Today in Surveillance:
- Citizen Lab confirmed Pegasus infected a member of the European Parliament's PEGA Committee while it was investigating commercial spyware. Report 194 documents successful infections of former MEP Stelios Kouloglou's iPhone on October 21, 2022 and March 6-7, 2023, on iOS 15.5, using the PWNYOURHOME zero-click exploit. Forensic attribution indicates a single Pegasus operator with authorization to spy in multiple European countries; the researchers say they have no evidence the Greek government is responsible [1].
- Flock Safety's "Vehicle Fingerprint" mode identifies cars that the cameras cannot read plates on. A July 3 Schneier post cites a 2024 Flock internal presentation that surfaces the non-plate mode, which uses decals, bumper stickers, roof and rear racks, and temporary or unique state tags, with a "multi geo search" capability across jurisdictions [2].
- AI impersonators of 112 UK public figures were rated more authentic, coherent, and relevant than the people they mimicked. A PLOS One study by Steffen Herbold and colleagues trained GPT-4 Turbo on BBC Question Time transcripts and Wikipedia biographies, then asked 948 UK participants to rate real vs. generated responses [3].
- EFF and three allies urged the FTC to reject X Corp's petition to end the 2022 privacy consent decree. The coalition filings cite Grok training on user data without meaningful consent and a 2025 X user data breach as reasons the order should run through 2042 [4][5][6].
- DHS confirmed a cyber incident affecting the Homeland Security Information Network (HSIN). BleepingComputer reported the breach on July 1, citing a DHS spokesperson; the intrusion is believed to have occurred between late May and early June 2026, and DHS says there is no indication classified networks were affected [7][8].
A Member of the PEGA Committee Was Hit With Pegasus. The Timing Is the Story.
Citizen Lab Report 194, published July 3, 2026, confirms that former Greek MEP Stelios Kouloglou's iPhone was infected with NSO Group's Pegasus spyware on October 21, 2022 and March 6-7, 2023. The phone was running iOS 15.5 (build 19F77) at the time of the attacks. Citizen Lab says the exploit chain was PWNYOURHOME, a zero-click that lands via HomeKit through NSKeyedArchive, then moves through MessagesBlastDoorService [1].
The conflict of interest is the lead. Kouloglou served on the PEGA Committee, the European Parliament's Committee of Inquiry into the use of Pegasus and equivalent surveillance spyware, from March 24, 2022 to July 18, 2023. The committee was established on March 10, 2022, adopted its first report on May 8, 2023, and adopted recommendations on June 15, 2023. Citizen Lab notes Apple sent Kouloglou mercenary-spyware threat notifications on March 2, 2023, August 29, 2023, and April 10, 2024. Kouloglou first reached out to Citizen Lab in May 2026 [1].
The forensic attribution goes as far as Citizen Lab can take it without naming a government. The infections span Greece and Belgium, two jurisdictions, and the report identifies an operator overlap with the 2024 Pegasus campaign targeting Russian- and Belarusian-speaking exiled journalists and activists in Europe, a campaign Citizen Lab and Access Now documented jointly. Citizen Lab does not attribute the infections to a particular government at this time, says it has found no indications the Greek government is responsible, and adds that "a customer with authorization to spy in multiple European countries is responsible." Researchers who confirmed the infections include John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis and Ron Deibert [1].
Greek MEPs are not new targets. The Citizen Lab write-up adds context the EU already had: Nikos Androulakis targeted with Predator, Diana Riba infected with Pegasus in October 2019, Jordi Solé targeted in June 2020, Carles Puigdemont targeted in October 2019 and July 2020, Clara Ponsati via associates in July 2020, Elena Yoncheva in late October 2023, Nathalie Loiseau confirmed February 2024, and Daniel Freund targeted with Candiru, an attack he announced in May 2024. The new finding is the position. Hitting a sitting member of the committee reviewing spyware abuse is an attack on the oversight itself: "the infection could have exposed strictly confidential exchanges among PEGA Committee members" [1].
Flock's "Vehicle Fingerprint" Mode IDs Cars the Camera Can't Read a Plate On
Bruce Schneier wrote on July 3, 2026, that Flock Safety's automatic license plate reader (ALPR) network has a "Vehicle Fingerprint" mode that identifies cars even when the camera does not have full plate information. A 2024 Flock internal presentation surfaces the feature [2].
The non-plate signals are documented: bumper stickers, decals, roof racks, rear racks, and temporary or unique state tags. The presentation also describes a "multi geo search" capability that locates multiple vehicles believed to be moving together. The pitch in the reporting is that the tool lets officers "build stronger cases with less information upfront" [2].
