Seriously Risky Business Newsletter
July 09, 2026
Srsly Risky Biz: Supreme Court Undermines Section 702
Written by
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Sublime Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A new US Supreme Court decision could undermine the flow of Section 702 intelligence collection from Europe.
Section 702 allows the US government to collect intelligence on people outside the US with compelled help from communication service providers and is regarded as the crown jewel of American foreign intelligence collection.
Since 2000, successive data sharing agreements have facilitated transatlantic commerce by allowing the legal transfer of personal data from the EU to the US. Section 702 collection from Europe relies on these data flows and the intelligence program has been at the heart of legal challenges to the data sharing agreements.
The underlying principle on the EU side is that European companies should only be able to transfer data overseas if the recipient country has "essentially equivalent" privacy protections. More than 3,600 US businesses are active in the current data sharing program.
Enter the US Supreme Court which, late last month, ruled that President Donald Trump acted legally when he fired Commissioner Rebecca Slaughter without cause from the notionally independent Federal Trade Commission (FTC).
The court decided that a law that stated commissioners could only be removed for "inefficiency, neglect of duty, or malfeasance in office" was unconstitutional.
As a result of this decision, Austrian privacy advocate Max Schrems, whose legal challenges have resulted in two previous EU-US data sharing agreements being kiboshed, has taken aim at the current agreement, the EU-US Data Privacy Framework (DPF).
Schrems argues that the Supreme Court's decision means "any independent executive authorities in the US are unconstitutional". We never went to law school, but being able to fire people willy-nilly does seem to undermine the idea of an independent body.
The ramifications of the decision for EU-US data transfers are potentially far-reaching.
One underlying requirement of the European Charter of Fundamental Rights is that personal data protections are "subject to control by an independent authority".
The European Commission implementing decision, which effectively endorses the DPF, specifically names the FTC and the US Department of Transport as notional independent authorities.
We'd be hard-pressed to argue that federal US privacy protection law is as strong as Europe's, but since the 2000s the European Commission and the US Government have bent over backwards to devise schemes that facilitate data flows.
This is illustrated by the two governments’ consistent efforts to create new schemes after previous iterations are struck down by European courts. It's a flat circle:
- The US Government and European Commission develop and implement a new data transfer agreement
- Max Schrems challenges the agreement in the Court of Justice for the European Union (CJEU)
- He wins
- The scheme is invalidated, and
- Proceed to step 1
The CJEU invalidated Safe Harbor, the first such scheme, in 2015 and the second, Privacy Shield, in 2020.
The court is particularly concerned about protecting European citizens from US intelligence collection activities. In the Schrems II decision that struck down Privacy Shield, the court noted that European citizens had no way to appeal US Section 702 foreign intelligence collection in an "actionable" way before an independent court.
From the perspective of an American intelligence professional, this is ridiculous. Why should intelligence collection targets have judicial rights of appeal?
Even so, President Joe Biden's administration tried to balance US Signals Intelligence (SIGINT) collection against European human rights protections.
In 2022, President Biden issued Executive Order 14086 on "Enhancing Safeguards For United States Signals Intelligence Activities". The EO defined permitted national security objectives, explicitly ruled out some activities, required that everyone's privacy and civil liberties rights be taken into account, including foreigners, and mandated that intelligence collection be necessary and proportionate to meet a validated intelligence priority.
The EO also set up a review and redress mechanism, the Data Protection Review Court. Although classification issues meant the court was unlikely to provide a complainant with a substantive response, its rulings were binding on the intelligence community.
The latest annual report of the US intelligence community's Office of Civil Liberties, Privacy and Transparency recorded just a single European complaint being made per this EO in 2024
At the time the EO was issued we called it "Kafkaesque, but good". In our view, it wouldn't materially change US intelligence collection practices, but it reinforced that the US and EU had similar underlying principles of what constituted acceptable intelligence collection. From our article on the EO:
The EO explicitly prohibits certain SIGINT activities including suppressing legitimate privacy interests, suppressing dissent or free expression, and disadvantaging persons based on their "ethnicity, race, gender, gender identity, sexual orientation, or religion". It also rules out collection of "foreign private commercial information or trade secrets to afford a competitive advantage to United States companies and United States business sectors commercially."
So much of what is normal for Chinese APTs is explicitly banned! What would their APT crews do if they were banned from targeting Uyghurs, the Hong Kong protest movement and companies for intellectual property theft? They'd have to get new jobs!
We don't think US intelligence collection practices have changed all that much in recent years, but there are good reasons to doubt the Trump administration's commitment to independent oversight.
When it comes to intelligence oversight, President Trump dismissed three Democrat members of the Privacy and Civil Liberties Board (PCLOB) in January 2025, leaving it with just a single Republican member and consequently without a quorum. The PCLOB oversees the Data Protection Review Court and is one of the *ahem* 'independent bodies' that the European Commission cited in its decision to approve the DPF.
Couple the Trump administration's actions with the Supreme Court's recent decision and we can see there might be reasons for concern. Schrems will also argue that this is a constitutional clash: EU treaty law demands independent supervisory authorities but the US constitution now prohibits them.
Not everyone agrees with Schrems' argument, however. Austin Mooney, international privacy and cybersecurity partner at the law firm Dechert in Washington DC, told Seriously Risky Business that he thought that it "seems like a stretch". Mooney says that the FTC's independence was not a central feature of the DFP or even of past efforts to challenge data transfers.
