Today in Surveillance:
- Texas AG Ken Paxton sued Meta and WhatsApp for lying about encryption. A Commerce Department investigator wrote in a memo that there's "no limit" to the type of WhatsApp messages Meta can view. The lawsuit seeks $10,000 per violation of Texas consumer protection law.
- California's Assembly unanimously passed AB 2561. If signed, every app and operating system in California must default to the most privacy-protective settings. Companies can't change your settings without explicit consent.
- A Japanese hotel check-in system leaked over 1 million passports and IDs. Tabiq's facial recognition platform left passport scans, driver's licenses, and selfie verification photos in a publicly accessible Amazon S3 bucket. No password required.
- FISA Section 702 expires in 20 days. The Senate returned from recess. Neither House bill includes a warrant requirement. The reform bill with actual teeth hasn't gotten a vote.
- Six EU countries sold surveillance tech to human rights abusers. A Human Rights Watch report found Bulgaria, Czech Republic, Denmark, Finland, Poland, and at least one other member state licensed spyware exports to governments that use it against journalists and activists.
Texas Says WhatsApp Encryption Is a Lie. A Federal Memo Backs It Up.
Texas Attorney General Ken Paxton filed suit on May 21 against Meta Platforms and WhatsApp, alleging the company deceives 3 billion users by claiming their messages are end-to-end encrypted when Meta employees can actually read them [1][2].
The most damaging evidence: a federal Commerce Department investigation into WhatsApp was quietly shut down earlier this year. Before it closed, an agency investigator wrote in a memo that there was "no limit" to the type of WhatsApp messages that could be viewed by Meta. The investigation was abruptly ended without explanation [1][3].
Paxton's lawsuit, filed under the Texas Deceptive Trade Practices Act in Harrison County, seeks a permanent injunction blocking Meta from accessing user messages without consent and a $10,000 fine for every violation. Given WhatsApp's user base, the theoretical exposure is staggering [1][2].
Meta's response was predictable: "WhatsApp cannot access people's encrypted communications and any suggestion to the contrary is false." But this isn't the first time that claim has been challenged. A January 2026 class action lawsuit cited whistleblowers describing an internal tasking system that let employees read messages. Reports from Meta's subcontractor Sama in Kenya described workers viewing users' private footage, including intimate moments [2][3][4].
This is Paxton's second shot at Meta this week. On May 20, he issued a Civil Investigative Demand targeting Meta's Ray-Ban smart glasses over facial geometry collection and the planned "Name Tag" facial recognition feature. The attorney general who extracted a $1.4 billion biometric privacy settlement from Meta in 2024 is building a pattern: Meta lies about privacy, Texas sues, Meta pays [5].
Related: WhatsApp Class Action: Is the Encryption Real? | Paxton's Meta Glasses Investigation | Meta Kills Instagram DM Encryption | Meta's Name Tag Smart Glasses
California Just Passed a Bill That Forces Apps to Default to Maximum Privacy
California's Assembly unanimously passed AB 2561, a bill that would require every operating system and application to set privacy settings to the most protective option by default. If you want less privacy, you'd have to opt in, not the other way around [6][7].
The bill goes further: it prohibits apps from changing your privacy settings without your explicit consent. That means no more silent resets after updates, no more "we've updated our privacy policy" that flips your tracking back on, no more burying the opt-out three menus deep and hoping you won't find it [6].
AB 2561 defines "privacy setting" as any user-configurable option governing the app's collection, use, sharing, disclosure, retention, or processing of personal information. That's broad enough to cover everything from location tracking to ad personalization to microphone access [6].
The bill now heads to the California Senate. Given the unanimous Assembly vote, passage seems likely. If signed into law, it would build on California's existing privacy framework (the CCPA and its CPPA enforcement agency) to create something no other state has: a legal requirement that privacy be the default, not the exception.
Twenty-three states now have comprehensive privacy laws. California keeps pushing the ceiling higher.
A Hotel Check-In System Left 1 Million Passports on the Open Internet. No Password.
Tabiq, a facial recognition-based hotel check-in platform used across Japan, left over one million passport scans, driver's licenses, and selfie verification photos sitting in a publicly accessible Amazon S3 storage bucket. Anyone who knew the bucket name ("tabiq") could browse the data with a web browser. No authentication. No password. No encryption [8][9].
The platform, built by Japanese startup Reqrea, uses facial recognition and document scanning to check guests into hotels. The exposed data includes names, addresses, dates of birth, passport numbers, and photographs from guests worldwide, exactly the kind of information that makes identity theft trivial [8][9].
Independent security researcher Anurag Sen discovered the leak. Reqrea locked down the bucket after TechCrunch reached out, but the company hasn't confirmed whether anyone else accessed the data before it was secured. They're "reviewing logs," which is corporate speak for "we don't know" [9].
Amazon S3 buckets default to private. Someone at Reqrea deliberately changed this one to public. The fact that a company handling biometric data and government-issued identity documents made this choice (and apparently never audited it) is the kind of negligence that makes you want to check in to hotels with a paper form and a fake name.
20 Days Until Section 702 Expires. The Senate Just Got Back.
The 45-day FISA Section 702 extension expires June 12. Congress has 20 days. The Senate returned from recess this week, and the House is expected to bring two competing bills to the floor: the Protect Liberty and End Warrantless Surveillance Act and the FISA Reform and Reauthorization Act [10][11].
