A wall-mounted security camera in a dim hallway, the kind of perimeter surveillance behind the retail facial-recognition, spyware, and plate-reader stories of the day
Photo via Unsplash

Today in Surveillance:

  • Sainsbury's is expanding live facial recognition to up to 200 UK stores by the end of 2026. The Register reported the supermarket is scaling up its Facewatch deployment from more than 55 stores, one of the widest commercial uses of the technology in British retail. Big Brother Watch called it a decision that treats customers like suspects [1].
  • Citizen Lab confirmed Pegasus on the phone of a former MEP who investigated spyware. Stelios Kouloglou, a substitute member of the European Parliament's PEGA inquiry, was infected in October 2022 and again in March 2023, the second time as PEGA hearings were underway [2].
  • Eight Predator victims filed suit against Intellexa and 13 named people. Each plaintiff, including journalist Thanasis Koukakis, is asking for 1 million euros in moral damages over hacks between 2020 and 2021, according to their lawyer [3].
  • Body-camera footage showed a Florida deputy using plate-reader tools to chase a woman he met on a TV set. 404 Media reported the deputy ran her through the state DAVID database and put her plate on an ALPR hotlist, then pursued her at high speed [4].
  • The DOJ used a Windows anti-piracy identifier to help finger a Scattered Spider suspect. An affidavit describes the Windows Global Device Identifier, a persistent device-level ID, tying a device to alleged member Peter Stokes [5].
  • Waymo reported two 15-year-olds to police in San Mateo. The car's operator flagged the teens for drinking and firing a toy gel-bead gun from inside the vehicle, and San Mateo police detained them [6].

The thread running through the day: systems sold as narrow tools for catching thieves, criminals, or bad actors quietly turn every ordinary person in front of them into a data point, and the record only surfaces the misuse after the fact.

Sainsbury's Takes Live Facial Recognition to Up to 200 Stores

The Register reported on July 6 that Sainsbury's plans to expand live facial recognition to up to 200 stores by the end of 2026, scaling up from the more than 55 shops where it already runs the technology. The supplier is Facewatch, the same vendor used by Budgens, Costcutter, Southern Co-op, Spar, B&M, and Sports Direct. Trials began in Sydenham and Bath Oldfield Park in September 2025, then reached London stores in early 2026 [1].

Sainsbury's says 90 percent of people identified through the system did not return to the store. That framing is the whole argument: the system is sold as a way to deter shoplifters. The mechanism is broader. Live facial recognition scans every shopper who walks past the camera, matches each face against a watchlist, and decides in the moment who is a suspect. The paying customer is enrolled in the scan whether or not they are on any list.

Silkie Carlo of Big Brother Watch called it a "shameful decision that treats customers like suspects, putting millions of law-abiding people at serious risk of privacy intrusions and humiliating false shoplifting accusations." The risk is not hypothetical. The Register cited the case of Warren Rajah, wrongly ejected from a store at Elephant and Castle, who asked whether he was "supposed to walk around fearful that I might be misidentified as a criminal." Sainsbury's said that incident "was not an issue with the facial recognition technology in use but a case of the wrong person being approached in store" [1]. That distinction is thin comfort to anyone stopped over a false match.

Pegasus Turned Up on the Phone of the MEP Who Investigated Pegasus

Citizen Lab confirmed that Pegasus spyware infected the iPhone of Stelios Kouloglou, a Greek MEP from 2014 to 2023 and a substitute member of the European Parliament's PEGA committee, the body set up to investigate Pegasus and equivalent spyware. The forensic analysis, published Friday, found two infections: one in October 2022 and a second in March 2023, while PEGA hearings on formal recommendations were underway [2]. Citizen Lab could not definitively name the NSO Group customer behind the attack, found no indications that Greece was responsible, and linked the operator to earlier attacks on exiled activists and journalists.

Elina Castillo Jimenez of Amnesty International's Security Lab said the infection of a device "with an intrusive form of spyware that only governments can procure" raises "serious concerns about the integrity of independent oversight at the highest levels in Europe." Civil-liberties groups called for the Parliament's own DG ITEC to open an investigation, for the EU to finally respond to the PEGA committee's May 2023 recommendations, and for reform of the 2021 Dual-Use Regulation [2]. The detail that stings: the person targeted was inside the institution meant to stop exactly this.

Eight Predator Victims Sue Intellexa for 1 Million Euros Each

Eight people whose phones were hacked with Predator spyware filed a lawsuit in Greece against Intellexa SA and 13 individuals connected to it, including founder Tal Dilian. Their lawyer Zacharias Kesses said each plaintiff is asking for 1 million euros in moral damages over hacks that took place between 2020 and 2021. The named plaintiffs include journalist Thanasis Koukakis, alongside lawyers, intelligence officials, and law-enforcement workers, according to reporting relayed by the Greek newspaper Kathimerini [3].

The suit is a civil escalation of a scandal that first surfaced in 2022, when a probe found that at least 87 high-profile Greeks were targeted through hundreds of SMS messages exploiting Chrome and Android zero-days. Earlier in 2026, an Athens court found Dilian and three others guilty in a misdemeanors case. Kesses framed the new filing as "the next institutional step towards full accountability of all those involved and redress for victims, both at national and European levels" [3]. Read alongside the Kouloglou finding, the two Greek spyware stories bracket the same problem from opposite ends: one still waiting for accountability, one still waiting for the operator to be named.

