Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,550 words, this briefing is about a 7-minute read.
At a Glance.
- New bill aims to limit airport face scanning.
- NSO Group ordered to pay $170 million for hacking activities.
Senators aim to limit airport face scanning practice.
The news.
Last week, Senators Jeff Merkley and John Neely Kennedy introduced their new bill, the Traveler Privacy Protection Act. With this bill, the senators are looking to make human identity checks the default option at airports and to impose restrictions on how the Transportation Security Administration (TSA) can use facial recognition technology.
Senator Merkley warned that “facial recognition creates a surveillance state” and called it a “massive threat to freedom and privacy here in America.” Senator Merkley continued emphasizing that “I don’t think we should trust any government with that power.”
Senator Kennedy echoed these concerns, stating that “the TSA subjects countless law-abiding Americans to excessive facial recognition screenings as they travel, invading passengers’ privacy without even making it clear that they can opt out of the screening.”
For context, Senator Merkley introduced a similar bill in 2023 that attempted to address this issue. However, that bill was broader in scope as it attempted to ban the use of facial recognition outright.
The knowledge.
TSA’s facial recognition program began in 2021, when the agency started testing it on people enrolled in “trusted traveler” programs like TSA PreCheck. Since then, TSA has expanded the rollout to more than eighty airports, with active plans to extend the technology to more than 400 airports in the coming years.
According to the TSA, the technology improves both the efficiency and the accuracy of the identity verification process. TSA has also emphasized that it does not store or save facial scans once a match is found, except in select cases used to evaluate the technology’s effectiveness.
However, despite these assurances, privacy advocates remain critical. This concern has prompted the Department of Homeland Security (DHS) Office of Inspector General (OIG) to launch an audit of TSA’s biometric practices. When announcing the audit, the OIG said it would determine the extent to which TSA’s facial recognition and identification technologies enhance security screening while still protecting passenger privacy.
Responding to the audit announcement, Senator Merkley stated that:
“I have long sounded the alarm about the TSA’s expanding use of facial recognition because the agency’s stated goal is to mandate this technology for all American air travelers, ending the current opt-out system.”
The privacy concerns surrounding TSA’s facial recognition program are part of a broader push within the federal government to improve national privacy standards. In 2024, lawmakers introduced the American Privacy Rights Act, which would have given consumers the right to opt out of data collection, the right to access collected data, and the right to delete it. Although it failed to pass, the effort was one of the most ambitious and notable attempts to improve domestic privacy policy in two decades.
The impact.
TSA’s facial recognition program sits at the intersection of security, technology, and civil liberties. Given the bipartisan attention and sustained public interest, federal oversight and regulation of biometric tools may become part of a broader legislative push to address the nation’s privacy gaps.
While major policy changes will take time, this renewed focus signals real momentum. American travelers should monitor these efforts both to stay informed of new developments and to understand how their privacy rights are being affected.
NSO ordered to pay $170 million for hacking WhatsApp accounts.
The news.
Last week, a jury in a United States (US) federal court ordered the Israeli spyware company NSO Group to pay WhatsApp and Meta roughly $170 million in damages for its hacking activities. The verdict stems from NSO Group’s 2019 exploitation of WhatsApp’s video calling system to deliver its spyware to around 1,400 users, many of whom were journalists, human rights defenders, and other members of civil society groups.
In a post following the verdict, Meta wrote: “Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone.”
Gil Lainer, the vice president of global communications for NSO Group, responded to the ruling stating “We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies.” Lainer continued that they “will examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal.”
The knowledge.
This ruling marks another major step in addressing NSO Group’s influence and its controversial spyware. Previously, in 2021, NSO Group came under international criticism after reports detailed a leaked list of more than 50,000 phone numbers belonging to people of interest to its clients. Forensic analysis accompanying those reports confirmed that the company’s spyware had been installed on the devices of politicians, business executives, activists, and journalists. Amid the resulting international attention and concern, NSO Group was added to the Commerce Department’s Entity List, which restricts the export, reexport, and in-country transfer of items to the company.
