Today in Surveillance:
- Meta killed Instagram DM encryption on May 8, then launched "Incognito Chat" for WhatsApp. The new feature promises conversations processed in secure environments "even Meta cannot access." But Meta never turned on Instagram encryption by default, buried the toggle, then blamed low adoption for removing it. The timing — 11 days before the Take It Down Act takes effect — is not a coincidence.
- Google built spyware forensics into Android. Intrusion Logging, developed with Amnesty International, creates end-to-end encrypted logs that can prove when a government hacked your phone. It's Pixel-only for now, but it's the first time a phone maker has built a feature specifically to catch state-sponsored spyware.
- The EFF called the SECURE Data Act "not a serious piece of privacy legislation." The House Republican bill would preempt all 21 state privacy laws and all 50 state breach notification laws — replacing them with weaker federal standards, no private right of action, and a "data minimization" provision that only requires companies to disclose tracking in their privacy policies.
- Canvas breach lawsuits hit eight federal filings. KKR and Instructure now face class actions in Utah and New York. The breach hit 275 million users at nearly 9,000 institutions including Stanford, Yale, and Princeton.
- The FISA Court opinion declassification deadline arrived. Senator Wyden's 15-day window with Senate Intelligence Committee leaders closes today. No release yet.
Meta Took Away Instagram Encryption. Now It's Selling Privacy on WhatsApp.
Here's the timeline. In 2023, Meta introduced optional end-to-end encryption for Instagram DMs. It never turned the feature on by default. It never alerted users the option existed. Finding it required tapping into a buried per-conversation setting that most people would never discover. Then in March 2026, Meta announced it was killing the feature. On May 8, encryption disappeared entirely. Meta's explanation: not enough people used it [1].
That's like hiding a fire extinguisher behind a locked cabinet, then removing it because nobody used it during a fire.
One week later — on May 13 — Meta announced Incognito Chat for WhatsApp and the Meta AI app. The pitch: conversations processed inside "Trusted Execution Environments" that "even Meta cannot access." Messages disappear by default. Nothing gets saved. Nothing trains AI models. Meta says competing apps' incognito modes still let the company "see the questions coming in and the answers going out." Not this one, apparently [2].
The Global Encryption Coalition put it bluntly in an April statement: "Encryption is not just 'a feature.' It is fundamental to safety and the exercise of human rights." Edward Komenda, editor at Proton, flagged the obvious concern: without encryption, Instagram DMs — including photos, videos, and voice notes — become accessible to Meta for advertising, AI training, or sharing with third parties [3].
The timing matters. The Take It Down Act takes effect on May 19 — 11 days after Instagram encryption was removed. That law requires platforms to take down non-consensual intimate imagery within 48 hours. With encryption on, Meta can't scan for that content. With encryption off, it can. Whether that's the real reason or just a convenient excuse, Meta now has access to every Instagram DM on the planet [1].
Background: Instagram Encryption Removal Analysis
Google Built a Spyware Black Box Into Android. Amnesty International Helped.
Google unveiled Intrusion Logging on May 12 — an opt-in Android feature that creates forensic records of everything happening on your device, specifically designed to catch government spyware. It's part of Advanced Protection Mode, the security suite Google built to counter state-sponsored hacking and police forensic extraction tools [4].
The feature logs device unlock events, app installations, website connections, Android Debug Bridge connections (the kind forensic tools use to break in), and attempts to delete the logs themselves. All of it gets end-to-end encrypted with keys tied to your Google Account password and screen lock. Google can't read the logs. Neither can anyone else — unless you choose to share them with a security researcher investigating a compromise [5].
Amnesty International's Security Lab co-developed the feature. Their researchers have spent years analyzing spyware like Pegasus on compromised devices, and they've struggled with Android's limited logging compared to Apple's iOS. "Earlier Android logs have made it difficult to deeply analyze system logs," Amnesty's Security Lab noted, calling existing data "unreliable" for spyware detection [4].
