Today in Surveillance:
- The Take It Down Act takes effect Monday, May 19. FTC Chairman Andrew Ferguson sent warning letters to Amazon, Google, Apple, Meta, Microsoft, Reddit, Snapchat, TikTok, X, and six other platforms. The law requires removal of non-consensual intimate imagery within 48 hours — but has no perjury requirement for filers, no counter-notice process, and no penalties for false claims. Encrypted messaging platforms face an impossible choice: break encryption or risk $53,088 fines per violation.
- Seven journalists and voice actors sued ten tech giants for stealing their voices. Filed May 14 under Illinois BIPA, the class actions target Adobe, Google, Apple, Amazon, ElevenLabs, Meta, Microsoft, NVIDIA, and Samsung. The plaintiffs say these companies scraped their voices from the internet and used them to train AI products that now compete with them for work.
- Congress is investigating surveillance pricing at 25 retailers. Rep. Frank Pallone sent letters to Amazon, Target, Walmart, Costco, CVS, Walgreens, and 19 others demanding to know if they use personal data to set individualized prices. Meanwhile, Colorado passed the first-in-nation ban on surveillance pricing.
- ShinyHunters keeps collecting ransom checks. Instructure confirmed paying an undisclosed ransom — rumored at $10 million — after ShinyHunters stole 3.65TB of Canvas data from 275 million users. Vimeo got hit too: 119,000 users exposed. And Trellix, a cybersecurity company, lost its own source code to RansomHouse.
- FISA Section 702 expires in 27 days. Congress returned from recess this week with the Wyden-Lee Government Surveillance Reform Act on the table — the only bipartisan bill that would require a warrant for searching Americans' communications.
The Take It Down Act Goes Live Monday. Platforms Have 48 Hours to Remove Content They Can't Scan.
On May 19, the Take It Down Act's platform compliance deadline arrives. Every website, app, and messaging service that hosts user content must have a process for removing non-consensual intimate imagery — including AI-generated deepfakes — within 48 hours of a takedown request. The FTC can levy $53,088 in civil penalties per violation [1].
FTC Chairman Andrew Ferguson didn't wait for the deadline. He sent letters to Amazon, Alphabet, Apple, Automattic, Bumble, Discord, Match Group, Meta, Microsoft, Pinterest, Reddit, SmugMug, Snapchat, TikTok, and X, reminding them to comply. "The FTC will use every tool at its disposal," the letters warned [2].
The law passed the House 409 to 2 and the Senate unanimously. Nobody voted against protecting revenge porn victims. But the implementation has holes you could drive a surveillance van through. There's no requirement for takedown filers to make claims under penalty of perjury. There's no counter-notice process — if someone files a false claim against your content, you have no formal right to object. There's no penalty for filing fake requests. Platforms must delete first, ask questions never [3].
Then there's the encryption problem. The Internet Society warned Congress before the vote: the Act "does not exclude private messaging services" from compliance. Encrypted platforms like Signal and WhatsApp can't scan messages for intimate imagery without breaking their own security model. Complying with the law could mean introducing client-side scanning — the exact kind of backdoor that privacy advocates have fought against for years. Not complying means fines [4].
The timing with Meta's encryption moves is impossible to ignore. Meta removed Instagram DM encryption on May 8, then launched "Incognito Chat" on WhatsApp on May 13. The Take It Down Act deadline arrives 11 days after the Instagram change. Whether that's cause or convenient correlation, Meta is now fully equipped to scan Instagram DMs for the FTC — because it just eliminated the one thing that would have prevented it.
Background: Meta Encryption Whiplash Analysis | Take It Down Act Explainer
They Built a Billion-Dollar Industry on Stolen Voices. Now the Lawsuits Are Here.
On May 14, seven plaintiffs — broadcast journalists Carol Marin and Phil Rogers, investigative audio journalist Robin Amer, podcaster Yohance Lacour, reporter Alison Flowers, and audiobook narrators Lindsay Dorcus and Victoria Nassif — filed class action lawsuits against ten of the biggest technology companies in the world [5].
