Google had 30 days to warn this PhD student. ICE got his...

Amandla Thomas-Johnson spent exactly five minutes at a pro-Palestinian protest on the Cornell University campus in September 2024. He is a Ph.D. candidate, a dual British and Trinidadian citizen on a student visa. He is not accused of any crime. But in April 2025, Immigration and Customs Enforcement sent Google an administrative subpoena — a government demand for records that bypasses judicial review, requiring no judge's approval — requesting his subscriber name, home address, IP addresses, personal identifiers, and session times. Google had more than 30 days to warn him. It didn't.

In May 2025, Thomas-Johnson received an email from Google — not a warning, but a notification that arrived after the fact. It told him his account data had already been handed to the Department of Homeland Security. He was in Geneva, Switzerland. Federal agents had already visited his home searching for him. A friend had been detained at Tampa International Airport and interrogated about his whereabouts.

The Promise Google Made — and Quietly Broke

For nearly a decade, Google has maintained a clear public commitment printed in its transparency materials: "When we receive a request from a government agency, we send an email to the user account before disclosing information."

That promise exists for a specific reason. Advance notice is the only meaningful protection a user has against an overbroad or invalid government request. With warning, they can hire a lawyer, file a motion to quash (a legal challenge asking a court to invalidate the subpoena as unconstitutional or too broad), or alert civil liberties organizations like the Electronic Frontier Foundation (EFF — a nonprofit that defends digital privacy rights in court) who can intervene on their behalf. Without warning, the window closes before it ever opens.

Through court proceedings, the EFF discovered that Google has been operating a systematic workaround to this commitment. Google's own outside counsel revealed the practice by name: "simultaneous notice" — the company complies with a subpoena and notifies the user on the same day, not before. By the time a user reads the email, their data is already gone.

• What Google publicly promised: Notify users before disclosing their data to law enforcement
• What Google actually does: Disclose data first, then send a notification on the same day as compliance
• The practical result: Users lose the only window they had to challenge an invalid or overbroad subpoena

One Comparison That Exposes Everything

Thomas-Johnson's case becomes especially damning when placed alongside a parallel one. Momodou Taal, another international student targeted by ICE for similar First Amendment-protected (speech and protest-related activities protected under the U.S. Constitution) activities, received advance notice from both Google and Facebook about the subpoenas issued against him.

That early warning gave Taal time to act. Law enforcement ultimately withdrew its requests before any data was ever handed over. His private communications, location data, and personal identifiers were never disclosed. Thomas-Johnson's were — because the same version of Google's notice policy simply didn't apply to him.

Two students. Two government subpoenas targeting constitutionally protected protest activity. Two completely different outcomes — determined entirely by whether Google chose to notify in advance or on the same day as disclosure.

What the Subpoena Actually Captured

The scope of the April 2025 ICE subpoena is worth understanding precisely. It wasn't limited to a name and email address. The request covered:

• IP addresses — the unique numerical identifiers assigned to a device when it connects to the internet, which can be used to approximate a user's physical location at any given time
• Session times and durations — precise logs of when Thomas-Johnson accessed Google services, for how long, and at what frequency
• Personal identifiers — linked data points that can be cross-referenced with other government or commercial databases
• Home address — his registered subscriber address in the United States

Taken together, this data creates a detailed movement and communication profile. IP logs map where someone connects from; session duration data reveals when they're active and how often they reach out. Thomas-Johnson had already crossed the border into Canada at Niagara Falls and traveled to Switzerland when the disclosure occurred. "I believed that once I left U.S. territory, I had also left the reach of its authorities," he wrote in a public statement. "I was wrong." Data stored inside Google's servers crosses no border.

A Hidden Practice — Repeated How Many Times?

The EFF has filed formal complaints with the Attorneys General of California and New York, arguing that Google's "simultaneous notice" practice constitutes deceptive trade practices (misleading conduct that violates consumer protection laws) under state law. The legal argument is straightforward: Google made a specific, decade-long public promise to billions of users and systematically failed to keep it.

"Google should answer the question: How many other times has it broken its promise to users?" said F. Mario Trujillo, EFF Senior Staff Attorney. "Advance notice is especially important now, when agencies like ICE are unconstitutionally targeting users for First Amendment-protected activity. State attorneys general should investigate Google for this deception."

The EFF describes the "simultaneous notice" practice as neither accidental nor isolated. Google received the subpoena in April 2025 and had more than 30 days before disclosing data on May 8, 2025 — ample time to send a warning and allow legal challenge. The decision not to was deliberate, according to the EFF's filing.

Thomas-Johnson framed the broader implication plainly: "What this experience has made clear is that anyone can be targeted by law enforcement. And with their massive stores of data, technology companies can facilitate those arbitrary investigations. Who, exactly, can I hold accountable?"

What Every Google User Should Do Right Now

This case raises a practical question for anyone using Gmail, Google Maps, Google Search, or any Google-connected service: if a government agency sent a subpoena for your account tomorrow, would Google warn you in time to respond? Based on the EFF's findings, the honest answer is: it depends on which version of Google's policy applies — and you won't know in advance.

Here are concrete steps you can take today:

• Review your Google Account Data & Privacy settings to understand exactly what data Google currently holds about you
• For sensitive communications, switch to end-to-end encrypted tools (meaning only you and the recipient can read the messages — not the platform, not a government agency) like Signal
• If you receive a Google legal notice about a government request, contact the EFF or a civil liberties attorney immediately — even retroactively, the data already disclosed may define the scope of a case being built
• Follow the EFF's ongoing complaints at eff.org for updates on the California and New York attorney general investigations

The EFF's strategy reframes Google's behavior as a consumer protection violation rather than a purely constitutional fight — a more durable legal path than challenging individual subpoenas. If state attorneys general open formal investigations, Google may be required to disclose exactly how many users received "simultaneous notice" instead of the advance warning it promised. That number, whatever it turns out to be, is one Google has yet to be forced to answer.

Related Content — Get Started | Guides | More News