Google Promised It Would Warn You. Then ICE Asked.
Google handed a Cornell PhD student's data to ICE without notice — voluntarily, when no law required it. Congress votes on Section 702 in three days.
In September 2024, Amandla Thomas-Johnson stood at a pro-Palestine demonstration at Cornell University for about five minutes. He's a PhD candidate, a former journalist, and a dual citizen of Britain and Trinidad and Tobago. He has not been accused of any crime.
In April 2025, Immigration and Customs Enforcement sent Google an administrative subpoena requesting his data. The next month, Google handed it over — IP addresses, physical address, session times and durations, subscriber identifiers — without telling him it was happening. He found out later, in Geneva, when he got a notification email after the fact.
"Google has already disclosed my data without telling me," he told EFF. "There was no opportunity to contest it."
Here's the part that keeps nagging at me: the law didn't require Google to stay quiet. ICE asked them not to send a notification, and Google agreed — even though ICE's request, in the words of EFF's legal team, was "not enforceable or mandated by a court."
Google made a choice. And Congress is about to make one too.
What Google's Policy Actually Says
Google has maintained a policy for close to a decade that it will "notify users before their data is handed over in response to legal processes, including administrative subpoenas." That's not buried in a terms of service. It's a specific, published commitment that the company held up as a meaningful privacy protection.
The commitment exists because it's genuinely useful. If you know the government is asking for your data before the handover happens, you have a narrow window to go to court and contest it. After the data is transferred, that window is gone. Your IP logs, your physical location on file, your session metadata — all of it now sits in a federal database, and you had no opportunity to challenge whether ICE even had legitimate grounds for the request.
What happened with Thomas-Johnson follows a pattern that ICE and other federal agencies have been exploiting for years. When an agency requests a non-disclosure order alongside a subpoena, companies often comply even when that request has no legal teeth. The incentive structure runs against users: it's easier for a tech company's legal department to say yes to a quiet handover than to pick a fight with a federal law enforcement agency over a notification policy.
In this case, ICE wanted data on someone who attended a college campus protest for five minutes and was later spotted at other political gatherings. That's the threat level that justified an administrative subpoena — not a court warrant, not probable cause finding, just an agency-generated document requesting your records.
Administrative Subpoenas: The Warrant's Quieter Cousin
A warrant requires a judge. An administrative subpoena does not.
Federal agencies — the IRS, DEA, ICE, FDA, and dozens of others — can issue administrative subpoenas on their own authority to demand records from businesses, financial institutions, and tech platforms. The target doesn't have to have committed a crime. The standard is that the information must be "relevant" to an investigation, which is a bar so low it's essentially nominal.
Tech companies receive these regularly. Most people have no idea. Unless the company has a policy of notifying affected users — and actually enforces that policy — the first time you find out is when your data is already gone.
The Thomas-Johnson case is unusual only in that EFF documented it publicly. The underlying mechanism runs constantly and quietly. Your email provider, your cloud storage, your search history — all of it is accessible through administrative subpoena with no judicial involvement and, if the government asks nicely, no notification to you.
What this means in practice: your phone's IP logs tell investigators where you were. Session metadata shows when you were active, from which networks, for how long. Subscriber identifiers tie all of that to your name and address. It's enough to reconstruct a pattern of life without ever reading a single message.
Thomas-Johnson's physical address was in the data packet. He was in Geneva when he got the notification. The ICE investigation appears to have been driven by his attendance at political demonstrations. You don't need a warrant to build a picture like that. You just need a form letter.
Section 702 Expires in Three Days
On April 20, 2026, Congress is scheduled to vote on reauthorizing Section 702 of the Foreign Intelligence Surveillance Act. That's this Sunday.
Section 702 is different from administrative subpoenas — it's a foreign intelligence collection authority, not a domestic law enforcement tool. But it works on the same fundamental premise: that surveillance infrastructure, once authorized, will be used more broadly than its stated purpose.
Here's how it works. Section 702 authorizes the NSA to collect communications from foreign persons located outside the United States. If a Chinese official sends an email, the NSA can read it. If an Iranian diplomat makes a phone call, the NSA can record it. That's the intended scope.
But Americans communicate with people overseas. When the NSA collects those foreign communications, they also collect the American side of the conversation. Those records go into databases that the FBI can then search — without a warrant — looking for communications involving people of interest. The EFF calls it "finders keepers" surveillance: the NSA collects it because there's a foreign target, and the FBI searches it because you were on the other end.
That's not a hypothetical risk. It's been documented in oversight reports, FISA court opinions, and congressional testimony. The FBI has conducted large volumes of queries against Section 702 databases, a significant portion involving US persons with no foreign intelligence connection. Declassified FISA court opinions have repeatedly documented improper searches targeting protesters, political campaigns, and journalists — people who had no business being in a foreign intelligence database.