A Florida Deputy Used Police Plate Readers to Chase a Woman He Met on a TV Set

404 Media published body-camera footage showing a Monroe County deputy, Lamar Roman, using law-enforcement surveillance tools to pursue a woman he had met while working a security detail on the set of the AppleTV+ show Bad Monkey. After catcalling her and asking for her full name and Instagram, Roman looked up her vehicle in DAVID, Florida's DMV database for law enforcement, then added her license plate to an ALPR hotlist so he would get real-time alerts from AI-powered plate-reader cameras. He used a plate-tracking database to locate her and gave chase in his cruiser [4].

The pursuit was reckless on its own terms: 404 Media reported that Roman hit 70 mph on a two-lane highway, passed trucks in no-passing zones, and nearly caused a head-on collision when an oncoming truck had to veer off the road. Roman told investigators he saw the woman "as a 'shiny thing'" and admitted he knew the lookups were illegal. This is the recurring failure mode of plate-reader networks: the infrastructure built for public safety has no gate that stops an officer from turning it on a single private citizen, and the abuse is visible only because someone later pulled the footage.

Windows Anti-Piracy Telemetry Became Criminal-Forensics Evidence

The Register reported that a DOJ affidavit in the Scattered Spider case leaned on the Windows Global Device Identifier, described in the filing as "a persistent, device-level identifier designed to uniquely identify an installation of a Windows operating system on a device." The identifier, provisioned through Microsoft account infrastructure that dates back to Windows 10, was used to connect a specific device to Peter Stokes, arrested in Finland and extradited, whom prosecutors accuse of targeting more than 100 corporate networks and obtaining over 100 million dollars in ransom payments [5].

The investigative trail ran from a Microsoft criminal referral through IP records from the tunneling service ngrok and a VPN provider, to a device whose Global Device Identifier matched activity on the ngrok signup page, and finally to an IP address in Estonia where Stokes lived [5]. What makes it a surveillance story is the crossover. A device fingerprint built into every modern Windows install, originally an anti-piracy and account-management feature, is now cited as forensic identity evidence in a federal case. The telemetry was always there. The question is what else it can be pointed at.

A Waymo Reported Its Own Passengers to the Police

404 Media reported that in San Mateo, California, a Waymo robotaxi reported two 15-year-old passengers to police after determining they were drinking and firing projectiles from inside the moving car. Officers stopped the vehicle and detained the teens, who turned out to be shooting Orbeez water beads from a SplatRBall gel-bead toy gun. The San Mateo Police Department posted about it on Facebook: "Parents do you know where your teens are? @waymo does!" [6]

The teens were doing something they should not have been. That is not the point. The point is that a consumer service packed with interior cameras and microphones watched its passengers, judged their behavior, and called the cops, and it can do so on any ride. Waymo's own support page notes that its team "may review video under certain circumstances" and, "in more urgent circumstances," can "access live video during a trip." Waymo did not respond to 404 Media's request for comment [6]. A car that can report you is a car that is always watching you.

What to Watch

Facewatch and the ICO. Sainsbury's scaling to up to 200 stores puts the largest commercial facial-recognition deployment in Britain in front of regulators. Watch whether the Information Commissioner's Office revisits Facewatch, and whether any of the retailers named alongside Sainsbury's expand or pause their own rollouts [1].

The EU's spyware reckoning. The Kouloglou finding and the Predator lawsuit land together. Watch whether the European Parliament acts on the calls to investigate the targeting of one of its own members, and whether the 1-million-euro-per-plaintiff suit in Greece moves toward Intellexa and the 13 named individuals [2][3].

Device identity as evidence. The Windows Global Device Identifier surfacing in a federal affidavit is worth tracking. Watch whether defense lawyers challenge how the identifier was obtained, and whether the same telemetry appears in other prosecutions [5].

Sources

  1. The Register, Connor Jones: Brit supermarket giant triples down on facial recog to nab shoplifters, July 6, 2026. https://www.theregister.com/security/2026/07/06/brit-supermarket-giant-triples-down-on-facial-recog-to-nab-shoplifters/5266935
  2. The Register: EU's latest spyware scandal prompts calls for urgent action, July 6, 2026. https://www.theregister.com/security/2026/07/06/eus-latest-spyware-scandal-prompts-calls-for-urgent-action/5267054
  3. The Register: Predatorgate victims launch 8M sueball at spyware maker, July 7, 2026. https://www.theregister.com/security/2026/07/07/predatorgate-victims-launch-8m-sueball-at-spyware-maker/5267766
  4. 404 Media, Jason Koebler: Footage Shows Cop Stalking Woman He Met on a TV Set After Surveilling Her With a License Plate Reader, July 6, 2026. https://www.404media.co/footage-shows-cop-stalking-woman-he-met-on-a-tv-set-after-surveilling-her-with-a-license-plate-reader/
  5. The Register, Thomas Claburn: Windows is watching, anti-piracy tool fingers Scattered Spider suspect, July 7, 2026. https://www.theregister.com/cyber-crime/2026/07/07/windows-is-watching-anti-piracy-tool-fingers-scattered-spider-suspect/5267953
  6. 404 Media, Samantha Cole: Waymo Called Police on Teens in San Mateo, July 7, 2026. https://www.404media.co/waymo-called-police-on-teens-san-mateo/