Today in Surveillance:
- Your WiFi router can now identify you with near-perfect accuracy. Researchers at Germany's Karlsruhe Institute of Technology proved that ordinary WiFi signals bouncing off your body are enough to recognize you: no camera, no phone, no consent. Every router is a potential surveillance device.
- ICE's facial recognition app has been used over 100,000 times. Mobile Fortify lets agents point a phone at anyone in public and instantly search 200 million government images. The ACLU calls it "a marriage made in hell."
- The ACLU says retailers are secretly building a facial recognition dragnet for the government. Stores are scanning your face against "Be On the Look Out" lists, including photos submitted by law enforcement. 17 of 20 major retailers refused to say whether they do it.
- Illinois has until midnight to pass its privacy law. SB 340 cleared the Senate 54-3 with some of the strongest data minimization rules in the country. The House has hours left.
- FISA 702 expires in 12 days. No Senate deal. The warrant requirement remains the sticking point.
- The EU delayed AI surveillance rules by 16 months. High-risk biometric AI systems won't face compliance deadlines until December 2027.
Your WiFi Router Can Identify You. No Camera Needed.
Researchers at the Karlsruhe Institute of Technology (KIT) in Germany have demonstrated that ordinary WiFi signals can identify individual people with near-perfect accuracy, even when they're not carrying a phone. The technique, published at the ACM Conference on Computer and Communications Security, analyzes how radio waves bounce off a person's body to create a unique signature [1].
The system works by reading beamforming feedback information (BFI), the unencrypted signal data that WiFi devices constantly transmit to routers. AI algorithms process how waves reflect off bodies to build identification profiles. In tests with 197 participants, accuracy was nearly 100%, regardless of viewing angle or walking patterns [1].
"By observing radio wave propagation, we can create an image of surroundings and persons present," said Professor Thorsten Strufe. Researcher Julian Todt put it more bluntly: this technology "turns every router into a potential means for surveillance" [1].
Think about that. WiFi networks are in every coffee shop, airport, office building, and home. They're invisible. And now they can pick you out of a crowd without a camera, without your phone, without your knowledge or consent. The researchers warn that people could be identified at public WiFi locations and recognized later by authorities or companies, creating what amounts to "a nearly comprehensive surveillance infrastructure" that already exists [1].
The BFI data used for identification is unencrypted in current WiFi standards. There's no setting to turn it off. There's no opt-out.
ICE Has Scanned 100,000 Faces With a Phone App
Mobile Fortify is a facial recognition app that lets ICE and CBP agents photograph anyone in public and instantly search government databases containing 200 million images. Point the phone. Snap a photo. Get a name, date of birth, and immigration status back in seconds [2].
According to a lawsuit filed by Illinois and the City of Chicago in January 2026, ICE has used Mobile Fortify in the field more than 100,000 times. That's a massive expansion from its original scope: the agency had previously limited facial recognition to ports of entry and child exploitation investigations [2][3].
The databases Mobile Fortify searches include IDENT/HART (DHS's biometric system covering 270 million people), the FBI's National Crime Information Center, interstate driver's license records, travel records, banking data, social media, and license plate reader data. It's a one-stop shop for identity surveillance, accessible from any agent's pocket [2].
The ACLU's analysis is damning: ICE doesn't give people the opportunity to decline or consent to having their faces scanned. Agents treat matches as definitive despite documented accuracy problems, particularly for women and people of color. And photographs of U.S. citizens are retained regardless of whether there's a match [2].
In February 2026, a bipartisan group of lawmakers introduced the "ICE Out of Our Faces Act" to ban ICE and CBP from acquiring and using facial recognition technology. It hasn't moved since. A separate Thompson bill targets Mobile Fortify directly.
Related: ICE's $8.5 Billion Surveillance Arsenal | Wrongful Arrest: Six Months in Jail Over a Face Scan
Your Grocery Store Is Scanning Your Face for the Government
The ACLU published a May 2026 investigation revealing that major retailers are secretly using facial recognition to identify customers, and sharing that data with law enforcement. The system works through "BOLO" (Be On the Look Out) alerts: stores scan every customer's face against watchlists that include photos submitted by police [4].
Wegmans admitted it runs facial recognition "in a small fraction" of stores. Lowe's confirmed it uses the technology. Rite Aid maintained a "persons of interest" database containing tens of thousands of individuals before the FTC forced them to stop. But when the ACLU asked 20 major retailers (Walmart, Kroger, Home Depot, Target, Costco, CVS, and others) whether they scan customer faces, 17 refused to answer [4].
