Today in Surveillance:
- Instructure paid the Canvas ransom. ShinyHunters handed over "shred logs" as proof of data destruction. CEO Steve Daly admitted the company "got the balance wrong" on transparency. Security experts warn that paying "can create a dangerous feedback loop." But The Register reports a double breach, and ShinyHunters had already launched a school-by-school extortion campaign before the deal closed.
- Congress returned Monday — 30 days to fix FISA 702. The 45-day extension expires June 12. The American Prospect reports the entire reform fight hinges on how Congress defines "query." Brady-related FBI queries jumped tenfold. A classified court opinion may be declassified within days.
- Colorado passed a ban on surveillance pricing. Once signed, it would be the first state law in the nation to outlaw using tracking data to set individualized prices or wages. Governor Polis also said he will sign a complete rewrite of the state's AI Act.
- EU delayed biometrics rules by 16 months. High-risk AI systems — facial recognition, law enforcement AI, border control — won't face compliance deadlines until December 2027. Industry lobbying won.
- 1,500+ police departments fly drones. Almost none have privacy rules. An FAA decision last year opened the floodgates. Nearly 600 new programs launched in four months. The biggest risk: "workflow convergence" between emergency response drones and biometric surveillance.
Instructure Paid the Ransom. Is It Actually Over?
Instructure confirmed on May 11 that it reached a deal with ShinyHunters, the group that stole 3.65 terabytes of data from Canvas — names, emails, student IDs, and private messages belonging to 275 million students, teachers, and staff across 8,800 institutions worldwide [1].
The company says it "received digital confirmation of data destruction (shred logs)" and assurance that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise." CEO Steve Daly acknowledged they "got the balance wrong" by going silent when schools needed answers. The ransom amount was not disclosed [2].
Security experts are not celebrating. Cliff Steinhauer of the National Cybersecurity Alliance warned that paying "can create a dangerous feedback loop where attackers are effectively rewarded for successful breaches" and "risks normalizing payment as a viable incident response strategy, which law enforcement agencies consistently warn against" [2].
The breach was worse than initially reported. The Register reported that Instructure suffered two separate intrusions, one on April 29 and a second on May 7, both exploiting the same vulnerability in Canvas's Free-for-Teacher system. During the second wave, ShinyHunters defaced login portals at roughly 330 institutions with extortion messages and launched a school-by-school ransom campaign, contacting individual institutions directly [3].
And there's the pattern to consider. ShinyHunters breached Instructure's Salesforce environment last September. They hit Vimeo through a third-party analytics vendor. They leaked 50GB of Cushman & Wakefield data last week when talks failed. "Shred logs" are a promise from criminals, not a guarantee: a destruction log shows only that the attacker produced a log, not that every copy of 3.65TB is gone, and no technical check can prove the absence of a copy. Class action investigations are already underway at ClassAction.org and multiple law firms [4].
Background: Full Ransom Analysis · May 12 Deadline Coverage · 275M Students Breach · What Happens Monday
Congress Is Back. 30 Days to Reform America's Warrantless Surveillance Law.
The House returned Monday. The Senate came back Sunday. The 45-day FISA Section 702 extension expires June 12. That gives lawmakers roughly 30 days to decide whether America's most powerful surveillance tool gets reformed, rubber-stamped again, or allowed to lapse [5].
The American Prospect published a deep analysis on May 11 identifying the core problem: nobody agrees on what counts as a "query." Elizabeth Goitein of the Brennan Center for Justice is pushing to define it as "any search performed for the purposes of accessing or locating U.S. person information no matter where it lives or how it's retrieved." That matters because the current ambiguity lets the FBI run searches that skirt existing restrictions [6].
The numbers back up the concern. Goitein pointed to data showing Brady-related queries — searches of Americans' communications connected to criminal cases — jumped tenfold, from 113 to 1,083 annually. Section 215 identifiers spiked 324% to 268,000 units, "the highest it's ever been for an authority that literally doesn't exist anymore" [6].
