Today in Surveillance:
- The Take It Down Act is enforceable starting today. Platforms must remove non-consensual intimate images within 48 hours or face FTC penalties up to $51,744 per violation. Yesterday's briefing covered the law and Meta's encryption rollback in detail.
- Austin's police chief and mayor want to roll back the city's new surveillance limits after a weekend shooting spree. They say license plate readers would have caught the suspects faster. The TRUST Act is barely a month old. Other cities are moving the opposite direction, pulling the plug on license plate surveillance.
- The DOJ subpoenaed NYU Langone for medical records of trans youth patients: the first known criminal grand jury subpoena targeting gender-affirming care at a hospital. New York law says those records are protected.
- The DOJ wants Apple, Google, and Amazon to identify 100,000+ users of a diesel truck tuning app. The government says it's about emissions. Privacy advocates say it's a fishing expedition.
- Signal says it will leave Canada rather than comply with Bill C-22, which would force tech companies to retain user metadata for a year. Windscribe says the same.
- Google and Amnesty International built a spyware detector for Android. Intrusion Logging ships on Pixel phones with Android 16, creating encrypted forensic logs that only you can access.
Austin Officials Want to Weaken Surveillance Limits. The Ink on the TRUST Act Isn't Even Dry.
A string of 12 shootings and robberies tore through Austin, Texas over the weekend. Four people were shot (one seriously) and police arrested three suspects, including two teenagers aged 15 and 17. The suspects stole at least four vehicles while fleeing across the city [1].
Austin Police Chief Lisa Davis didn't waste time making her pitch. At a Sunday press conference, she said automated license plate readers "absolutely could have" sped up the investigation. Mayor Kirk Watson backed her up: "We need to make sure that our law enforcement has the tools that they need so they can keep people safe" [1][2].
The problem? Austin's City Council passed the Transparent and Responsible Use of Surveillance Technology Act (the TRUST Act) just last month. The ordinance requires council approval before the city deploys data-collection technologies like cameras, drones, and automated license plate readers. It limits how long data can be stored and how it's used [3].
Davis said she's "open to having conversations" about revisiting the TRUST Act. Translation: law enforcement wants to roll back civilian oversight of surveillance before the oversight has even had a chance to function.
There's an irony here that the officials aren't mentioning. The Manor Police Department, east of Austin, located one of the stolen vehicles using its own license plate readers. The suspects were ultimately caught the old-fashioned way: a traffic stop and a tip at a gas station. The system worked without gutting privacy protections [1].
This is a pattern. Every time a crime captures public attention, police use the moment to argue for more surveillance tools with fewer restrictions. The TRUST Act exists because Austin residents demanded it after years of unchecked police technology expansion. One weekend doesn't erase those concerns.
The DOJ Wants Trans Kids' Medical Records. New York Says No.
NYU Langone hospitals received a grand jury subpoena on May 7 from the U.S. Attorney's Office in the Northern District of Texas. The demand: hand over medical records of young patients who received gender-affirming care over the past six years, plus the names of hospital employees who provided that care [4][5].
This is the first known criminal grand jury subpoena targeting a hospital over gender-affirming care for minors. The DOJ had previously sent more than 20 civil subpoenas to doctors and clinics last summer, but multiple federal judges blocked those efforts after hospitals fought back [4][6].
NYU Langone isn't the only target. The hospital said it's "one of several institutions" that received subpoenas. It notified affected patients and is evaluating its legal options [5].
Here's where it gets interesting: New York law explicitly prohibits disclosure of medical records related to gender-affirming care except in narrow circumstances. The state also bars law enforcement from cooperating with out-of-state investigations into such care. A federal subpoena from Texas demanding records from a New York hospital sets up a direct collision between federal power and state medical privacy protections [4].
The privacy implications extend beyond one patient population. If the DOJ can compel hospitals to hand over protected medical records by routing subpoenas through friendly jurisdictions, that mechanism works for any care the federal government decides to target.
The DOJ Wants to Identify 100,000 People Who Downloaded a Car App
The Justice Department subpoenaed Apple, Google, Amazon, and Walmart in March and April 2026, demanding they identify every person who downloaded or purchased EZ Lynk's Auto Agent app and hardware. The total: more than 100,000 people [7][8].
The app connects to a vehicle's onboard diagnostic port and lets users monitor performance, run diagnostics, and (the DOJ alleges) disable emissions controls. The government first sued EZ Lynk in 2021 for selling "defeat devices" that violate the Clean Air Act. Now it wants the customer list to find witnesses [7].
EZ Lynk's lawyers called it what it is: "These requests for potentially hundreds of thousands of people's PII go well beyond the needs of this case and create serious privacy concerns." The app has legitimate uses beyond emissions tampering (monitoring engine performance, running software updates) and most users probably never touched emissions settings [8].
Apple and Google reportedly plan to challenge the requests. But the fact that the DOJ feels comfortable demanding mass user identification from tech companies over a regulatory dispute tells you something about the state of digital privacy expectations in 2026 [7].
Signal Will Leave Canada Before It Builds a Backdoor
Canada's Bill C-22, introduced in March 2026, would force electronic service providers to build surveillance capabilities into their systems and retain user metadata for up to a year. The Lawful Access Act is pitched as a tool for investigating "severe crimes." Privacy advocates see a repackaged version of surveillance proposals that have failed in Canada before [9][10].
Signal isn't playing along. The encrypted messaging app said it would pull out of Canada rather than compromise its architecture. The company warned that the bill "could potentially allow hackers" to exploit weaknesses built into communications systems on the government's behalf [9]. Signal has made the same stand in Europe, threatening to leave the UK and Sweden rather than break encryption.