Here's where it gets worse. If enough stores deploy this tech in enough locations, the ACLU warns it becomes "a powerful nationwide government surveillance dragnet," able to locate anyone who walks into a store anywhere in America. The precedent already exists: Flock's automatic license plate reader network, used by local police, has already been tapped by ICE for deportation efforts, prompting a wave of cities to cancel federal access [4].
At least 10 people, nearly all Black, have been wrongfully arrested based on facial recognition errors. One woman in Michigan was ejected from a roller skating rink based on a false match. No due process. No recourse. Just an algorithm that got it wrong [4].
Related: Retailers and Police: The Facial Recognition Pipeline
Illinois Has Hours Left to Pass Its Privacy Law
The Illinois legislature adjourns today, May 31. SB 340, the Consumer Data Privacy Act, passed the Senate 54-3 and needs a House vote before midnight or it dies [5].
What makes SB 340 worth watching: it goes beyond the copy-paste template most states use. The bill creates strong data minimization rules: companies can't collect or use sensitive data (racial origin, religious beliefs, biometrics, precise geolocation) unless it's actually necessary for the service you requested. It bans the sale of sensitive data outright, no opt-out needed [5].
Consumer Reports and privacy advocates are backing it. Industry groups like SIIA are opposing it, calling the data minimization provisions too restrictive. That's usually a sign the law has teeth.
If the House passes SB 340 today, Illinois joins BIPA as one of the most privacy-protective states in the country. If not, it waits until the next session, and the federal SECURE Data Act hearing on June 3 could make state-level efforts irrelevant anyway.
Ten AI-related bills are also racing through the Illinois legislature before today's deadline, including measures on AI-generated content labeling, algorithmic discrimination in hiring, and deepfake protections [6].
The Federal Bill That Could Kill 20 State Privacy Laws
On June 3 (three days from now) the House Energy and Commerce Subcommittee will hold a hearing on the SECURE Data Act (HR 8413), a federal privacy bill introduced on April 22 by Rep. Brett Guthrie (R-KY). The bill would establish a single federal privacy standard for the entire country [7].
The catch: it would preempt every state privacy law on the books. Not as a floor that states can build on, but as an absolute ceiling. Vermont's strong data broker rules? Gone. California's CCPA? Overridden. Illinois's BIPA? Gutted. All 20-plus state privacy laws replaced by one federal standard that the EFF has called "not a serious piece of privacy legislation" [7][8].
The California Privacy Protection Agency sent a letter opposing the bill, warning it would roll back protections that millions of Californians already rely on. Privacy advocates argue the bill prioritizes industry compliance simplification over actual consumer protection [7].
Tuesday's hearing will be the first major public test of whether Congress can (or should) replace the state privacy patchwork with a single federal law. The answer will shape American privacy rights for decades.
Related: Federal Privacy Preemption: The Fight Over State Laws
Google Broke Its Privacy Promise. ICE Got the Bank Records.
In September 2024, Amandla Thomas-Johnson, a Cornell University Ph.D. candidate on a student visa, briefly attended a pro-Palestinian protest. Seven months later, ICE sent Google an administrative subpoena for his data. Google handed it over without telling him, breaking a nearly decade-old promise to notify users before sharing data with law enforcement [9].
The data Google gave ICE: usernames, physical addresses, IP addresses, phone numbers, subscriber identities, credit card numbers, and bank account numbers linked to Thomas-Johnson's account. All because he attended a protest [9].
Google's own policy lists narrow exceptions to user notification: court-issued gag orders, for example. None applied here. ICE merely "requested" that Google not notify Thomas-Johnson. The request wasn't enforceable. Google complied anyway [9].
In April 2026, the EFF filed complaints with the California and New York Attorneys General, asking them to investigate Google for deceptive trade practices. The complaints argue that Google's broken promise undermines the trust of every user who relies on that commitment to challenge unlawful government demands for their data [9].
EU Delays AI Surveillance Rules by 16 Months
The European Union reached a provisional agreement on May 7 to push the AI Act's high-risk compliance deadline from August 2, 2026 to December 2, 2027. That means biometric surveillance systems, border control AI, employment screening algorithms, and law enforcement AI tools all get an extra 16 months before facing mandatory compliance [10].
The reason: the European Commission missed its own February deadline to publish guidelines on what counts as "high-risk." Without clear definitions, companies argued they couldn't comply with rules they didn't understand. The delay also includes a ban on non-consensual sexualized deepfakes [10].
Rules on general-purpose AI models (including large language models) still take effect August 2, 2026 as planned. Penalties for violations of high-risk rules reach up to EUR 15 million or 3% of global turnover [10].
