley Tsukayama called the bill "well-intentioned but deeply flawed" and warned it would "effectively dismantle online anonymity, jeopardize data security," and pose an "existential threat to the open-source ecosystem." The bill is modeled on California's AB 1043 and New York's SAFE for Kids Act [3].
  • Schneier excerpted a Financial Times report on AI video surveillance that shifts search from identifiers to behavior. The FT quoted a European official calling the new capability "the holy grail of surveillance" because officers can now look for behavior, not objects, via natural-language queries on camera footage [4][5].
  • Researchers found RSA keys with many zero bits in the wild, and Schneier raised the possibility of a deliberate backdoor. The affected hosts Schneier named include Yahoo, Verizon, NetApp, and SSH hosts running CompleteFTP from EnterpriseDT. Schneier connected the finding to his prior 2013 writing on cryptographic backdoors [6].
  • EFF also continued its UK age-verification thread. The Collings and Portnoy Q&A on which UK age-verification methods expose which categories of user data remained the entry point for any reader walking through the Online Safety Act surface this week [7][8].
  • Other news today: Schneier flagged a startup, backed by NBCUniversal and Instacart, that predicts when customers will run out of groceries and pushes "Light on groceries?" ads through Papa Johns. The Anthropic "Code" client spyware allegation thread stayed in active discussion but remained unverified. EFF and 64+ civil-society groups continued to press against Meta's smart-glasses line as the Starfire launch rolled forward [9][10][11].

Chatrie's Fourth Amendment Win, and Why EFF Calls It the First Post-Carpenter Digital-Surveillance Victory

EFF posted its framing of the Supreme Court's June 29 ruling in Chatrie v. United States, with Andrew Crocker and Jennifer Lynch credited on the piece [1]. The Court held that people retain an expectation of privacy in app-generated location data, that "even short-term surveillance of these movements is a search subject to the Fourth Amendment," and that records generated by apps on a user's phone are the user's "own" in the same constitutional sense as emails, documents, photographs, and calendars [1].

Justice Gorsuch concurred in the judgment only, writing that location data is a user's "personal property" and "no different from myriad other 'effects' explicitly protected by the text of the Fourth Amendment." EFF's framing: geofence warrants are "the digital equivalent of police going person to person, home to home, without suspicion," because they compel a provider to surrender identifying information about everyone whose device was inside a target area over a target window [1].

The factual record under the warrant is what made the dissent legible. The 2019 warrant in Chatrie covered over 70,000 square meters, "several football fields," and reached homes, businesses, and a church in addition to the crime scene. The Court remanded to the Fourth Circuit without deciding whether the specific warrant was reasonable or whether the good-faith doctrine applied [1]. EFF and the rest of the digital-rights beat have been waiting on this ruling for years: the prior *Carpenter* (2018) decision covered prolonged cell-site location tracking, and the Fifth Circuit held in 2024 that geofence warrants are "categorically prohibited by the Fourth Amendment." A divided en banc Fourth Circuit in 2025 affirmed the lower court's "good faith" finding in Chatrie on different grounds, allowing the government to use the evidence even with the warrant found unconstitutional. The Supreme Court ruling sits between those poles and tilts toward geofence warrants being searches. Our oral-argument vessel and the post-ruling recap carry the architecture of the case [12][13][14].

The operational effect lands on two actors at once. Google stopped responding to mass geofence warrants as of July 2025, so the company is partly out of the warrant pipeline; the ruling now puts that practice on a constitutional footing rather than a corporate-policy footing. For investigators, the win is narrow on this record: the Court left the good-faith question open and did not directly invalidate the underlying warrant. EFF's framing turns on a phrase from its own post: users reasonably expect app-generated location data to be shielded from the "inquisitive eyes" of the government, and EFF will press future courts to recognize broad Fourth Amendment protections for user data on that footing. The structural move is the Gorsuch concurrence: a textual reading that treats location data as "effects" under the Fourth Amendment is harder for a future Congress to statutorily carve around than a Katz-style reasonable-expectations test [1].

