A view of Earth from space at night with glowing city grids across multiple continents, the global reach of the EU-and-Israeli surveillance export pipeline HRW and Citizen Lab have been documenting
Photo via Unsplash

Today in Surveillance:

  • Human Rights Watch documented at least six EU member states exporting surveillance technology to 24+ authoritarian buyers. A 54-page report published May 12, 2026 finds that Bulgaria, Poland, the Czech Republic, Denmark, Finland, and Estonia granted export licenses for intrusion software and telecom-interception gear to countries with documented records of targeting journalists, activists, and political opposition. Bulgaria alone exported to more than 20 destinations. Twelve of 27 member states refused to share their export records with HRW [1][2][3].
  • NSO told the Ninth Circuit that the WhatsApp injunction will force it out of business. The Israeli spyware vendor's appellate brief frames the May 2025 verdict as catastrophic and warns that being locked out of WhatsApp infrastructure will end NSO, regardless of the dollar damages figure. Meta is cross-appealing to extend the injunction to Facebook, Instagram, and Threads [4][5][6].
  • ACLU data puts 77.2 million Americans in counties with 287(g) agreements. ACLU analysis from February 26, 2026 calculates roughly 32% of the U.S. population now lives in a county whose local police can enforce immigration law during routine traffic stops. NPR reported May 5, 2026 that ICE is on track to spend up to $2 billion in 2026 reimbursing local police through the program [7][8].
  • Apple is moving Hide My Email to a blockable subdomain. A June 15, 2026 developer note will shift every new alias from @icloud.com to @private.icloud.com, a string any service can fingerprint and refuse. Existing aliases keep forwarding. The change is Apple's third privacy-product narrowing in two weeks [9][10].
  • PayoutsKing claims 435 GB of Eyemart Express data. Ransomware group PayoutsKing posted on its leak site March 10, 2026 that it had stolen Social Security numbers, medical records, health insurance details, driver license numbers, and payroll data from the 250-store optical retailer. The company filed its Texas AG disclosure 38 days later and as of early May had not notified affected customers [11][12].
  • The Israeli surveillance export pipeline is the structural context for the rest. A handful of Israeli companies (NSO Group, Cellebrite, Paragon, Candiru, QuaDream, the Intellexa orbit) sit at the center of the global commercial spyware industry, documented by Citizen Lab, Amnesty Tech, the Israeli State Comptroller, and U.S. Commerce Department sanctions [13][14][15].

Also today: Two tax-funded export agencies in the EU kept issuing licenses, the same week the EU is preparing to review the regulation in September that was supposed to stop this. NSO's January 2026 ownership change, with David Friedman as executive chairman and U.S. investors holding a stake, is running on the same track as the appeal [16]. The Israeli Defense Export Controls Agency announced at its November 2025 annual conference that it would "reduce policy constraints and streamline licensing timeframes" for cyber exports, the opposite direction of the EU's stated intent [17]. And the Apple Private Cloud Compute developer-page restriction from June 14 and the UK Apple ADP "secret order" reissue frame the Hide My Email subdomain move as a pattern, not an isolated product change [18][19].

Human Rights Watch: The EU Is the Spyware Factory Floor

Human Rights Watch published a 54-page investigation on May 12, 2026 titled "Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators." The report found that at least six EU member states (Bulgaria, Poland, the Czech Republic, Denmark, Finland, and Estonia) granted export licenses for intrusion software and telecom-interception gear to 24 or more countries with documented histories of targeting journalists, activists, and political opposition [1][2].

Bulgaria is the worst offender in the report. Between 2020 and 2023, it exported surveillance technology to more than 20 destinations, including Azerbaijan, the UAE, Mexico, the Philippines, Uganda, and Vietnam. Bulgaria is home to Circles, an affiliate of NSO Group that builds products exploiting telecommunications-infrastructure vulnerabilities. When NSO faced export bans from Israel, the EU supply chain picked up the slack. Poland approved phone-monitoring system exports to Rwanda, where authorities have been documented using Pegasus against journalists and political dissidents since 2017 [1].

