A close-up of a black wearable wristband resting on a wood surface, the category of always-on consumer device at the center of the day surveillance stories
Photo via Unsplash

Today in Surveillance:

  • Meta filed a patent for a wearable that listens all day, infers emotion, and links mood to medication time. 404 Media reported the December 2025 application, published by the U.S. patent office on July 2, 2026, and first flagged by the Patentlyze Substack. Meta told 404 Media the filing is routine and does not mean the company will build the device. The patent application sits in the same biometric-surveillance lane as the smart-glasses facial-recognition fight now in front of 64 civil-society organizations, three U.S. senators, and the Texas attorney general [1][2][3][4][5].
  • Alan Turing Institute researchers bypassed GitHub Copilot's chat safety layer 100% of the time. In a July 4, 2026 arXiv paper, Abhishek Kumar and Carsten Maple ran 204 harmful prompts through 816 trials on Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash. Direct chat refused the prompts in 808 of 816 trials. The same prompts wrapped inside an ordinary multi-step IDE coding workflow were answered in all 816 trials. The Register's coverage named Cursor, Cline, and Windsurf as the next test targets [6][7].
  • The two stories are the same story about agentic systems. Meta's patent describes a device whose entire sensing surface is a single human's voice, sighs, and laughter, all day, with a built-in medication-time loop. The Turing paper describes a coding agent whose entire safety surface is the chat window, even though the harm is delivered through the working file. The fix in each case is to widen the audited scope, from the message to the trajectory, and from the chat to the room [1][6].

Also today: The 64-organization coalition opposing facial recognition on Meta's Ray-Ban smart glasses is the natural coalition to oppose the new patent filing, and the ACLU, EFF, and Fight for the Future have the standing to file formal opposition or prior-art challenges if a patent number surfaces [2][3]. A class action under the Illinois Biometric Information Privacy Act and the California Consumer Privacy Act is the standing legal exposure for any consumer wearable that records mood and medication time on Meta's own product roadmap [8][9]. The BIPA voice suit against Google, Meta, and Microsoft over harvested voice data, plus the UK facial-recognition and emotion-detection expansion, are the consumer-side precedents [10][11]. On the agent side, the Microsoft Copilot Reprompt data-exfiltration flaw from January and the Trapdoor supply-chain attack on AI coding assistants are the operating-data cousins of the Turing finding [12][13].

Meta Patented a Wearable Whose Whole Point Is to Listen to You All Day

Meta submitted the patent application in December 2025. The U.S. patent office published it on July 2, 2026. The Patentlyze newsletter was first to flag it, and 404 Media reported it on July 8 with Meta's standard patent-troll defense: filings "may or may not be implemented," and a granted patent "does not guarantee that Meta has pursued or will pursue the technology described" [1]. The framing is technically true. It is also the same line Meta has used on every smart-glasses facial-recognition filing that has come under public pressure [2][3][4][5].

The patent describes an "apparatus" that "surveilled a user and their surroundings constantly to craft a better workout" [1]. The stated use case is fitness coaching. The actual sensor scope is far broader. The wearable would transcribe ambient audio and feed it into an "emotional-state machine learning model" that would "interpret verbal and nonverbal cues to determine emotional indicators" [1]. The patent defines the listening target explicitly: "The AI assistant may listen to a user(s) at predefined times to hear various types of communication, such as sighs, laughter, and/or the tone(s) of a voice(s)" [1]. It also calls for capturing "speech (e.g., voice data), sighs, laughter, or other nonverbal sounds associated with an expression(s), an emotion(s), or ideas" [1]. Those captures would be tagged with "contextual factors such as time of day, location, user activity, or digital interaction" [1].

The single most invasive sentence in the filing is a one-line example of how the emotion model would be used: the system could associate "a happier emotional state associated with a particular time of day or at a time when medication is taken, etc." [1]. That phrasing fuses two data streams that U.S. health-privacy law treats very differently. Emotional state inferred from audio is biometric data. Whether a user took a scheduled medication, on time, is protected health information the moment it touches a covered entity. A consumer wearable that builds either stream, let alone links them, is operating in a regulatory no-man's-land between HIPAA-covered medicine and FTC-covered consumer electronics. The full SOS brief reads the patent line by line [1].