404 Media Found an Apple Hide My Email Vulnerability Unpatched for More Than a Year

404 Media reported Wednesday that a flaw in Apple's Hide My Email tool allows almost anyone to uncover the real email address hidden behind a user's alias. The disclosure was made by a security researcher, and 404 Media said it independently verified the issue against one of its own hidden email addresses as of Monday. 404 Media withheld exact technical steps because the vulnerability remained exploitable at the time of publication [2].

The consumer-tool failure sits at the intersection of privacy branding and privacy substance. Hide My Email, part of iCloud+, sells itself as a way to sign up for services without exposing the user's real address; an attacker who can read past the alias inverts the tool's purpose. Apple's response window is the news peg: more than a year without a patch after a researcher gave the company the report. 404 Media quotes the disclosure directly: "Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses." Our prior Hide My Email coverage tracks a separate iCloud+ subdomain bug that surfaced earlier in the year; the new vulnerability is a different bug in the same product, which makes the pattern read as a privacy-tool failure mode rather than a one-off [15].

Read against the rest of Wednesday's briefing, the story sits between the EFF work and the Schneier thread. EFF maps UK age-verification methods that capture category-of-user data the user did not intend to share; Apple's Hide My Email is the consumer-side version of the same exposure pattern, where the user actively paid for the privacy guarantee and got a year of unpatched vulnerability instead. The honest framing is not "Apple is uniquely bad" but "every privacy tool sits inside an adversarial research-and-patch loop that is asymmetric in the attacker's favor until the patch ships" [2].

EFF Asks Pritzker to Veto Illinois HB 5511

EFF published a Hayley Tsukayama essay this week asking Illinois Governor J.B. Pritzker to veto House Bill 5511, which EFF describes as a "sweeping, device-level age-gating framework across nearly all internet-enabled hardware, operating systems, and online services." The bill would require platforms to collect and share users' ages, and strip personalized content feeds and overnight notifications for young people unless they can secure verifiable parental consent [3].

EFF's framing of the bill is blunt. The piece calls HB 5511 a "well-intentioned but deeply flawed piece of legislation," a "massive privacy and free speech nightmare" that would "effectively dismantle online anonymity, jeopardize data security," "severely restrict access to constitutionally protected speech," "cut off vital lifelines for vulnerable youth in non-traditional families," and pose an "existential threat to the open-source ecosystem." The piece also calls the bill "premature, economically risky, and legally wasteful." The bill is modeled on California's AB 1043 (Digital Age Assurance Act) and New York's Stop Addictive Feeds Exploitation for Kids Act [3].

The Illinois fight is the third front in a state-level age-verification wave that already produced California's AB 1043 and New York's SAFE for Kids Act. EFF's argument runs through the same identity-cache line as its UK age-verification work: every age check requires a real-world identifier, that identifier becomes the privacy-target database, and that database is the surveillance prize. Governor Pritzker's veto window is the news peg. Our age-verification-as-infrastructure tracker covers the cumulative bill-level mechanics; the SoS Illinois biometric-surveillance ban vessels document the same state legislature's parallel privacy record [8][16][17].

Schneier on Natural-Language Video Surveillance: "The Holy Grail"

Bruce Schneier posted this week on "The Realities of AI Video Surveillance," excerpting a Financial Times piece on how AI is changing what camera networks can be queried for. Schneier references his own December 2023 essay arguing that AI enables mass spying the way computers and networks enabled mass surveillance. The new element is that natural-language queries replace preset search types, so officers no longer need a specific license plate or face to pull from a camera archive [4].

The FT, as quoted by Schneier, captures the shift with a single line from a European official: "This is the holy grail of surveillance. We are able to look for behaviour, not objects - it has created a world of new possibilities." The FT also reports that the new tools "allow an almost unlimited range of enquiries by enabling language-based searches on video." Schneier does not name vendors in the excerpt, but the post's examples are exactly the kind of behaviors the AI video-surveillance systems now match on: "two men handing a bag to each other," "a person who has changed their appearance, or has changed clothes multiple times in a day," and "a vehicle that has recently been painted over, or has driven past the same spot several times in a short period" [4].

