Today in Surveillance:
- Canada's Bill C-22 would force VPNs and messaging apps to build surveillance backdoors. Signal says it will leave Canada. Windscribe, which is headquartered in Toronto, says it will relocate. NordVPN won't comply either. The EFF calls it "a repackaged version of last year's surveillance nightmare." Even U.S. Congress members are warning Canada this would compromise American services.
- London used live facial recognition to police a protest, a first. The Met deployed cameras in Camden during Saturday's Unite the Kingdom march. 4,000 officers, two rival protests, and the FA Cup final. The Biometrics Commissioner warned forces could face legal challenges.
- Dane County, Wisconsin killed its Flock Safety contract. The county board voted 32-1 to strip funding. Cameras come down May 31. The sheriff had been sharing data with 140+ agencies outside Wisconsin, and some of those share with ICE.
- The GUARD Act wants your government ID before you can use an AI chatbot. The Senate Judiciary Committee advanced the bill. The EFF says it would require identity verification for "almost every modern LLM." Congress narrowed it but serious privacy problems remain.
- FISA Section 702 expires in 26 days. The American Prospect reported that FBI "Brady" queries of Americans' communications increased tenfold (from 113 to 1,083), and the real fight now is over how Congress defines a "query" in the first place.
Canada's Surveillance Bill Is So Bad That Signal, Windscribe, and NordVPN Would Rather Leave the Country
Bill C-22, Canada's proposed Lawful Access Act, would give the Minister of Public Safety the power to compel any electronic service provider to build technical surveillance capabilities and retain user metadata for up to a year. The bill demands companies create backdoors for law enforcement access, while insisting this won't create a "systemic vulnerability." Privacy experts say that's a contradiction in terms [1].
Signal fired first on May 14, saying it "would rather pull out of the country" than comply with a law that undermines encrypted communications. Windscribe followed within hours. "Not happening. We'll move HQ and take our taxes elsewhere," the Toronto-based VPN provider wrote. NordVPN joined the chorus: they won't comply either [2][3].
The EFF published a detailed breakdown on May 15 calling C-22 "a repackaged version of last year's surveillance nightmare," referring to the Online Harms Act, which died before passing. Legal scholar Michael Geist wrote that the government is running "the disastrous Online News Act playbook" by dismissing opposition from Apple, Meta, and the U.S. Congress [4][5].
That's not hyperbole. The chairs of the U.S. House Judiciary and Foreign Affairs committees warned that C-22 would "compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals" [5].
Windscribe's situation is uniquely dangerous. Signal operates outside Canada and could shut off its Canadian servers. Windscribe was founded in Toronto. Its core operations fall under Canadian jurisdiction. If C-22 passes, the company either logs its users (destroying its product) or relocates entirely [2].
Canada's National Observer ran an opinion piece titled "Kiss your online privacy goodbye with Bill C-22." The publication noted that VPN providers would "almost certainly" be required to log identifying user data under the bill's current language [6].
Background: Signal Would Rather Leave the UK and Sweden Than Break Encryption | EU Chat Control: The Plan to Scan Every Private Message
London Used Facial Recognition to Police a Protest for the First Time. It Won't Be the Last.
On Saturday, May 16, the Metropolitan Police deployed live facial recognition (LFR) cameras during the policing of a protest for the first time in British history. The technology was set up in Camden, north London, in an area likely to be used by those attending the Unite the Kingdom rally organized by Tommy Robinson [7].
The operation was massive: 4,000 officers deployed across London to manage two rival demonstrations: the Unite the Kingdom march (police estimated 50,000 attendees) and a pro-Palestine Nakba Day rally (organizers claimed 250,000). The FA Cup final was happening simultaneously at Wembley. Police made 43 arrests across both protests and 22 at the football [8].
The Met said LFR was "not deployed within the assembly or rally points of either protest or on the route itself," only in areas where attendees might transit. Cameras compared faces of passersby against a watchlist, with biometrics deleted in seconds if no match was found [7].
But the precedent is set. Professor William Webster, the Biometrics and Surveillance Camera Commissioner, warned that police forces using the technology "could find themselves taken to court," saying it is not "foolproof." Greater Manchester Police separately reported 64 arrests from LFR vans operating in neighbourhood policing, a separate ongoing deployment [9][10].