The defendants: Adobe, Alphabet/Google, Apple, Amazon, ElevenLabs, Meta, Microsoft, NVIDIA, and Samsung. The claim: these companies scraped voices from the internet — podcasts, news broadcasts, audiobooks, public talks — and used them to create biometric voiceprints without consent, notice, or the data retention policies required by Illinois law [5].
Illinois' Biometric Information Privacy Act (BIPA) is the sharpest weapon privacy plaintiffs have in America. It's the same law that forced Meta to pay $650 million over Facebook's face-scanning and Google to pay $100 million for photo grouping. BIPA requires explicit written consent before collecting biometric data — and the tech industry's AI voice training programs collect first and ask never [6].
"They've built a billion-dollar industry on stolen voices because they thought no one would make them pay for it," said attorney Ross Kimbarovsky of Loevy + Loevy, which filed the suits [5].
The irony is sharp. Google's Text-to-Speech is now used by audiobook publishers as an alternative to human narration. Google's NotebookLM Audio Overviews generates podcasts. These products compete directly with the people whose voices were used to train them. The AI didn't just learn from the plaintiffs' work — it replaced them [6].
Congress Wants to Know If Your Grocery Store Is Charging You Extra Based on Your Data
Rep. Frank Pallone, the ranking Democrat on the House Energy and Commerce Committee, launched an investigation on May 11 into "surveillance pricing" — the practice of using personal data like browsing history, inferred health conditions, income, and location to set individualized prices for consumers [7].
Pallone sent letters to 25 food retailers including Amazon, Walmart, Target, Costco, CVS, Walgreens, Whole Foods, Albertsons, Stop & Shop, and Wegmans. The letters demand companies disclose all customer data "elements" used to set prices, whether AI or machine learning algorithms determine pricing, whether they buy data from third parties for pricing decisions, and whether customers can opt out [7].
The FTC has already documented the practice: businesses charge customers more "based on insights gleaned from their consumer data and behaviors — including geolocation, demographics, shopping habits or even how an individual moves their mouse on a webpage." After New York required disclosure last November, Target started posting pop-up notices saying a given price was "set by an algorithm using your personal data" [8].
Meanwhile, Colorado just passed HB 1210 — the first-in-nation ban on surveillance pricing. The bill prohibits using "surveillance data" including information gathered through "observation, inference, or monitoring of personal characteristics, online behaviors, or biometrics" to set individualized prices or wages. Violations are treated as deceptive trade practices under Colorado's Consumer Protection Act, with civil penalties up to $10,000 per violation and a private right of action enabling class-action litigation [9].
The bill passed the Colorado Senate 19-15 on May 6 and the House concurred 41-23 on May 7. It's now awaiting Governor Polis' signature. Consumer Reports and the American Economic Liberties Project have both called on him to sign [9].
Background: Pallone Surveillance Pricing Inquiry | Colorado Surveillance Pricing Ban
ShinyHunters Got Paid. Again. And Again. And Again.
Instructure confirmed on May 11 that it "reached an agreement with the unauthorized actor" responsible for the Canvas breach — corporate-speak for paying the ransom. Unconfirmed reports peg the number at $10 million. ShinyHunters had stolen 3.65 terabytes of data from approximately 275 million users at 8,809 institutions worldwide, including Stanford, Yale, and Princeton. Instructure says the stolen data was returned with "digital confirmation of data destruction" [10].
That phrase — "digital confirmation of data destruction" — is doing extraordinary work. ShinyHunters is a criminal extortion operation. Their confirmation that they destroyed the data is worth exactly as much as any other promise from an extortion gang. The 275 million users affected have no way to verify it.
And Instructure isn't the only one writing checks. Vimeo confirmed on May 5 that ShinyHunters stole personal information from 119,000 users by exploiting third-party analytics provider Anodot. When ransom negotiations collapsed, ShinyHunters dumped 106GB of data. The breach followed the same Snowflake-integration attack vector that ShinyHunters has been exploiting across dozens of companies [11].
Then there's Trellix. The cybersecurity company — formed from the merger of McAfee Enterprise and FireEye, tasked with protecting 50,000 business and government customers — disclosed on May 1 that attackers accessed its source code repository. On May 8, the RansomHouse threat group claimed responsibility and posted screenshots as proof. Source code for security tools is about the most dangerous thing an attacker can steal: it's a blueprint for finding vulnerabilities in the tools themselves, and through them in every network those tools protect [12].
