Sunday, November 30, 2025. The week between Thanksgiving and December always feels weird. But the surveillance state didn't take a holiday.

While you were shopping Black Friday deals, retailers were building your behavioral profile. While you flew home for Thanksgiving, TSA's AI was memorizing your face. While you tested ChatGPT's new features, hackers were stealing API user data.

Here's everything that went down in surveillance this week.

OpenAI's "Limited" Data Breach That Wasn't So Limited

Wednesday, November 27 - OpenAI sent breach notifications to all API users, finally admitting what happened on November 9th when hackers compromised their analytics vendor Mixpanel through an SMS phishing attack [1].

What leaked:

  • Names and email addresses
  • Approximate location (city/state)
  • Browser and OS details
  • Organization IDs
  • Referring websites

OpenAI swears ChatGPT conversations are safe. They terminated Mixpanel immediately. But here's the thing—they knew about this November 9th, Mixpanel told them November 25th, and they notified users November 27th. That's 18 days of silence.

The kicker? This "limited analytics data" is exactly what phishing campaigns need. Expect targeted attacks using your OpenAI usage patterns.

Your move: Enable 2FA everywhere. Watch for emails mentioning your specific API usage. They're coming.

TSA's Thanksgiving Face Harvest

November 25-30 - TSA screened 17.8 million travelers during Thanksgiving week. Over 3 million passed through checkpoints today alone [2]. And most had their faces scanned.

The numbers:

  • 80+ airports now have facial recognition
  • 250 airports have CAT-2 biometric units
  • 15 major hubs running PreCheck Touchless ID
  • 400 airports planned by 2026

They say it's voluntary. Try opting out during holiday rush with 500 people behind you. See how "voluntary" that feels.

DHS Inspector General is investigating after senators demanded answers about TSA's biometric expansion. Too late. The infrastructure's already built.

Reality check: Starting May 7, 2025, you need Real ID to fly domestic. That's your face in a federal database forever. The "voluntary" phase is ending.

Black Friday: The Annual Surveillance Olympics

Friday, November 29 - Record-breaking retail traffic met record-breaking surveillance. Every major retailer deployed their full tracking arsenal [3].

What tracked you:

  • Smart mirrors analyzed 1.3 billion fitting room sessions
  • Facial recognition flagged "known offenders"
  • Bluetooth beacons tracked store navigation
  • WiFi sniffers grabbed phone MAC addresses
  • AI cameras analyzed emotional states

One study found 75% of consumers won't shop where facial recognition is used for marketing. Drops to 55% if they get good discounts. That's all retailers needed to hear.

The nightmare stat: Facial biometrics can't be changed if compromised. When (not if) these retail databases leak, you can't get a new face.

The defense: Cash only. Hat and mask. No store apps. No loyalty cards. Or shop online with privacy tools.

EU's Chat Control: Encryption's Death by Compromise

Tuesday, November 26 - EU member states agreed on "Chat Control" regulation after removing mandatory message scanning. Privacy advocates aren't celebrating [4].

What survived the cuts:

  • "Voluntary" scanning frameworks
  • Pressure on platforms to monitor
  • Infrastructure for mass surveillance
  • Precedent for breaking encryption

This affects 450 million Europeans. Every WhatsApp message. Every Signal chat. Every encrypted email. The infrastructure for scanning is being built even if it's not mandatory. Yet.

European privacy groups call it "surveillance capability waiting for activation." One legislative flip and it's mandatory.

The pattern: Build the infrastructure voluntarily. Wait for crisis. Make it mandatory. We've seen this movie before.

The Week in Breaches

Iberia Airlines Joins the Club

Friday, November 29 - Spanish flag carrier Iberia disclosed a breach. Threat actors claim 596GB of data including editable booking systems [5]. That's passport numbers, payment cards, travel histories.

Israeli Nursing Homes Under Attack

Thursday, November 28 - Israel's National Cyber Directorate confirmed multiple nursing facilities compromised [6]. Medical records, medication schedules, resident information exposed.

Healthcare ransomware during wartime. There's no bottom anymore.