The EU adopted the Dual-Use Regulation (2021/821) on September 9, 2021 specifically to prevent this. MEP Markéta Gregorová promised it would ensure "powerful European cyber-surveillance technology does not end up in the hands of dictators and authoritarians." Three years later, the European Commission issued implementation guidelines that gutted the transparency requirements by separating technology-type data from destination-country data, so the public reports show what kinds of tech were exported and which countries received surveillance tools, but never which country got which technology. The justification was "commercial confidentiality" [3]. Twelve of 27 member states denied HRW's freedom-of-information requests for their export records or ignored them entirely. France, Germany, Italy, Spain, and Greece, five of the EU's six largest economies, refused to share anything [1].

The structural finding: Europe isn't just failing to stop the spyware trade. It is the factory floor. A 2024 Google Threat Analysis Group report on the commercial surveillance industry profiled vendors that are almost entirely based in the EU, all but two of those named. The EU is required to evaluate the regulation in September 2026. HRW published the raw export data on GitHub so researchers and journalists can follow the supply chains themselves [20]. Our full brief lays out the country-by-country supply chain [2].

NSO's Ninth Circuit Brief: The Injunction Will Put Us Out of Business

NSO Group's appellate fight against the WhatsApp verdict was formally moved to the U.S. Court of Appeals for the Ninth Circuit on November 19, 2025. The brief asks the court to throw out the May 2025 jury finding that it owes Meta $167.25 million in punitive damages for using Pegasus to target 1,400 WhatsApp users in 2019, plus the permanent injunction barring it from ever touching WhatsApp infrastructure again. NSO is calling the outcome "catastrophic" and warning the court that the injunction alone will "force NSO out of business" [4][5].

The damages have already been cut. Judge Phyllis Hamilton reduced the $167.25 million jury verdict to roughly $4 million in October 2025, applying a 9-to-1 ratio she said was justified because, in her words, "there have simply not yet been enough cases involving unlawful electronic surveillance in the smartphone era" to call NSO's conduct "particularly egregious" by precedent. NSO is now asking the Ninth Circuit to cap punitive damages at $1.77 million, applying a 4-to-1 constitutional ratio it argues controls. Meta is cross-appealing to get the full $167.25 million restored [6][4].

The real fight is the injunction. The October 17, 2025 order permanently bars NSO from using or accessing WhatsApp servers, accounts, or infrastructure for any reason. Hamilton found NSO had repeatedly redesigned Pegasus to evade WhatsApp's defenses even after the lawsuit was filed, and ruled the harm was "ongoing." Meta wants the appellate court to extend the injunction to Facebook, Instagram, and Threads. If the Ninth Circuit agrees, NSO is not just locked out of WhatsApp, it is locked out of essentially all of Meta's communication infrastructure [5][6].

NSO can probably absorb a few million in punitive damages. It cannot absorb being kept off WhatsApp. The damages fight is the headline. The injunction fight is what determines whether NSO still exists in 2028. Our full brief walks through the November 2025 filing, the Lawfare analysis, and the Apple-versus-Meta resource disparity [21].

287(g) Hits 77.2 Million Americans. ICE Is Sending $2 Billion to Local Cops.

The ACLU's analysis from February 26, 2026 puts at least 77.2 million Americans, roughly 32% of the U.S. population, in a county whose local law enforcement agency holds a 287(g) agreement. DHS said it had trained or was training more than 10,000 officers under the program's street-level enforcement model as of September 2025. Under that model, local police can question anyone about immigration status during routine traffic stops, make immigration arrests, and turn county traffic enforcement into federal deportation infrastructure [7].