For surveillance tech companies selling facial recognition and biometric systems in Europe, this is a 16-month reprieve. For civil liberties groups, it's 16 more months of unregulated deployment of the same systems they've been fighting to restrict.
FISA 702: 12 Days Left
Section 702 expires June 12. The Senate still hasn't voted. The clock drops to 12 days.
The House passed a 3-year extension 235-191 with a CBDC ban rider. The Senate rejected it. The 45-day extension from April 30 keeps ticking down. Bipartisan reform bills requiring a warrant for FBI searches of Americans' data exist in both chambers, but it's unclear whether congressional leadership will allow them to reach a vote [11][12].
AI is adding new urgency. Lawmakers are reconsidering Section 702's scope as AI makes it dramatically easier to sift through the massive amounts of data collected under the program. The concern: surveillance capabilities that were manageable with human analysts become something else entirely when you point a large language model at them [13].
EPIC, the Brennan Center, and 5Calls continue pushing for the warrant requirement. If Congress does nothing by June 12, existing surveillance orders stay active until their annual renewal dates, but no new ones can be issued.
EFF Publishes Anti-Surveillance Playbook for the Americas
The EFF released "Tackling Arbitrary Digital Surveillance in the Americas" in May 2026, a concrete guide for governments across North and South America to curb state surveillance abuses. The document compiles privacy and data protection standards from the Inter-American Human Rights System into actionable policy recommendations [14].
The EFF's argument: "No actual protection can arise from arbitrary surveillance." When security agencies surveil citizens without legal safeguards, they become the threat they claim to fight. Poor accountability, feeble oversight, and insufficient legal frameworks have led to systematic human rights violations across the Americas [14].
The guide is part of what amounts to an EFF publishing blitz in May 2026: the organization also released analyses of the SECURE Data Act, Canada's Bill C-22 encryption backdoor, age verification as a privacy threat, and a free Signal security guide. Five major privacy publications in a single month [14][15].
New York Passes Facial Recognition Study Act
The New York State Senate passed S3699, the Facial Recognition Technology Study Act, creating a task force to study how facial recognition is used across the state and recommend regulatory frameworks. Senator James Sanders Jr. sponsored the bill, which now heads to the Assembly [16].
The task force will examine privacy concerns, how other jurisdictions regulate the technology, potential for misuse, and how to prepare for future developments. It's not a ban. It's a study. But given that the NYPD updated its facial recognition policy as recently as February 2026, and over 20 jurisdictions nationwide have already banned police use of the technology, the fact that New York is still at the "let's study it" stage says a lot about the gap between surveillance deployment and oversight [16].
Related: The States Are Moving: New York, Virginia, and the Race to Regulate Facial Recognition
What to Watch
- Today, May 31: Illinois legislature adjourns. SB 340 and 10 AI bills either pass the House today or die.
- June 3: House Subcommittee hearing on the SECURE Data Act (HR 8413). Federal privacy preemption could override every state privacy law in America.
- June 12: FISA Section 702 expires. The Senate has 12 days left to act.
- June 30: T-Mobile breach monitoring enrollment deadline.
- July 1: Virginia's facial recognition law takes effect. Connecticut, Arkansas, and Utah privacy law amendments kick in.
- August 2: EU AI Act general-purpose AI rules apply. High-risk rules now delayed to December 2027.
References
- ScienceDaily: Ordinary WiFi Can Now Identify People With Near Perfect Accuracy
- ACLU: Face Recognition and the 'Trump Terror': A Marriage Made in Hell
- NPR: ICE Has Spun a Massive Surveillance Web
- ACLU: Retailers Secretively Using Face Recognition to Spot "Persons of Interest": Including For the Government
- Consumer Reports: Consumer Reports Supports the Illinois Consumer Data Privacy Act
- Transparency Coalition: Ten AI Bills Advancing in Illinois as Adjournment Looms
- Congress.gov: H.R.8413: SECURE Data Act
- EFF: The SECURE Data Act is Not a Serious Piece of Privacy Legislation
- EFF: Google Broke Its Promise to Me. Now ICE Has My Data.
- Biometric Update: EU Pushes AI Act Deadlines for High-Risk Systems, Including Biometrics
- Brennan Center: Section 702 of FISA: 2026 Resource Page
- EPIC: FISA Section 702: Reform or Sunset
- NBC News: AI Is Making It Very Easy for the Government to Spy on You
- EFF: We Must Not Normalize Digital Surveillance Abuses
- EFF: Free Signal Guide
- NYSenate.gov: Passage of Facial Recognition Technology Study Act