Facial Recognition Expands as Data Liabilities Harden
Yesterday did not bring a sweeping new privacy rule, but it did bring several concrete moves with real operating consequences. Police use of biometric tools moved further into ordinary public-order policing in the UK, Alberta pushed its voter-data leak fight deeper into court, and breach fallout kept turning into settlement dollars and new security work.
What moved most was surveillance governance. The Metropolitan Police said live facial recognition used during major London protest policing led to three arrests of people wanted for failing to appear in court. In the U.S., Troy, New York moved ahead with a proposal to limit automated license-plate reader use, restrict sharing, require 48-hour deletion in most cases, and publish annual reports. These tools are becoming more routine, and local governments are increasingly trying to add retention and accountability rules after deployment.
Alberta also kept exposing a weak point in political-data governance. Elections Alberta obtained an injunction ordering the removal of an online database that authorities said matched a voter list previously provided to the Republican Party, and it is seeking permanent destruction of copied records. Other provinces said they are watching the case and reviewing their own approaches, which gives this dispute significance beyond one leak.
On the commercial side, Fidelity agreed to a $2.5 million class settlement over its 2024 breach, with court approval still pending, a reminder that incidents involving Social Security numbers, driver's license data, and bank information keep generating costs long after disclosure. Separately, researchers said the Tycoon2FA phishing kit has returned with a device-code method that can capture valid Microsoft 365 OAuth tokens even when users complete MFA, putting renewed pressure on identity teams to review device-code settings and sign-in monitoring.
Key Points
- Met Police said live facial recognition at London protests produced three arrests of people wanted for failing to appear in court.
- Troy, New York is considering ALPR limits including restricted sharing, 48-hour deletion, annual reporting, and query logs.
- Elections Alberta won an injunction to remove an online voter database and is seeking destruction of copied voter-list records.
- Fidelity agreed to a $2.5 million settlement over its 2024 breach, pending court approval.
- Tycoon2FA resumed device-code phishing against Microsoft 365, using OAuth tokens to sidestep normal MFA expectations.
Implications
Biometric and vehicle-tracking systems are becoming harder to treat as exceptional policing tools, raising the importance of retention limits, access controls, and audit trails.
The Alberta case increases pressure to tighten privacy rules around political-party data, which still sits outside many of the controls applied to commercial organizations.
For Microsoft 365 users, identity workflows themselves remain a material privacy and breach exposure point, not just password or MFA settings.
Things to watch
- Whether Alberta's investigations lead to narrower political-party access to province-wide voter lists or other legislative changes.
- Whether Troy passes its ALPR restrictions and whether similar retention and transparency rules spread to other cities using Flock systems.
- How widely enterprises respond to device-code phishing by disabling or restricting the OAuth device authorization flow.
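The sign-in monitoring raised above for device-code phishing could start with a check like the one below. It is an added example, not code from the researchers or from any vendor named on this page. The log field names are modelled on Microsoft Entra sign-in exports and, like the allow-list and the sample records, are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample export, one JSON record per line. Field names are modelled on
# Microsoft Entra sign-in logs and are assumptions; map them to your own schema.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T09:02:11Z","userPrincipalName":"kiosk01@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.10","errorCode":0}
{"createdDateTime":"2025-01-10T09:05:40Z","userPrincipalName":"a.finance@example.com","authenticationProtocol":"oAuth2","ipAddress":"198.51.100.22","errorCode":0}
{"createdDateTime":"2025-01-10T09:17:03Z","userPrincipalName":"a.finance@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","errorCode":0}
{"createdDateTime":"2025-01-10T09:31:55Z","userPrincipalName":"b.hr@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.77","errorCode":1}
not-json line left in the export
"""
APPROVED = {"kiosk01@example.com"}  # hypothetical accounts allowed to use device code

def parse(log_text):
    """Return (records, skipped_line_count) from JSON-lines text."""
    records, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped

def review_device_code(records, approved=APPROVED):
    """Flag device-code sign-ins by accounts not approved for that flow."""
    findings = []
    for r in records:
        user = r.get("userPrincipalName", "").lower()
        if r.get("authenticationProtocol") != "deviceCode" or user in approved:
            continue
        # errorCode 0: sign-in succeeded, so tokens were issued; otherwise it failed.
        severity = "high" if r.get("errorCode") == 0 else "review"
        findings.append({"time": r.get("createdDateTime"), "user": user,
                         "ip": r.get("ipAddress"), "severity": severity})
    return findings

def shared_sources(findings):
    """Source IPs appearing in flagged sign-ins for more than one account."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    flagged = review_device_code(recs)
    print(*flagged, sep="\n")
    print("shared sources:", shared_sources(flagged), "| skipped lines:", bad)
```

A successful device-code sign-in by an account outside the allow-list is the case to triage first, since tokens were issued regardless of whether MFA was completed.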