Section 287(g) of the Immigration and Nationality Act allows ICE to delegate immigration enforcement authority to state and local police. The street-level enforcement model was largely discontinued under the Obama administration over racial-profiling concerns. It is back. The Texas Attorney General's office signed a 287(g) agreement in January 2025 granting statewide immigration enforcement authority to a state AG for the first time. Florida legislation now mandates that any law enforcement agency operating a detention facility must enter a 287(g) agreement with ICE [7].

NPR and Georgia Public Broadcasting reported on May 5, 2026 that ICE is on track to spend up to $2 billion in 2026 reimbursing local police through the program, with the money going to vehicles, fingerprint scanners, real-time Spanish-translation AirPods, and per-arrest bonuses. The ACLU's Naureen Shah told NPR that "Congress never intended for ICE to be swooping in to these local jurisdictions and offering them money in exchange to participate." Per-arrest bonuses are the structural problem: police departments get paid for finding people ICE wants [8]. New Mexico, Maine, and Maryland have all enacted 287(g) bans in 2025-2026, and Illinois and Washington have been pursuing bans this session [7][8].

The beat is no longer "ICE arrests immigrants." It is "your local police are part of the ICE pipeline," with Flock ALPRs, mobile fingerprint scanners, and now real-time translation AirPods converting traffic stops into deportation triggers. Our full brief covers the ACLU analysis, the per-arrest incentives, and the state-level resistance map [22].

Apple Moves Hide My Email to a Subdomain Any Service Can Block

TechCrunch security editor Zack Whittaker reported on June 16, 2026 that Apple told developers in a June 15 note it will move every new iCloud+ Hide My Email alias from the @icloud.com domain to a new @private.icloud.com subdomain "in the coming weeks." Existing aliases continue to forward mail without interruption. Apple did not respond to TechCrunch's request for comment and did not explain why the change was made [9].

The reason the aliases work today is that they share the @icloud.com domain with tens of millions of regular Apple Mail users and cannot be told apart from them. Banning @icloud.com wholesale would cost the service real customers. The @private.icloud.com subdomain has no such cost. Any service that wants to block the feature can now do it with a single string match, the same way they already block mailinator.com and guerrillamail.com. Developer Arseniy Shestakov flagged the change in a widely-shared post on June 16, framing it as the end of plausible deniability for the aliases [10].

The move is Apple's third privacy-product change in two weeks. The Apple Private Cloud Compute developer page was restricted to first-party Apple Intelligence features and a narrow App Store Small Business Program lane on June 14. The UK Apple Advanced Data Protection "secret order" coverage continued to develop in the same window. iCloud+ subscribers get no compensation, no opt-out, and no advance notice beyond the developer note. Earlier in 2026, TechCrunch reported that Apple had already turned over the real account of one Hide My Email user to a subpoena tied to the girlfriend of FBI director Kash Patel [9][18][19].

Shestakov's workaround: the rate limit for creating aliases on @icloud.com is at least 30 per hour, and the aliases generated before the switch stay on the old domain. iCloud+ subscribers who want to bank @icloud.com aliases have a window that is still open. Our full brief walks through the TechCrunch and Shestakov reporting, the unmasking precedent, and the third-privacy-product-move-in-two-weeks framing [23].

PayoutsKing Claims 435 GB of Eyemart Express Data, Including SSNs and Medical Records

Ransomware group PayoutsKing posted a claim on its dark web leak site on March 10, 2026 saying it had exfiltrated 435 gigabytes of internal data from Eyemart Express, a 250-store optical retailer with locations in 42 states under multiple brands including Eyemart Express, Vision4Less, Visionmart Express, and Eyewear Express. The group's message was blunt: "The full data set will be released if Eyemart Express fails to negotiate. Contact us immediately" [11].

