Today in Surveillance:
- ICE's iris-scanning budget just quintupled. A $25.1 million sole-source contract puts 1,570 handheld iris scanners in agents' hands, connected to a private database of 5+ million booking records from 47 states. No FedRAMP clearance. No congressional notification. No independent audit.
- Carnival Cruise confirmed ShinyHunters breached nearly 6 million passengers. Passport numbers, driver's licenses, dates of birth, stolen after a social engineering attack on a single employee. Notifications started May 28, seven weeks after discovery.
- London's Met Police are celebrating permanent facial recognition cameras. A six-month Croydon pilot scanned 470,000 faces, made 173 arrests, and cut crime 10.5%. They want to expand citywide.
- Vermont passed a comprehensive data privacy law. S.71 sailed through 29-0 in the Senate and 129-3 in the House. It bans geofencing near health facilities, prohibits selling health data without consent, and takes effect July 1.
- Disney faces a $5 million class-action lawsuit. Disneyland introduced facial recognition at park entrances in April without adequate disclosure. Now visitors (including children) are suing.
- FISA 702 expires in 14 days. Still no Senate deal. The warrant requirement remains the sticking point.
ICE's Iris-Scanning Budget Just Quintupled to $25.1 Million
Eight months ago, ICE signed its first contract with BI2 Technologies for $4.6 million. On May 22, the agency awarded the Massachusetts-based, venture capital-backed company a sole-source follow-up worth $25.1 million, more than five times the original deal [1][2].
What $25.1 million buys: 1,570 wireless handheld iris-scanning devices for field agents. Each device is multimodal. It combines iris, fingerprint, and facial recognition in one unit. They connect wirelessly to BI2's Inmate Identification and Recognition System, a private database containing over 5 million booking records from 47 states, including arrest and incarceration data [1][2].
The system is also compatible with driver's license databases, vehicle plate records, AFIS fingerprint systems, and sex offender registries. DHS justified the sole-source award by arguing that BI2's technology "has been certified by the FBI" and that the multimodal approach means the system stays operational "if one sensor, such as iris recognition, is compromised" [2].
Here's what's missing: no FedRAMP authorization, no congressional notification, no independent audit of how the data gets stored, shared, or deleted. DHS only required BI2 to submit a draft security plan. The DHS Office of Inspector General launched a probe in February examining the agency's biometric data practices, but the contract was awarded before the probe concluded [2].
House Democrats introduced legislation in January to restrict mobile biometric apps outside ports of entry. It hasn't moved. Meanwhile, 1,570 iris scanners are shipping to agents nationwide within 30 days [1].
Related: ICE's Iris Scanning Empire: 5 Million Records and Growing
Carnival Cruise Tells 6 Million Passengers Their Data Was Stolen
Carnival Corporation (the world's largest cruise operator) started notifying 5,995,277 customers on May 28 that the ShinyHunters cybercrime gang stole their personal data in an April 10 breach [3].
How it happened: a social engineering attack on a single employee. One person got tricked, and the attackers gained access to a portion of Carnival's IT systems. By the time the company's security team noticed on April 14, the damage was done. By April 22, forensic investigators confirmed data had been exfiltrated [3].
What was taken varies by victim, but the stolen data includes names, dates of birth, email addresses, phone numbers, home addresses, driver's license numbers, passport numbers, and Mariner Society loyalty program details from Carnival's Holland America subsidiary [3].
ShinyHunters (the same group behind the Canvas/Instructure breach that hit 275 million students) claims the haul is even bigger: over 8.7 million records plus terabytes of internal corporate data. Carnival hasn't confirmed or denied that number [3].
Seven weeks passed between discovery and notification. Carnival is offering affected U.S. residents two years of credit monitoring through TransUnion. Cold comfort when your passport number is already on a darknet marketplace.
Related: Carnival Corporation: ShinyHunters' 8.7 Million Record Breach
London Cops Installed Permanent Facial Recognition Cameras. They're Thrilled With the Results.
The Metropolitan Police ran a six-month pilot of permanently installed live facial recognition cameras in Croydon from October 2025 to March 2026. Unlike previous deployments using mobile vans, these cameras were bolted onto lampposts and buildings, always watching, always scanning [4].
The numbers the Met wants you to see: 173 arrests across 24 operations. One arrest every 35 minutes. Crime in the area dropped 10.5% compared to the same period a year earlier. Suspects arrested included people wanted for kidnap, rape, and serious sexual assault. Over 60% had committed offenses in Croydon [4].
The numbers they're less eager to discuss: the system scanned 470,000 faces during the pilot using NEC Corporation's Neoface algorithm. One false alert was recorded, with no wrongful arrests, but that metric only counts confirmed errors, not the chilling effect on 470,000 people who were scanned without consent [4].
Community worker Shaun Thompson was misidentified by the Met's facial recognition system in 2024 and detained. Advocacy groups describe the technology as "stop and search on steroids." An April 2026 High Court ruling allowed the Met to continue expanding the program despite legal challenges [4].
The Met's direction is clear: what started as van-mounted trials has become fixed infrastructure. Permanent cameras. Permanent surveillance. And they want more of it.
Related: Croydon's Facial Recognition Pilot | Met Police Handheld Facial Recognition Pilot
Vermont Just Passed a Real Data Privacy Law
Vermont's legislature passed S.71, "An act relating to consumer data privacy and online surveillance," with overwhelming margins: 29-0 in the Senate and 129-3 in the House on May 26 [5].
