jonathanwestmoreland.com

Signals & Safeguards Issue 3

Written by

Jonathan Westmoreland

in

Issue 3 • Wednesday, April 1, 2026

Signals & Safeguards newsletter masthead

Signals & Safeguards

A concise weekly scan of surveillance, privacy, cybersecurity, and the safeguards public officials should keep in view.

At a Glance

  • ICE courthouse and airport tactics show how opaque rules and selective friction can make legal process itself part of the pressure.
  • Section 702 remains a live leverage point: Congress still has a chance to demand stronger safeguards before renewal.
  • Washington’s new ALPR law shows lawmakers can translate privacy concerns into concrete limits on collection, sharing, and access.

ICE Courthouse Arrests Rested on Authority That Did Not Actually Apply

Federal prosecutors said ICE had relied on 2025 guidance to justify immigration-court arrests even though the memo does not and never did apply there. That matters because the controversy is no longer only about an aggressive enforcement tactic. It is also a warning about what happens when coercive tactics move faster than their legal basis.

Why it matters: when agencies act first and clarify authority later, public trust in courts and legal process erodes. Local officials should pay attention to enforcement systems pushing people into formal settings and then using those settings against them.

Section 702 Renewal Is Becoming a Test of Whether Congress Will Demand Safeguards

House leaders delayed action on Section 702, but the core fight remains the same: whether to extend a powerful surveillance authority without adding stronger protections such as a warrant requirement for searches involving Americans. The most important question is no longer whether the tool continues, but whether Congress will use rare leverage to insist on meaningful friction first.

Why it matters: federal surveillance rules shape the broader privacy environment that local governments inherit. Weak guardrails at the top tend to normalize weaker oversight everywhere else.

A Common Privacy Tool May Push Americans Into a Weaker Surveillance Category

Lawmakers asked DNI Tulsi Gabbard to warn Americans that commercial VPN use may affect how intelligence agencies classify them. That is an unusually stark warning. A tool many people use for privacy may interact with surveillance rules in ways that leave an American outside the category of protections they thought they were gaining.

Why it matters: rights become fragile when ordinary people cannot tell whether a protective behavior actually helps them or quietly pushes them into a weaker legal status.

ICE Testimony in Oregon Describes Arrest Quotas and an “Elite” Targeting App

In rare court testimony, ICE officers described verbal expectations of roughly eight arrests a day and the use of an app called Elite to identify places with a high “immigration nexus.” The combination matters as much as the tool itself: opaque data targeting paired with pressure to produce arrests can turn whole communities into enforcement targets.

Why it matters: data-driven targeting and output pressure are not just federal concerns. They are warning signs any local official should notice when evaluating data-sharing, vendor tools, or joint enforcement relationships.

Washington Puts Real Guardrails on License Plate Readers

Washington enacted statewide ALPR rules that limit collection near sensitive locations, restrict sharing, require audits and transparency, and in some cases require warrants for access to private data. It is a useful reminder that oversight does not have to stay abstract.

Why it matters: the most helpful surveillance stories are not always the most alarming ones. This one shows lawmakers can translate privacy concerns into actual rules on collection, retention, sharing, and access.

Commercial Tracking Can Help Police Identify “Anonymous” Users

Forbes reports investigators used Google cookie and account-linkage data to connect an anonymous account to another account used on the same device. The broader warning is that advertising and convenience infrastructure can quietly become investigative infrastructure.

Why it matters: government surveillance capacity does not depend only on government-built tools. Commercial identifiers often do the linking work first, leaving police to obtain the results later.

A Law in Arizona Would Require Public Approval Before Mass Surveillance Expands

Arizona lawmakers are considering a bill that would require public approval before governments establish mass-surveillance networks and would impose tighter limits on retention and use. Even if it does not pass, it is a useful model because it treats surveillance expansion as something that should need democratic permission up front.

Why it matters: it shows safeguards do not have to remain abstract. Public notice, voter approval, shorter retention, and bright-line limits are all concrete governance choices.

Signals section header

Signals

Early indicators worth tracking

These items are included because they point toward where surveillance systems, data practices, and governance fights may be heading next.

  • Systems sold as safety or convenience can quietly become search tools.
  • Official approvals only matter if they are real, legible, and enforced.