The categorical move is the piece's load-bearing argument. The identifier-vs-behavior shift changes the surveillance unit. A camera archive searched on license plates returns "every car with plate ABC-1234," which is bounded by the targeted identifier set. The same archive searched on "a person who has changed clothes multiple times in a day" returns every plausible match in the field of view, and the analyst decides after the fact which is the suspect. The warrant question, the probable-cause question, and the false-positive cost question follow from the unit: searches bounded by identifier can be evaluated against the identifier; searches bounded by description cannot. Our prior AI-video and ICE-tracking coverage tracks the convergence of these two threads into commercial camera networks [5][18].

Weak RSA Keys With Lots of Zeros, and Schneier's "Deliberately Designed Backdoor" Question

Schneier posted Monday on "Factoring RSA Keys with Many Zeros," pointing at research identifying a new class of weak RSA keys with many zero bits in the wild. Schneier's framing: "Interesting research on a new class of weak RSA keys: keys with lots of zeros," in which "both patterns include several regularly spaced blocks of all zeros interleaved with seemingly random data." He also writes that "these vulnerabilities affect a small minority of hosts on the internet," a line that bounds both the affected population and the practical scope [6].

The hosts and vendors named in Schneier's post: Yahoo, Verizon, NetApp, and SSH hosts running CompleteFTP from EnterpriseDT. Schneier's closing line: "This could be a deliberately designed backdoor, of the sort I wrote about back in 2013." That is the editorial hook, since it raises the prospect that the all-zeros pattern is intentional rather than incidental [6].

The news here is the open cryptographic research thread, not a confirmed exploit. Keys-with-lots-of-zeros are not the same as broken keys: a small minority of hosts means a small minority of hosts, and most RSA traffic is unaffected. The story is the second-order question of whether a class of weak keys found across CT logs, TLS, SSH, and PGP could be the result of an intentional weakening rather than implementation drift. Schneier raising the backdoor hypothesis in print is the moment the question shifts from "interesting bug" to "interesting bug, with an editorially credible candidate explanation." Our ongoing cryptanalysis-policy tracker covers the "deliberate weakening" through-line [19][20].

What to Watch This Week

Chatrie remand and the next geofence-warrant round. The Court left the warrant's reasonableness and the good-faith doctrine to the Fourth Circuit. Watch the Fourth Circuit's remand order, and watch whether state investigators move cases around it while it re-decides the case below [1].

Illinois HB 5511 veto window. EFF's veto letter to Governor Pritzker is the campaign's anchor. The bill's veto or signature will reshape the cumulative state-level age-verification map, with AB 1043 and the SAFE for Kids Act as comparators [3].

Apple Hide My Email patch timeline. 404 Media independently verified the vulnerability as of Monday. Watch whether Apple issues a Hide My Email advisory before the next iOS point release cycle, and whether the researcher publishes technical details after a fix [2].

The AI video-surveillance procurement round. The FT excerpted by Schneier cites a European official. Watch whether US police departments and ICE-adjacent procurement offices move on natural-language camera search in the second half of 2026, and whether any state passes a warrant-requirement bill aligned with the camera-archive query rules [4].

The weak-RSA research thread. Read the underlying research once it lands in print, and watch whether any vendor issues a CVE. The "deliberate backdoor" framing is the load-bearing editorial hypothesis on Schneier's blog; the cryptanalytic community will be the deciding audience [6].