The pattern is clear. ShinyHunters and affiliated groups are running an industrial-scale extortion operation in 2026, hitting education, healthcare (Medtronic's 9 million records), video platforms, and now cybersecurity companies themselves. Paying ransoms demonstrably does not make the problem go away — it funds the next attack.
Background: Trellix Source Code Breach
Congress Is Back. They Have 27 Days to Fix America's Warrantless Surveillance Law.
Congress returned from recess this week with the clock running on FISA Section 702 — the warrantless surveillance authority that expires June 12. The 45-day extension Congress passed on April 29 bought time. It didn't buy progress [13].
The Wyden-Lee Government Surveillance Reform Act, introduced in March by Senators Ron Wyden (D-OR) and Mike Lee (R-UT) with Representatives Warren Davidson (R-OH) and Zoe Lofgren (D-CA), remains the only bipartisan, bicameral reform bill on the table. It would require a warrant for all access to Americans' communications in the 702 database, close the data broker surveillance loophole, and force the FISA Court to publish redacted opinions [14].
Cosponsors include Elizabeth Warren, Cynthia Lummis, Sara Jacobs, and Pramila Jayapal — a left-right coalition that doesn't agree on much else. EPIC has endorsed the bill. So has the Brennan Center. The EFF is running a "We Need You" action campaign pushing constituents to call their senators [14].
The alternative: another clean extension with no reforms. That's what happened in April, and it's what intelligence agencies prefer. The NSA currently queries the Section 702 database using identifiers linked to roughly 350,000 targets per year. Some of those targets communicate with Americans — and when they do, American citizens' calls, texts, and emails end up in a government database that the FBI can search without a warrant [13].
Twenty-seven days isn't much time. But it's the only window reformers will get before the June 12 deadline forces another extension-or-expire vote.
Background: FISA 702 Extension Analysis | Wyden-Lee Reform Bill Explainer
What to Watch
- May 19: Take It Down Act enforcement begins. Watch for platform compliance announcements — and whether any encrypted messaging services push back publicly.
- May 19: IEEE Symposium on Security and Privacy begins in San Francisco. Surveillance-relevant research papers expected.
- Canvas class actions: At least eight federal lawsuits against Instructure and KKR are pending in Utah and New York. The ransom payment doesn't make those go away.
- Colorado HB 1210: Awaiting Governor Polis' signature. If signed, it becomes the first state ban on surveillance pricing in the country.
- FISA 702: Senate negotiations are the bottleneck. Watch for whether the Wyden-Lee bill gets a committee hearing or dies in procedural limbo.
Sources
- [1] FTC — Complying With the Take It Down Act
- [2] FTC — Chairman Ferguson Advises Companies to Comply with the Take It Down Act (May 2026)
- [3] Reclaim The Net — Take It Down Act Starts May 19 With No Abuse Safeguards (May 14, 2026)
- [4] Internet Society — Fix the TAKE IT DOWN Act to Protect Encryption
- [5] Common Dreams — Journalists, Audiobook Narrators Sue AI Giants Under Illinois Biometric Privacy Law (May 14, 2026)
- [6] Biometric Update — Tech Giants Sued Under BIPA Over Voiceprints Used to Train AI (May 2026)
- [7] The Record — Congressman Launches Inquiry Into How Food Retailers Use Surveillance Pricing (May 11, 2026)
- [8] 710 WOR — Pallone Investigates Surveillance Pricing (May 13, 2026)
- [9] JD Supra — Colorado Pioneers First-in-Nation Ban on Surveillance Pricing (May 12, 2026)
- [10] The Hacker News — Instructure Reaches Ransom Agreement with ShinyHunters (May 12, 2026)
- [11] The Register — ShinyHunters Claims Dump Puts 119K Vimeo Emails in the Wild (May 5, 2026)
- [12] Bleeping Computer — Trellix Source Code Breach Claimed by RansomHouse Hackers (May 8, 2026)
- [13] CNBC — FISA Section 702: Congress Passes Short-Term Extension (April 30, 2026)
- [14] Sen. Wyden — Government Surveillance Reform Act of 2026