Today in Surveillance:
- The Take It Down Act takes effect tomorrow, May 19. The FTC sent warning letters to Amazon, Apple, Meta, Google, Reddit, X, TikTok, and more. Platforms must remove non-consensual intimate images within 48 hours of a takedown notice, or face $53,088 per violation. Meta already stripped Instagram's end-to-end encryption in preparation. The timing isn't a coincidence.
- Trellix, a cybersecurity company protecting 200 million endpoints, got hacked. RansomHouse claimed responsibility for stealing source code from the McAfee/FireEye successor. If attackers can study how detection works, they can build tools to evade it.
- The EFF told the Fourth Circuit that border agents need warrants to search your phone. CBP conducted 55,318 device searches in fiscal year 2025. The case could set the standard for whether the Constitution applies at the airport.
- Cook County deferred a $1.12 million AI surveillance system for its jail. Eighty organizations called conditions at the facility a "human rights crisis" and said BriefCam cameras shouldn't come before basic safety.
- FISA Section 702 expires in 25 days. Congress is back from recess. The American Prospect revealed that FBI "Brady" queries of Americans' data jumped tenfold, and the real fight is over what counts as a "query" in the first place.
The Take It Down Act Goes Live Tomorrow. Meta Already Prepared by Killing Instagram Encryption.
Starting May 19, every major online platform must comply with the Take It Down Act. The law requires platforms to remove non-consensual intimate images (including AI-generated deepfakes) within 48 hours of receiving a valid takedown notice. Violations carry penalties of $53,088 each, enforced by the FTC [1].
FTC Chairman Andrew Ferguson sent letters to more than a dozen companies in May reminding them the deadline is real. Recipients included Amazon, Alphabet, Apple, Meta, Microsoft, Reddit, Snapchat, TikTok, Discord, Pinterest, and X. The message was clear: comply or face enforcement [1].
Here's the problem nobody in Congress wants to talk about: you can't scan for content inside encrypted messages. And that tension already produced its first casualty. On May 8, Meta permanently removed end-to-end encryption from Instagram direct messages, reversing a commitment Mark Zuckerberg made in 2019. The company claimed "very few people" used it. Privacy advocates see a different reason: with the Take It Down Act about to take effect, Meta needed the ability to scan messages for intimate imagery [2][3].
Five days later, on May 13, Meta launched "Incognito Chat" for its AI assistant on WhatsApp, an encrypted feature that uses hardware-isolated execution environments and strips IP addresses via a third-party relay. So Meta stripped encryption from 2 billion Instagram users' DMs while simultaneously marketing encryption as a premium feature for AI conversations [4].
The EFF called the sequence "a broken promise." Cybersecurity expert Alan Woodward warned that Incognito Chat's disappearing conversations create an "accountability vacuum": if Meta AI gives someone harmful medical or legal advice, the chat log that would support a complaint simply doesn't exist [4].
Background: Take It Down Act Enforcement Deep Dive | Instagram Encryption Removal | Meta's Incognito AI Chat
The Company That Protects 200 Million Endpoints Just Got Its Source Code Stolen
Trellix, the cybersecurity firm born from the merger of McAfee Enterprise and FireEye, disclosed on May 4 that attackers gained unauthorized access to a portion of its source code repository. The company serves over 50,000 business and government customers and protects more than 200 million endpoints worldwide [5].
On May 7, RansomHouse (a ransomware group) claimed responsibility, listing Trellix on its data leak site. According to RansomHouse, the intrusion occurred on April 17 and resulted in data encryption. Trellix says it hasn't found evidence that the code was exploited or altered, and that customer data wasn't directly compromised [6].
But the real risk is structural. When you steal source code from a security company, you're not just stealing data; you're learning how detection works. Dark Reading noted that this kind of breach can reveal "where a security product's controls are located and how detections are designed," giving attackers a road map to evade the very tools meant to catch them [7].
Trellix brought in outside forensic experts and notified law enforcement. The investigation is ongoing.