FedRAMP Only Helps if “Authorized” Still Means Secure

ProPublica reports federal reviewers had major doubts about Microsoft’s GCC High cloud service but FedRAMP approved it anyway. The broader concern is not just Microsoft. It is whether approval systems are too weak or too deferential to mean what officials imply they mean.

A Facial-Recognition Lead Can Take on the Weight of Certainty

CNN’s reporting on Angela Lipps’s months-long jail ordeal shows what can happen when an AI-linked identification lead enters a criminal case and institutions fail to slow down. The harm is not only the match itself, but the confidence the system seems to generate around it.

The Pentagon’s Press Fight Is Really About Controlling Unsanctioned Inquiry

A federal judge rejected earlier Pentagon restrictions, but the administration is still pressing a theory that trying to obtain “unauthorized” information can itself be a problem. That is a warning about governments trying to confine all inquiry to officially managed channels.

Health Websites Can Become Disclosure Systems

A federal judge allowed a privacy suit against Baystate Health to proceed after allegations that the hospital’s site shared health-related activity with Meta and Google. The story is a reminder that routine tracking code can become a sensitive-data leak when institutions treat analytics as harmless by default.

AI Is Expanding the Afterlife of Digital Meetings

404 Media’s reporting on WebinarTV suggests some Zoom calls have been recorded and repackaged as AI-generated podcasts. Even when a meeting is technically reachable online, that does not mean participants expect it to be harvested, transformed, and redistributed at scale.

Voter-Registration Data May Be Moving Into the Federal Enforcement Pipeline

NPR reports that Justice Department lawyers told a federal court they plan to share voter-registration data obtained from states with Homeland Security for criminal, immigration, and national-security uses. That is a warning about mission creep: records collected for one civic purpose can become part of a broader enforcement system once they are centralized.

Editorial note: these items are included as forward-looking indicators rather than settled policy conclusions.

Taken together, they suggest a common direction of travel: more hidden linkage, more secondary uses, and more pressure to treat convenience, safety, or administrative efficiency as sufficient justification for collecting and connecting sensitive data.

Safeguards section header

Safeguards

Practical habits that lower risk

The most useful safeguards this week share a common principle: reduce what systems can expose before someone else decides to search them.

  • Carry less sensitive data and assume travel devices can become exposure zones.
  • Use friction on purpose when it reduces the harm from seizure, compromise, or misuse.

Treat Travel Devices Like Temporary Exposure Zones

Travel with as little sensitive data as possible. Use travel-only devices or accounts when you can, disable biometrics, switch to a strong alphanumeric passcode, and power devices fully off before checkpoints. The simplest device-rights lesson is still the strongest one: a device cannot expose what it does not contain.

Recent Cases Show Why That Matters

The Verge reported that travelers returning from a Cuba aid trip had phones seized after secondary inspection. A U.S. consular alert also warns Hong Kong now criminalizes refusal to provide passwords or decryption assistance in some national-security investigations. The practical lesson is simple: device-rights expectations do not travel evenly across borders, airports, or jurisdictions.

Use Higher-Friction Defenses on Purpose

Apple says it is not aware of any successful mercenary-spyware compromise of a device using Lockdown Mode. That does not mean the feature is magic. It does suggest that extra friction can be worth it for high-risk users, and that policy terms like friction, separation, and deliberate limits on access are often safeguards, not inefficiencies.

Harden Personal Accounts Too

The breach of FBI Director Kash Patel’s personal email is a reminder that personal accounts used by senior officials still create public risk. Old emails, photos, and contact trails can carry leverage, targeting value, and reputational damage even when no official material is exposed.

Keep Patching and Inventorying on Purpose

Security leaders warned at RSA that AI is accelerating vulnerability discovery and may widen the gap between attackers and defenders. That makes asset visibility, software inventory, and timely patching more important — not less — in public institutions.

Make Purpose and Retention Rules Visible

Washington’s new ALPR law is a reminder that privacy protection is not only technical. Institutions should publish what they collect, how long they keep it, who can search it, and what activities are off-limits by rule rather than left to assumption.

Bottom Line

The strongest safeguards in this issue all reduce exposure before the moment of search — less data on devices, more friction around access, clearer legal boundaries, and fewer hidden assumptions about what systems can safely collect or connect.

Signals & Safeguards is a living newsletter focused on surveillance, privacy, cybersecurity, and the safeguards public officials should keep in view.

Signals & Safeguards footer graphic with privacy and security tagline

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts