On April 14, 2026, the Electronic Frontier Foundation published the account of Amandla Thomas-Johnson, a Cornell Ph.D. candidate whose Google account data was handed to Immigration and Customs Enforcement after he attended a brief campus protest. The disclosure is notable not because a court found wrongdoing—none did—but because two ordinary, lawful mechanisms combined to strip a non-citizen of any chance to object: an administrative subpoena issued without judicial review, and a platform that quietly set aside its own promise to warn users first.
What actually happened
Thomas-Johnson, a British and Trinidadian national on a student visa, attended a roughly five-minute pro-Palestinian protest at a Cornell job fair in September 2024. In April 2025, ICE sent Google an administrative subpoena for his account data. According to EFF's account, Google complied on May 8, 2025, turning over IP addresses, his physical address, other identifiers, and session times and durations. Reporting by The Intercept noted the subpoena also reached subscriber and payment details he had attached to the account, though his lawyers say the full scope remains unclear. Crucially, Thomas-Johnson received notice only after the data was already gone—an email stating Google "has received and responded to legal process." By then, the window to challenge the demand had closed. He has not been charged with any crime.
The legal mechanism: a subpoena no judge ever saw
The document ICE used was not a search warrant. It was an administrative subpoena, a tool authorized under 8 CFR § 287.4, which lets designated immigration officers "issue a subpoena requiring the production of records and evidence for use in criminal or civil investigations." No advance court order is required to issue one. A judge enters the picture only if the recipient refuses to comply—at which point the government must ask a U.S. district court to compel production. In practice, that structure inverts the usual safeguard: the default is disclosure, and judicial scrutiny is the exception that someone has to fight for.
This is where the steelman matters. Administrative subpoenas exist for good reasons. Dozens of federal agencies use them to run investigations efficiently without clogging courts with routine records requests, and the Supreme Court has long held in Oklahoma Press Publishing Co. v. Walling (1946) that such subpoenas are constitutional so long as they are not unreasonably broad. For genuine immigration enforcement, requiring a warrant for every subscriber-record request would impose real costs. The case for the tool is not frivolous.
But proportionality is the test, and this episode fails it. An administrative subpoena is appropriate for compelling business records in a bounded inquiry. It is a poor fit for assembling what Thomas-Johnson rightly calls a "detailed surveillance profile" of a protester—IP logs that approximate location, addresses that reveal where he sleeps, session data that maps his communication patterns. When the same instrument that lets an agency audit a trucking company's logs can also reconstruct an activist's movements with no judge in the loop, the law has not kept pace with the data.
Google's broken promise
For years, Google has told users it will notify them before disclosing their data in response to legal process, giving them a chance to object in court. That promise is the entire load-bearing safeguard for non-targets of valid warrants. In this case it failed. As EFF detailed in its complaints to the California and New York attorneys general, Google's outside counsel explained that when the company cannot meet a government-imposed deadline, it sometimes complies and provides notice the same day—a practice EFF calls "simultaneous notice." Same-day notice is not notice; it is a receipt. EFF has asked both AGs to investigate the conduct as a deceptive trade practice, arguing users relied on a promise the company did not keep.
Here the pro-innovation position and the pro-accountability position point the same direction. Platforms compete partly on trust, and a notification commitment is a feature users bank on. A company that markets advance notice and then delivers contemporaneous notice under deadline pressure has degraded the product. The fix is not heavy-handed: honor the stated policy, push back on unreasonable deadlines, and litigate or seek extensions rather than fold. That is a business decision well within Google's power.
The narrow fix worth making
The instinct to demand a warrant for everything would over-correct and is unlikely to survive in Congress. A tighter, proportionate reform is available. First, a notice floor: where a provider's own policy promises pre-disclosure notice, regulators can hold it to that representation—exactly the consumer-protection theory EFF is testing. Second, judicial review proportional to sensitivity: location-revealing IP histories and session metadata are the kind of data the Supreme Court treated as constitutionally weighty in Carpenter v. United States (2018), and compelling them arguably should require more than an officer's signature. Neither reform abolishes the administrative subpoena; both restore the friction that the Fourth Amendment assumes.
The Thomas-Johnson case is a clean illustration of a system working as written and still producing an unjust result. The subpoena was lawful. Google's compliance was lawful. And a man who broke no law saw his digital life mapped and fled the country. When legality and legitimacy diverge that sharply, the answer is not to trust enforcers more—it is to put a judge back in the loop and make platforms keep the promises they sell.