Multiple CCTV surveillance cameras mounted on a pole against an overcast sky

Today's Headlines:

  • 22 days until Section 702 expires. SAVE Act drama continues. Reform coalition hits 130+ organizations demanding Congress close data broker loophole.
  • Norfolk Police scan 50,000 faces. UK's first Norwich deployment catches one warrant failure and one upskirting suspect.
  • FBI confirms buying location data. Director Kash Patel told lawmakers the FBI purchases data broker information to track Americans.
  • Denver drones beat cops 84% of the time. Flock and Skydio programs running simultaneously with minimal public notice.
  • IAPP Summit starts tomorrow. 5,000+ privacy professionals gather in DC. Section 702 and AI governance dominate agenda.

22 Days: FISA Section 702 Countdown Continues

The April 20 sunset is three weeks away. The politics remain chaotic.[1]

Trump now backs a "clean" 18-month extension—reversing his 2024 "KILL FISA" stance—but insists Congress must also pass the SAVE Act voter ID bill. Rep. Anna Paulina Luna (R-FL) is trying to attach the SAVE Act to FISA reauthorization as a poison pill. Senate Democrats won't vote for it. The EFF says Congress is "dropping the ball" by not using this moment to add warrant requirements or close the data broker loophole.[2]

Meanwhile, a coalition of 130+ civil rights organizations sent Congress a letter demanding action on data broker purchases before reauthorization. The Government Surveillance Reform Act—requiring warrants for American queries and banning data broker purchases—sits untouched in committee. Senator Wyden keeps pushing. Nothing moves.[3]

The Brennan Center is tracking developments daily. Three weeks to go. The administration that's already shown enthusiasm for domestic surveillance is about to get its powers renewed with minimal debate.

Our Section 702 explainer | SAVE Act confrontation analysis

UK Police Scan 50,000 Faces in Norwich: First Live Deployment Results

Norfolk Constabulary released results from their first live facial recognition deployment. The numbers: 50,000 faces scanned in three and a half hours. Two positive matches.[4]

On March 22, two surveillance vans borrowed from Bedfordshire Police parked in Norwich city center. The system compared every passing face against a police watchlist. One hit: a man wanted for failing to appear in court. Officers stopped him and found cannabis. The second "catch" wasn't even from the cameras—a member of the public reported a man taking photos of women in a shop. He was arrested for upskirting.[5]

That's it. 50,000 people scanned to catch one warrant failure. The ratio speaks for itself.

Norfolk deployed the tech again on March 28, the second trial in a planned expansion. Police say faces that don't match are "deleted immediately and permanently." They also say the watchlist gets deleted after each deployment. Whether that's true, and whether future deployments will follow the same rules, remains to be seen.[4]

This follows Merseyside Police making their first arrests using live facial recognition in Birkenhead earlier this month. Home Secretary Shabana Mahmood announced plans to expand the UK's facial recognition van fleet from 10 to 50+. The surveillance infrastructure is scaling fast.[6]

Our UK facial recognition coverage

FBI Director Confirms: We're Buying Your Location Data

FBI Director Kash Patel told the Senate Intelligence Committee that the bureau is actively purchasing commercially available location data to track Americans. No warrant required.[7]

When Senator Ron Wyden asked if Patel would pledge to stop, the answer was no. "The FBI uses all tools... to do our mission," Patel said. "We do purchase commercially available information that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act."[8]

This is the first confirmation since 2023 that the FBI is buying this data. Under former Director Christopher Wray, the bureau had paused purchases. Patel brought them back.

Wyden called it "an outrageous end run around the Fourth Amendment." He noted the practice is "particularly dangerous, given the use of artificial intelligence, to comb through massive amounts of private information."[9]

The data broker loophole works like this: apps on your phone collect location data and sell it to brokers. Brokers sell it to advertisers. The same brokers also sell to federal agencies—FBI, ICE, CBP, DHS—who can track anyone's movements without ever going before a judge. It's the surveillance state via Terms of Service.[10]

The EFF published a detailed breakdown this week showing how CBP uses advertising data for border enforcement. Same pipeline, different agency. All legal. All warrantless.[11]

Data broker loophole explainer | ICE ad-tech surveillance

Denver Drones Beat Officers to 84% of Calls

Denver Police Department is running two competing drone programs. The drones arrive first at 84% of calls. Most residents had no idea.[12]

Here's the setup: Skydio provided two X10 drones for free, operated from the police headquarters roof with a two-nautical-mile range. Contract runs through March 2026. Flock Safety's Aerodome system—also provided for "free" during a one-year trial—can launch automatically and reach 53 mph. Both systems are active simultaneously.[13]

The Flock drones have 400x zoom, thermal imaging, night vision, and can "capture audio, video, image, and recording data." Through February 12, drones deployed to 622 calls. In 36% of those calls, drone pilots determined no patrol response was needed—meaning the drone made the assessment, not officers on the ground.[12]

Denver Councilmember Serena Gonzalez-Gutierrez, a member of the city's surveillance task force, told Denver7 this was the first she'd heard about the program. Community input? Zero.[14]

The EFF flagged Denver's dual-vendor approach in their ongoing coverage of police drone expansion. Flock Safety—the same company behind the license plate reader network that ICE uses—now has eyes in the sky. This is the drone-as-first-responder model spreading nationwide, with surveillance companies offering "free" trials to lock in contracts.

