Multiple surveillance cameras mounted on a lamp post overlooking a residential area

Today in Surveillance:

  • Philadelphia police are tracking AI critics as potential domestic violent extremists. A confidential fusion center bulletin obtained by The Intercept shows cops monitoring social media posts critical of AI data centers, and listing "disruptive First Amendment activity" as a threat indicator. Complaining about your electric bill going up because of a data center? That's a red flag now.
  • 63.6% of AI-powered business software hides its AI subprocessors. DataGrail's 2026 report coins "shadow AI", your employer's software is routing data to AI models without disclosing it. 32.8% of AI systems handle high-risk activities like automated decision-making.
  • FISA Section 702 expires in 10 days. No Senate deal. The warrant requirement is still the sticking point. Four swing Democrats will decide the outcome.
  • The SECURE Data Act hearing is tomorrow. Wednesday's hearing could advance a federal privacy bill that would override every state privacy law in America. The EFF calls it inadequate.
  • Vermont's comprehensive privacy bill heads to the governor. S.71 includes a geofencing ban near health facilities and mandatory Global Privacy Control support.
  • Connecticut just signed a major data broker crackdown. SB 4 creates a public data broker registry, bans surveillance pricing, and regulates direct-to-consumer genetic testing.

Philadelphia Cops Are Tracking People Who Criticize AI on Social Media

If you've posted anything critical about AI data centers online, Philadelphia police might be watching you. The Intercept published a June 1 investigation revealing that the Delaware Valley Intelligence Center (DVIC), a fusion center housed inside the Philadelphia Police Department, has been combing social media for criticism of AI data centers and flagging it as a potential domestic violent extremism threat [1].

A confidential December bulletin from the DVIC warned that "Domestic violent extremists (DVEs) are likely interested in targeting artificial intelligence (AI) data centers, posing a physical and cyber threat to infrastructure." The fusion center's list of threat indicators includes "disruptive First Amendment activity in opposition to AI data centers, small acts of vandalism, online calls for action to boycott and or protest local AI data centers" [1].

Read that again. Boycotting. Protesting. Using your First Amendment rights. Those are now listed alongside violent extremism indicators.

The bulletin tracked specific social media activity: an unnamed user who "indicated a desire to 'burn down' data centers," a Philly Anti-Capitalist blog post titled "Butlerian Jihad Against AI," and a Facebook meme about being "morally obligated to sabotage AI data center infrastructure." The fusion center lumped together white supremacists, anarchist collectives, and people griping about electricity bills, all under one umbrella threat assessment [1].

Philadelphia lawyer Paul Hetznecker called the report "a very dangerous attempt to characterize that protected First Amendment activity...as something other, something more dangerous" [1].

This follows a well-documented pattern. Fusion centers, there are about 80 of them nationwide, have a track record of doing little to stop actual terror while subjecting lawful protesters to surveillance. They've previously flagged Black Lives Matter activists, pipeline opponents, and environmental protesters as potential threats. Now AI critics get added to the list [1].

The timing isn't subtle. Data center construction is booming, communities are pushing back against the noise, water use, and electricity demands, and the tech industry needs that resistance squashed. Having police label critics as potential extremists is a convenient way to chill dissent.

Related: Philly Cops Are Tracking People Who Criticize AI Data Centers Online

Shadow AI: Two-Thirds of Business Software Sends Your Data to AI Models You Never Approved

DataGrail released its fifth annual Privacy and AI Trends Report on June 1, and the headline finding is alarming: 63.6% of the 2,400 AI-capable business applications they tracked don't disclose third-party AI subprocessors in their legal documentation [2][3].

That means nearly two-thirds of the software your employer uses could be routing data, your data, customer data, employee data, to AI models run by companies you've never heard of. DataGrail calls this "shadow AI," and it's the corporate surveillance threat nobody's talking about [2].

The numbers get worse. 32.8% of AI systems participate in at least one high-risk activity, including sensitive data processing and automated decision-making. State legislatures passed 145 AI-related laws in 2025, with over 1,000 additional bills introduced or revised. Privacy teams are drowning: data deletion requests surged 567% since 2021, hitting a fifth consecutive all-time high. 87% of all data subject requests are now deletion requests [2][3].

For a mid-sized company with 5 million annual web visitors, manually processing those deletion requests costs an estimated $1.5 million per year. Meanwhile, 63% of websites still fail to honor Global Privacy Control and universal opt-out mechanisms [2].

"The privacy programs that will thrive in 2026 aren't the biggest, they are the ones investing in privacy-first AI tools to scale their programs intelligently," DataGrail CEO Daniel Barber said [2]. Translation: the compliance burden is now so massive that only AI can manage it, creating a neat loop where AI creates privacy problems that require more AI to solve.

If your company uses AI-powered HR software, CRM tools, or analytics platforms, ask one question: where does the data go? If the vendor can't answer clearly, you've got shadow AI.

FISA Section 702: 10 Days Until Warrantless Surveillance Expires (Or Doesn't)

The clock is ticking. Section 702 of the Foreign Intelligence Surveillance Act, the authority that lets the government collect Americans' communications without a warrant, expires on June 12. That's 10 days from now, and the Senate still hasn't voted [4][5].