The surveillance reading is that the camera is no longer the constraint. Plate reads were already a categorical surveillance problem because any plate can be matched against hot lists. A "fingerprint" mode pushes the same model into cars the plate cameras cannot read, which expands coverage to vehicles registered out of state, with obscured plates, with no plates at all (rural ATV/utility traffic), or with plates the OCR has rejected. Schneier adds the historical point that "anyone with broad access to cell phone location data can do the same thing," a technique he documented in his 2014 book Beyond Fear [2]. Our tracking of the Flock cancel wave covers the city-side response, and the Colorado warrant-requirement brief covers the legislative counter-move [9][10].
AI Clones of 112 UK Public Figures Beat the Originals on Authenticity
Becky Ferreira reported at 404 Media on July 1, 2026, on a PLOS One study by Steffen Herbold and colleagues at the University of Passau. The team trained GPT-4 Turbo to imitate 112 UK public figures (politicians, businesspeople, journalists, medical experts, writers, and others) using BBC Question Time transcripts and Wikipedia biographies. A system prompt instructed the model to mimic the person without naming them, in roughly 200 words of conversational prose [3].
948 UK participants then rated real versus AI-generated responses on authenticity, coherence, relevance, and content similarity. The result: more than half of the participants rated the chatbot as more authentic than the real speaker, with the AI also pulling ahead on coherence and relevance. Herbold's read is straightforward: LLMs "can be made to deceive the public regarding the nature of statements in the political domain" and "there is a dire need to inform the general public of the potential harm this can have on society." The paper flags an asymmetry in the data as a limitation: the real speakers were unscripted on Question Time, while the AI was trained on polished text [3].
For an election-cycle story, the implication is functional, not theoretical. A model that produces 200-word impersonations better than the originals is now publicly reproducible. Herbold's policy ask is a combination of regulation and education, with bans on political deepfakes as the most direct lever. Our 2026 midterm deepfake brief covers the state-law patch and the FEC coordination rule that has not been written [11].
EFF and Three Allies Tell the FTC: Don't Let X Out of the 2022 Order
Bill Budington wrote on the EFF Deeplinks blog on July 2, 2026, that EFF, joined by Demand Progress Education Fund, the National Consumers League (NCL), and the Electronic Privacy Information Center (EPIC), filed joint comments urging the FTC to reject X Corp's May 15, 2026 petition to terminate the 2022 consent decree. The 2022 order required X to report regularly to the FTC on user-data compliance, the result of a finding that X had used account-security data (phone numbers, email addresses) for targeted ads, misleading roughly 140 million users, with a $150 million fine and obligations running through 2042 [4].
X argued the order should end because the company "built an entirely new privacy and information security program staffed by new personnel operating under new leadership," and that compliance paperwork diverts engineering resources from the stated aim of "advancing American leadership in artificial intelligence." The coalition's counter is structural: X integrated its AI model Grok in 2024 and trained it on user data without meaningful consent, and a massive X user data breach occurred in 2025. The coalition filing notes that FTC orders bind the corporate entity rather than dissolving with personnel changes, and characterizes the compliance cost as "a rounding error against the $200 billion valuation of X Corp. following the xAI merger" [4].
The AI angle is the new piece. The coalition argues that prompt-engineering techniques can extract training data from frontier models, creating the same secondary-use violations that the 2022 order was written to police. Our existing X Corp FTC vessel tracks the petition and the rebrand framing, and the Grok deepfake brief covers how the AI training choice has already surfaced in complaints, with the Canada Privacy Commissioner finding that Grok's sexualized deepfakes violated Canadian law [5][6][12].
DHS Confirms a Breach of the HSIN Info-Sharing Platform
BleepingComputer reported on July 1, 2026, that DHS confirmed a cyber incident affecting a "specific, unclassified legacy information sharing environment" used by HSIN, the Homeland Security Information Network. HSIN is the federal-state-local-international-private threat-sharing platform. The BleepingComputer story, citing Nextgov, raised concerns that the breach could have exposed security-planning, interagency coordination, or response procedures for World Cup games hosted across the United States [7].
DHS told BleepingComputer that it is aware of a "recent cyber incident" involving an unclassified legacy system and that "there is no indication that classified networks were impacted." The intrusion is believed to have occurred between late May and early June 2026. DHS has not linked the incident to any specific threat actor or foreign government. Whether files were taken remains unclear [7].
