TL;DR:
- Google handed a Cornell Ph.D. student's personal and financial data to ICE (including bank account numbers, credit card numbers, IP addresses, and phone records) in response to an administrative subpoena. No judge signed off.
- Google broke its own decade-old promise to notify users before handing data to law enforcement. ICE asked Google not to tell him. Google complied, even though that request had no legal force.
- The student, Amandla Thomas-Johnson, attended a pro-Palestine protest at Cornell for five minutes in September 2024. ICE issued the subpoena the same day Cornell revoked his student visa.
- The EFF filed complaints with the California and New York attorneys general on April 14, 2026, alleging Google engaged in deceptive trade practices.
- Google received 28,622 subpoenas in the first half of 2025 alone. If the notification promise is meaningless for one user, it's meaningless for all of them.
Five Minutes at a Protest. A Lifetime of Data Handed Over.
In September 2024, Amandla Thomas-Johnson, a British and Trinidadian dual citizen, a published journalist with bylines in Al Jazeera and The Guardian, and a Ph.D. candidate at Cornell University, walked into a pro-Palestine protest at a campus job fair. He stayed for about five minutes [1].
That was enough.
Cornell banned him from campus. Then, in early 2025, after President Trump took office and issued executive orders targeting pro-Palestinian student protesters, the university revoked his student visa. Within hours of that revocation, ICE sent Google an administrative subpoena demanding his data [1].
Google gave them everything.
Usernames. Physical addresses. IP addresses. Phone numbers. An itemized list of every Google service he used. His credit card numbers. His bank account numbers [2]. All from a Gmail account he used for app purchases, the kind of financial data most people don't even realize Google stores.
And Google did it without telling him first.
The Promise Google Made, and Broke
For nearly a decade, Google told billions of users something specific: we will notify you before we hand your data to law enforcement. That notification is supposed to give you time to hire a lawyer, file a motion, and fight back in court before your information is gone [3].
Google's transparency policy includes exceptions: court-ordered gag orders, imminent threats to life, child exploitation cases. None of those applied here. ICE simply included a non-binding notation on the subpoena requesting that Google not notify Thomas-Johnson. No judge signed it. No court reviewed it. It was a Post-it note, not a legal order [3].
Google treated it like law.
On May 8, 2025, Google handed over the data. That same day (not before, but simultaneously) Google sent Thomas-Johnson a notification from a no-reply email address. By the time he saw it, his data was already in ICE's hands [4].
"I'd already seen the subpoena request," Thomas-Johnson told The Intercept. "I was quite surprised to see that I didn't have that opportunity" to challenge it [1].
"Quite surprised" is diplomatic. Google's notification promise was the single biggest reason many users trusted the company with sensitive data. That promise turns out to be optional. ICE figured that out.
An Administrative Subpoena Is Not a Warrant
This distinction matters. A lot.
A warrant requires a judge. A prosecutor has to show probable cause. There's judicial oversight. An administrative subpoena? ICE writes one up internally. No judge reviews it. No probable cause required. The agency just decides it wants your data and sends a letter [1].
Administrative subpoenas can't legally compel the contents of emails, search histories, or location data. But they can demand metadata: IP addresses, subscriber information, phone numbers, session times. And apparently, they can also get your bank account and credit card numbers: data Google stores because you bought a $2.99 app once.
Lindsay Nash, a professor at Cardozo School of Law, explained the core problem to The Intercept: "It doesn't allow the person whose personal information is on the line... to raise challenges" [1].
The subpoena ICE sent Google didn't even include all the legally required fields. Its only stated justification was a connection to an "investigation or inquiry relating to enforcement of U.S. immigration laws." That's not a reason. That's a category [1].
28,622 Subpoenas in Six Months
This isn't about one student. Google received 28,622 subpoenas in the first half of 2025 alone [4]. Each one potentially triggered the same notification promise. Each one potentially broke it the same way.
How many of those 28,622 included a non-binding "don't tell the user" request? How many times did Google comply? The company won't say. But the EFF's complaint makes the math uncomfortable: if Google folded on its notification promise for a British Ph.D. student with EFF lawyers, what chance does anyone else have?
