Today in Surveillance:
- NPR published a detailed investigation into US government spyware use. The Trump administration lifted sanctions on people tied to the Predator spyware tool and revived an ICE contract with Paragon Solutions, then the contract was "closed out" on Inauguration Day 2026. DHS won't say if it still has access to Paragon's phone-hacking tool.
- DHS surveillance spending is surging while privacy oversight collapses. The department filed zero Privacy Impact Assessments in 2026 after filing 24 in 2024. The Inspector General says DHS "has systematically obstructed" his oversight work.
- Disney faces a $5 million class action over facial recognition at Disneyland and California Adventure entrances. The lawsuit says guests weren't properly told their faces were being scanned.
- Illinois quietly killed its biometric surveillance ban. HB 5521 would have made Illinois the most restrictive state for police facial recognition. It died after a shooting spree refocused the debate.
- The EFF told the Fourth Circuit that border agents need warrants to search phones. The case involves a US citizen whose phone was manually searched at Dulles airport.
- Louisiana passed a comprehensive data privacy law 94-0. Maryland became the first state to ban surveillance pricing on food.
NPR Mapped the US Government's Spyware Habit. The Gaps in the Map Are the Scary Part.
NPR published a detailed investigation on May 19 trying to answer a straightforward question: what spyware does the US government use, and on whom? The answers they got were anything but straightforward [1][2].
Here's what's known. ICE bought access to Paragon Solutions' Graphite spyware, a tool that can remotely hack into a phone without the owner clicking anything. The Biden administration froze the contract. Last August, the Trump administration unfroze it. Then, on January 20, 2026 (Inauguration Day), federal procurement documents show the Paragon contract was "modified" to close it out [1].
But Paragon had already been acquired by American private equity firm AE Industrial Partners and merged with another company, REDLattice. When NPR asked DHS if it still uses Paragon's tools, a spokesperson said the agency "had not entered another contract with Paragon Solutions, Inc.," a statement that technically means nothing, since that company no longer exists as a standalone entity [1].
The Trump administration also lifted Treasury sanctions on three people connected to Predator, a competing spyware tool that was caught targeting journalists and politicians across multiple countries. And WhatsApp discovered more than 90 users in various countries were targeted with Paragon's Graphite in 2025, including journalists and activists in Italy [1][2].
Congressional Democrats have demanded answers. Reps. Summer Lee, Shontel Brown, and Salma Ansari sent letters to DHS asking for documentation on spyware procurement and use. The responses have been vague at best [2].
DHS Is Spending Hundreds of Millions on Surveillance Tech. Its Privacy Oversight Has Dropped to Zero.
A FedScoop investigation found that DHS plans to award hundreds of millions of dollars in surveillance technology contracts in 2026, while simultaneously gutting the internal checks designed to prevent abuse [3].
The numbers tell the story. DHS filed 24 Privacy Impact Assessments in 2024. In 2025, that dropped to eight. In 2026 so far: zero. These assessments are supposed to evaluate how new surveillance tools affect civil liberties before they're deployed. The department isn't pausing deployment. It's just stopped checking [3].
The spending side is the opposite trajectory. DHS received $191 billion from the "One Big Beautiful Bill" signed July 4, 2025, nearly double its fiscal 2024 budget. Palantir has a $1 billion blanket purchase agreement. Plans include up to $50 million for mobile surveillance capability and $100 million or more for modular surveillance systems. Cellebrite and Penlink (tools for extracting data from phones and computers) remain in the toolkit [3].
DHS Inspector General Joseph Cuffari reported the agency "has systematically obstructed" his oversight work. Privacy officers have reportedly been ousted after objecting to how the department labels surveillance records. The IG launched an audit in February 2026 into biometric management and interior enforcement operations [3].
The shift is clear: DHS is moving surveillance capabilities from the border to interior operations. More tools, more money, less oversight. That's a pattern that should worry everyone, regardless of who's being targeted today.
Disney Got Sued for Scanning Your Face at the Happiest Place on Earth
A class action lawsuit filed May 18 in California federal court alleges Disney collected guests' facial biometric data at Disneyland and California Adventure entrances without adequate disclosure or consent [4][5].