The catch: it's Pixel-only, requires Android 16, and you have to opt in through Advanced Protection Mode. That means the people most likely to need it — journalists and activists who can't afford Pixels — may not have access. But it's the first time any phone manufacturer has shipped a feature explicitly designed to prove when a government hacked your phone. Logs are stored for 12 months, then automatically wiped [5].
The SECURE Data Act Would Kill 21 State Privacy Laws and Replace Them With Less
The EFF published its assessment of the House Republican federal privacy bill on May 5, and the headline didn't mince words: "The SECURE Data Act is Not a Serious Piece of Privacy Legislation" [6].
The bill, introduced April 22 by the House Energy & Commerce Committee, would create a single federal privacy standard — and preempt every state law that "relates to" its provisions. That's not just California's CCPA. It's all 21 state consumer privacy laws. All 50 state data breach notification laws. Potentially hundreds of sectoral protections built up over two decades [7].
What do you get in return? The EFF identified the core problem: the bill uses the phrase "data minimization" but defines it as limiting data processing to what a company "disclosed to the customer" — meaning if it's buried in the privacy policy nobody reads, it's legal. The bill also explicitly states that "nothing in this Act may be construed to restrict" companies from collecting data to "develop" or "improve" new technology. That's a blank check for AI training on user data [6].
No private right of action. Consumers can't sue. Enforcement falls entirely to the FTC and state attorneys general, which the EFF notes are chronically under-resourced. The bill doesn't ban targeted advertising. It puts the burden on consumers to opt out of invasive practices rather than requiring companies to ask permission first. "Your online privacy should not depend on whether you have the time, patience, and knowledge to navigate a website," EFF wrote [6].
The bill lacks bipartisan support and would need 60 Senate votes to survive a filibuster. But the preemption threat is real — the same framework appeared in the American Data Privacy and Protection Act in 2022 and keeps coming back.
Background: Federal Privacy Preemption Analysis
Canvas Breach: Eight Federal Lawsuits and Counting
KKR and Instructure now face at least eight federal class action lawsuits over the Canvas data breach — six filed in the U.S. District Court for the District of Utah starting May 5, one in the Southern District of New York filed May 8, and more under investigation by multiple firms [8].
The complaints allege negligence, breach of legal obligations, and unjust enrichment. ShinyHunters exploited a vulnerability in Canvas's Free-for-Teacher support ticket system to extract 3.65 terabytes of data — roughly 275 million records including names, email addresses, student IDs, course enrollments, and private messages between students and teachers. Nearly 9,000 institutions were affected, including Stanford, Yale, and Princeton [9].
A second wave hit May 7, when ShinyHunters defaced Canvas login portals at 330 institutions with extortion messages. Instructure eventually paid the hackers under an "agreement" that included "shred logs" — supposed proof that stolen data was destroyed. That's a promise from the same group that published 50GB of Cushman & Wakefield data when negotiations stalled, and stole 119,000 records from Vimeo through a third-party vendor [10].
U.S. lawmakers have demanded answers from Instructure. With eight suits filed in two weeks and multiple firms actively recruiting plaintiffs, this is shaping up to be one of the largest education data breach litigations in U.S. history [8].
Background: Ransom Settlement Analysis · Second Breach & May 12 Deadline
The FISA Opinion Deadline Is Here. The Opinion Isn't.
Today is the day. Senator Ron Wyden secured a commitment from Senate Intelligence Committee Chair Tom Cotton and Vice Chair Mark Warner: declassify the secret March 17 Foreign Intelligence Surveillance Court opinion within 15 days of the April 30 extension vote. That window closes May 15 [11].
The opinion is significant. The FISC judge who authorized Section 702's annual recertification found that intelligence agencies have been using "filtering tools" to process Americans' communications in ways that circumvent existing query restrictions. The problem exists "across the intelligence community" — not just at the FBI. The court ordered agencies to "re-engineer the filter tools to comply with rules for queries for Americans' information" [12].
