TL;DR:

  • FBI's surveillance system hacked. The system used to manage wiretaps and FISA warrants was breached. FBI, CISA, and NSA are investigating what they call a "sophisticated" attack. Active case data and surveillance targets may have been exposed.
  • Senate passes COPPA 2.0 unanimously. Kids' privacy bill would ban collecting data from teens 13-16 without consent. Creates an "eraser button" for parents. Now heads to the House, where previous versions died.
  • Maine Democrats exempt political groups from privacy law. A sweeping data privacy bill passed the Senate 20-14, but an amendment exempting political organizations from its restrictions passed only 18-16. Democrats arguing First Amendment. Critics calling it hypocrisy.
  • Cotton pushes 18-month FISA extension. Senate Intel Chair wants to attach a "clean" Section 702 renewal to must-pass legislation. No warrant requirement. Trump reportedly on board.
  • FISA 702: 44 days until sunset.

FBI Investigating "Sophisticated" Hack on Wiretap System

The FBI confirmed this week it's investigating a cybersecurity incident targeting the system used to manage wiretapping operations and foreign intelligence surveillance warrants [1].

The Digital Collection System Network handles some of the most sensitive law enforcement data in the country. We're talking about active case information, authorized surveillance targets, intelligence collection methods, and potentially the identities of confidential informants.

What we know:

  • The FBI "identified and addressed suspicious activities on FBI networks"
  • FBI, CISA, and NSA are all investigating
  • The breach targeted FISA warrant management systems
  • Investigation is analyzing logs, access records, and network telemetry
  • Unknown whether a nation-state, insider, or criminal group is responsible

The FBI isn't saying how long the attackers had access or whether data was exfiltrated. The agency is calling it "sophisticated"—which usually means they don't want to admit how bad it was.

Why this matters: The same system the government uses to conduct surveillance on targets was just compromised. If attackers gained access to data on active surveillance targets, they could tip off those targets, compromise ongoing investigations, or identify intelligence sources. The surveillance apparatus has itself been put under surveillance.

Sources: [1] TechCrunch, [2] BleepingComputer, [3] Cyber Security News

Related: Full Coverage: FBI Surveillance System Breach

Senate Unanimously Passes COPPA 2.0

The Senate passed the Children and Teens' Online Privacy Protection Act on a unanimous vote this week [4].

COPPA 2.0 would update the 1998 law that currently only protects kids under 13. The new bill extends protections to teens up to 16 and adds new requirements for platforms:

  • No data collection without consent. Platforms can't collect personal information from anyone under 17 without explicit consent.
  • Eraser button. Parents get a tool to delete their children's data.
  • Targeted ad restrictions. Limits on behavioral advertising targeting minors.
  • Privacy by default. Accounts for minors must have the strongest privacy settings enabled automatically.

The catch: Previous versions of COPPA 2.0 passed the Senate and then died in the House. The House Commerce Committee just passed a Republican version of the Kids Online Safety Act (KOSA) along party lines, suggesting the bipartisan Senate approach may hit turbulence [5].

Senator Ed Markey, who championed the original 1998 COPPA law, called the unanimous vote a sign that "protecting our children from Big Tech's data harvesting machine transcends partisan politics" [6].

Sources: [4] Engadget, [5] Roll Call, [6] Sen. Markey

Maine Democrats Carve Out Privacy Exemption for Political Groups

Maine's data privacy bill passed the Senate—but not before Democrats added a controversial amendment exempting political organizations from the law's restrictions [7].

LD 1822 is one of the most comprehensive state privacy bills in the country. It includes data minimization requirements and would limit how businesses collect and use consumer data. The Senate passed it 20-14.

Then came the amendment. By a narrower 18-16 vote, Democrats added an exemption for "political organizations"—defined as any party, committee, association, or group that primarily works to influence elections.

The argument: Senator Anne Carney said political organizations are "exclusively focused on exercising First Amendment rights" and shouldn't be restricted [8].