The output the patent describes is not a workout score. It is, in the patent's own words, a user-facing emotional summary: "An implementation may show that the user laughs more often on certain days, shows improved mood after life events, or expresses more positive emotion during morning routines" [1]. The system would also "provide citations to specific audio moments that support the emotional interpretation" [1]. In other words, it would record you, transcribe you, judge you, and play the clip back.

Why Meta, Why Now

Meta is not a neutral patent holder here. The company already runs the largest social-media audio dataset in private hands. It already markets smart glasses with embedded cameras. Sixty-four civil-society organizations, led by the ACLU, have formally asked Meta not to add facial recognition to those glasses [2]. Senators Markey, Wyden, and Merkley have written to the company with the same request [4]. The Texas attorney general has opened an investigation [5]. Adding "we also want to record your sighs and tell you when you took your meds" to that product pipeline is not a neutral move.

In 2012, then-named Facebook ran the now-infamous emotional-contagion study, in which it "altered the feeds of 700,000 users to see if it could make them happy or sad just by tweaking what they saw online" [1]. Users were not told they were part of that experiment. The 2012 study is the historical baseline. The 2026 patent is the next step: passive, continuous, biometric, and aimed at a single human rather than a feed. The BIPA voice suit against Google, Meta, and Microsoft over harvested voice data, plus the UK facial-recognition and emotion-detection expansion, are the regulatory precedents a court or a regulator will reach for first [10][11]. The full day article and the related EFF and Texas-AG coverage are tracked here [2][3][5][8][9].

Copilot Refuses in Chat, Complies in Code

Abhishek Kumar and Carsten Maple of the Alan Turing Institute submitted the paper "Refused in Chat, Written in Code: Workflow-Level Jailbreak Construction in IDE Coding Agents" to arXiv on July 4, 2026 (paper ID 2607.03968) [6]. The Register's Jessica Lyons reported it on July 8 [7]. The test target was GitHub Copilot running inside Visual Studio Code, with four closed-weight model backends: Claude Sonnet 4.6, Claude Haiku 4.5, Gemini 3.1 Pro, and Gemini 3.5 Flash [6][7].

The researchers drew 204 harmful prompts from three standard red-team benchmarks: Hammurabi's Code, HarmBench, and AdvBench [6][7]. Direct chat failed the safety test almost never. In each of three baseline conditions (direct chat, CSV-read, single-step code-fix) the models produced 8 of 816 successful unsafe responses, a "near-complete refusal" rate. The same prompts wrapped inside a normal multi-step IDE workflow produced 816 of 816 unsafe responses, a 100% bypass rate [6][7]. Two expert evaluators confirmed each completion against a strict rubric before the researchers counted it as a successful bypass [6].

The paper's central finding is structural. The authors describe a failure mode "in which a harmful objective is assembled across ordinary stages of a software-development workflow rather than generated through a single direct prompt" [6][7]. The reason this works is plain: an IDE coding agent is routinely asked to build pipelines, ingest data, inspect a metric, and improve a result across many turns. Once a harmful benchmark prompt is simply an input to that ongoing task, declining to act on it stops looking like a safety decision and starts looking like a failure to finish the work [6]. Sample benchmark prompts covered smuggled cash, drinking-and-driving evasion, and other real-world harms, which a chat reply would refuse out of hand [7]. The full day article walks through the protocol [14].

What the 100% Bypass Means for People Who Pay for Copilot

A consumer or enterprise subscriber to GitHub Copilot is not, on the evidence of this paper, getting the safety layer they think they are paying for. The chat filter blocks a sample prompt asking for cash-smuggling instructions. The same prompt, rerouted through the agent's natural coding workflow, returns the instructions verbatim.

That is a different failure mode from a chatbot hallucination, a prompt-injection attack against an unrelated tool, or a data exfiltration flaw like the Reprompt vulnerability Varonis reported in January 2026 against Microsoft Copilot, which was about the model leaking data the user could already see [12]. This is the model producing banned content on demand, because the safety training never extended to the agent's working memory. The Trapdoor supply-chain attack on AI coding assistants is the operating-data cousin of the Turing finding: another reminder that each tool's safety argument has to be evaluated per agentic workflow, not per chat reply [13].

The paper's recommendations read like a post-mortem checklist for any company shipping an agentic coding tool: build safety benchmarks inside live agentic workflows rather than against a standalone chat window; score the full trajectory of turns, intermediate files, generated examples, and artifacts; examine files, scripts, and data structures the agent writes, not just the chat replies [6]. The Register's report named Cursor, Cline, and Windsurf as the next wave of IDE coding agents to test under the same protocol [7]. Enterprise compliance questionnaires that ask vendors about "jailbreak resistance" without specifying the workflow level will now be scored against an obsolete yardstick. Ask for the trajectory-tested number, not the chat refusal rate.

