Today in Surveillance:
- ChatGPT was secretly sending your queries to Meta and Google. A class action lawsuit alleges OpenAI embedded Facebook Pixel and Google Analytics in ChatGPT, transmitting query topics, email addresses, and Facebook IDs to the two largest advertising companies on earth. The suit seeks $10,000 per violation under federal wiretap law.
- Meta settled the first school district social media addiction case. Breathitt County, Kentucky (the bellwether case selected from over 1,000 similar lawsuits) settled on undisclosed terms. TikTok, Snap, and YouTube settled earlier this month. Collective theoretical liability across all cases: $400 billion.
- A government-backed drone system can now ID you from a kilometer away by how you walk. FarSight fuses facial recognition, gait analysis, and 3D body-shape modeling to identify people from altitudes and distances where faces are unreadable. Built with IARPA funding.
- Europol seized First VPN, the anonymization layer for 25 ransomware groups. Operation Saffron took 33 servers across 27 countries, arrested a Ukrainian administrator, and identified 506 criminal users. The service had been running since 2014.
- FISA Section 702 expires in 19 days. The Supreme Court is separately weighing geofence warrants in Chatrie v. United States, a decision expected by July that could reshape digital surveillance law.
ChatGPT Was Sending Your Queries to Meta and Google. A Federal Lawsuit Says That's Wiretapping.
A class action filed on May 13 in the U.S. District Court for the Southern District of California alleges that OpenAI embedded Meta's Facebook Pixel and Google Analytics tracking code directly into ChatGPT.com, turning every conversation into marketing data for the world's two largest advertising platforms [1][2].
The mechanism is almost comically simple. When you type a query into ChatGPT, that query becomes the title of your browser tab. The Facebook Pixel captures that title and forwards it to Meta's servers along with three cookies: your unencrypted Facebook ID (c_user), an encrypted Facebook ID (fr), and a first-party tracking cookie (_fbp). Google Analytics, meanwhile, intercepts a hashed version of your email address, your Google profile ID, and session identifiers [1][2].
Plaintiff Amargo Couture's complaint (Case No. 3:26-cv-03000-H-GC) argues this constitutes a violation of the Electronic Communications Privacy Act (the federal wiretap statute) which provides for $10,000 per violation. The suit also cites California's Invasion of Privacy Act and state constitutional privacy rights [1][2].
Think about what people ask ChatGPT. Medical symptoms. Legal questions. Financial problems. Relationship issues. And according to this lawsuit, every one of those queries was packaged and shipped to Meta and Google with your identity attached. OpenAI hadn't responded to the complaint as of May 17 [2].
This isn't an isolated discovery. In early April, a nearly identical class action was filed against Perplexity AI for the same Facebook Pixel and Google DoubleClick instrumentation on its search interface. The ad-tech surveillance pipeline doesn't stop at social media. It's embedded in the tools people assume are private [2].
Meta Settled the First School District Social Media Addiction Case. 1,000+ Are Waiting.
Meta settled with the Breathitt County School District in Kentucky on May 21, ending the bellwether case that was supposed to test whether social media companies could be held liable for the mental health crisis in American schools. TikTok, Snap, and YouTube settled with the same district earlier this month. The terms of every settlement are sealed [3][4].
The Breathitt County case was selected as the bellwether from over 1,000 school district lawsuits, and more than 3,300 total social media addiction cases pending in California state court alone. The core allegation: social media platforms designed addictive features that created a mental health crisis, forcing schools to redirect resources from education to crisis intervention [3][4].
Bloomberg Intelligence estimates the collective theoretical liability across all pending cases at nearly $400 billion. That number is theoretical. But in March, a Los Angeles judge already ruled Meta liable in a separate bellwether involving a 20-year-old Instagram user, with a jury awarding $6 million in damages [4].
By settling rather than going to trial, Meta avoided setting a public precedent, but it also avoided a public defense. The sealed terms mean we don't know what Breathitt County got. What we do know: a trial was scheduled within weeks, the companies blinked first, and a thousand more districts are watching.
A New Drone System Identifies People From a Kilometer Away: By How They Walk
Researchers backed by IARPA (the U.S. intelligence community's research arm) have built a drone-based biometric system called FarSight that identifies people from distances greater than 1,000 meters and pitch angles above 20 degrees. At those distances and altitudes, faces are barely visible. FarSight doesn't care [5][6].
The system fuses three identification methods: facial recognition using AI-enhanced image restoration, gait analysis through a model called GlobalGait that reads walking patterns, and 3D body-shape reconstruction that strips away clothing and posture to estimate a person's underlying physical form. When all three signals are combined, identification accuracy jumps significantly over any single method alone [5][6].
FarSight was evaluated against IARPA's BRIAR benchmark dataset: 350,000 images and 1,300 hours of video from 1,055 outdoor subjects. The system processes video through detection, tracking, atmospheric distortion correction, and multimodal feature fusion before comparing against a gallery of known identities [5][6].