Section 702 was sold as a targeted foreign intelligence program. It became a domestic surveillance database with a foreign-origin wrapper.
The Reform Congress Won't Pass
The fix that privacy advocates have been pushing for years is simple to describe and apparently impossible to implement: require the FBI to get a warrant before searching Section 702 databases for Americans' communications.
That's it. The NSA can still collect foreign intelligence under 702. The FBI can still investigate national security threats. They just have to convince a judge they have probable cause before reading an American's conversations. That's the same standard that applies to every other search of private communications. It's called the Fourth Amendment.
Congress has never required it. Instead, Section 702 has been reauthorized in 2012, 2018, and 2024 with largely unchanged search authorities. The intelligence community argues that requiring a warrant would slow investigations, reduce effectiveness, and create gaps in coverage. Those are real operational arguments. They're also the same arguments that have justified every surveillance expansion for the last 25 years.
What's on the table this week is a "clean" reauthorization — extending 702 as-is, without warrant requirements or meaningful new restrictions. If that passes, the current system continues for another several years. The FBI can query your communications without a warrant. You have no way of knowing. And if a tech company hands over your account data to ICE without telling you, there's no legal mechanism requiring them to do otherwise, just a policy they choose whether to honor.
Why These Two Things Connect
The Thomas-Johnson case and Section 702 are different legal mechanisms, but they're expressions of the same dynamic: surveillance infrastructure gets used beyond its original purpose, and the only things standing between that infrastructure and ordinary people are company policies and congressional votes.
Google's notification policy was a company policy. It didn't require legislation to exist. It also didn't require legislation for Google to abandon it when a federal agency asked.
Section 702's warrant-free FBI searches are a congressional policy choice. They exist because Congress keeps choosing not to require a warrant. That choice is being made again this week.
Japan recently amended its Personal Information Protection Act to remove opt-in consent requirements for sharing certain categories of data — including health data and facial scans — specifically to make AI development easier. The government framed this as a competitive advantage. The EU has pushed back on similar pressures for years. The United States never had a federal privacy baseline to push back with.
The infrastructure of surveillance isn't built at once. It accumulates, reauthorization by reauthorization, policy exception by policy exception, quiet subpoena by quiet subpoena.
What You Can Actually Do
1. Contact your representative about Section 702 before April 20. The EFF has an action tool at eff.org that lets you send a message in a few minutes. The vote is this Sunday. "Clean reauthorization" votes are harder to justify when constituents are paying attention.
2. Shrink your Google account footprint. IP addresses and subscriber metadata are often more revealing than message content, because they're rarely encrypted and they don't require any inference to read. If you're signed into Google across every device and service, your movement history is essentially in their subscriber database. Consider a separate account for sensitive activity, or switching to services that retain less metadata.
3. Understand the difference between a warrant and a subpoena. A warrant requires judicial approval and probable cause. An administrative subpoena requires neither. Most people assume that government access to their data requires some kind of court involvement. It often doesn't. Every major tech platform receives subpoenas regularly; many comply without notification.
4. Check your notification settings. Some platforms let you set up security notifications for legal process requests. They won't always trigger — as Thomas-Johnson's case shows, companies can and do skip them — but they create a paper trail and at least give you a chance.
5. Push notification metadata is also accessible. Apple and Google route push notifications from every app through their servers. Law enforcement has subpoenaed this data to identify which apps someone uses and when. If privacy matters to you, consider which apps you allow to send push notifications, and look into tools that minimize this metadata footprint.
The Part Nobody Wants to Say Out Loud
Google's promise to notify users before handing over data wasn't empty when they made it. The company has fought government data requests in court before. The commitment was real, maintained for years, and broken in this case without any legal compulsion.
That's not a reason to conclude that company privacy policies are worthless. It's a reason to understand exactly what they are: commitments that hold until the moment they're inconvenient. When a federal agency makes a request and quietly asks for no notification, some companies will push back. Others will go along. You don't find out which is which until it's too late to matter.
The only reliable protection is law. The only way to get law is through the people who write it.
Thomas-Johnson attended a protest for five minutes. He wasn't charged. He wasn't suspected of terrorism. He was a PhD student with opinions about foreign policy who used Google. His data ended up in an ICE database because no rule required otherwise.
Section 702 isn't the same case. But it's the same question: whether the people who write surveillance law think you need a warrant before the government reads your private communications. On Sunday, Congress will answer it again.
Sources: Electronic Frontier Foundation — Google/ICE data handover, EFF — Section 702 reauthorization, The Register — Japan privacy law changes