Today in Surveillance:
- The Pentagon confirmed adversaries are targeting U.S. troops with commercial location data. Ad-tech brokers sell location data harvested from phones and apps on the open market. Enemies are buying it to track soldiers overseas. Senator Wyden says it's time to treat the ad industry as a national security threat.
- The GUARD Act would require government ID or a face scan to use AI chatbots. The Senate Judiciary Committee passed it 22-0. Every American wanting to ask ChatGPT for algebra help would need to hand over their identity first.
- Illinois is racing to pass its Consumer Data Privacy Act before Saturday's deadline. SB 340 cleared the Senate 54-3 with strong data minimization rules and a ban on selling sensitive data. The House has until May 31.
- Louisiana is about to become the 22nd state with a comprehensive privacy law. SB 386 passed unanimously and is on the governor's desk.
- ShinyHunters hit 7-Eleven. 185,000 people exposed after attackers breached the company's Salesforce environment and leaked 9.4 GB of data when 7-Eleven refused to pay the ransom.
- FISA 702 expires in 13 days. Still no Senate deal. The warrant requirement remains the sticking point.
The Ad Industry Is Getting American Troops Killed
The Department of Defense confirmed on May 28 that adversaries have used commercially purchased location data to target and surveil U.S. military personnel deployed overseas. U.S. Central Command told Senator Ron Wyden it had "received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater" [1].
Here's how it works: apps on your phone collect location data. Ad-tech companies buy it. Data brokers package and resell it on the open market: to advertisers, to hedge funds, to anyone with a credit card. Including hostile foreign governments. For soldiers in combat zones, that data reveals patrol routes, safe houses, staging areas, and daily patterns. It can be used to aim missiles, drones, and roadside bombs [1].
This isn't theoretical. As far back as 2016, a U.S. defense contractor used commercially available location data to track special operations forces from their bases in the United States all the way to a sensitive staging post in Syria. More recently, journalists at Wired and two German outlets used billions of coordinates from a single data broker to map the movements of personnel at 11 U.S. military and intelligence sites in Germany [1].
Senator Wyden didn't mince words: it's time to "start treating the adtech industry as a national security threat." He's right. The same data brokers that sell your gym habits to fitness apps are selling soldier locations to whoever's buying. And there is still no federal law that stops them [1].
The irony is thick: the U.S. military has itself purchased location data from brokers without warrants. The same supply chain that lets the government surveil its own citizens is now being used against its own troops.
Want to Use AI? Hand Over Your ID First.
The Senate Judiciary Committee voted 22-0 on April 30 to advance the GUARD Act (Guidelines for User Age-verification and Responsible Dialogue Act), a bill that would require every user of AI chatbot services to verify their identity through government-issued ID, facial scans, or financial records before gaining access [2][3].
Read that again: to ask an AI chatbot for homework help, recipe suggestions, or billing dispute advice, you'd first need to upload your driver's license or submit to a face scan. The bill's sponsors (Republican Josh Hawley and Democrat Richard Blumenthal) framed it as protecting children from harmful AI interactions. The EFF calls it what it is: a surveillance system disguised as child safety [3].
The privacy problems are obvious. Requiring identity-linked verification to access speech tools creates massive databases of who's saying what to AI systems. NetChoice warns these databases become "honeypots" for hackers. And millions of Americans don't have current government ID or major bank accounts: the very verification methods the bill demands [2][3].
The EFF's analysis is blunt: the narrowed "AI companion" definition is still vague enough that customer service chatbots with any emotional responsiveness could trigger the requirements. Penalties jumped from $100,000 to $250,000 per violation, incentivizing companies to block users entirely rather than risk enforcement [3].
The GUARD Act has cleared committee and awaits a full Senate vote. No floor date is scheduled yet. But the direction is clear: in the name of protecting children, Congress wants to know exactly who's talking to every AI system in America.
Illinois Has Until Saturday to Pass a Real Privacy Law
Illinois SB 340, the Consumer Data Privacy Act, passed the Senate 54-3 and is heading to the House with the clock ticking. The legislature adjourns May 31, giving lawmakers roughly 24 hours to act [4].
What makes SB 340 worth watching: it goes beyond the template that most states have copied. The bill creates strong data minimization rules, preventing companies from collecting or using sensitive data (racial or ethnic origin, religious beliefs, biometric identifiers, precise geolocation) unless it's actually necessary to provide the service you requested. It prohibits the sale of sensitive data outright, without requiring consumers to opt out first [4].
Consumer rights include the standards: access, correct, delete, opt out of targeted advertising and data sales. But the sensitive data provisions give it teeth that many state laws lack. If Illinois passes this, it joins BIPA as one of the strongest privacy law states in the country.
If it would take effect January 1, 2027, joining a growing wave of state-level privacy legislation that's accelerating precisely because Congress can't pass a federal law.
Louisiana Becomes the 22nd State with a Privacy Law
Louisiana's SB 386, the Louisiana Data Privacy Act, passed the House unanimously on May 21 and is on Governor Jeff Landry's desk awaiting signature [5].