But Cotton objected to the unanimous consent procedure, and the DNI and Justice Department could still decline the committee's declassification request. As of this morning, no declassified opinion has appeared on the Intelligence Community's public records page. If it doesn't come today, Wyden's bargaining power evaporates — and the FISA reform fight continues without the public seeing the court's own findings about how their data is being searched [11].
The June 12 expiration deadline is 28 days away. The bipartisan Government Surveillance Reform Act sits in committee with a 3% chance of passage according to GovTrack [12].
Background: Congress Returns — 32 Days Left · 45-Day Extension Explainer
Quick Hits
Green Bay renewed its Flock Safety contract for five years. Police Chief Chris Davis defended the city's 42 license plate reader cameras as Appleton, Oshkosh, and Sturgeon Bay all dropped the surveillance vendor. More than 80 U.S. cities have now ended Flock contracts, many citing concerns that local data feeds federal immigration enforcement [13].
Police drone programs are becoming permanent surveillance infrastructure. Las Vegas Metro went from 345 drone deployments in May 2025 to 2,270 in April 2026 — a seven-fold increase. Roughly 1,500 U.S. law enforcement agencies now operate drone programs, a 150% jump since 2018. No national law limits police use of facial recognition on drone footage [14].
RightsCon 2026 is dead. The world's largest digital rights conference was cancelled after Zambia caved to Chinese diplomatic pressure to exclude Taiwanese participants and censor panels on Beijing's digital authoritarianism exports. The event was set to draw 5,000 delegates. 132 digital rights organizations condemned the cancellation [15].
Voices vs. Big Tech. A group of journalists and voice actors filed proposed class actions against Google, Meta, Microsoft, Nvidia, and ElevenLabs, accusing the companies of using their voices without consent to train AI models [16].
What to Watch
FISA opinion release. If the classified FISC ruling on Section 702 filtering tools drops today or this week, it could reshape the reform debate with less than a month until the June 12 deadline.
Pallone retailer responses due May 26. Twenty-five major retailers including Walmart, Target, and Amazon were asked to explain whether they use customer data for individualized pricing. Watch for stonewalling or early disclosures.
Take It Down Act takes effect May 19. The law requiring platforms to remove non-consensual intimate imagery within 48 hours goes live. Instagram's freshly removed encryption makes compliance possible — and sets a precedent for scanning all private messages.
Canvas class actions. With eight federal suits filed in two weeks, expect consolidation motions and the first discovery disputes soon. The breach affected every major U.S. university.
Sources
[1] gHacks — Instagram Removes End-to-End Encryption From Direct Messages
[2] Meta — Introducing Incognito Chat with Meta AI
[3] Eastern Herald — Meta Removes Instagram Encryption and Ignites Privacy Backlash
[4] TechCrunch — Google launches new Android security feature to help uncover spyware attacks
[5] Amnesty International Security Lab — Android Intrusion Logging for Forensic Analysis
[6] EFF — The SECURE Data Act is Not a Serious Piece of Privacy Legislation
[7] Consumer Finance Monitor — SECURE Data Act Federal Privacy Framework
[8] Bloomberg Law — KKR, Instructure Sued After Canvas EdTech Tool Data Breach
[9] Wikipedia — 2026 Canvas Security Incident
[10] Bleeping Computer — Instructure reaches agreement with ShinyHunters
[11] Nextgov — FISA extension with declassification deal
[12] The American Prospect — Surveillance Reform Hinges on How Congress Defines 'Query'
[13] WBAY — Green Bay police chief defends Flock Safety cameras
[14] Biometric Update — Police drone programs raise questions about AI, facial recognition
[15] RightsCon — Statement on RightsCon 2026 Cancellation
[16] Coaio — Breaking Tech News May 14, 2026