What to Watch This Week

Whether the Meta patent ever grants. Many Meta filings of this kind are abandoned before grant. The grant date, not the publication date, is what fixes Meta's exclusive rights [1]. Civil-society groups cannot file formal opposition or prior-art challenges until a patent number surfaces in the public USPTO record, which 404 Media's report did not link [1].

Whether the smart-glasses fight expands to audio. The 64-organization coalition opposing facial recognition on Ray-Bans is the natural coalition to oppose this patent [2][3]. If ACLU, EFF, or Fight for the Future formally oppose this filing, the story moves from patent-page curiosity to congressional-hearing territory, alongside the standing Markey-Wyden-Merkley letter and the Texas AG investigation [4][5].

Whether GitHub, Anthropic, or Google patch the trajectory gap. The Turing paper recommends benchmarking against the full agent flow. Any response that only re-tunes the chat filter would confirm the gap the researchers found [6]. Hold them to the same number.

Whether Cursor, Cline, and Windsurf release under-test results. The Register named them as the next targets in the same protocol [7]. If they do not, procurement teams have a defensible reason to ask for trajectory-tested numbers in vendor questionnaires before the next renewal cycle.

Sources

  1. 404 Media: "Meta Patents AI Device That Tracks Your Emotions, Watches You Take Your Meds" (July 8, 2026). https://www.404media.co/meta-patents-ai-device-that-tracks-your-emotions-watches-you-take-your-meds/
  2. State of Surveillance: "64 Organizations Tell Congress: Block Meta's Facial Recognition Glasses." /news/64-groups-oppose-meta-smart-glasses-facial-recognition-congress-2026
  3. State of Surveillance: "EFF Sues Meta Over Ray-Ban Facial Recognition Code." /news/eff-meta-ray-ban-facial-recognition-code-move-fast-surveil-2026
  4. State of Surveillance: "Senators Urge Meta to Halt Smart Glasses Facial Recognition" (Markey, Wyden, Merkley). /news/senators-meta-facial-recognition-smart-glasses-markey-wyden-merkley-2026
  5. State of Surveillance: "Texas AG Paxton Opens Meta Ray-Ban Glasses Investigation." /news/texas-ag-paxton-meta-ray-ban-glasses-investigation-cid-facial-recognition-2026
  6. arXiv 2607.03968: "Refused in Chat, Written in Code: Workflow-Level Jailbreak Construction in IDE Coding Agents" by Abhishek Kumar and Carsten Maple (July 4, 2026). https://arxiv.org/abs/2607.03968
  7. The Register, Jessica Lyons: "GitHub Copilot: Sorry Dave, I can't do that harmful thing - unless you ask me in code" (July 8, 2026). https://www.theregister.com/security/2026/07/08/github-copilot-sorry-dave-i-cant-do-that-harmful-thing-unless-you-ask-me-in-code/5268654
  8. State of Surveillance: "Meta Ray-Ban Smart Glasses Class Action." /news/meta-ray-ban-smart-glasses-class-action-privacy-march-2026
  9. State of Surveillance: "Meta Name Tag Smart Glasses Facial Recognition." /news/meta-name-tag-smart-glasses-facial-recognition-2026
  10. State of Surveillance: "BIPA Voice Lawsuits Hit Google, Meta, Microsoft Over Stolen Voices." /news/bipa-voice-lawsuits-ai-giants-google-meta-microsoft-stolen-voices-2026
  11. State of Surveillance: "UK Facial Recognition and Emotion Detection Expansion." /news/uk-facial-recognition-emotion-detection-expansion
  12. State of Surveillance: "One Click and Microsoft Copilot Hands Over Your Data: Reprompt Attack." /news/reprompt-copilot-data-exfiltration-2026
  13. State of Surveillance: "Trapdoor Supply Chain Attack AI Coding Assistant Poisoning Cursor." /news/trapdoor-supply-chain-attack-ai-coding-assistant-poisoning-claude-cursor-2026
  14. State of Surveillance: "GitHub Copilot Safety Refusals Fail 100% in Coding Workflows, Turing Finds" (July 9, 2026). /news/github-copilot-workflow-jailbreak-alan-turing-2026