The intended applications are exactly what you'd expect: law enforcement, border security, and surveillance operations. The paper describes this as "whole-body biometric recognition", a category where you can be identified even when your face is covered, obscured, or too far away to resolve. A hoodie and sunglasses won't help when a drone can recognize you by the way you shift your weight between steps.
Europol Seized the VPN That 25 Ransomware Groups Used to Hide
On May 19-20, authorities across 16 countries executed Operation Saffron, seizing 33 servers in 27 countries, arresting a Ukrainian administrator, and dismantling First VPN, a "bulletproof" VPN service that had been the anonymization layer for the cybercrime ecosystem since 2014 [7][8].
The FBI confirmed that at least 25 distinct ransomware groups used First VPN to hide reconnaissance, intrusions, and command-and-control infrastructure. French and Dutch authorities led the investigation, which began in December 2021 and resulted in a joint investigation team formed in November 2023. The investigation generated 83 intelligence packages and identified 506 criminal users whose information was shared with international law enforcement [7][8].
First VPN marketed itself directly to criminals seeking to obscure their locations while conducting ransomware attacks, fraud campaigns, and credential theft. The service came up in "almost every major cybercrime investigation," according to Europol. Related domains (1vpns.com, .net, and .org) were all seized [7][8].
This is the latest in a pattern of law enforcement quietly infiltrating criminal infrastructure before taking it down. The investigation ran for over three years before the servers were pulled. Every user who thought they were invisible now has to wonder what the investigators saw while they were watching.
19 Days Until Section 702 Expires. The Supreme Court Is Separately Rewriting Surveillance Law.
The 45-day FISA Section 702 extension expires June 12. Congress has 19 days. The House is expected to bring competing reauthorization bills to the floor, but neither includes the warrant requirement that reform advocates (the ACLU, EFF, EPIC, and the Brennan Center) say the Fourth Amendment demands [9][10].
Meanwhile, the Supreme Court is weighing a case that could reshape digital surveillance independent of what Congress does. In Chatrie v. United States, argued April 27, the court is considering whether geofence warrants (orders that compel companies to hand over data on every device in a geographic area during a time window) violate the Fourth Amendment. EFF, ACLU, and Georgetown's Center on Privacy & Technology filed briefs calling geofence warrants "the digital version of the exploratory rummaging that the drafters of the Fourth Amendment specifically intended to prevent" [11][12].
The Chatrie case involves a 2019 geofence warrant that forced Google to search the accounts of hundreds of millions of users to find anyone near a Northern Virginia crime scene. A decision is expected by July [11][12].
Two parallel tracks, same question: does the government need to name a suspect before searching Americans' data, or can it vacuum up everything and sort through it later? Congress will probably punt on 702 again. The Supreme Court might not.
Related: FISA 702 Extension Analysis | Government Surveillance Reform Act Breakdown
What to Watch
- FISA Section 702 floor votes. The House could bring competing bills next week. Watch whether the warrant amendment gets a standalone vote or gets buried in procedural maneuvering. Our coverage.
- Chatrie v. United States. The Supreme Court's geofence warrant ruling, expected by July, could make warrantless location dragnet searches unconstitutional, a bigger deal than anything Congress is debating on 702.
- Meta social media addiction litigation. The bellwether settlement opens the floodgates. Watch for the next batch of cases to seek trial dates now that the test case has settled.
- OpenAI's response to the ChatGPT tracking lawsuit. No response filed yet. If OpenAI argues the tracking was disclosed in its privacy policy, expect a discovery fight over whether anyone actually reads those policies.
- DragonForce daily leaks continue. The AdvancedHEALTH patient data drip is ongoing: 2.3 million lines of records, including minors.
Sources
- GBlock: ChatGPT.com Has Meta's Facebook Pixel Embedded, May 14 Class Action (May 2026)
- PPC Land: OpenAI's ChatGPT Secretly Sent Your Queries to Meta and Google, Lawsuit Claims (May 17, 2026)
- NBC News: Meta Settles Social Media Addiction Case Brought by Rural Kentucky School District (May 21, 2026)
- Gizmodo: Meta Settles Lawsuit That Claimed Social Media Addiction Screwed Up Schools (May 2026)
- Biometric Update: Researchers Develop Biometric System That Identifies People Beyond the Face (May 2026)
- arXiv: FarSight: A Physics-Driven Whole-Body Biometric System at Large Distance and Altitude
- BleepingComputer: Police Seize First VPN Service Used in Ransomware, Data Theft Attacks (May 2026)
- Hackread: Europol Seizes First VPN Used by Ransomware Gangs, Arrests Administrator (May 2026)
- Brennan Center for Justice: FISA Section 702: 2026 Resource Page
- The American Prospect: Surveillance Reform Hinges on How Congress Defines 'Query' (May 11, 2026)
- EFF: EFF to Supreme Court: Shut Down Unconstitutional Geofence Searches (March 2026)
- NPR: Supreme Court Considers Constitutionality of Geofence Warrants (April 27, 2026)