The stolen data reportedly includes Social Security numbers, medical records, health insurance information (policy numbers, group IDs, plan details), driver license numbers, dates of birth, financial documents, payroll reports, and corporate contracts. Optical retailers process medical exams (HIPAA-protected health information), run insurance claims, verify identity, and handle payments, all in one system. Healthcare-adjacent retailers like optical chains, dental offices, and urgent care clinics often lack the security budgets of major hospital systems but hold the same categories of sensitive data [11][12].

Eyemart Express filed a breach disclosure with the Texas Attorney General on April 17, 2026, which is 38 days after the attackers publicly announced the breach, not 38 days after the breach itself. As of early May, the company had not notified affected individuals, had not disclosed how many customers are impacted, and had not announced credit monitoring or identity protection services. At least three law firms have launched class action investigations [12][24][25]. Our full brief covers the PayoutsKing double-extortion pattern, the timeline gap, and the consumer-protection steps for anyone who has visited an Eyemart Express, Vision4Less, Visionmart Express, or Eyewear Express location [26].

The Israeli Pipeline: Why the Surveillance Trade Clusters in One Country

Six names do most of the work. NSO Group makes Pegasus, the zero-click smartphone implant whose leaked 2021 target list included roughly 180 journalists across 20 countries. NSO was placed on the U.S. Commerce Department's Entity List in November 2021 and lost the May 2025 jury verdict to WhatsApp that is now on appeal. Cellebrite sells the Universal Forensic Extraction Device (UFED) law enforcement uses to crack smartphones, with ICE and Homeland Security Investigations pursuing a five-year contract with a $100 million ceiling. Paragon Solutions makes Graphite, a Pegasus competitor that Citizen Lab confirmed was used against journalists including Italy's Ciro Pellegrino. Candiru is another Israeli zero-day vendor sanctioned alongside NSO in 2021. QuaDream sold the REIGN spyware until Citizen Lab and Microsoft Threat Intelligence reports forced its closure in April 2023. Intellexa, Cytrox, and Passitora form a "surveillance alliance" founded by former Israeli military intelligence commander Tal Dilian, selling the Predator spyware through Cyprus and other jurisdictions [13][14].

The clustering is structural. Unit 8200 is the Israeli military's signals-intelligence corps, sitting inside a country with mandatory military service. Engineers serve three to five years, then exit with a security clearance, a peer network, and zero student debt, and most of the companies above were founded by people who walked that path. NSO's Shalev Hulio. Cellebrite's earliest engineering benches. Candiru's founding team. The Intellexa orbit. The companies are Israeli. The export licenses are issued by the Israeli Defense Export Controls Agency, which means the Israeli government is the licensor of the global spyware trade for these vendors [13].

The Israeli State Comptroller's 2023 audit called the Israeli police's own use of Pegasus between 2015 and 2021 "prohibited, serious, and offensive." Haaretz reported in February 2022 that NSO license approvals tracked (sometimes nearly one-for-one) with countries Israel was trying to warm relations with. The Association for Civil Rights in Israel and the +972 Magazine / Local Call reporting on the Lavender system are Israeli civil society pushing against Israeli government decisions. Our pipeline brief walks the Unit 8200-to-private-sector path, the DECA licensing lever, and the distinction between criticizing a government and smearing a population [13][15][27].

What to Watch This Week

Monday July 6 to Sunday July 12. The Ninth Circuit will set NSO's appellate oral-argument schedule, typically 6 to 12 months after the opening brief lands. Expect arguments in late 2026 or early 2027. Microsoft, Google, GitHub, Cisco, LinkedIn, and the Internet Association already filed an amicus brief at the immunity stage; expect another wave on the merits, particularly on the CFAA scope question [4][21].

Wednesday July 8. Anthropic's identity-verification requirement takes effect. The first wave of users who fail verification would be locked out of the top Claude models, making the Persona data-retention and law-enforcement-access questions concrete. The Apple Hide My Email subdomain move lands in the same window, so the same week will see two different identity-verification moves, one a feature, one a removal of cover for a feature [9].