Mooney added that Schrems "has a strong track record" challenging these frameworks, so both European and US companies will be watching closely to see if current data transfer arrangements are once again thrown into disarray.
Another round in the on-again, off-again EU-US data transfer agreement merry-go-round is kicking off.
CSE Tiptoes Out of the Cyber Closet
Canada's signals intelligence agency has taken another step forward in normalising its use of offensive cyber capabilities by making more comprehensive disclosures than ever before in its latest annual report.
According to legislation that defines Communications Security Establishment Canada's (CSE) functions, active cyber operations "degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security". These are also known variously in the Five Eyes as offensive cyber operations or cyber effects.
In this year's annual report CSE details three such operations.
In the first operation, CSE worked with Five Eyes partners and law enforcement against a "notorious" Ransomware-as-a-Service group. Its operation disabled the group's infrastructure and deleted a large amount of stolen data advertised for sale on the dark web.
CSE also conducted operations to disrupt the trade in fentanyl precursors into Canada. The organisation used its foreign intelligence capabilities to locate cybercriminals outside the country who were brokering the sale of precursor chemicals. It then used active cyber operations that "disrupted and diminished their ability to operate".
The report implied that CSE collected intelligence to identify key points of leverage so that this cyber operation could get the most bang for its buck.
In the final case study, CSE tackled a foreign extremist group spreading violent ideology and seeking to recruit Canadians to its cause. CSE says it used its SIGINT capabilities to analyse the group for weaknesses that could be used to disrupt its operations. It says that its cyber operation "successfully undermined the group’s credibility and limited their ability to radicalise and recruit new members".
These case studies sound similar in many ways to other Five Eyes operations. Last year Australia revealed a similar action targeting Russian bulletproof hosting company Zservers. Like CSE's various efforts, Australia's operation involved meticulous research and planning to get the biggest bang for its buck… it wiped Zservers' computers while its employees were out drinking so that the company's incident response would be impeded.
But while the operations themselves appear to share the same meticulous approach, how they are revealed to the public could not be more different.
Starting with its 2023-24 report, the CSE began describing active cyber operations, increasing the level of detail in each subsequent report. That first report noted the organisation had carried out a series of active operations that "helped to tackle cybercrime at its roots".
The sky didn’t fall in, so the 2024-25 report included a bit more information. It said the organisation used active cyber operations to counter a violent extremist organisation, including by "damag[ing] the credibility and influence of key group leaders, reducing their ability to inspire and lead".
By contrast, Australian disclosures have been a bit more colourful, coming to light either in speeches or through the media via feature reports or documentaries. We do love the insights these types of disclosures provide.
But… why can't we have both? The media features that paint a striking picture of impressive, carefully orchestrated takedowns and annual reports that make the operations seem just another part of the daily grind?
Watch James Wilson and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- ClickFix protection comes to the Opera browser: Opera announced it has rolled out protections against ClickFix attacks that compromise users by convincing them to execute malicious code on their own computers by pasting it from the clipboard into a terminal window. Opera's browser will intercept malicious commands and stop them ending up in the clipboard. The uBlock origin ad blocker has also added some rules to stop ClickFix popups.
- CISA gets Mythos: The US cybersecurity agency is using Anthropic's Mythos model to audit government software for vulnerabilities, as reported by Reuters. These audits have already uncovered many vulnerabilities, per Reuters sources. Welcome to the bugpocalyse, CISA!
- Restaffing CISA may be on the cards: Over the last couple of weeks there have been a number of stories indicating that maybe the Trump administration will increase staffing levels at CISA. It's almost as if a once in a lifetime avalanche of AI-discovered vulnerabilities may require more, not fewer, personnel to address.
Sponsor Section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Alex Orleans, Head of Threat Intelligence at Sublime Security, about the increase in email attacks leveraging Zoom invites and other video conferencing tools.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss the growing delta between bugs lots and lots of bugs being discovered and the number of devastating hacks.
Or watch it on YouTube!
From Risky Bulletin:
All new cars to include a camera aimed at the driver's face: All new cars manufactured and sold in the EU and US will have to include a mandatory infrared camera aimed at the driver's face, alarming some privacy groups.
The infrared camera tracks the driver's head position and eye movements and provides an alert when it registers the eyes going off the road.
The new regulation came into effect in the EU on Monday and will start next year in the US. In the EU, the new camera requirement is part of the bloc's second General Safety Regulation (GSR2), a broader swath of new safety rules introduced for the auto industry and designed to improve road safety.
[more on Risky Bulletin]
Android drops PIN guessing limit from 1,800 attempts to 20: Android 17, released last month, has shipped with stricter protections against lockscreen PIN and password guessing attacks.
Google has reduced the maximum number of failed attempts from 1,800 to 20, and the timeouts between failed attempts are now considerably more aggressive.
[more on Risky Bulletin]
FatFs bugs enable physical access attacks on a load of devices: The developers of a lot of industrial gear and smart devices will have their work cut out for them over the coming months and years to deploy protections against a set of newly discovered and unpatched bugs in the FatFs filesystem driver.
The seven bugs, discovered by security firm runZero, can allow an attacker to use a crafted filesystem image to cause a memory corruption that runs malicious code to jailbreak a targeted device.
Devices that use FatFs for their filesystem are all impacted.
[more on Risky Bulletin]