Senator Wyden secured a commitment from Senate Intelligence Committee leaders to declassify a FISA Court opinion within 15 days of the April 30 extension — meaning the classified ruling could become public any day now. The bipartisan Government Surveillance Reform Act (S. 4082) sits in committee with sponsors from both parties: Wyden, Lee, Warren, and Lummis. GovTrack gives it a 3% chance of passage [7].
Background: Congress Returns Preview · Reform Act Breakdown · 45-Day Extension Explainer
Colorado Just Banned Companies From Using Your Data to Jack Up Prices
Colorado passed a first-in-the-nation ban on "surveillance pricing" — the practice of using tracked personal data to set individualized prices for consumers or wages for workers. HB 1210 passed both chambers and heads to the governor [8].
The bill defines "surveillance data" broadly: information gathered through observation, inference, or monitoring of personal characteristics, online behaviors, or biometrics. That definition would reach the personalized pricing algorithms that airlines, hotels, insurers, and e-commerce platforms use to charge you more based on your browsing history, location, device, or past spending patterns.
Colorado also passed SB 189 the same week, completely rewriting its landmark AI Act. The new version drops the broad "high-risk AI system" and "algorithmic discrimination" framework in favor of narrower rules focused on "automated decision-making technology" that processes personal data for "consequential decisions." Governor Polis confirmed he'll sign the AI bill on May 12 [9].
Connecticut's SB-4, which also bans surveillance pricing, is still sitting on Governor Lamont's desk after passing 141-6. Two states moving on this issue simultaneously signals that the era of unregulated algorithmic pricing may be ending — at the state level, at least.
Background: Connecticut SB-4 Analysis · State AI Legislation Tracker
EU Gives Biometric Surveillance a 16-Month Reprieve
The European Parliament and Council reached a provisional agreement to push back compliance deadlines for high-risk AI systems under the EU AI Act — from August 2026 to December 2, 2027. That's a 16-month delay for some of the most sensitive surveillance technologies in existence [10].
The affected systems: facial recognition, law enforcement AI, border control automation, migration and asylum processing, and critical infrastructure monitoring. The delay also covers AI used in education, employment decisions, and access to essential services. A separate deadline for AI embedded in regulated products (medical devices, machinery) slides to August 2028 [10].
Industry lobbying drove the change. The official justification: the harmonized technical standards aren't ready. The practical result: companies deploying facial recognition and predictive policing tools across the EU just got an extra year and a half before the high-risk obligations kick in (the Act's outright prohibitions and general-purpose AI rules, already in force, are not affected by the delay). The agreement still needs formal endorsement from both the Council and Parliament.
The delay contrasts sharply with what states are doing in the US. While Colorado rewrites its AI Act and Connecticut pushes through biometric restrictions, the EU — which positioned itself as the global leader on AI regulation — hit snooze.
1,500 Police Departments Fly Drones. The Rules Haven't Caught Up.
More than 1,500 law enforcement agencies now operate drone programs across the United States, a number that surged after the FAA streamlined drone first-responder approval in 2025. Nearly 600 new programs launched in just four months after that decision [11].
The drones are moving from disaster response into everyday policing — and the privacy framework hasn't followed. In Milwaukee, police use drones as first responders; critics cite surveillance concerns. In Philadelphia, the police department expanded drone use with little oversight. In St. Charles County, Missouri, rooftop-docked drones arrive at scenes in seconds, streaming live video to dispatchers [12].
The biggest risk isn't the drones themselves. It's what experts call "workflow convergence": programs approved for emergency response become tools for biometric identification, drone footage gets fed into facial recognition systems, and data retention policies, where they exist at all, are the weakest link. Many cities have rules limiting facial recognition, but those rules often don't reach drone footage unless they were written broadly enough to cover it [11].
