Today's Headlines:
- 27 days until Section 702 expires. Congressional Progressive Caucus formally opposes clean renewal. 98 members. That's a wall Speaker Johnson can't climb over.
- RSA Conference Day 2. Global InfoSec Awards handed out. Quantum-safe cryptography dominates. Federal officials still absent.
- Crunchyroll joins ShinyHunters victim list. 100GB of data including IP addresses, credit cards, customer analytics. Third-party vendor Telus was the entry point.
- Seattle's surveillance pause begins. Mayor Wilson's ALPR shutdown takes effect. Cameras stay dark pending audit.
- Minnesota ALPR bill stalls on party-line vote. 7-7 tie. No privacy protections this session.
27 Days: FISA Section 702 Countdown
The clock keeps ticking. Section 702—the warrantless surveillance authority that lets the NSA, FBI, and CIA vacuum up communications between Americans and foreign targets—expires April 20. Congress still has no plan.
Yesterday's big development: the Congressional Progressive Caucus voted to formally oppose reauthorization without reforms. That's 98 House members who won't vote for a clean extension. Rep. Greg Casar (D-TX), the caucus chair, called for Democrats to "unite in opposing Section 702 renewal without dramatic reforms."
Speaker Johnson already can't pass a clean bill with Republicans alone—about a dozen GOP members want warrant requirements before they'll vote yes. Now he needs Democratic votes he's not going to get.
The Government Surveillance Reform Act, introduced by Senators Wyden (D-OR) and Lee (R-UT) along with Reps. Davidson (R-OH) and Lofgren (D-CA), remains the only bipartisan reform bill on the table. It would require warrants for accessing Americans' communications, close the data broker loophole, and add meaningful oversight.
Trump administration officials held classified briefings last week trying to win over skeptics. They failed. The data broker loophole—which lets agencies buy your location data and browsing history from commercial brokers without a warrant—keeps killing support.
RSA Conference Day 2: Awards, AI, No Feds
Day 2 at the Moscone Center. 44,000 badge holders. AI vendors wall-to-wall. The federal government still boycotting.
The Global InfoSec Awards recognized the usual suspects. Lattice Semiconductor won for post-quantum cryptography work—timely, given the quantum computing race. Graylog picked up awards for SIEM and log management. AppViewX took three awards for certificate lifecycle management.
New product launches: Sacumen unveiled ConnectX, billing it as "a unified AI platform for all connector needs" in security operations. OmniTrust launched what they're calling the industry's first unified trust lifecycle management platform. Translation: more tools to manage the sprawl of security tools.
The ghost in the room: Jen Easterly, former CISA director, now running the conference. FBI, NSA, and CISA officials remain absent. The official line from CISA's Marci McCarthy cited "good stewardship of taxpayer dollars." Nobody believes it.
ShinyHunters Hits Crunchyroll: 100GB Data Stolen
Sony's anime streaming platform Crunchyroll is the latest ShinyHunters victim. The March 12 breach—not yet officially confirmed by the company—reportedly exposed 100GB of data from analytics and support systems.
What's in it: IP addresses, email addresses, credit card details, and customer analytics containing personally identifiable information. The attack vector: compromised credentials from third-party vendor Telus, the same company at the center of the massive 1PB breach we covered earlier this month.
Crunchyroll has not publicly acknowledged the breach. The data surfaced through the same ShinyHunters channels that dumped the Telus FBI background check data. Same pattern: vendor compromise, lateral movement, data exfiltration, ransom demand, public leak.
Seattle Surveillance Pause Takes Effect
Mayor Katie Wilson's surveillance pause is now in effect. Seattle Police Department's Automatic License Plate Readers are off. The planned Real Time Crime Center expansion to Capitol Hill and the Central District is on hold.
Wilson announced the decision March 19 after pressure from community groups worried about data flowing to ICE. The ALPR suspension lasts "until practices are consistent with new state law and reflect best safety and security policies." She ordered a full privacy and data governance audit.
What's still running: the existing pilot cameras and traffic camera access feeding the Real Time Crime Center. What's not: the expansion, and the license plate readers that capture every car that drives by.
The Stadium District gets a carve-out. Those expansion cameras will be installed but stay dark unless there's a "credible threat." Whatever that means.
Minnesota ALPR Privacy Bill Stalls: 7-7 Tie
Minnesota's attempt to regulate license plate readers died in committee. HF 4205 failed on a 7-7 party-line vote in the House Judiciary Finance and Civil Law Committee.
What the bill would have done: required warrants for out-of-state data access, mandated 48-hour deletion of data not tied to active investigations, required law enforcement to post signage warning drivers they're being scanned, and centralized data storage with the Bureau of Criminal Apprehension.
Rep. Brad Tabke (D-Shakopee) framed it as "an effort to redraw the boundaries" of surveillance technology in a digital age. Republicans weren't convinced. The 7-7 split means no action this session.
The ACLU of Minnesota pushed hard for the bill, citing concerns about data retention and sharing with out-of-state agencies—including federal immigration enforcement.
ICE's Surveillance Web: NPR Investigation Update
NPR's ongoing investigation into ICE surveillance tools keeps turning up new details. The Department of Homeland Security is using license plate readers, facial recognition, social media monitoring, and drone surveillance to track both immigrants and U.S. citizens who criticize its policies.
Sherman Austin's case made news this week: DHS subpoenaed his Instagram account information after he posted anti-ICE content. Meta informed him that law enforcement was seeking his data, leaving him less than ten days to respond.
The ACLU's deputy director says we don't yet know the full scope of surveillance technology being deployed against protesters. Federal agents may be running license plates to pull DMV records, identifying protesters by their cars. Facial recognition use remains unconfirmed but suspected.
More than 300 anti-ICE protests have been held nationwide. At a Vermont standoff on March 11, about 150 demonstrators formed a human chain before state police tactical teams moved in.
DOGE Social Security Data: New Whistleblower Claims
Congress and the Social Security Administration's inspector general are investigating new whistleblower allegations about DOGE's data access. Claims include: DOGE staffers circumvented IT security rules, shared private records on outside servers, sent data to other DOGE employees outside the agency, and maintained access even after a judge temporarily blocked it.
The Trump administration admitted in January that DOGE team members have "read-access" to Americans' data across the SSA, HHS, Education, Veterans Affairs, and more. The Treasury Department blocked access to taxpayer data. Seven other agencies did not.
DOGE has asked OPM to pay for 20 full-time employees at the highest federal pay grade to "modernize" information systems—with terms requiring advance monthly payment and full data access.
What to Watch
- Section 702: 27 days. Speaker Johnson needs a plan that doesn't exist. April vote looking likely—if he can get one.
- RSA Conference: Day 3 tomorrow. Watch for major vendor announcements and any federal surprise appearances.
- Meta smart glasses: Senator Markey's April 6 deadline for facial recognition answers approaches.
- IAPP Global Privacy Summit: Opens March 30 in Washington DC. 60+ sessions on AI governance and the state privacy patchwork.