The EFF Wants the Fourth Circuit to Say What the Constitution Already Does: Get a Warrant
The EFF, alongside the ACLU and the National Association of Criminal Defense Lawyers, filed an amicus brief in U.S. v. Belmonte Cardozo, a case before the U.S. Court of Appeals for the Fourth Circuit. The case involves a U.S. citizen whose phone was manually searched without a warrant at Dulles Airport after returning from Bolivia. Oral arguments were heard on May 8 [8].
The coalition is asking the court to require warrants supported by probable cause for all border searches of electronic devices, both manual and forensic. Their argument rests on the Supreme Court's 2014 decision in Riley v. California, which found that searching a phone is fundamentally different from searching a wallet or suitcase [8].
The numbers tell the story: in fiscal year 2025, CBP conducted 55,318 device searches. That's 55,318 times agents looked through people's photos, messages, browsing history, and apps, without a warrant, without probable cause, and often without even reasonable suspicion [8].
The Fourth Circuit's ruling could set binding precedent across Maryland, Virginia, West Virginia, and the Carolinas: states with major international airports and border checkpoints.
Background: EFF's Third Circuit Border Search Brief
Cook County Backed Off AI Jail Cameras After 80 Organizations Called It a Human Rights Crisis
The Cook County Board of Commissioners deferred a $1.12 million contract to install BriefCam, an AI-powered video surveillance system, in the Cook County Jail, the largest single-site jail in the country. Commissioner Jessica Vasquez requested the deferral, putting the vote off for at least a month [9].
Sheriff Tom Dart pushed the contract, arguing the jail generates 1.8 million hours of video footage per month and that BriefCam would help staff respond faster to medical emergencies. But BriefCam has built-in facial recognition capabilities, and more than half the people incarcerated at Cook County Jail are Black, a population that facial recognition systems consistently misidentify at higher rates [10].
The Illinois Network for Pretrial Justice and 80 community, faith, and policy organizations jointly opposed the contract. Their argument: nine people died at the jail last year, conditions amount to a "human rights crisis," and spending $1.12 million on AI cameras before addressing basic safety is backwards [9].
The sheriff's office insists it won't connect BriefCam to biometric databases, but critics note that the capability is baked into the software, and policies can change. Meanwhile, Illinois legislators are separately advancing HB 5521, which would ban police use of facial recognition statewide, even as Chicago PD credits the technology with solving murder cases.
Background: Illinois Facial Recognition Ban vs. Chicago PD
Vimeo Got Hit Through Its Analytics Vendor. ShinyHunters Dumped 106GB When Ransom Talks Collapsed.
ShinyHunters breached Vimeo by exploiting Anodot, a third-party analytics provider integrated into the platform's systems. The attackers exfiltrated 106GB of data including email addresses for 119,000 users, video titles, metadata, and technical data. When ransom negotiations collapsed, ShinyHunters dumped the lot [11].
Vimeo says no actual video content, valid login credentials, or payment card information was exposed. The company cut off the compromised integration, disabled Anodot credentials, and brought in outside security help [12].
This is ShinyHunters' third major operation this year, after Canvas/Instructure (275 million users, ransom reportedly paid) and the ongoing Cushman & Wakefield campaign. The group's playbook is consistent: find the weakest link in the supply chain, exploit it, then threaten to publish. Vimeo's breach happened through a vendor, not a direct attack on the platform itself.
25 Days Left on FISA 702. Congress Is Back. The Clock Is Loud.
Congress returned from recess last week, and the 45-day extension of Section 702 expires June 12. The House passed a three-year reauthorization 235-191 in April, without a warrant requirement. The Senate killed it over a CBDC provision. Now three bipartisan reform bills are competing for floor time: the Wyden-Lee Government Surveillance Reform Act, the Durbin-Lee SAFE Act, and Rep. Biggs' Protect Liberty Act [13].