Waikiki drone program | Flock Safety network explainer

IAPP Global Privacy Summit Starts Tomorrow

Five thousand privacy professionals descend on Washington DC starting March 30. The timing couldn't be sharper.[15]

The IAPP Global Privacy Summit runs March 30-31 at the Walter E. Washington Convention Center. Keynotes include author Salman Rushdie and cognitive scientist Maya Shankar. The agenda: AI governance, global legislative updates, international data transfers, and children's privacy.[16]

But the shadow topic is Section 702. With 22 days until sunset, privacy professionals will be debating surveillance reform while Congress stalls. Multiple sessions address government data access and the data broker loophole. Whether any of that translates into action is another question.

125+ exhibitors will be there, including the usual privacy tech vendors. This is the world's largest annual gathering of people who care about this stuff. If solutions exist, they'll be discussed here. If not, we'll know that too.

State Legislation Watch: Biometrics and Workplace AI

While federal privacy bills stall, states keep moving.

New Jersey A3929 passed the Assembly 56-16 on March 23. The bill prohibits retailers from using facial recognition on customers unless they provide clear notice and use it for a "lawful purpose." If you get kicked out because a facial recognition system flagged you, the store must explain why and what criteria they used. It's not a ban—it's disclosure plus accountability.[17]

California AB-1898 advanced through committee March 25. The workplace AI surveillance bill would require employers to give 90 days written notice before deploying AI monitoring tools, maintain an annual inventory of all workplace AI, and obtain signed acknowledgments from workers. Penalties for noncompliance run up to $25,000 per violation.[18]

Neither bill is law yet. But they represent the state-level approach while Congress does nothing: regulate around the edges, require disclosure, create paper trails. Better than silence. Not as good as actual protection.

NJ A3929 analysis | CA AB-1898 analysis

Breach Update: ShinyHunters Campaign Continues

The ShinyHunters hacking group isn't slowing down. This week's confirmed hits:

  • Woflow: AI workflow platform breached on or before March 3. Data dumped on dark web. Class action filed.[19]
  • Crunchyroll (via TELUS): 100GB stolen through a compromised TELUS employee. IP addresses, emails, credit card details exposed. ShinyHunters taking credit.[20]
  • Navia Benefit Solutions: 2.7 million people affected. SSNs, addresses, benefit plan data accessed between December 2025 and January 2026.[21]

ShinyHunters has been on a tear since late 2025, hitting third-party service providers to reach bigger targets. The TELUS-Crunchyroll chain is textbook: compromise an employee at a contractor, pivot to the real prize. Expect more.

What to Watch

  • IAPP Global Privacy Summit (March 30-31): Privacy professionals in DC. AI governance and Section 702 dominate.
  • Meta smart glasses deadline (April 6): Senators demanded answers about facial recognition "Name Tag" feature. 8 days left.
  • Section 702 (April 20): 22 days. SAVE Act poison pill drama continues. Reform bills stalled.
  • Norfolk facial recognition: Second deployment completed March 28. Third expected soon as UK expands LFR infrastructure.
  • Denver drones: Skydio contract expires March 2026. Will the city pay for permanent surveillance?

Sources

  1. Brennan Center - Section 702 Resource Page (March 2026)
  2. EFF - "Congress Is Dropping the Ball with a Clean Extension of FISA" (March 2026)
  3. American Prospect - "Warrantless Spying Reform Just Got a Whole Lot More Interesting" (March 23, 2026)
  4. Norfolk Constabulary - "50,000 faces scanned during first deployment of Live Facial Recognition" (March 2026)
  5. Boring News - "Police Scan 50,000 Faces in First Norwich Facial Recognition Trial"
  6. ID Tech - "Merseyside Police Make First Arrests Using Live Facial Recognition"
  7. TechCrunch - "FBI is buying location data to track US citizens, director confirms" (March 18, 2026)
  8. Gizmodo - "Kash Patel Admits the FBI is Buying Private Data on Americans"
  9. New Republic - "Kash Patel Brags That the FBI Is Buying Your Location Data"
  10. NPR - "Your data is everywhere. The government is buying it without a warrant" (March 25, 2026)
  11. EFF - "The Government Uses Targeted Advertising to Track Your Location" (March 2026)
  12. Denver7 - "Denver police quietly launch drones as first-responders"
  13. 9News - "Denver quietly signs contract with Flock to fly AI drones for police calls"
  14. Colorado Sun - "Denverites want Flock license plate cameras out of town. Air surveillance should be next"
  15. IAPP - Global Privacy Summit 2026
  16. IAPP - Global Privacy Summit 2026 Agenda
  17. LegiScan - New Jersey A3929 (2026)
  18. California Legislature - AB-1898 Workplace artificial intelligence tools
  19. ClassAction.org - "Woflow Hit With Class Action Over March 2026 Data Breach"
  20. Cybernews - "Sony anime streamer Crunchyroll was breached"
  21. HIPAA Journal - "Navia Benefit Solutions Discloses Data Breach Affecting 2.7 Million"