The House passed a three-year extension in April by a 261-111 vote. But the Senate is stuck on the same issue that's stalled every reform attempt: whether to require a warrant before searching Americans' data collected under 702. President Trump wants a clean reauthorization with no reforms. A bipartisan group of lawmakers, including Sen. Ron Wyden and Sen. Mike Lee, introduced the Government Surveillance Reform Act demanding warrant requirements and a ban on buying Americans' data from brokers [4][5].

The Intercept has identified four swing Democrats who will likely decide the outcome. The FISA Court itself found in March 2026 that the FBI's compliance problems extend "across the intelligence community," with agents routinely misusing the tool that searches Americans' data [4].

If Section 702 expires without renewal, the government loses the legal authority to compel companies to provide data under the program. Existing collection orders would continue through their certification period, but no new ones could be issued. That's the scenario intelligence officials say would create a dangerous gap. Reform advocates say it's the only leverage Congress has to force real oversight [5].

Related: FISA 702: 45-Day Extension, Reform Dead on Arrival | The FISA 702 Reauthorization Fight

Tomorrow's Hearing Could Kill 20 State Privacy Laws

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade holds a hearing tomorrow, June 3 at 10:15 AM, on the SECURE Data Act, a bill that would create a federal privacy framework and preempt every state privacy law in the country [6].

That's 20-plus state laws, from California's CCPA to Colorado's CPA to Connecticut's freshly signed data broker registry, potentially wiped out by a single federal standard. The bill would make the FTC the primary enforcer, require consent before processing sensitive data (race, health, biometrics, precise geolocation, children's data), and apply to any business processing data of U.S. residents above certain thresholds [6].

What it wouldn't do: create a private right of action. If a company violates your privacy rights, you can't sue them directly. You have to wait for the FTC or your state attorney general to act on your behalf. The EFF and EPIC have both published major critiques calling the bill inadequate [6].

We published a deep-dive on the SECURE Data Act last week. If you want to understand what's at stake tomorrow, start there.

Related: SECURE Data Act: Federal Privacy or State Law Extinction?

State Privacy Roundup: Vermont and Connecticut Make Moves

Vermont S.71 Heads to the Governor

Vermont's legislature passed the Vermont Data Privacy and Online Surveillance Act (S.71), and it's now sitting on Governor Phil Scott's desk. This is Vermont's second attempt at a comprehensive privacy law, the first was vetoed in 2024. This version is more business-friendly but still packs notable protections [7].

The standout provisions: a ban on geofencing within 1,750 feet of health facilities (no more tracking who visits Planned Parenthood), mandatory support for Global Privacy Control browser signals, and explicit consent requirements for sensitive data including health, biometrics, and sexual orientation. It takes effect July 1, 2026, if signed [7].

Related: Vermont S.71: Health Geofencing Ban and Federal Preemption Risk

Connecticut Signs Data Broker Crackdown

Connecticut Governor signed SB 4 on May 27, creating one of the country's first public data broker registries. The law requires data brokers to register annually, disclose what data they collect, and face an accessible deletion mechanism built by the state Department of Consumer Protection [8].

SB 4 also takes on surveillance pricing, the practice of charging customers different prices based on their personal data, and creates new rules for direct-to-consumer genetic testing companies. The privacy provisions take effect October 1, 2026, with data broker registration starting January 1, 2027 [8].

The irony here: if the SECURE Data Act passes, both of these state laws could be preempted before they're even fully implemented.

What to Watch

  • Tomorrow, June 3: SECURE Data Act hearing at 10:15 AM EDT. This is the big one for anyone who cares about whether privacy law stays local or goes federal.
  • June 12: FISA Section 702 expires. Expect daily escalation as the deadline approaches. Watch for Senate floor action this week.
  • Vermont: Governor Scott hasn't signaled whether he'll sign S.71. His 2024 veto of the previous version was based on economic concerns. This version is lighter, but the preemption question looms, why sign a state law that Congress might override next month?
  • Shadow AI enforcement: With 145 AI laws passed in 2025 and DataGrail's report showing massive noncompliance, expect state AGs to start asking vendors about undisclosed AI subprocessors. California's $4.3 million in CCPA consent settlements last year was just the opening act.

References

  1. The Intercept, "Philly Cops Admit That They're Tracking 'First Amendment Activity' Critical of AI" (June 1, 2026)
  2. DataGrail, "Privacy and AI Trends Report 2026: Shadow AI Emerges as a Growing Threat" (June 1, 2026)
  3. Help Net Security, "145 AI laws passed in 2025 and privacy teams aren't catching a break" (June 1, 2026)
  4. Brennan Center for Justice, "Section 702 of FISA: 2026 Resource Page"
  5. CNBC, "FISA Section 702: Congress passes short-term surveillance program extension" (April 30, 2026)
  6. House Energy & Commerce Committee, "Hearing on Establishing a Federal Comprehensive Privacy Law"
  7. MediaPost, "Vermont Passes Opt-Out Privacy Bill" (June 1, 2026)
  8. Inside Privacy, "Connecticut Enacts Omnibus Privacy Law"