Windscribe, a Canadian-born VPN provider headquartered in Toronto, made the same threat, but faces a harder exit. Signal can shut off Canadian servers and walk. Windscribe would have to relocate its entire corporate structure [10].
Meta and Apple have also raised concerns publicly. The bill passed second reading on April 20 and is now before the House of Commons Standing Committee on Public Safety and National Security [11].
The EFF called Bill C-22 "a repackaged version of last year's surveillance nightmare." Professor Michael Geist, Canada's leading digital policy scholar, wrote that the government is running the same playbook it used with the disastrous Online News Act, dismissing tech companies' warnings until the consequences land [11][12].
Google and Amnesty Built a Spyware Alarm for Your Phone
Google started rolling out Intrusion Logging on Pixel devices running Android 16 this month. The feature, developed with Amnesty International's Security Lab and Reporters Without Borders, creates forensic logs that document device activity (app behavior, network connections, unlock events) designed to help investigators detect spyware infections [13][14].
The logs are encrypted so only the device owner can access them. Google can't read them. Users opt in through Android's Advanced Protection Mode, then export the logs to share with security researchers if they suspect their phone has been compromised [13].
Amnesty called it "the first time a major device vendor has released a feature specifically to enhance the ability to forensically detect and respond to advanced digital threats." The target users: journalists, activists, dissidents, and human rights defenders, the same people governments have been targeting with commercial spyware like Pegasus [14].
Limitations exist. Only Pixel devices support it so far. The feature requires Android 16 and a linked Google account. Logs may contain sensitive data like browsing history. And an attacker with root access could potentially delete the logs. But it's a meaningful step, the phone equivalent of a security camera watching the security cameras [13].
Six EU Countries Sold Spy Tools to Dictatorships. The EU Watched It Happen.
Human Rights Watch published a 54-page report on May 12 titled "Looking the Other Way" that documents how at least six EU member states (Bulgaria, Czech Republic, Denmark, Finland, Poland, and one unnamed) exported surveillance technology to more than two dozen countries with documented records of using such tools against activists, journalists, and political opponents [15][16].
Bulgaria was the worst offender, shipping "intrusion software" and "telecommunications interception" tools to authorities in Azerbaijan, the UAE, Vietnam, Uganda, Jordan, and others [15].
The EU adopted the Dual-Use Regulation in 2021 specifically to prevent this. Five years later, the report finds the European Commission has "reinterpreted" the regulation's transparency requirements in ways that gutted its enforcement. The commission's own reports don't provide enough detail for anyone to assess whether exports are being properly vetted [16].
HRW is calling for tighter human rights due diligence, blocked exports to high-risk countries, and actual enforcement of transparency provisions. The regulation exists. The political will to enforce it doesn't [15].
Background: DHS's Own Surveillance Shopping Spree
What to Watch
- FISA Section 702 expires June 12, 24 days out. Congress passed a short-term extension in April. The real fight: whether the reauthorization includes warrant requirements for searching Americans' communications. The American Prospect reported that FBI "Brady" queries jumped tenfold. Yesterday's briefing has the full rundown.
- New York's Biometric Identifier Privacy Act (S1422) is moving through the Senate Consumer Protection Committee. If passed, it would require written retention policies and give individuals a private right of action: $1,000 for negligent violations, $5,000 for reckless ones [17].
- California's AB 2561 would require operating systems and apps to default to the most privacy-protective settings and bar them from changing those settings without explicit user consent. It passed the Assembly unanimously [18].
- The Canvas/ShinyHunters breach affecting 275 million education records is still developing. ShinyHunters claims data from 8,809 school districts and universities [19].
Sources
- Deseret News: Robbery-shooting spree in Texas adds to debate over surveillance technology (May 18, 2026)
- Spectrum News: Austin mayor, police chief say license plate readers could have helped (May 18, 2026)
- Community Impact: Austin adopts stricter oversight of city surveillance technology use (May 1, 2026)
- The 19th: NYU Langone faces first known criminal investigation over gender-affirming care (May 2026)
- CBS News: NYU Langone says it was subpoenaed over teen patients (May 2026)
- The Intercept: NYU Langone Slapped With Criminal Subpoenas on Trans Care (May 14, 2026)
- Gizmodo: DOJ Is Asking Apple and Google to Hand Over Data on 100,000 Users of a Car App (May 2026)
- The Drive: DOJ Orders Apple, Google to Hand Over OBDII App User Data (May 2026)
- Crypto News: Signal warns Canada exit may follow lawful access bill (May 2026)
- TechRadar: Windscribe joins Signal in threatening Canada exit (May 2026)
- EFF: Canada's Bill C-22 Is a Repackaged Version of Last Year's Surveillance Nightmare (May 2026)
- Michael Geist: Bill C-22's Groundhog Day (May 2026)
- CyberScoop: Google and Amnesty International teamed up to make it harder for spyware vendors to hide (May 2026)
- TechCrunch: Google launches new Android security feature to help uncover spyware attacks (May 12, 2026)
- Human Rights Watch: EU Surveillance Technology Sold to Rights Violators (May 12, 2026)
- HRW Report: Looking the Other Way: EU Failure to Prevent Surveillance Exports (May 12, 2026)
- NY Senate: S1422 Biometric Privacy Act
- California Legislature: AB 2561 Privacy Settings
- SharkStriker: May 2026 Data Breaches (May 2026)