Advocates Demand Google Stop Sharing Data With ICE

The Electronic Frontier Foundation asked California and New York to investigate Google. The group says Google has been handing consumer data to immigration authorities without warning users.

What the EFF alleges

The Electronic Frontier Foundation, a digital-rights group, has asked state attorneys general in California and New York to open investigations into Google’s handling of law enforcement demands for user data. The EFF says Google repeatedly didn't notify users before handing over data to agencies like ICE, according to the group's complaint.

The EFF says this wasn't a one-off. It alleges Google chose speed over notice in multiple cases, the letter claims. The complaint centers on so-called administrative subpoenas, which don’t require a judge’s sign-off and can be issued by federal agencies.

The group is asking the states to consider whether Google engaged in deceptive trade practices by breaking promises it has made to users about notifying them before disclosing personal data. It wants injunctive relief and civil penalties under California law, including fines of up to $2,500 per violation.

A specific case: Cornell and one former student

At the heart of the EFF’s push is the case of Amandla Thomas-Johnson, a former PhD candidate at Cornell University. Thomas-Johnson says he never received notice that immigration authorities had accessed his university email account as part of an investigation.

"This is the big question — whether they were using our [Cornell] emails to track us as well," Amandla Thomas-Johnson, a former PhD candidate at Cornell University, told the Cornell Daily Sun. His records show that information tied to his account was accessed under federal communications law 18 U.S.C. 2703(c)(2).

Under that law, providers can turn over non-content subscriber details — addresses, phone numbers, session times, and billing information — when served with a valid legal demand. But the EFF says administrative subpoenas issued by agencies like the Department of Homeland Security can be abusive because they skip judicial oversight.

Google’s response and company practices

Google told the Cornell Daily Sun that its processes for handling law enforcement requests are intended to balance legal obligations and user privacy. The company said it reviews demands for legal validity and challenges requests that are overly broad or improper.

But the EFF says Google's internal practices don't match its public promises. According to the organization, Google sometimes complies without notifying users in order to save time and avoid delays. If true, the EFF argues, that conduct would contradict Google’s long-standing pledge to alert users before releasing data to law enforcement.

Google also informed the Cornell Daily Sun that the subpoena in Thomas-Johnson’s case requested basic subscriber information and didn't seek the contents of his email. Still, the EFF sees the use of administrative subpoenas in immigration investigations as raising constitutional concerns, including possible First Amendment implications for affected communities.

Why notice matters

Notifying users lets them challenge the request in court or hire a lawyer, and without notice many never learn their data was handed over. Without advance notice, users might never know their information was handed over, which means they can’t contest the request or try to limit what the government receives.

And those limits exist for a reason. Administrative subpoenas are a tool federal agencies use to gather data quickly, but they can be broad. The EFF argues those tools are sometimes used in ways that reach far beyond their original intent—sweeping up data on bystanders and broader communities.

Google’s public promises to notify users are part of the company’s effort to reassure billions of account holders that privacy protections are in place. The EFF’s letters to the two state attorneys general say Google’s failure to follow through with those notices is deceptive, and they ask state officials to examine whether the company induced consumers to trust a policy it didn’t uniformly apply.

Legal and policy context

Administrative subpoenas aren't uncommon. They’re a long-standing investigative tool across federal agencies. The difference is that they don’t require a court to approve the demand, and companies can comply without penalty for noncompliance. That gap puts more pressure on companies to enforce clear rules inside their own operations, since they often decide whether to push back on a government request.

Under 18 U.S.C. 2703(c)(2), service providers may be required to disclose certain categories of non-content information. What those categories include, and when they’re turned over, has been a recurring point of debate among privacy advocates, lawmakers and tech companies.

State attorneys general have authority under state consumer protection laws to investigate deceptive practices and pursue penalties. The EFF’s request asks those officials to look at whether Google’s failure to notify users before disclosing data fits that definition.

Broader implications for users and tech firms

If state probes find violations, Google could face civil penalties and be ordered to change how it handles government demands. For consumers, any enforcement would likely be aimed at forcing clearer, more consistent notice practices — and giving people a chance to respond when their data is sought.

But enforcement would also test Balancing complying with lawful government requests and protecting user privacy. Tech companies say they’re bound by law to respond to certain orders. Privacy groups counter that companies often have discretion to push back or at least notify users before turning over information that could affect their safety or speech.

Right now, much depends on the specifics of each demand, the internal decision-making at firms like Google, and whether regulators find the gap between policy and practice wide enough to warrant action.

What advocates want next

The EFF’s letters ask the attorneys general to investigate and consider injunctive relief — remedies that could force policy changes — and civil penalties under state law. The organization is urging state officials to examine whether Google has misled users about its notification practices and to require fixes if needed.

Google didn't provide a named company representative for additional comment beyond its response to the Cornell Daily Sun, where the company said it challenges overly broad demands. The EFF, meanwhile, has signaled it expects state officials to take a close look at the company’s records and internal procedures.

What to watch

Watch for whether California or New York attorneys general open formal probes. If they do, the investigations could dig into how often Google complies without notice, the reasons given for doing so, and what internal rules guided those choices.

And if state regulators find violations, the remedies could include both money penalties and binding changes to Google’s policies. That could ripple across the industry and prompt other tech companies to revisit how and when they notify users about government demands.

Bottom line: the EFF wants notice to mean notice — not a promise on a webpage that gets ignored when law enforcement calls.

Related Articles

• Developers Are Running AI Locally. CISOs Didn't See This Coming.

The EFF has asked state attorneys general to investigate and seek injunctive relief and civil penalties of up to $2,500 per violation in California.