Since then, the US has become increasingly involved in controlling the use of spyware. Beyond sanctioning multiple spyware vendors, former President Biden also signed a joint statement with twenty-two other countries that emphasized the threats posed by the misuse of commercial spyware and the signatories’ commitment to countering it. More specifically, the statement emphasized each nation’s commitment to the following:
- Working to establish robust guardrails and procedures to ensure that any commercial spyware used by governments is consistent with universally accepted human rights.
- Preventing the export of spyware to those who would use it for malicious purposes.
- Improving information sharing on spyware proliferation and misuse.
- Working with industry leaders and civil society groups to inform decisions, raise awareness, and set relevant standards.
- Engaging with other governments to better align policies and enforce stronger export controls.
Alongside growing international pressures, privacy advocates have also heavily criticized the NSO Group. John Scott-Railton, a senior researcher for Citizen Lab, commented on the company’s activities, stating that “NSO makes millions hacking mostly American tech companies…so that dictators can hack dissidents.”
The impact.
This ruling reflects a global reckoning over the unchecked proliferation of commercial spyware. While the judgment does not directly compensate the individual victims of NSO Group’s spyware, it reinforces the precedent that spyware vendors can be held accountable for violating digital rights.
For tech companies, this decision strengthens future efforts to combat spyware misuse. Given how routinely spyware vendors have targeted the platforms of US tech companies, organizations should be aware of these threats and their impacts. By understanding how this spyware operates, organizations can better insulate themselves from illegal hacking efforts and have established processes in place to pursue legal accountability.
For the broader public, this ruling is a reminder of how vulnerable digital infrastructure remains, even for companies with strong end-to-end encryption. Encryption protects messages in transit, but spyware that compromises the device itself can read them after they are decrypted on the handset, which is why WhatsApp’s encryption did not protect the targeted users. Given that NSO Group’s clients have targeted politicians and civic workers alike, people should remain vigilant and continue to take precautions: install software updates promptly (many of these attacks rely on recently patched vulnerabilities), use reputable applications, and watch for phishing attempts. Note, however, that some of this spyware is delivered through zero-click exploits that require no action by the victim, so timely patching and, for people at elevated risk, hardened device settings such as Apple’s Lockdown Mode matter more than spotting a suspicious message.
Highlighting key conversations.
In this week’s Caveat Podcast, our team held its fifth Policy Deep Dive conversation. During this conversation, we looked at the US’s critical infrastructure policies and discussed how these policies were developed, evolved, and changed over the years. We also discussed how these policies are changing under the new administration and the impacts these changes could have on the nation.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
New Hampshire creates a crypto reserve.
What: New Hampshire established a crypto reserve.
Why: Last week, New Hampshire became the first state to establish a state crypto reserve. With H.B. 302 signed into law, the state treasurer may now invest up to five percent of the state’s funds in precious metals and digital assets. Notably, a digital asset qualifies only if its market capitalization exceeds $500 billion, a threshold that at the time of writing only Bitcoin meets.
Other states that have actively pursued establishing a crypto reserve include Arizona, Florida, North Dakota, South Dakota, Montana, Oklahoma, Pennsylvania, and Wyoming. However, none of these states has yet enacted such legislation.
FTC backs DOJ proposal on Google antitrust case.
What: The Federal Trade Commission (FTC) has announced its support for the Department of Justice’s (DOJ) proposed remedies in the Google search antitrust case.
Why: On Friday, the FTC stated that the DOJ’s proposal includes adequate safeguards to protect users’ privacy. The FTC added that increased competition would put more pressure on Google to improve its privacy practices. For context, the DOJ’s proposal is part of a range of remedies the agency is seeking to open up the online search market.
Among those remedies, the DOJ is also proposing that Google be forced to divest its Chrome browser and to end the multi-billion-dollar payments it makes to device makers and browser vendors to ensure that Google is the default search engine.