September 2026. The European Commission is required to review the Dual-Use Regulation. HRW is demanding the Commission close the transparency loopholes, require real human-rights due diligence, and establish remedy mechanisms for victims. Twelve of 27 member states not even sharing export records is the baseline the review has to beat [1][3].

December 2026. State-level 287(g) bans are still advancing. Watch the Illinois and Washington bans, plus the Texas and Florida counter-pressure, for whether the street-level enforcement model becomes the new floor of ICE's distributed workforce. The NPR $2 billion reimbursement number is on track to land before the next budget cycle [7][8].

Sources

  1. Human Rights Watch: Looking the Other Way: EU Failure to Prevent Surveillance Exports to Rights Violators (May 12, 2026)
  2. State of Surveillance: European Countries Are Selling Spyware to Dictators, the brief on the 54-page HRW report and the Dual-Use Regulation gap
  3. Human Rights Watch: European Union: Surveillance Technology Sold to Rights Violators (May 12, 2026)
  4. The Record (Recorded Future News): NSO appeals WhatsApp decision, says it can't pay $168 million in 'unlawful' damages
  5. Al Jazeera: US court bars Israeli spyware firm from targeting WhatsApp users (October 18, 2025)
  6. CyberScoop: NSO Group argues WhatsApp injunction threatens existence, future U.S. government work
  7. ACLU: ICE Is Expanding 287(g) Agreements With Police (February 26, 2026)
  8. NPR: ICE is paying incentives to local police to help reach Trump's deportation goals (May 5, 2026)
  9. TechCrunch: Apple plans to change its Hide My Email privacy feature that could make it less effective (Zack Whittaker, June 16, 2026)
  10. Arseniy Shestakov: Apple is about to make Hide My Email useless (June 16, 2026)
  11. DeXpose: PayoutsKing Strikes Optical Retailer Eyemart Express (April 30, 2026)
  12. ClassAction.org: Eyemart Express Data Breach Reported; Lawyers Investigating (April 2026)
  13. State of Surveillance: Why Israel Is So Entangled With Surveillance Tech, the pipeline brief covering NSO, Cellebrite, Paragon, Candiru, QuaDream, Intellexa, Unit 8200, DECA, and the IHRA / Jerusalem Declaration framing
  14. Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon's iOS Mercenary Spyware (June 2025)
  15. CTech: Comptroller confirms Calcalist's findings on police use of spyware without approval ("prohibited, serious, and offensive")
  16. TechCrunch: NSO Group confirms acquisition by US investors (October 10, 2025)
  17. Defence Industry Europe: Israel sets defence export priorities and licensing reforms at DECA (November 2025)
  18. State of Surveillance: Apple's Private Cloud Compute Is Severely Limited for Apps, the June 14, 2026 developer-page restriction
  19. State of Surveillance: UK Apple ADP Secret Order: Inside the Global Encryption Fight
  20. GitHub: Human Rights Watch EU Surveillance Export Data
  21. State of Surveillance: NSO Group Calls $167M WhatsApp Verdict 'Catastrophic.' Appeal Drags On., the Ninth Circuit brief and the Lawfare analysis
  22. State of Surveillance: 287(g) Explodes: 1,000+ Local Police Agencies Now Enforce Immigration Law, the ACLU / NPR / state-ban map
  23. State of Surveillance: Apple's iOS 19 Update Makes Hide My Email Useless, the TechCrunch and Shestakov analysis and the unmasking precedent
  24. Migliaccio & Rathod LLP: Eyemart Express Data Breach Investigation (May 1, 2026)
  25. Barnow and Associates: Eyemart Express Data Breach Investigation (2026)
  26. State of Surveillance: Eyemart Express Hit by Ransomware: 435 GB of Data Stolen, the PayoutsKing double-extortion and the Texas AG 38-day disclosure gap
  27. Haaretz: Netanyahu used NSO's Pegasus for diplomacy (February 2022)