The question isn't whether facial recognition will be used at future protests. It's whether anyone will successfully challenge it before it becomes routine.
Background: UK Met Police Facial Recognition Expansion | Biometrics Commissioner Criticism
Wisconsin Is Ripping Flock Safety Cameras Out of the Ground
The Dane County Board of Supervisors voted 32-1 in April to strip $80,000 in funding for Flock Safety license plate reader cameras. The 24 cameras will be removed by May 31, when the county's contract expires [11].
The decision came after revelations about data sharing. The Dane County Sheriff's Office had granted access to Flock camera data to more than 140 law enforcement agencies outside Wisconsin. County officials noted that while they don't share data directly with ICE, they share it with Wisconsin counties that do, creating a one-hop pipeline to immigration enforcement [12].
Dane County joins a growing wave of Wisconsin communities canceling Flock contracts. The Verona Police Department, Village of Maple Bluff Police Department, and State Capitol Police Department have all separated from the company. The Wisconsin Watch investigation published this week called it a statewide "AI surveillance backlash," though officials acknowledged they "fear they're playing Whack-A-Mole" as new deployments pop up elsewhere [13].
The ACLU of Wisconsin backed the decision, publishing a piece titled "Wisconsinites Are Fighting Back Against Flock." Dane County's sheriff pushed back, saying losing the cameras would "significantly impact" crime investigations [14].
Nationwide, at least 30 jurisdictions have canceled Flock Safety contracts in the last 15 months. Wisconsin is now one of the epicenters of the backlash.
Background: States Blocking ALPR Transparency | Home Depot Flock Safety Class Action
The Senate Wants Your ID Before You Can Talk to an AI Chatbot
The Senate Judiciary Committee unanimously advanced the GUARD Act, a bill that would require AI companies to verify the identity of every American who wants to use a large language model. The legislation requires "reasonable age verification" using government IDs, financial records, or biometric identifiers. Senator Josh Hawley introduced it as a child safety measure [15].
The EFF isn't buying it. In two separate analyses (one in April and a follow-up this month), the organization explained that by labeling any system generating non-pre-written responses as an "AI chatbot," the bill captures "almost every modern LLM implementation." That includes search engines that use AI. The bill would require age gates and identity verification for tools millions of Americans use daily [16].
Congress narrowed the GUARD Act after initial backlash, but the EFF's May analysis found "serious problems remain." The core issue: to keep minors from certain chatbots, every adult must prove who they are. The bill mandates constant reverification of identity, creating databases of verified users tied to their real-world identities, exactly the kind of surveillance infrastructure privacy advocates have spent decades trying to prevent [17].
NetChoice, the tech industry trade group, formally opposed the bill. But it passed committee unanimously. Child safety remains the one argument that consistently overrides privacy concerns in Congress, regardless of whether the proposed solution actually protects children or just surveils adults [18].
26 Days Left: The Fight Over America's Warrantless Surveillance Law Comes Down to a Single Word
The American Prospect published a critical piece on May 11 revealing that the entire Section 702 reform debate hinges on how Congress defines the word "query." FBI queries of Americans' communications performed for "Brady purposes" (to find exculpatory evidence for defendants) increased tenfold, jumping from 113 to 1,083 in the latest reporting period. It was 17 in 2023 [19].
Why does a tenfold increase in one query category matter? Because the government has been conducting searches outside of official reporting mechanisms. If a search doesn't meet Congress's definition of "query," it doesn't get counted. It doesn't get audited. It doesn't require oversight. The real number of times Americans' communications get searched could be far higher than official statistics suggest [19].
The 45-day extension expires June 12. The House passed a three-year reauthorization 235-191 on April 29, without a warrant requirement. The Senate rejected it over a CBDC provision. Now the clock is ticking on the Wyden-Lummis Government Surveillance Reform Act, the Durbin-Lee SAFE Act, and Rep. Biggs' Protect Liberty Act: the three bipartisan bills that would actually require warrants [20].
Senator Wyden secured a commitment for expedited declassification review of the FISA Court opinion that could reveal the full scope of warrantless querying. Whether that review happens before June 12 will determine whether Congress votes on reform with the full picture or in the dark, as usual [19].
