Google Broke Its 10 Year Promise to Warn Users Before Handing Data to Police—Then ICE Got a Student Journalist's Entire Account

The Subpoena Google Did Not Warn About

Amandla Thomas-Johnson is a British and Trinidadian Ph.D. student, a former journalist, and until recently a student visa holder at Cornell University. In September 2024, he spent about five minutes at a pro Palestinian protest at a Cornell job fair. The action got him banned from campus. It also, unknown to him at the time, triggered a federal surveillance file.

In April 2025, Immigration and Customs Enforcement sent Google an administrative subpoena demanding Thomas-Johnson's account data. On May 8, 2025, Google complied. The same day, the company sent him a short message: "Google has received and responded to legal process from a law enforcement authority compelling the release of information." The data had already left the building.

Administrative subpoenas are not warrants. They are not signed by a judge. They do not require probable cause, and they can be challenged in court. Thomas-Johnson had every right to contest the request, and according to his EFF lawyers he almost certainly would have won. He never got the chance.

What ICE Actually Received

The full scope of Google's disclosure, documented by The Intercept and confirmed through the subpoena text, is far broader than the bare "subscriber information" Google publicly describes as its standard compliance package:

• Full name and physical address
• All phone numbers linked to the account
• IP address history, including session times and durations
• An itemized list of every Google service used with the account
• Subscriber numbers and identities associated with the account
• Credit card and bank account numbers tied to paid Google services

That package is not a narrow identity confirmation. It is a financial and behavioral surveillance profile. Combined, the fields reveal where Thomas-Johnson slept, when he checked his phone, which services he paid for, which bank he used, and how his device moved through the world for years before the subpoena was issued.

The Broken Promise

For nearly a decade, Google has told users in its Transparency Report and public policy pages that it notifies account holders before complying with government data requests, with limited exceptions: court ordered gag orders, emergencies involving imminent harm, or cases involving child sexual abuse material.

None of those exceptions applied to Thomas-Johnson. The ICE subpoena included a non binding request asking Google not to notify the user, but it was not a court order, not a gag, and not legally enforceable. Google could have pushed back. Google could have sent the standard advance notice. Google did neither.

The EFF argues this is not an isolated slip. In complaints filed on April 14, 2026 with the California and New York Attorneys General, the organization accuses Google of "deceptive trade practices" and alleges the company has been systematically handing over data in response to non gag administrative subpoenas without honoring its own notification commitment, likely for years.

Why This Goes Beyond One Student

Google operates Gmail, Google Drive, Google Photos, YouTube, Calendar, Maps history, and Android itself. A single Google account contains more of a person's life than almost any other record: years of personal correspondence, location history, contacts, photos, search queries, and payment methods. When ICE or any other agency asks for "everything associated with this account," the answer is effectively a biographical dossier.

The notification promise was the one mechanism that gave users a chance to fight back. Advance notice is not just a courtesy. It triggers the right to retain counsel, quash an invalid subpoena, or file a motion to limit the scope of disclosure. Without it, the process happens entirely between the government and the company, with the subject of the investigation cut out of their own case.

This is the same structural problem that drove the EFF's February 2026 open letter, co signed with the ACLU of Northern California and addressed to Google, Amazon, Apple, Discord, Meta, Microsoft, and Reddit. The letter asks every major platform to refuse administrative subpoenas from DHS unless accompanied by court intervention, and to restore meaningful advance notice for everyone else. Earlier reporting already documented that Apple, Google, and Meta combined handed over roughly 3 million user accounts to U.S. authorities over recent years, most of it without notifying the affected users.

How to Tell If Google Has Shared Your Data

Google does not retroactively alert users when it complies with a request. There is no dashboard field that says "we have shared your data with a federal agency." What you can do is audit what Google holds and limit future exposure.

• Run Google Takeout. Download a full export of every Google service tied to your account. The archive will show the surface area of what a subpoena could touch: mail, photos, location history, payments, YouTube, Maps, and more.
• Check the Security Activity log. At myaccount.google.com/security-history, review recent sign ins and third party access. Unusual entries may indicate account activity that law enforcement later asked about.
• Turn off Location History and Web and App Activity. These two settings control the single largest volume of behavioral data Google stores. Under "Data and privacy," set all three activity controls to auto delete at three or eighteen months rather than "keep forever."
• Remove stored payment methods you do not need. The ICE subpoena returned the card and bank numbers Thomas-Johnson had saved for Google Workspace and Play Store purchases. If you do not actively need a payment method on file, delete it.
• Move sensitive communications off Gmail. For journalists, activists, and anyone with a non zero threat model, use end to end encrypted services where the provider does not hold the keys. Advance notice becomes irrelevant when the provider cannot decrypt what law enforcement receives.

What This Means for Journalists and Activists

If you attended a protest, reported on immigration enforcement, communicated with a source inside the federal government, or published anything an agency might regard as hostile, the Thomas-Johnson case sets a clear precedent. An administrative subpoena, sent by an officer without a judge, is enough to get Google to surrender everything. A non binding request to stay silent is enough to keep you from knowing.

This is not hypothetical. ICE has already admitted it uses zero click spyware like Graphite to read encrypted messages, and Apple's Hide My Email service gave the FBI a user's real identity plus 134 anonymous linked accounts. The infrastructure to compile a detailed surveillance file on anyone the government finds interesting already exists inside the consumer tech stack. What broke in the Thomas-Johnson case was the last procedural check that let the subject of that file even know it existed.

Practical countermeasures for anyone in an elevated threat category include compartmentalizing identities across services, using hardware security keys on all accounts, moving primary communications to Signal or other end to end encrypted platforms, and keeping a separate email address, funded with a prepaid card, for any activity that might draw government attention.

What Happens Next

The EFF's complaints to California and New York Attorneys General ask state regulators to investigate Google for deceptive trade practices, with potential penalties running into the hundreds of millions if the pattern is confirmed across the company's user base. Google has not commented publicly on the specific case and has not said whether it will reinstate its notification policy for non gag subpoenas.

The larger policy fight is over Section 702 of the Foreign Intelligence Surveillance Act, which expires in 2026 and which EFF wants renewed only with meaningful privacy safeguards. But the Thomas-Johnson case is a reminder that the most consequential surveillance is not the exotic FISA query. It is the routine administrative subpoena, sent on a plain piece of letterhead, quietly honored by a company that swore it would tell you first.