The stakes are highest for people who rely on Google Workspace through institutions (universities, nonprofits, small businesses). Cornell alone has thousands of Gmail users. Every one of them trusted Google's notification promise. Every one of them was wrong to.
What the EFF Is Doing About It
On April 14, 2026, the Electronic Frontier Foundation filed formal complaints with the California and New York attorneys general. The legal argument: Google's broken notification promise constitutes deceptive trade practices under state consumer protection law [3].
F. Mario Trujillo, an EFF Senior Staff Attorney, is leading the case. The strategy is deliberate: state consumer protection law rather than federal litigation, targeting two jurisdictions known for aggressive tech enforcement [4].
The potential penalties: up to $2,500 per violation under California law. Injunctive relief and financial damages under New York law [4]. With 28,622 subpoenas in six months, the exposure adds up fast if Google broke its promise more than once.
The EFF also sent letters to Amazon, Apple, Discord, Google, Meta, Microsoft, and Reddit demanding all seven companies stop handing data to DHS in response to administrative subpoenas without court confirmation. "Your promises to protect the privacy of users are being tested," the letter read [1].
Tested, and failing.
A Pattern, Not an Incident
Thomas-Johnson's case didn't happen in a vacuum. In February 2026, The Intercept reported that Google had fulfilled a separate ICE subpoena demanding a student journalist's financial records (the same student, the same data types, but a separate legal demand) [2]. TechCrunch, NBC News, and multiple outlets confirmed the pattern: Google wasn't making a one-time exception. This was policy in practice.
The timing tells the story. Trump's executive orders targeting pro-Palestinian protesters created the political pressure. Cornell's visa revocation created the opening. ICE's subpoena arrived within hours. And Google, the company that promised to stand between your data and the government, stepped aside without a fight.
Thomas-Johnson is now living in Dakar, Senegal, after fleeing first to Geneva. A British journalist and doctoral candidate, driven out of the United States because he stood at a protest for five minutes and Google decided ICE's non-binding request outweighed a decade-old promise [1].
What You Can Do
- Don't store financial data in Google accounts. Remove saved credit cards and bank information from Google Pay and your Google account. If you need to buy apps, use prepaid cards.
- Treat corporate privacy promises as marketing. Google's notification policy sounded good. It wasn't binding. No company's voluntary privacy commitment is worth more than the paper it's printed on, or the legal pressure applied against it. The government also buys much of this data outright through the data broker loophole.
- Use end-to-end encrypted email for sensitive communication. ProtonMail, Tutanota, or self-hosted solutions don't have your data to hand over. Google does.
- If you're at a university using Google Workspace, push your institution to negotiate data protection terms that go beyond Google's default policies. Demand contractual notification guarantees, not voluntary ones.
- Support the EFF's AG complaints. The EFF's full account of the case is public. Share it. The more visibility these complaints get, the harder it is for attorneys general to ignore them.
- Know your rights with administrative subpoenas. They're weaker than warrants. Companies can, and should, push back. Demand that your service providers require judicial oversight before handing over data.
The Bottom Line
Google built a $2 trillion company partly on the promise that your data was safe with them. That if the government came knocking, they'd tell you first. They'd give you a chance to fight.
ICE knocked. Google opened the door, handed over the keys, and sent the homeowner a notification email from a no-reply address after the fact.
Every Google user should be asking the same question Thomas-Johnson is asking from Senegal: if Google broke its promise for me, who are they keeping it for?
Sources
- The Intercept: "Google Fulfilled ICE Subpoena Demanding Student Journalist's Bank and Credit Card Numbers" (February 10, 2026)
- TechCrunch: "Google sent personal and financial information of student journalist to ICE" (February 10, 2026)
- EFF: "Google Broke Its Promise to Me. Now ICE Has My Data." (April 2026)
- CyberInsider: "EFF Urges State Probe into Google Over Undisclosed Data Sharing with ICE" (April 2026)
Published: May 31, 2026