The surveillance read is partner exposure. HSIN users are precisely the federal, state, local, international, and private-sector security personnel who would not expect to be on a breach list. A compromise of the contact and clearance metadata for that population is a recruiter's list, not just a data file. Our DHS continuous-surveillance brief covers the shutdown-era operating posture that makes these incidents harder to scope, and the DHS ICE Instagram subpoena work covers the speech-monitoring side of the same partner population [8][13].
What to Watch Next Week
The PEGA infections and EU action. The PEGA Committee's work has run through 2024. The new Citizen Lab evidence lands inside an ongoing EU push on commercial spyware export controls. The likely pressure points are the NSO Group and Intellexa/Patria export-license reviews at the EU Council, and any national follow-up in Greece or Belgium, the two countries the infections spanned [1].
The FTC's response on X Corp. The coalition's deadline-aligned comments turn the question to whether the FTC continues to police the 2022 order into 2042 or accepts X's new-program argument and closes the file. A decision is the next hard date [4][5].
World Cup 2026 security-planning exposure. If the HSIN review confirms that World Cup planning documents were accessed, the data-protection implications for the host cities, federal coordinating bodies, and private-sector contractors are the second wave. Watch for any confirmation from DHS, the FBI, or CISA [7].
Flock warrant policy. Colorado's SB26-070 and the parallel Kentucky HB 58 retention limits target exactly the "after the fact" audit-log problem that the Vehicle Fingerprint mode makes worse. Watch the statehouse markups, and the city-level contract cancellations, over the next two weeks [10][14].
Sources
- [1] Citizen Lab, University of Toronto, Report 194: Espionage Against the European Parliament: Member of Committee Investigating Spyware Hacked with Pegasus, July 3, 2026. https://citizenlab.ca/research/member-of-committee-investigating-spyware-hacked-with-pegasus/
- [2] Schneier on Security, Bruce Schneier: Flock Cameras Can Surveil Cars Without License Plates, July 3, 2026. https://www.schneier.com/blog/archives/2026/07/flock-cameras-can-surveil-cars-without-license-plates.html
- [3] 404 Media, Becky Ferreira: Scientists Asked AI to Impersonate 112 Public Figures. What Happened Next Is a 'Dire' Warning, July 1, 2026. https://www.404media.co/untitled-28/
- [4] Electronic Frontier Foundation, Bill Budington, Deeplinks Blog: EFF and Allies: X's FTC Petition to Waive Privacy Violation Order Should be Rejected, July 2, 2026. https://www.eff.org/deeplinks/2026/06/eff-and-allies-xs-ftc-petition-waive-privacy-violation-order-should-be-rejected
- [5] State of Surveillance: X Corp FTC Privacy Order, the existing vessel on the petition and the rebrand framing. /news/x-corp-ftc-privacy-order-petition-ai-excuse-rebrand-2026
- [6] State of Surveillance: Grok Deepfake Crisis Coverage, the existing vessel on Grok training and the global regulatory response. /news/grok-deepfake-crisis-xai-global-crackdown-2026
- [7] BleepingComputer, DHS confirms hackers breached HSIN info-sharing platform, July 1, 2026. https://www.bleepingcomputer.com/news/security/dhs-confirms-hackers-breached-hsin-info-sharing-platform/
- [8] State of Surveillance: DHS Shutdown Surveillance Brief, the existing vessel on DHS operating posture and incident response. /news/dhs-shutdown-surveillance-continues-security-halted-2026
- [9] State of Surveillance: Deflock Flock Cancel Wave, the existing vessel on city-side contract terminations. /news/deflock-flock-safety-revolt-90000-cameras-cities-cancel-2026
- [10] State of Surveillance: Colorado SB26-070 Flock ALPR Warrant Bill, the existing vessel on the warrant-requirement proposal. /news/colorado-sb26-070-flock-alpr-warrant-bill-2026
- [11] State of Surveillance: 2026 Midterm Election Deepfakes Wild West FEC Failure, the existing vessel on election-cycle deepfake policy. /news/2026-midterm-election-deepfakes-wild-west-fec-failure
- [12] State of Surveillance: Canada Privacy Commissioner Grok Sexualized Deepfakes Violated Law, the existing vessel on the Grok-X training fallout. /news/canada-privacy-commissioner-grok-sexualized-deepfakes-violated-law-2026
- [13] State of Surveillance: DHS ICE Instagram Subpoenas Anti-ICE Speech Surveillance, the existing vessel on DHS insider-speech monitoring. /news/dhs-ice-instagram-subpoenas-anti-ice-speech-surveillance-2026
- [14] State of Surveillance: Kentucky HB 58 License Plate Reader 90-Day Limit Flock, the existing vessel on the ALPR retention limits. /news/kentucky-hb-58-license-plate-reader-90-day-limit-flock-2026