Chicago Mercantile Exchange "Cooling Failure"

Thursday, November 28 - As gold hit $4,186 and silver approached $54, CME's data center had a "cooling system failure" [7]. Trading continued but systems went dark for hours.

Cooling failure during the biggest commodity moves in years. Sure. Nothing suspicious there.

Government AI Expansion

IRS Gets Salesforce AI Agents

Sunday, November 24 - IRS is deploying Agentforce across its Chief Counsel, Taxpayer Advocate, and Appeals divisions [8]. This comes after cutting 25% of its human workforce.

AI reviewing your tax appeals. AI handling taxpayer advocacy. AI making audit decisions. What could go wrong?

India's Data Protection Rules Go Live

Monday, November 25 - India activated Digital Personal Data Protection Rules affecting 1.4 billion people [9]. Sounds good until you read the government exemptions.

National security exemption. Law enforcement exemption. "Public order" exemption. It's privacy theater with backdoors wide enough to drive a truck through.

Airport Surveillance Escalation

London Heathrow's New Toys

British Transport Police confirmed they're testing:

  • Gait recognition (identifies you by walking pattern)
  • Behavioral analytics (flags "suspicious" movement)
  • Emotion detection (scans for anxiety/stress)
  • Crowd density prediction

All this for a "6-month pilot." Pilots that never end.

Pre-Crime Shopping Detection

Major retailers are now using AI to detect "theft intent" before anything happens:

  • Body language analysis
  • Path prediction algorithms
  • Group behavior monitoring
  • "Suspicious" product interaction

You looked at expensive items too long? Flagged. Walked an "unusual" path? Flagged. Shopping with friends? Group threat assessment initiated.

This Week's Resistance Wins

Privacy Groups Force Disclosure

EFF and ACLU FOIA requests revealed:

  • ICE has been using Mobile Fortify at protests (confirmed)
  • FBI drone program details (partially released)
  • Local police Stingray usage logs (fighting release)

Bipartisan Pushback on TSA

Senators from both parties demanded a TSA biometric audit. It won't stop deployment, but it forces transparency.

Illinois BIPA Lawsuits Expand

Three more retailers hit with Biometric Information Privacy Act suits. Settlements forcing policy changes nationwide.

What's Coming Next Week

December 1-7 Preview:

  • Congress returns Monday - surveillance bills pending
  • UK digital ID framework announcement expected
  • Meta's privacy settlement distribution begins
  • Real ID enforcement updates likely
  • Holiday shopping surveillance ramps up

Immediate Actions

Do this week:

  1. Audit your AI accounts - Check what you've shared with ChatGPT, Claude, Gemini
  2. Black Friday cleanup - Delete store apps you downloaded for deals
  3. Travel data request - File FOIA with TSA for your biometric records
  4. Enable 2FA - Especially on accounts linked to breached services
  5. Cash December - Try one week of cash-only purchases. See what breaks.

The Pattern

Every week it's the same trajectory:

  • New surveillance capability announced
  • Data breach proves why it's dangerous
  • Government expands collection anyway
  • Retailers monetize the technology
  • Privacy groups document abuse
  • Nothing changes except the scale

We're not sliding toward a surveillance state. We're already there. The question is what we do about it.

This week proved again: They're not asking permission. They're building infrastructure. By the time you notice, it's too late to opt out.

Your face at the airport. Your conversations with AI. Your shopping patterns. Your location history. All collected, correlated, monetized, and weaponized.

The surveillance state took Thanksgiving off?

No. It spent the holiday scanning 17.8 million faces and calling it convenience.


References

  1. OpenAI Mixpanel Breach Notification, November 27, 2025
  2. TSA Thanksgiving Travel Statistics, November 30, 2025
  3. "Facial Recognition in Retail Security," Multiple sources, November 2025
  4. EU Chat Control Regulation Agreement, November 26, 2025
  5. Iberia Airlines Breach Disclosure, November 29, 2025
  6. Israeli National Cyber Directorate Alert, November 28, 2025
  7. CME Data Center Incident Report, November 28, 2025
  8. IRS Agentforce Implementation, Axios, November 24, 2025
  9. India Digital Personal Data Protection Rules, November 25, 2025