Most people assume that when a tech giant makes a formal privacy commitment, it means something. Google spent nearly a decade building exactly that assumption — and then quietly abandoned it when a federal immigration agency came knocking.
The story of how Google handed over a student journalist’s personal data to ICE without warning is not just a one-off privacy failure. It’s a window into a growing structural problem: the gap between what tech platforms promise their users and what they actually do when the government asks.
What Happened to Amandla Thomas-Johnson
In September 2024, Amandla Thomas-Johnson — a Ph.D. candidate studying in the U.S. on a student visa — briefly attended a pro-Palestinian protest at a Cornell University job fair for five minutes. That five-minute appearance triggered an ICE investigation. byteiota
On April 1, 2025, ICE sent Google an administrative subpoena with a 10-day deadline requesting comprehensive data on Thomas-Johnson. Despite having more than a month to respond, Google neither challenged the request nor notified Thomas-Johnson in advance. byteiota
On May 8, 2025, Google complied and sent a post-disclosure email from a “no-reply” address informing Thomas-Johnson that his data had already been handed over. byteiota The data disclosed was not a vague account summary. It included credit card numbers, bank account numbers, IP addresses, phone numbers, and a complete list of services Thomas-Johnson used — all in response to an administrative subpoena that had not been approved by a judge. byteiota
On April 14, 2026, the Electronic Frontier Foundation filed formal complaints with the California and New York Attorneys General, accusing Google of deceptive trade practices over its broken privacy commitments. byteiota
The Promise Google Made — and How It Broke It
Google’s transparency policy explicitly states the company “sends an email to the user account before disclosing information” to law enforcement. byteiota That policy had been in place for close to a decade. It mattered to users because it created a window — a chance to hire a lawyer, challenge the subpoena in court, and potentially block the disclosure before it happened.
Communication between EFF and Google later revealed this isn’t an isolated incident — it’s systematic. Google calls it “simultaneous notice,” a practice where the company complies with government requests and provides user notification on the same day “to save time and avoid delay.” byteiota
The policy carve-outs Google publicly acknowledged — gag orders from a court, for instance — do not apply to Thomas-Johnson’s case. There was no gag order. There was no court involved at all. Which leads directly to the second problem.
Administrative Subpoenas: Government Demands Without a Judge
Most people picture law enforcement data requests as requiring a warrant — a judge, probable cause, the usual Fourth Amendment scaffolding. Administrative subpoenas work differently.
An administrative subpoena is a piece of paper that a prosecutor or agency fills out and hands to the holder of records, with no judge involved. Unlike judicial warrants, they require no judicial oversight, no evidence of crime, and no probable cause standard. byteiota
That means ICE could demand Thomas-Johnson’s financial data, location history, and account information with no independent check on whether the request was legally justified. And because Google held those records rather than Thomas-Johnson himself, he had no automatic legal standing to contest anything before the disclosure happened.
The Department of Homeland Security has issued hundreds of these administrative subpoenas in recent months targeting users critical of ICE or posting about ICE agent locations. byteiota The pattern is not incidental — it’s a strategy for building surveillance cases on social and political activity without the friction of the court system.
Google Is Not the Only One
It would be convenient if this were a single company’s failure, but it isn’t.
Reddit, Meta, and Discord have all complied with DHS administrative subpoenas seeking to identify users who criticized ICE or pointed out locations where ICE agents are stationed. byteiota Some companies did provide advance notice, giving users a window to challenge subpoenas with ACLU assistance. In those cases, DHS withdrew the subpoenas before court rulings — deliberately avoiding legal precedent that might constrain the practice. byteiota
That detail is worth sitting with. When users were given a chance to fight back in court, the government retreated. The “simultaneous notice” approach Google adopted ensures that fight never happens.
What This Means if You Build on Google’s Infrastructure
Developers who rely on Google Cloud, Firebase, or any Google API to store user data are now in a structurally uncomfortable position. The platform you build on will comply with administrative subpoenas — without advance notice, without a judge’s sign-off, and without giving your users a meaningful opportunity to respond.
This creates concrete regulatory risk: GDPR and CCPA require user data protection, and building on infrastructure that routinely bypasses advance notice obligations may put developers in legal jeopardy alongside their platform provider. byteiota
There are technical approaches worth considering. Data minimization reduces exposure — if you don’t collect it, it can’t be subpoenaed. End-to-end encryption offers stronger protection: when user data is encrypted on the client before upload and users hold the decryption keys, platforms cannot access content even if subpoenaed. byteiota Zero-knowledge architectures, data residency in privacy-friendlier jurisdictions, and self-hosting are all levers that shift the risk profile. None of them are free or simple, but they are real options.
The question is not whether your platform will ever receive a government data request. The question is what happens to your users when it does.
Conclusion
Google’s broken promise to Amandla Thomas-Johnson reveals something bigger than one company’s policy failure. It exposes the architecture of how governments can use administrative subpoenas to extract user data from tech platforms at scale, with minimal judicial oversight, and with notification practices designed to arrive too late to be useful.
EFF’s complaints to California and New York Attorneys General seek state investigations, injunctive relief, and civil penalties up to $2,500 per violation in California. byteiota The outcome of those complaints will matter — both for Google’s policy and as precedent for every other platform that makes similar user-notification promises.
For now, the practical takeaway is uncomfortable but clear: corporate privacy promises are not enforceable contracts. They are policies that companies can quietly redefine. If you’re a developer, an activist, a journalist, or anyone whose digital footprint could become politically inconvenient, the time to think about your exposure to third-party platform data requests is before they happen — not after a no-reply email tells you it already has.