Sources

  1. EFF Deeplinks, Andrew Crocker et al.: Victory! Supreme Court Says Constitution Protects People's Location Data, June 29, 2026. https://www.eff.org/deeplinks/2026/06/victory-supreme-court-says-constitution-protects-peoples-location-data
  2. 404 Media: Apple "Hide My Email" Vulnerability Reveals Peoples' Real Email Addresses, July 1, 2026. https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/
  3. EFF Deeplinks, Hayley Tsukayama: EFF to Gov. Pritzker: Veto Illinois HB 5511, June 29, 2026. https://www.eff.org/deeplinks/2026/06/eff-gov-pritzker-veto-illinois-hb-5511
  4. Schneier on Security: The Realities of AI Video Surveillance, June 30, 2026. https://www.schneier.com/blog/archives/2026/06/the-realities-of-ai-video-surveillance.html
  5. State of Surveillance: Anthropic Mythos Project Glasswing Zero-Day AI Surveillance, the broader AI-cyber-policy tracker that frames the AI-video-surveillance through-line. /news/anthropic-mythos-project-glasswing-zero-day-ai-surveillance-2026
  6. Schneier on Security: Factoring RSA Keys with Many Zeros, June 29, 2026. https://www.schneier.com/blog/archives/2026/06/factoring-rsa-keys-with-many-zeros.html
  7. EFF Deeplinks, Paige Collings and Erica Portnoy: LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?, June 30, 2026. https://www.eff.org/deeplinks/2026/06/lgbt-qa-what-data-are-companies-uk-collecting-when-verifying-my-age
  8. State of Surveillance: Age Verification Surveillance Infrastructure ID System, the structural brief on the identity-cache argument. /news/age-verification-surveillance-infrastructure-id-system-2026
  9. Schneier on Security: Papa John's Surveillance-Based Advertising, July 1, 2026. https://www.schneier.com/blog/archives/2026/07/papa-johns-surveillance-based-advertising.html
  10. State of Surveillance: ICE Confirms Graphite Spyware Active Use Congressional Letter, the SoS spyware-policy vessel that frames the unverified AI-client spyware allegations. /news/ice-confirms-graphite-spyware-active-use-congressional-letter-2026
  11. State of Surveillance: 64 Groups Oppose Meta Smart Glasses Facial Recognition Congress, the coalition-letter vessel. /news/64-groups-oppose-meta-smart-glasses-facial-recognition-congress-2026
  12. State of Surveillance: Supreme Court Geofence Warrants Chatrie Fourth Amendment, the pre-ruling explainer. /news/supreme-court-geofence-warrants-chatrie-fourth-amendment-2026
  13. State of Surveillance: Chatrie Oral Arguments Geofence Warrant Supreme Court April, the oral-argument vessel. /news/chatrie-oral-arguments-geofence-warrant-supreme-court-april-2026
  14. State of Surveillance: Chatrie Supreme Court Ruling Geofence Warrant Fourth Amendment Search, the post-ruling recap. /news/chatrie-supreme-court-ruling-geofence-warrant-fourth-amendment-search-2026
  15. State of Surveillance: Apple Hide My Email Useless iCloud+ Subdomain, the prior vessel on a separate iCloud+ alias bug. /news/apple-hide-my-email-useless-private-icloud-subdomain-2026
  16. State of Surveillance: Illinois Biometric Surveillance Act Police Facial Recognition Ban, the SoS Illinois biometric-surveillance vessel. /news/illinois-biometric-surveillance-act-police-facial-recognition-ban-2026
  17. State of Surveillance: Illinois Facial Recognition Ban Chicago Police HB5521 Cassidy, the parallel HB 5521 vessel. /news/illinois-facial-recognition-ban-chicago-police-hb5521-cassidy-2026
  18. State of Surveillance: Anthropic Mythos Project Glasswing Zero-Day AI Surveillance, the broader AI-cyber-policy tracker. /news/anthropic-mythos-project-glasswing-zero-day-ai-surveillance-2026
  19. State of Surveillance: UK Apple ADP Secret Order Global Encryption Fight, the encryption-policy tracker. /news/uk-apple-adp-secret-order-global-encryption-fight-2026
  20. State of Surveillance: Anthropic Fable 5 Silent Guardrails Apology AWS Bedrock Data 30 Day, the AI-policy structural vessel. /news/anthropic-fable-5-silent-guardrails-apology-aws-bedrock-data-30-day-2026