The backlash: Not all Democrats bought it. Senator Joe Baldacci voted against the amendment: "If this is a First Amendment issue, I say let the political parties sue us" [9].

The bill now returns to the House for reconsideration. The amendment also delays the effective date to September 2027.

Why this matters: Political data collection is some of the most invasive in the industry. Campaigns buy voter files, match them with commercial data broker information, and build detailed profiles on what issues you care about, how you vote, and how to manipulate you. Maine Democrats just said that's fine—as long as it's for politics.

Sources: [7] Maine Morning Star, [8] Maine Public, [9] Bangor Daily News

Cotton Pushes 18-Month "Clean" FISA Extension

Senate Intelligence Committee Chair Tom Cotton is working to attach a "clean" Section 702 reauthorization to must-pass legislation [10].

Translation: Renew the warrantless surveillance authority without adding any privacy reforms. No warrant requirement. No changes to how the FBI searches Americans' communications in 702 databases.

Cotton's strategy:

  • 18-month extension rather than multi-year reauthorization
  • Attach it to government funding or the defense policy bill
  • Avoid a standalone vote where senators would have to go on record
  • Trump reportedly supports this approach

Privacy advocates will fight it. The SAFE Act coalition wants warrant requirements before the government can search Americans' communications. A House amendment requiring warrants failed on a 212-212 tie in 2024.

But with the US now at war with Iran, the national security establishment is pushing hard. They're using fears of "Iranian sleeper cells" to argue this isn't the time for reform [11].

Reality check: The same agencies that built ICE's surveillance web, mishandled DOGE data access, and just got their wiretap systems hacked are asking for continued warrantless access to Americans' communications. And they're using war to short-circuit debate.

Sources: [10] The Record, [11] Daily Caller

Related: Cotton's FISA Extension Plan | SAFE Act Explained

Quick Hits

  • ICE still hasn't responded to PenLink deadline. Congress gave DHS until March 5th to brief lawmakers on warrantless phone tracking. Two days later: silence. The pattern continues [12] (Previous coverage).
  • OpenAI Pentagon deal faces EFF scrutiny. EFF published an analysis calling the surveillance safeguards "weasel words" that won't stop AI-powered mass surveillance. The ban on "intentional" domestic surveillance leaves massive loopholes [13] (EFF).
  • Utah passes motor vehicle privacy bill. HB 357 applies privacy protections to car manufacturers. Your vehicle's data collection gets the same treatment as other personal data. Now heading to Senate floor votes [14] (Troutman).
  • Virginia bans precise geolocation data sales. SB 338 passed the House unanimously. Controllers can't sell or offer to sell precise location data under the amended VCDPA. Needs Senate concurrence [15] (Troutman).
  • Data broker breaches cost Americans $21 billion. Congressional investigation following CalMatters reporting found that data broker security failures lead to massive identity theft costs [16] (CalMatters).

FISA 702: 44 Days

Section 702 expires April 20. Cotton wants a clean extension. The administration wants a clean extension. The national security establishment is using the Iran war to argue against reforms.

This week's FBI breach is a reminder: the agencies demanding expanded surveillance powers can't even protect their own systems. Their wiretap management database got hacked by a "sophisticated" actor they can't identify.

Should these agencies have warrantless access to Americans' communications? That's the question Congress will decide in the next 44 days.

Related: FISA 702 Warrant Fight | White House Position

What to Watch

This week: Maine House reconsideration of privacy bill. COPPA 2.0 House prospects. FBI breach investigation updates.

March 10: "Privacy's Defender" book launch (Cindy Cohn/EFF).

March 26-31: RSA Conference 2026.

March 31: Conduent breach credit monitoring enrollment deadline.

April 1: California "Delete My Data" requests open.

April 20: FISA Section 702 sunset. 44 days.

Last updated: March 7, 2026