TL;DR:
- Iran bought Russian facial recognition. Joint investigation reveals Iran secretly acquired NtechLab's FindFace system through intermediary companies to dodge Western sanctions. It's now being used to crush dissent.
- Paragon's LinkedIn disaster. The Israeli spyware firm's general counsel accidentally posted a screenshot showing their surveillance control panel—complete with Czech phone numbers, WhatsApp interception logs, and zero-click exploit interfaces.
- DOGE keeps accessing data illegally. Court filings confirm DOGE employees copied Social Security data to unsecured servers. 300+ million Americans' records were exposed. 11 lawsuits now filed.
- Clearview AI: 8+ wrongful arrests. New DHS numbers show at least eight people were wrongfully arrested due to false facial recognition matches. All documented cases involve Black individuals.
- PenLink deadline came and went. Congress demanded answers by March 5th. We're waiting to see if DHS actually responded.
- FISA 702: 45 days until sunset.
Iran Secretly Acquired Russian Facial Recognition System
Iranian authorities obtained the FindFace facial recognition system from Russia's NtechLab without anyone noticing—until now [1].
A joint investigation published March 4th reveals how Iran circumvented Western sanctions by routing the purchase through Iranian intermediary companies. The system is now being used to identify and track dissidents, protesters, and anyone else the regime wants to monitor.
What FindFace does:
- Real-time facial recognition across video feeds
- Matches faces against databases of known individuals
- Used extensively by Russian law enforcement since 2016
- Can identify people in crowds, on streets, in public spaces
NtechLab's technology has a track record. Russia used FindFace to identify protesters during anti-government demonstrations. Now Iran has the same capability.
The investigation found Iran's authorities are deploying live facial recognition to "crush dissent"—identifying participants at protests, tracking individuals across cities, and building surveillance profiles on perceived enemies of the state.
Why this matters: This is how surveillance tech spreads. A Russian company builds a powerful tool. Western sanctions are supposed to prevent authoritarian regimes from getting it. Shell companies and intermediaries route around those restrictions. The technology ends up where it can do the most damage.
Sources: [1] ID Tech, [2] Biometric Update
Israeli Spyware Firm Accidentally Exposed Control Panel on LinkedIn
You'd think a company that sells surveillance software to governments would have better operational security. You'd be wrong [3].
Paragon Solutions—the Israeli firm behind Graphite spyware—had an "epic OPSEC fail" on February 11th. The company's general counsel posted an image to LinkedIn that showed their surveillance control panel in the background.
What the screenshot revealed:
- A Czech phone number labeled "Valentina"
- Active interception logs dated February 10, 2026
- Interfaces for monitoring encrypted apps like WhatsApp
- Evidence of zero-click exploits in use
John Scott-Railton, senior researcher at the University of Toronto's Citizen Lab, called it exactly what it was: an embarrassing operational security failure from a company that's supposed to be in the secrecy business.
The bigger story: DHS has a contract with Paragon. The spyware can reportedly gain "full access to all information on a mobile device without the device owner's knowledge or consent." That includes encrypted messages, location data, photos, and everything else on your phone.
ICE also uses Paragon. Put that together with yesterday's NPR investigation about ICE's surveillance web, and you get a clearer picture of what tools are being deployed against immigrants and American citizens.
Sources: [3] Ahmed Eldin (Substack), [4] CyberWebSpider
DOGE's Data Access Violations Keep Piling Up
Every court filing reveals something worse [5].
The latest revelations from ongoing litigation against DOGE paint a picture of systematic disregard for privacy law. Here's what we now know:
- SSA data copied to unsecured servers. DOGE employees created copies of Social Security Administration records on "vulnerable cloud computing servers"—exposing names, Social Security numbers, dates of birth, addresses, and citizenship status for 300+ million Americans.
- Data shared without agency knowledge. SSA officials discovered DOGE employees "secretly and improperly shared sensitive personal data" only because of court filings—not because they were told.
- IT rules circumvented. DOGE workers bypassed standard security protocols to move data to external servers.
- Political activity violations. Two SSA DOGE employees were referred to a federal watchdog after they "secretly conferred with a political advocacy group" about matching Social Security data with voter rolls to "find evidence of voter fraud."
There are now 11 lawsuits filed against DOGE over access to sensitive federal data, including student loan applications, taxpayer information, and databases at the Department of Labor, FEMA, and USAID.
What you can do: Not much, unfortunately. This is government-to-government data that you can't opt out of. But you can reduce your footprint with commercial data brokers who feed the same surveillance systems.
