Google released an AI agent that can act for you while your device is off. Google’s onboarding shows how to configure it to spend your money without asking.
PickBits Daily Signal · Wednesday, May 20, 2026
// tl;dr
Google’s Gemini Spark goes live today for Google AI Ultra subscribers. It runs 24/7 in Google’s cloud, whether your phone is on or off. The beta onboarding screen flat-out warned that the agent “may do things like share your info or make purchases without asking”; Google replaced that language at launch with the Agent Payments Protocol, a per-transaction approval framework now backed by Mastercard, PayPal, Coinbase, Intuit, and roughly 60 partners. The price of Google AI Ultra dropped from $250 to $100 a month on the same day.
A contractor for the Cybersecurity and Infrastructure Security Agency left admin keys to three AWS GovCloud servers in a public GitHub repo for six months. KrebsOnSecurity reported Monday that the repo, named “Private-CISA,” also contained a CSV file with plaintext usernames and passwords to dozens of internal systems, JFrog artifactory credentials, and internal CISA/DHS tokens. GitGuardian flagged it. The AWS keys remained valid for 48 hours after the agency was notified. The contractor had issued explicit commands to disable GitHub’s built-in secrets detection.
Maine’s statewide data center pause died on Governor Mills’s veto in April. Today, the towns are stitching their own patchwork together, and Cave City, Kentucky, holds its final vote tonight at 5 p.m. Sanford, Maine, passed a 91-day pause first. Westbrook and Brunswick have local moratoriums advancing (Brunswick public hearing June 1). At least four Maine cities are now considering it. Cave City would be the first Kentucky city to ban data center permits for a year; the first reading passed 4-1 on Monday.
The FBI issued a fresh warning Monday that AI voice clones have already cost elderly Americans about $2.3 billion in 2026. Hiya’s “State of the Call” report puts one in four Americans on the receiving end of a deepfake voice call in the past twelve months; another 24 percent are not sure they could tell. A workable voice clone now takes about 20 seconds of audio, often pulled from a voicemail, a social-media reel, or a recorded call.
This week, the consumer-AI surface visibly changes. Google’s Gemini Spark agent ships to its top-tier subscribers and runs in the cloud whether your laptop is open or asleep. The same day, Google cut the Ultra price from $250 to $100 a month to boost uptake. Two states down the coast, the Maine experiment showed what happens when a state-level data-center pause loses on a veto: the towns picked up the work. A city in Kentucky is about to make the same move tonight. In Menlo Park, Meta finally started the layoffs it announced last month, and a leaked internal memo named the unit that would be hit hardest (recruiting, the team that hires people). The FBI added a number to a story everyone already knew: AI voice clones have already taken about $2.3 billion from elderly Americans this year. And in Arlington, the federal agency whose entire job is telling US organizations how to lock down their cloud got caught leaving admin keys to three of its own GovCloud servers in a public GitHub repo for six months.
Google put an autonomous agent in the cloud for paying subscribers, four Maine towns started doing what their state legislature could not, the FBI put a $2.3 billion price tag on the calls grandparents have been getting, and CISA’s own GovCloud admin keys turned up in a public GitHub repo with secrets-detection turned off.
1. Google released an AI agent that can act for you while your device is off. Google’s own onboarding warned it might spend your money without asking.
Consumer-AI capability shift.
At Google I/O on Tuesday, May 19, Google unveiled Gemini Spark, a personal AI agent that runs on Google Cloud virtual machines around the clock, drafting your email, watching your inbox, building your documents, and (eventually) buying things on your behalf. It does not need your device to be on.
It started rolling out to Google AI Ultra subscribers in the US, and in the same announcement Google cut the price of Ultra from $250 to $100 per month.
Spark runs on the new Gemini 3.5 Flash model (Google’s claim: four times faster than comparable top-tier AI models, at less than half the cost) inside the new agentic platform Google calls Antigravity 2.0. A more powerful Gemini 3.5 Pro is expected in June.
The interesting thing is what Google said about the risk. The pre-launch onboarding screen, captured by testers two weeks ago, warned in plain text that Spark “may do things like share your info or make purchases without asking” and asked users to supervise it. By launch, the warning had been replaced with the Agent Payments Protocol (AP2), an open spec Google released with about 60 partner companies, including Mastercard, American Express, PayPal, Coinbase, Adyen, Intuit, Salesforce, ServiceNow, and Worldpay. AP2 uses cryptographically signed “mandates” to record what the user authorized; the production version of Spark requires per-transaction approval before it spends money.
Why this matters: If you sign up for Google AI Ultra this week, an AI agent will start reading your Gmail and Calendar on a Google server you do not control. The day-to-day question is not “is it impressive?” (It is.) The day-to-day question is “what does it do when you are asleep, and what counts as approval for the next purchase?”
Action this week: If you are an individual user, visit myaccount.google.com/data-and-privacy to see which Google Workspace data Gemini is allowed to read before opting in. If you have a work Google account, open Workspace Admin and find the “AI features” policy; decide before someone on your team turns Spark on with their company calendar attached. If you are an architect for a vendor that touches a Google Workspace customer, read the AP2 spec at cloud.google.com/blog/products/ai-machine-learning/announcing-agents-to-payments-ap2-protocol; the cryptographic mandate model is going to land in your auth flow whether or not you ship a Spark integration.
2. The agency that tells you how to lock down your cloud just got caught with admin keys to three of its own GovCloud servers in a public GitHub repo. The keys stayed valid for 48 hours after Krebs called.
Cybersecurity incident, federal.
On Monday, May 18, KrebsOnSecurity reported that a contractor for the Cybersecurity and Infrastructure Security Agency (CISA), employed by Nightwing (a government contractor based in Dulles, Virginia), left a public GitHub repository named “Private-CISA” exposing administrative credentials to three AWS GovCloud servers. The repo was created on November 13, 2025. It sat public for roughly six months. Inside: a file called importantAWStokens with admin keys to three CISA AWS GovCloud servers, an AWS-Workspace-Firefox-Passwords.csv with plaintext usernames and passwords for dozens of internal systems (including the landing-zone DevSecOps environment LZ-DSO), JFrog artifactory credentials, internal CISA and DHS tokens, and logs.
The discovery came from outside. Guillaume Valadon, a researcher at GitGuardian (which scans public code repositories for exposed secrets as a service), flagged the repo to Krebs on May 15. Krebs notified CISA.
CISA’s official statement reads: “Currently, there is no indication that any sensitive data was compromised as a result of this incident.” The AWS keys inexplicably remained valid for another 48 hours after that notification. The detail that lands hardest is buried in Valadon’s quote: the repo contained “passwords stored in plain text in a CSV, backups in git, explicit commands to disable GitHub secrets detection feature.”
Someone actively turned off the default guardrail. Philippe Caturegli of Seralys validated the credentials and warned that access to the artifactory alone is a software-supply-chain risk.
Why this matters: CISA is the federal agency whose entire job is telling US organizations, including yours, how to lock down their cloud. If the contractor running CISA’s own GovCloud landing zone could leave admin keys in a public repo for six months, with the GitHub default guardrail manually disabled, and the credentials would still work 48 hours after a journalist called, the bar for “good enough” cloud hygiene at any federal-adjacent organization just got concrete.
Action this week: Open your org’s GitHub admin and confirm secret scanning push-protection is enforced at the org level, not just enabled by default, and that individual developers cannot disable it on their repos (Settings » Code security and analysis » “Push protection” » set to Enabled and enforced). Run gitguardian.com or the open-source truffleHog against your top 10 most active repos to find anything committed before push protection was enabled. If you own IAM rotation for any AWS account, write down what happens when an outside party tells you a key is public: if your answer is “an operator rotates it during business hours,” the CISA story says you have at least 48 hours of exposure on the clock. If you do federal work, the FedRAMP Continuous Monitoring guide is the artifact most directly affected by this incident; a contractor working in GovCloud is supposed to be inside its perimeter.
krebsonsecurity.com: CISA Admin Leaked AWS GovCloud Keys on Github
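The scan step in the action list above, as an added example that is not from the Krebs report or any of the tools it names: a small offline scanner for the two artefact types the story describes, AWS keys sitting in a plain file and a CSV whose password column is filled in. The sample files are constructed here; the key values are AWS’s documented example keys, not anything from the leaked repo, and the report masks whatever it finds so the scan output does not re-leak the secret.

```python
import csv
import io
import re

# Detectors for the artefact types the Private-CISA report describes:
# AWS keys in a plain file and a CSV of plaintext usernames/passwords.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([0-9A-Za-z/+]{40})(?![0-9A-Za-z/+])"
)
CREDENTIAL_COLUMN_RE = re.compile(r"(?i)^(pass(word)?|pwd|secret|token)$")


def mask(value):
    """Keep only a short prefix so the scan report does not re-leak the secret."""
    return value[:4] + "..."


def scan_text(path, text):
    """Return (path, finding_kind, evidence) tuples for one file's contents."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(text):
        findings.append((path, "aws_access_key_id", mask(m.group(0))))
    for m in AWS_SECRET_KEY_RE.finditer(text):
        findings.append((path, "aws_secret_access_key", mask(m.group(1))))
    if path.lower().endswith(".csv"):
        rows = list(csv.reader(io.StringIO(text)))
        if rows:
            header = [h.strip() for h in rows[0]]
            cols = [i for i, h in enumerate(header) if CREDENTIAL_COLUMN_RE.match(h)]
            # Count data rows that actually carry a value in a credential column.
            filled = sum(1 for r in rows[1:] if any(i < len(r) and r[i].strip() for i in cols))
            if filled:
                evidence = "%d rows with values in column(s) %s" % (
                    filled, ", ".join(header[i] for i in cols))
                findings.append((path, "plaintext_credentials_csv", evidence))
    return findings


def scan_files(files):
    """files: {path: text}. Returns every finding across the tree."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample tree; the key values are AWS's documented example keys.
SAMPLE_FILES = {
    "importantAWStokens": ("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                           "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "AWS-Workspace-Firefox-Passwords.csv": ("url,username,password\n"
                                            "https://lz-dso.example/login,admin,Hunter2!\n"
                                            "https://artifactory.example,deployer,s3cret\n"),
    "README.md": "Password column handling is documented in docs/.\n",
}

if __name__ == "__main__":
    for path, kind, evidence in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind} ({evidence})")
```

Point `scan_files` at a real checkout by reading each tracked file into the dict; anything it reports was committed before push protection could have stopped it and needs rotating, not just deleting from the tree.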
3. Maine’s statewide data center pause died on a veto in April. Today, the towns are stitching their own patchwork together.
Continuing 5.17 #1 and 5.15 #2 (data-center community pushback).
Governor Janet Mills vetoed Maine’s LD 307 on April 24; on April 29, the Maine House voted 72 to 65 to override, which fell short of the two-thirds needed. The bill would have been the first statewide moratorium in the country, banning data centers over 20 megawatts through November 2027. Today, the Maine Morning Star reports the workaround. Sanford passed a 91-day local pause that stalled a 1,000-acre project on the Mousam River. Brunswick set a public hearing for June 1. Westbrook’s housing-and-development committee voted Monday to advance its own. At least four Maine towns are now in motion.
The same pattern is reaching Kentucky tonight. Cave City, population about 2,300, holds the second reading and final vote on a one-year data-center moratorium at 5 p.m. ET today. The first reading passed the city council 4 to 1 on Monday, May 18, with council member Leticia Cline leading the effort and Denny Doyle the lone no vote. If it passes, Cave City is the first Kentucky city to put a data-center ban in writing. None of these towns is large. None of them has a state legislature behind it. None of them needed one.
Why this matters: If you live in a town that anyone in the country is currently scouting for a data center, the legal playbook now exists in public, and it does not require your governor to play along. Sanford, Westbrook, Brunswick, and (probably tonight) Cave City all moved within four weeks of their state-level pause dying.
Action this week: Open datacenters.ainowinstitute.org/local and find your county. If a project is in early scoping, the four-town toolkit Maine is using (90-day pause first, ordinance second, public hearing third) is the fastest one on file. If you do business analysis or capacity planning at an enterprise with a Maine or Kentucky footprint, add “local-moratorium risk” to the 2026 site-selection list before your next vendor commit; the bigger story is that the state-vs-local axis is now a live variable.
4. The FBI says AI voice clones have already taken $2.3 billion from elderly Americans this year. One in four Americans has gotten one of those calls.
Consumer safety/fraud.
The FBI’s Monday, May 19, public service alert puts a number on a story most families already have. AI voice-clone scams have cost elderly Americans about $2.3 billion year-to-date in 2026, per FBI tracking. The mechanism: a scammer pulls 20 seconds of audio of someone’s voice (from a voicemail, an Instagram reel, a recorded call) and clones it. Then the cloned voice calls a parent or grandparent, claims to be kidnapped or in a car accident, and asks for money urgently by wire, cryptocurrency, or gift cards. The “proof of life” can now be an AI-generated photo or video.
Hiya’s State of the Call 2026 report (published March 1) put the consumer exposure at scale: one in four Americans say they got a deepfake voice call in the past 12 months, and another 24 percent are not sure they could tell the difference. The FBI’s recommended workaround is mechanical and worth doing tonight: agree on a family safe word that an AI cannot guess. Then never send money on a phone call without hanging up first and calling a known number back. Those two habits are the only thing standing between the current voice-clone capability and the wire transfer that follows.
Why this matters: If you have a parent or grandparent on the phone today, the cheapest thing you can do for them this week is the family safe word; the FBI’s number says about $2.3 billion of US elder loss has already been booked this year before the scam ever sees a regulator.
Action this week: Tonight, during whatever call you already have planned, agree on a safe word with your family (anything other than your dog or your birthday). Write the rule on a sticky note for whichever family member answers most of the phone calls: “If they ask for money urgently, hang up. Call the person back at the number you already have.” If you run a support team at a bank, credit union, or wire-transfer service, the FBI alert on ic3.gov shows current case patterns; pull it into your tier-1 fraud script this week.
cnbc.com: AI-powered scam calls are getting more convincing and more common
» What to watch this week
Google AI Ultra US uptake. Cutting the price from $250 to $100 per month is a real bid for mass-market consumer AI. Watch for an early subscriber number from Google Cloud’s blog or the next Alphabet earnings call (July 22, confirmed by Alphabet IR).
Cave City, Kentucky, final reading vote today at 5 p.m. ET. Yes makes Kentucky the first state with a city-level data-center moratorium; no keeps the patchwork strictly in Maine for now. Either way, the WBKO/Spectrum News 1/WCLU local coverage is where the result lands first.
Apple WWDC 2026 keynote, Monday, June 8 at 10 a.m. PT. Multiple leaks point to a Siri overhaul plus an “Extensions” system that lets users route Siri queries into Claude, Gemini, or Grok. Today’s Spark launch raises the floor of what an iPhone agent has to do to be credible.
CISA’s incident-response timeline on the Private-CISA leak. The agency owes a public disclosure of who accessed the repo over the six months it was live, whether any of those exposed credentials were used, and what changes to Nightwing contract oversight follow. Watch CISA.gov advisories and the House Homeland Security Committee for any hearing notice.
Tomorrow’s signal lands here.