The ACLU has documented at least 14 known wrongful arrests caused by facial recognition errors. One client spent six months in jail. As drones put cameras in the sky at scale, the question is who's watching what — and whether anyone's asking permission first.
Quick Hits
- FTC warns Big Tech on Take It Down Act compliance. The commission reminded Meta, Amazon, Apple, and a dozen other companies of the looming one-year deadline to set up notice-and-removal systems for nonconsensual intimate imagery, deepfakes included. The FTC chairman called it a "top priority" and signaled aggressive enforcement. The law, signed by Trump in 2025, requires platforms to remove nonconsensual intimate images, including AI-generated deepfakes, within 48 hours of a valid request from the victim [13].
- AP wins Pulitzer for surveillance investigation. Journalists Dake Kang, Garance Burke, Byron Tau, and Aniruddha Ghosal won the Pulitzer for International Reporting for exposing how US tech firms helped China build surveillance tools — and how the Border Patrol secretly used license plate data to track drivers' travel patterns. The AP said reporters faced harassment and pressure to kill the project [14].
- Meta NM trial enters Week 2. Phase 2 of New Mexico's $3.7 billion lawsuit against Meta continues in Santa Fe. The AG wants court-ordered algorithm changes — banning infinite scroll, push notifications, and default like-tally displays for children. If Judge Biedscheid orders redesign, it sets national precedent. Day one coverage.
- Connecticut SB-4 still on the governor's desk. The data broker kill-switch bill passed 141-6 in the House and 31-4 in the Senate. Creates a one-stop deletion portal, bans surveillance pricing, restricts facial recognition. No word from Governor Lamont yet, but a veto would be overridable. Full analysis.
- RightsCon cancellation aftermath. 132 digital rights organizations condemned Zambia's decision to cancel the world's largest digital rights conference under pressure from China. The government demanded organizers exclude Taiwanese participants and censor panels about Beijing's export of digital authoritarianism. Full coverage.
What to Watch
- This week — FISA Court opinion declassification. Wyden's 15-day window from April 30 means the classified FISA Court ruling could become public any day. Whatever's in it, both sides of the 702 debate want it out before the June push.
- Through May 22 — Meta NM Phase 2 testimony. If Judge Biedscheid orders algorithm changes, it's the first time a US court has mandated platform design modifications. Every state AG in the country is watching this one.
- May 18-20 — IEEE Symposium on Security and Privacy (San Francisco). Watch for papers on ad-tech surveillance, facial recognition error rates, and AI-assisted policing.
- May 19 — CPDP 2026 Brussels / GDPR 10th anniversary discussions. European Data Protection Board expected to address the AI Act delay and biometrics enforcement timeline.
- June 12 — FISA Section 702 extension expires. 30 days. Either Congress reforms, extends again, or the program lapses. Reform advocates call this the last window before midterm politics take over.
Sources
- The Hacker News — Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
- Inside Higher Ed — Instructure Pays Ransom to Canvas Hackers
- The Register — Double Canvas breach acknowledged as ShinyHunters sets new pay-or-leak deadline
- ClassAction.org — Instructure Data Breach Confirmed, Attorneys Investigating
- NPR — Congress extends FISA 702 surveillance program for 45 days
- The American Prospect — Surveillance Reform Hinges on How Congress Defines 'Query'
- GovTrack — Government Surveillance Reform Act of 2026 (S. 4082)
- Baker Botts — Colorado Pioneers First-in-Nation Ban on Surveillance Pricing and Algorithmic Wage Setting
- CPR News — Polis says he will sign pared down AI bill that passed overnight
- Biometric Update — EU pushes AI Act deadlines for high-risk systems, including biometrics
- Biometric Update — Police drone programs raise questions about use of AI, facial recognition
- WUWM — Milwaukee police are using drones as first responders, critics cite surveillance concerns
- FOX 5 — FTC chairman urges companies to adhere with Take It Down Act
- US News — Associated Press Global Investigation Into Government Surveillance Efforts Wins Pulitzer Prize