Sources: [5] NPR, [6] CNN, [7] Democracy Forward
Clearview AI Tied to At Least 8 Wrongful Arrests
The Department of Homeland Security now acknowledges at least eight people have been wrongfully arrested due to false positives from Clearview AI's facial recognition [8].
That number is almost certainly an undercount. Most wrongful arrests from facial recognition never get reported as such—defendants accept plea deals, cases get dismissed without investigation, or nobody ever traces the misidentification back to the algorithm.
What the documented cases show:
- All known wrongful arrests from facial recognition involve Black individuals
- Physical descriptions often don't match—but the algorithm "says" there's a face match
- Victims spend days to weeks in jail before anyone realizes the mistake
- Legal costs devastate innocent people even when charges are dropped
One recent case: Trevis Williams was jailed despite cell phone data proving he was miles away from the crime. The victim's physical description of the perpetrator didn't match Williams. But Clearview said his face did, and that was enough for an arrest.
Meanwhile, Clearview continues expanding. The U.S. Army just renewed its contract through 2030. CBP paid $225,000 for access to a database of 60 billion faces.
Sources: [8] ABC7 NY, [9] Biometric Update
PenLink Deadline: What Happened?
Yesterday was March 5th—the deadline Congress gave DHS to brief lawmakers on ICE's warrantless phone tracking capabilities [10].
At the time of writing, there's no public confirmation that DHS delivered the requested briefing. Given that ICE cancelled its last scheduled briefing without explanation, the pattern suggests stonewalling.
The 70+ lawmakers who demanded an Inspector General probe into ICE's "illegal" location data purchases now have more evidence that the agency isn't operating in good faith.
We'll update when there's confirmation either way.
State Privacy Laws: Bills Moving This Week
While federal privacy legislation remains stuck, states keep advancing protections [11]:
- Connecticut SB 4: Yesterday's hearing covered Delete Act provisions, algorithmic pricing disclosure, and facial recognition amendments. Bill moves to committee vote.
- Kentucky HB 692: New protections against automatic content recognition (ACR) data collection by smart TVs.
- Minnesota HF 2700: Amendments to consumer health data protections under debate.
- Utah motor vehicle privacy: Bill applying privacy law to car manufacturers passed the House, headed to Senate floor.
- Virginia geolocation: Bill prohibiting sale of precise location data passed House, needs Senate concurrence.
- Alaska HB 367: Consumer data privacy bill introduced—Alaska joining the state privacy wave.
IAB updates privacy framework: The advertising industry's Multi-State Privacy Agreement got its biggest update since 2023. Changes "simplify compliance" and "reduce partner contracting friction"—industry speak for making it easier to share your data across ad networks [12].
Quick Hits
- Meta smart glasses vs. courtroom. A Los Angeles judge ordered Meta employees to remove their Ray-Ban smart glasses in court, warning "there must be no facial recognition of the jury." EPIC is asking the FTC to investigate Meta's planned "Name Tag" feature [13] (Biometric Update).
- Milwaukee County says no to facial recognition. Sheriff Denita Ball announced February 27 that her department won't implement facial recognition technology "at this time" [14] (Milwaukee NNS).
- London police getting handheld facial recognition. The Met will give 100 officers handheld devices to match faces against watchlists during a six-month pilot [15] (Biometric Update).
- Government Surveillance Transparency Act reintroduced. Sen. Mike Lee's bill would require public reporting of the hundreds of thousands of surveillance orders issued by courts each year—orders that are typically sealed indefinitely [16] (Sen. Lee).
FISA 702: 45 Days
Section 702 expires April 20th. The White House still hasn't taken a public position on whether it supports reauthorization or wants reforms.
The most contentious issue: warrant requirements before searching Americans' communications in 702 databases. A House amendment requiring warrants failed on a 212-212 tie in 2024. It'll be back.
With everything we've learned about ICE surveillance, DOGE data access, and Clearview misidentifications—do you trust these agencies to use warrantless surveillance responsibly?
What to Watch
This week: PenLink briefing confirmation (or continued silence). Connecticut SB 4 committee vote.
March 10: "Privacy's Defender" book launch (Cindy Cohn/EFF).
March 26-31: RSA Conference 2026.
March 31: Conduent breach credit monitoring enrollment deadline.
April 1: California "Delete My Data" requests open.
April 20: FISA Section 702 sunset. 45 days.
Last updated: March 6, 2026