Disney implemented facial recognition at park entrances in April 2026. Cameras scan guests' faces and compare them against images saved when the ticket or annual pass was first used. Disney says it speeds up entry and prevents ticket fraud. The lawsuit says guests weren't properly informed that it was happening [4][5].
Plaintiff Summer Christine Duffield is seeking at least $5 million on behalf of park visitors. The complaint cites California privacy and consumer protection laws, along with stricter biometric standards from Illinois, Washington, and New Jersey that require explicit opt-in consent [5][6].
Disney had signs with a crossed-out silhouette posted at four entrances, their version of disclosure. The plaintiff's attorney argues that "guests should be able to expressly opt in to this type of sensitive facial recognition" rather than having privacy obligations placed on visitors to notice and navigate an opt-out [5].
Disney hasn't commented publicly on the lawsuit. The company told Hollywood Reporter it "respects and protects guests' personal information" and disputes the claims [6].
Illinois Was About to Ban Police Facial Recognition. Then a Shooting Happened.
House Bill 5521, the Biometric Surveillance Act, would have banned Illinois law enforcement from using facial recognition tools entirely, with narrow exceptions for background checks, fingerprinting after arrest, and forensic evidence collection. It also would have barred the Secretary of State from using driver's license photos for facial recognition searches [7][8].
Only Vermont and Maine have enacted similar near-total bans. HB 5521 would have made Illinois the most restrictive state in the country for government use of biometric surveillance [7].
It's dead. The bill failed to meet a March 27 committee deadline and was sent back to the House Rules Committee. NPR Illinois reported May 18 that backers aren't looking to revive it this session [8].
The timing matters. The bill's stall coincided with high-profile violent crime debates, the same dynamic playing out in Austin, Texas, where officials are using a weekend shooting spree to argue against the city's newly passed surveillance oversight law. Yesterday's briefing covered that story.
There's an irony in Illinois specifically. The state passed the nation's strongest private-sector biometric law (BIPA) unanimously in 2008, producing billions in settlements against companies like Facebook and Google. But BIPA doesn't cover government use. HB 5521 was supposed to close that gap. Now it won't, at least not this year [7].
Rep. Kelly Cassidy (D-Chicago), the bill's sponsor, and the ACLU of Illinois say they want the debate to center on privacy, accuracy, and potential misuse, not be driven by individual crime incidents [8].
The EFF Wants Warrants for Border Phone Searches. The Fourth Circuit Is Listening.
The EFF, the ACLU, and the National Association of Criminal Defense Lawyers filed an amicus brief in the Fourth Circuit urging the court to require warrants for border searches of electronic devices [9][10].
The case, U.S. v. Belmonte Cardozo, involves a US citizen whose cell phone was manually searched after arriving at Dulles International Airport from Bolivia. The Fourth Circuit heard oral arguments on May 8 [9].
The EFF's argument is simple: phones contain the most intimate details of a person's life, and the border search exception to the Fourth Amendment was designed for luggage and contraband, not the contents of someone's entire digital existence. They want the same standard for both manual and forensic device searches: a warrant supported by probable cause, issued by a judge [9][10].
The brief also argues that getting a warrant isn't a burden. If border officers have probable cause, they can hold the device and let the traveler go while they obtain a warrant. Current practice lets agents search phones on a hunch [9].
This matters beyond the Fourth Circuit. The EFF made the same argument to the Third Circuit earlier this year. Multiple circuits ruling on border device searches could push the issue toward the Supreme Court.
Louisiana Passes a Privacy Law 94-0. Maryland Bans Surveillance Pricing. States Keep Moving.
Louisiana's House voted 94-0 on Monday to pass SB-386, the Louisiana Data Privacy Act. The bill gives consumers the right to access, correct, delete, and opt out of targeted advertising. It covers businesses with over $25 million in revenue or those processing data from 75,000 or more consumers. The attorney general enforces it. It takes effect January 1, 2027 [11][12].
A 94-0 vote on data privacy in a deep-red state stands out. Privacy isn't just a blue-state issue anymore, though Louisiana's bill exempts state agencies, financial institutions, nonprofits, and higher education, which limits its reach [11].