What makes this one worth watching: it actually has teeth. The bill requires businesses to collect only data that is "reasonably necessary." It mandates consumer consent for processing sensitive data. It requires clear privacy notices explaining what gets collected and how it's used. Consumers get the right to access, correct, delete, and opt out of targeted advertising and data sales [5].
The health data provisions go further than most state laws. S.71 prohibits geofencing near health facilities, meaning companies can't build invisible perimeters around hospitals, clinics, or pharmacies to harvest location data from visitors. It bans selling consumer health data without explicit consent [5].
The law takes effect July 1, 2026. That's fast. Vermont joins a growing patchwork of state privacy laws stepping into the gap left by Congress's failure to pass federal legislation. The SECURE Data Act hearings June 3-4 will test whether federal preemption (which would override state laws like this one) has enough support to move forward.
Related: Vermont's Data Broker Delete Act
Disney Gets Sued Over Biometric Scans at the Happiest Place on Earth
A class-action lawsuit filed against The Walt Disney Co. alleges that Disneyland and Disney California Adventure Park are using facial recognition at park entrances without adequate disclosure or consent [6].
Disney introduced the biometric entry system in April 2026 to verify tickets by comparing visitors' faces against photos taken when they first activated their tickets or annual passes. The lead plaintiff, Summer Christine Duffield of Riverside County, California, visited in May and is seeking at least $5 million in damages [6].
The lawsuit targets a gap in California's privacy protections. Unlike Illinois's Biometric Information Privacy Act (BIPA), which explicitly covers facial recognition and provides a private right of action, California's biometric protections are scattered across multiple statutes. The plaintiffs argue Disney should have obtained written consent before scanning adults and children at what it markets as a family destination [6].
Disney hasn't publicly responded to the lawsuit.
Related: Disney Facial Recognition: The Class Action Lawsuit | Disneyland's Biometric Entry System
FISA 702: 14 Days and Counting
Section 702 expires June 12. The Senate hasn't voted. The clock that was at 15 days yesterday is now at 14.
Nothing has changed since yesterday's briefing except the calendar. The House passed a 3-year extension 235-191 with a CBDC ban attached. The Senate rejected it. The 45-day extension from April 30 keeps running down. The warrant requirement for FBI searches of Americans' data (the core issue) remains unresolved [7][8].
EPIC, the Brennan Center, and 5Calls continue pushing the warrant requirement. The intelligence community continues insisting it would create an "operational gap." If Congress does nothing by June 12, existing surveillance orders continue until their annual renewal dates, but no new ones can be issued.
SECURE Data Act hearings are scheduled for June 3-4. The privacy debate is about to get louder.
EFF Publishes a Blueprint for Fighting Surveillance in the Americas
On May 18, the EFF released "Tackling Arbitrary Digital Surveillance in the Americas," a guide that compiles privacy and data protection guarantees from the Inter-American Human Rights System into actionable recommendations for governments across Latin America and the Caribbean [9].
The guide calls for prior judicial authorization for all digital surveillance, detailed operational records, independent civilian oversight with technical expertise, and the right to be notified when your data is accessed. It names the root problem directly: "poor accountability, feeble control mechanisms, and insufficient legal frameworks have led to systematic human rights violations in the Americas, with no consistent remedy or reparation to victims" [9].
Most Latin American states have ratified the American Convention on Human Rights, making these protections binding international obligations, not suggestions. The EFF's framing is deliberate: governments aren't being asked to adopt new standards, they're being reminded to enforce the ones they already signed.
This is the fifth major piece in what's been an unprecedented publishing blitz from the EFF in May 2026. They've also published takedowns of the SECURE Data Act, Canada's Bill C-22, age verification laws, and Meta's Instagram encryption removal. When the EFF publishes five alarms in one month, the fire is real.
What to Watch
- June 1-3: NICE Conference in National Harbor, MD: law enforcement surveillance technology showcase.
- June 3-4: House Subcommittee hearings on the SECURE Data Act. Federal privacy preemption could override state laws like Vermont's S.71.
- June 12: FISA Section 702 expires. The Senate has 14 days left.
- June 30: T-Mobile March 2026 breach credit monitoring enrollment deadline. Last chance to sign up if your data was exposed.
- July 1: Vermont's S.71 data privacy law takes effect. Virginia's facial recognition accuracy law also kicks in, requiring 98% accuracy and NIST evaluation for police use.
References
- NPR: ICE Is Spending Millions of Dollars on Iris Scanners, Expanding Its Arsenal of Tech Tools
- FedScoop: ICE to Spend $25M on Iris Recognition Technology
- BleepingComputer: Carnival Cruise Confirms Data Breach Affecting Nearly 6 Million People
- Biometric Update: Met Police Tout Arrests, Crime Drop From Permanent LFR Camera Pilot
- WCAX: Vermont Data Privacy Bill Moves Closer to Becoming Law
- Engadget: Disney Faces a Class Action Lawsuit Over Facial Recognition Tech
- Brennan Center: Section 702 of the Foreign Intelligence Surveillance Act
- EPIC: FISA Section 702: Reform or Sunset
- EFF: We Must Not Normalize Digital Surveillance Abuses