Background: FISA 702 Extension Deep Dive | Wyden-Lee Government Surveillance Reform Act
Canvas Update: Instructure Confirmed Paying Ransom. Legal Fallout Is Accelerating.
The Canvas/Instructure story continues to develop in the wake of the May 12 ransom deadline. Instructure publicly confirmed on May 11 that it reached an agreement with ShinyHunters, paying an undisclosed ransom (reportedly $10 million) to stop the release of 3.65TB of data from 275 million users across 8,809 institutions worldwide [21].
As part of the deal, ShinyHunters supposedly provided "digital confirmation" that all exfiltrated data was destroyed, including "shred logs." They also agreed not to individually extort affected institutions. Whether a criminal hacking group's promise means anything is an open question [22].
The legal response is mounting fast. At least six federal class action lawsuits have been filed. Schubert Jonckheer & Kolbe, the firm behind several high-profile data breach class actions, launched its investigation on May 6. Law firm Bond Schoeneck & King published a client advisory titled "Canvas (Instructure) Pays Ransom to ShinyHunters: What's Next?", a question 275 million users are asking [23].
Background: Canvas Second Breach & May 12 Deadline | Full Canvas Breach Analysis
What to Watch
- Canada Bill C-22: Committee hearings continue. Watch for Apple and Meta's formal submissions. The U.S. Congress letters could escalate this into a diplomatic incident.
- FISA 702: 26 days until expiration. The declassification review Wyden secured could drop any time. If the FISA Court opinion reveals what privacy advocates suspect, it could shift the Senate vote.
- Dane County cameras: May 31 removal deadline. Expect the sheriff to make a public push to restore funding before then.
- Canvas class actions: Discovery phase will reveal exactly what Instructure paid and what "shred logs" actually mean. First hearings expected in weeks.
- Take It Down Act: Enforcement begins Monday, May 19. Watch for the first FTC action and how encrypted platforms respond.
- UK facial recognition: Legal challenges from civil liberties groups are likely. Saturday's deployment at a protest sets the precedent that either holds or breaks.
Sources
- EFF: Canada's Bill C-22 Is a Repackaged Version of Last Year's Surveillance Nightmare (May 2026)
- TechRadar: Windscribe Joins Signal in Threatening Canada Exit (May 2026)
- iPhone in Canada: NordVPN and Windscribe Say They'll Leave Canada (May 15, 2026)
- Michael Geist: The Lawful Access Two-Headed Surveillance Monster (May 2026)
- Michael Geist: Bill C-22's Groundhog Day (May 2026)
- Canada's National Observer: Kiss Your Online Privacy Goodbye (May 14, 2026)
- ITV News: Facial Recognition to Be Used in Policing Operation of Protests and FA Cup Final (May 15, 2026)
- ITV News: Dozens Arrested at Rival London Protests (May 16, 2026)
- Greater Manchester Police: Live Facial Recognition Continues to Support Officers (May 2026)
- GB News: Met Police to Deploy Facial Recognition at Tommy Robinson Rally (May 2026)
- WPR: Dane County Pulls Funding for Flock License Plate Cameras (2026)
- Capital Times: Dane County Board Ends Flock Contract Citing Privacy Alarms (2026)
- Wisconsin Watch: Foes of AI Surveillance Get Wins in Wisconsin (May 2026)
- ACLU Wisconsin: Wisconsinites Are Fighting Back Against Flock (2026)
- Reclaim the Net: Senate Panel Backs GUARD Act (May 2026)
- EFF: The GUARD Act Isn't Targeting Dangerous AI: It's Blocking Everyday Internet Use (April 2026)
- EFF: Congress Narrowed the GUARD Act, But Serious Problems Remain (May 2026)
- NetChoice: Letter of Opposition to the GUARD Act (2026)
- The American Prospect: Surveillance Reform Hinges on How Congress Defines 'Query' (May 11, 2026)
- CNBC: FISA Section 702: Congress Passes Short-Term Extension (April 30, 2026)
- Inside Higher Ed: Instructure Pays Ransom to Canvas Hackers (May 11, 2026)
- The Hacker News: Instructure Reaches Ransom Agreement with ShinyHunters (May 2026)
- Bond Schoeneck & King: Canvas Pays Ransom: What's Next? (May 2026)