The American Prospect published a critical investigation on May 11 showing that FBI "Brady" queries (searches of Americans' communications to find exculpatory evidence for criminal defendants) jumped from 113 to 1,083 in the latest reporting period. That's a tenfold increase. In 2023, the number was 17 [14].
The bigger problem: if a search doesn't meet Congress's definition of "query," it doesn't get counted, audited, or overseen. The real number of times Americans' communications are searched could be far higher than the official statistics suggest. Senator Wyden secured a commitment for expedited declassification of a FISA Court opinion that could reveal the full scope. Whether it drops before June 12 will determine if Congress votes informed or blind [14].
Background: FISA 702 Extension Deep Dive
Two Major Privacy Conferences Start This Week
The 47th IEEE Symposium on Security and Privacy opened today in San Francisco and runs through May 20, with workshops on May 21. It's the premier academic conference for security and privacy research, drawing peer-reviewed work on secure systems, cryptography, network security, and emerging risk areas. CMU's CyLab is presenting multiple papers [15].
Tomorrow in Brussels, CPDP 2026 (Computers, Privacy and Data Protection) kicks off its four-day run (May 19-22). This year's conference marks the tenth anniversary of the GDPR, making it a natural checkpoint for assessing whether Europe's flagship privacy law has actually delivered on its promises. Expect panels on AI governance, the EU AI Act (full enforcement August 2), and the unfinished CSAR child safety regulation [16].
Both conferences typically produce newsworthy research and policy proposals. We'll cover anything surveillance-relevant that comes out of them.
What to Watch
- Take It Down Act (tomorrow): Enforcement begins May 19. Watch for the first FTC action and whether encrypted platforms like Signal face compliance demands they can't technically meet.
- FISA 702 (25 days): The FISA Court opinion declassification review could drop any day. If it reveals what privacy advocates suspect about query manipulation, it could shift the Senate vote.
- Trellix investigation: RansomHouse's claim of data encryption suggests a ransomware payload, not just data theft. If Trellix's detection code is in the wild, the ripple effects reach 200 million endpoints.
- Cook County BriefCam: Deferred, not defeated. Sheriff Dart will push the contract again. The vote is likely coming back next month.
- Fourth Circuit border search: A ruling in Belmonte Cardozo could establish warrant requirements for device searches at airports in five states.
- CPDP Brussels: GDPR turns 10. Watch for assessments of whether Europe's privacy framework survived the AI era, and what comes next.
Sources
- Wiley: May 19 Deadline for Take It Down Act Compliance (May 2026)
- Bitdefender: Instagram Ends Encrypted DMs on May 8, 2026
- Help Net Security: Instagram Messaging Encryption Removed (May 11, 2026)
- TechTimes: Meta Launches Incognito AI Chat Days After Removing Instagram Encryption (May 15, 2026)
- BleepingComputer: Trellix Discloses Data Breach After Source Code Repository Hack (May 4, 2026)
- BleepingComputer: Trellix Source Code Breach Claimed by RansomHouse (May 7, 2026)
- Dark Reading: Trellix Source Code Breach Highlights Supply Chain Threats (May 2026)
- EFF: Electronic Device Searches at the Border Require a Warrant (May 2026)
- WBEZ Chicago: Cook County Jail Could Get a $1.1 Million AI-Powered Surveillance System (May 12, 2026)
- GovTech: Cook County Balks at AI-Powered Jail Surveillance (May 2026)
- The Register: ShinyHunters Dump Puts 119K Vimeo Emails in the Wild (May 5, 2026)
- BleepingComputer: Vimeo Data Breach Exposes Personal Information of 119,000 People (May 2026)
- CNBC: FISA Section 702, Congress Passes Short-Term Extension (April 30, 2026)
- The American Prospect: Surveillance Reform Hinges on How Congress Defines 'Query' (May 11, 2026)
- IEEE Symposium on Security and Privacy 2026 (May 18-21, San Francisco)
- CPDP 2026: Computers, Privacy & Data Protection Conference (May 19-22, Brussels)