The law grants consumers the right to access, correct, delete, and port their personal data. They can opt out of targeted advertising, data sales, and profiling. Controllers get 45 days to respond to requests. Enforcement goes to the state Attorney General: no private right of action [5].
Louisiana's bill is largely based on Texas's law but with a distinct $25 million applicability threshold. It takes effect January 1, 2027. It's not the strongest privacy law in the country, but it adds Louisiana to a list that now covers nearly half the U.S. population under some form of state data privacy protection [5].
The federal SECURE Data Act hearing on June 3 will test whether Congress can preempt this patchwork. Until then, states keep filling the gap.
ShinyHunters Hit 7-Eleven: 185,000 People Exposed
7-Eleven confirmed a data breach after ShinyHunters (the same gang behind the Carnival Cruise and Canvas/Instructure breaches) broke into the company's Salesforce environment on April 8 and stole franchisee documents [6].
ShinyHunters claimed 600,000 records. Have I Been Pwned's analysis puts the confirmed number at 185,300 people whose names, dates of birth, email addresses, phone numbers, and physical addresses were exposed. When 7-Eleven refused to pay the ransom, ShinyHunters dumped a 9.4 GB archive on their dark web leak site [6].
This is part of a pattern. ShinyHunters has been systematically targeting Salesforce instances across major organizations since mid-2025, using phishing, third-party integration abuse, and misconfigurations to break in. The FBI advises companies not to pay, warning that payment provides "no guarantee threat actors won't resell stolen data or conduct future extortion" [6].
The ShinyHunters tally for 2026 alone now includes Carnival (6 million), Canvas/Instructure (275 million students), Canada Life (5.6 million), 7-Eleven, and counting. They're not slowing down.
Related: Carnival's 6 Million Passenger Breach | Canada Life: 5.6 Million Records
FISA 702: 13 Days and Counting
Section 702 expires June 12. The Senate still hasn't voted. The clock that was at 14 days yesterday is now at 13.
Nothing has changed since yesterday's briefing. The House passed a 3-year extension 235-191 with a CBDC ban attached. The Senate rejected it. The 45-day extension from April 30 keeps running down. The warrant requirement for FBI searches of Americans' data remains the sticking point [7][8].
EPIC, the Brennan Center, and 5Calls continue pushing for the warrant requirement. The intelligence community continues insisting it would create an "operational gap." If Congress does nothing by June 12, existing surveillance orders stay active until their annual renewal dates, but no new ones can be issued.
New HIPAA Rules: Encryption Mandatory, MFA Required, No More Excuses
The 2026 HIPAA Security Rule update is expected to be finalized this month, and it eliminates the loophole that let healthcare organizations dodge encryption for decades. The "addressable" designation (which let hospitals document why they chose not to encrypt patient data instead of actually encrypting it) is gone. Encryption at rest and in transit is now mandatory [9].
Multi-factor authentication is required for all systems that create, receive, or transmit electronic protected health information. Annual security risk assessments become mandatory. Vulnerability scanning gets specific requirements. The compliance window is 180 to 240 days after publication, putting enforcement deadlines in late 2026 or early 2027 [9].
The timing is pointed. Healthcare breaches have exposed over 301 million records in 2026 alone. NYC Health + Hospitals lost 1.8 million patients' data (including fingerprints and palm prints) after hackers spent three months in their network before anyone noticed. Tampa Bay Dental lost 6,400 records to ransomware. The list goes on [10].
The new rules are overdue. Whether most hospitals can actually meet them is another question entirely.
Related: HIPAA's Breach Epidemic: 301 Million Records | NYC Health + Hospitals: 1.8 Million Patients' Biometrics Stolen
What to Watch
- May 31: Illinois legislature adjournment deadline. SB 340 (the Consumer Data Privacy Act) either passes the House today or dies.
- June 1-3: NICE Conference in National Harbor, MD: law enforcement surveillance technology showcase.
- June 3-4: House Subcommittee hearings on the SECURE Data Act. Federal privacy preemption could override state laws like Vermont's S.71 and Illinois's SB 340.
- June 12: FISA Section 702 expires. The Senate has 13 days left.
- August 1: California's DROP system requires data brokers to process deletion requests every 45 days. Enforcement begins.
References
- TechCrunch: U.S. Says Troops Were Targeted with Location Data, as Senator Warns Ad Industry Is a 'National Security Threat'
- IBTimes: US Senate Advances GUARD Act: AI Chatbot Age Verification
- EFF: Congress Narrowed the GUARD Act, But Serious Problems Remain
- Consumer Reports: Consumer Reports Supports the Illinois Consumer Data Privacy Act
- Lexology: Louisiana to Join US States with Comprehensive Privacy Legislation
- BleepingComputer: 7-Eleven Data Breach Exposes Personal Information of 185,000 People
- Brennan Center: Section 702 of FISA: 2026 Resource Page
- EPIC: FISA Section 702: Reform or Sunset
- Medcurity: 2026 HIPAA Security Rule Update: New Requirements to Prepare For
- TechCrunch: NYC Health + Hospitals Says Hackers Stole Medical Data and Fingerprints During Breach Affecting at Least 1.8 Million People