Meanwhile, Maryland became the first state to ban surveillance pricing on food. Governor Wes Moore signed the Protection From Predatory Pricing Act on April 28. Starting October 1, large food retailers (over 15,000 square feet) and delivery services can't use your personal data to charge you more for the same groceries. First offense: up to $10,000. Repeat violations: $25,000. California, New York, and Illinois are considering similar laws [13][14].
The concept of "surveillance pricing" (using data brokers, browsing history, and location data to set individual prices) is drawing attention from the House Oversight Committee, which launched a formal investigation in March. The FTC is also examining whether food delivery platforms disclose personalized pricing to consumers [14][15].
The World's Privacy Regulators Are Meeting in Brussels. The GDPR Turns 10.
CPDP (Computers, Privacy and Data Protection) kicked off in Brussels on May 19 and runs through May 22. This year's theme: "Competing Visions, Shared Futures." The conference is marking the 10th anniversary of the General Data Protection Regulation, which went into force in May 2018 [16].
A decade of GDPR deserves honest stock-taking. The regulation changed the global conversation about data protection and gave regulators real enforcement teeth. Ireland's DPC fined Meta €1.2 billion in 2023 for illegal data transfers. But enforcement remains wildly uneven across member states, and the regulation's "consent fatigue" problem (those cookie banners you click through without reading) is well documented [16].
This year's agenda includes tracks on digital youth futures, IT security, and engineering privacy into systems. Data protection authorities, academics, civil society groups, and industry representatives are all in the room, which tends to produce more interesting disagreements than consensus [16].
The timing is pointed. As US surveillance spending surges and privacy oversight declines, European regulators are debating whether the GDPR model is working well enough, or whether it needs its own reform to stay relevant against AI, LLMs, and the sheer scale of modern data collection.
What to Watch
- FISA Section 702 expires June 12, 23 days out. Senator Wyden and a bipartisan group introduced the Government Surveillance Reform Act to add warrant requirements and ban the government from buying Americans' data from brokers. The White House wants a clean reauthorization with no reforms.
- The Take It Down Act is in its second day of enforcement. The FTC can now fine platforms up to $53,088 per violation for failing to remove non-consensual intimate images within 48 hours. Yesterday's briefing covered the launch.
- The EFF published a new guide on fighting digital surveillance in the Americas. "Tackling Arbitrary Digital Surveillance in the Americas" compiles privacy and data protection guarantees across the hemisphere into actionable guidance for governments [17].
- Fourth Circuit ruling in Belmonte Cardozo could establish whether border agents need warrants to search phones, with potential Supreme Court implications.
Sources
[1] NPR: What we know about how the U.S. government uses spyware (and what we don't) (May 19, 2026)
[2] Rep. Summer Lee: Reps. Lee, Brown, Ansari Demand Answers from DHS on Use of Foreign Spyware by ICE
[3] FedScoop: DHS-built surveillance apparatus to surge in year ahead, documents show (2026)
[4] Engadget: Disney faces a class action lawsuit over facial recognition tech (May 2026)
[5] WDW News Today: Class Action Lawsuit Over Facial Recognition Technology Filed Against Disney (May 2026)
[6] Hollywood Reporter: Disney Hit With Class Action Over Facial Recognition at Park Entrances (May 2026)
[7] ACLU of Illinois: HB 5521: Biometric Surveillance Act
[8] NPR Illinois: Stalled surveillance bill highlights tension between privacy and public safety (May 18, 2026)
[9] EFF: EFF to Fourth Circuit: Electronic Device Searches at the Border Require a Warrant (May 2026)
[10] Hacker News: EFF to 4th Circuit: Electronic Device Searches at the Border Require a Warrant
[11] FastDemocracy: Louisiana SB 386: Data Privacy Act (2026)
[12] LegiScan: Louisiana SB386 (2026 Regular Session)
[13] MultiState: Maryland Bans Surveillance Pricing for Food Retailers (April 30, 2026)
[14] NPR: Maryland could become the first state to ban 'surveillance pricing' for groceries (April 23, 2026)
[15] FTC: Seeks Public Comment on Unfair Fee Practices in Online Food and Grocery Delivery (April 2026)
[16] CPDP Conference 2026: Competing Visions, Shared Futures
[17] EFF: We Must Not Normalize Digital Surveillance Abuses (May 2026)