Neither bill includes what the Fourth Amendment actually requires: a probable cause-based warrant before the government searches Americans' communications. The bipartisan Government Surveillance Reform Act, introduced by Senators Wyden and Lee with Representatives Lofgren and Davidson, has a warrant requirement and closes the data broker loophole. Leadership hasn't brought it to a vote [10][12].
The American Prospect reported this month that the entire debate may hinge on how Congress defines "query," a seemingly technical distinction that determines whether FBI agents need to show any justification before searching the database of intercepted American communications. The current standard is effectively "type a name and hit enter" [13].
History says Congress will punt with another clean extension. But every extension without reform means another 45 or 90 days of warrantless surveillance of Americans' communications. The clock is ticking again.
Related: FISA 702 Extension Analysis | Government Surveillance Reform Act Breakdown | The Data Broker Loophole
Six EU Countries Sold Surveillance Tech to Dictatorships. The EU's Own Rules Didn't Stop It.
Human Rights Watch published "Looking the Other Way," a 54-page report documenting how at least six EU member states (Bulgaria, Czech Republic, Denmark, Finland, Poland, and at least one other) licensed surveillance technology exports to more than two dozen countries with documented histories of using that technology to spy on journalists, activists, and opposition politicians [14][15].
Specific examples: Bulgaria licensed intrusion software and telecommunications interception systems to Azerbaijan, where authorities use surveillance tech to target journalists and civil society. Poland licensed interception systems to Rwanda, where authorities surveil political opposition members [14][15].
The EU adopted a Dual-Use Regulation in 2021 specifically to prevent this. It isn't working. The European Commission reinterpreted the regulation's transparency requirements in a way that gutted oversight. Member state reports don't provide enough detail for anyone to assess whether exports are going to abusers [14].
This is the European export pipeline that feeds the global surveillance industry. When European companies sell interception software to authoritarian governments, they're selling the tools used to identify, locate, and silence dissidents. The regulatory framework that's supposed to prevent it is, by HRW's assessment, a paper tiger.
Google Built an Anti-Spyware Tool With Amnesty International. It's Opt-In and Pixel-Only.
Google released Android Intrusion Logging, a forensic tool that stores encrypted logs of spyware-related events for 12 months. Developed in partnership with Amnesty International's Security Lab and Reporters Without Borders, it tracks when the phone was unlocked, which apps were installed or removed, what servers the phone connected to, and whether someone connected via Android Debug Bridge, the tool used by forensic devices like Cellebrite [16][17].
It also logs attempts to delete these records, which would indicate someone is trying to cover their tracks after a spyware attack [16].
The catch: it's opt-in, requires Android 16, only works on Google Pixel devices, and must be linked to a Google account with Advanced Protection Mode enabled. That limits the audience to a tiny fraction of Android's 3 billion users: primarily journalists, activists, human rights defenders, and dissidents who know to look for it [16][17].
Google designed it for people at risk of state-sponsored spyware attacks. If that's you, enable it. If it's not, consider why Google thought this tool was necessary, and what it says about the spyware industry's reach that a company with Google's resources partnered with Amnesty International to build defenses.
What to Watch
- FISA Section 702 floor votes expected in the House. The Rules Committee must set the terms. Watch whether the warrant amendment gets a standalone vote. Our coverage.
- California AB 2561 heads to the Senate. After a unanimous Assembly vote, the privacy-by-default bill could reach the governor's desk by summer. This would be the strongest default privacy law in the country.
- May 29 state legislative deadlines. New York's Biometric Privacy Act (S1422) and New Jersey's biometric protections need to clear their chambers of origin. NY BPA coverage.
- Texas vs. Meta expanding. Paxton now has both the WhatsApp encryption lawsuit and the Meta glasses CID running simultaneously. Discovery in either case could produce damaging internal documents.
- DragonForce daily leaks continue. The AdvancedHEALTH patient data drip is ongoing. 2.3 million lines of records, including minors.
Sources
- Texas Attorney General: Paxton Files Landmark Lawsuit Against Meta and WhatsApp (May 21, 2026)
- Texas Tribune: Texas sues WhatsApp, Meta over alleged privacy violations (May 21, 2026)
- KXAN: Texas AG Ken Paxton sues Meta, WhatsApp over alleged misleading encryption claims (May 2026)
- KSAT: WhatsApp, Meta can access Texans' private messages, AG Ken Paxton says (May 21, 2026)
- Texas Attorney General: Paxton Launches Investigation Into Meta Glasses (May 20, 2026)
- California Legislature: AB-2561: Operating systems and applications: privacy settings (2026)
- Troutman Pepper: Proposed State Privacy and AI Law Update: May 18, 2026
- Security Affairs: Public Amazon bucket leaks sensitive guest data from Japanese hotel platform Tabiq (May 2026)
- TechCrunch: A hotel check-in system left a million passports and driver's licenses open for anyone to see (May 15, 2026)
- Brennan Center for Justice: FISA Section 702: 2026 Resource Page
- CNBC: FISA Section 702: Congress passes short-term surveillance program extension (April 30, 2026)
- GovTrack: Government Surveillance Reform Act of 2026 (S. 4082)
- The American Prospect: Surveillance Reform Hinges on How Congress Defines 'Query' (May 11, 2026)
- Human Rights Watch: European Union: Surveillance Technology Sold to Rights Violators (May 12, 2026)
- Human Rights Watch: Looking the Other Way: EU Failure to Prevent Surveillance Exports (May 12, 2026)
- TechCrunch: Google launches new Android security feature to help uncover spyware attacks (May 12, 2026)
- CyberScoop: Google and Amnesty International teamed up to make it harder for spyware vendors to hide (May 2026)