Google secretly handed Immigration and Customs Enforcement (ICE) the bank account numbers, credit card details, and personal data of student journalist and activist Amandla Thomas-Johnson in February 2026 - without ever notifying him, in direct violation of a public policy the company has upheld since 2015.
What Happened: A Secret Subpoena, No Warning
ICE served Google with an administrative subpoena demanding data on Thomas-Johnson, who had been covering immigration enforcement as a student journalist. Google complied - handing over financial records including bank account numbers and credit card data - without alerting Thomas-Johnson or giving him any opportunity to challenge the request in court.
Administrative subpoenas are issued directly by federal agencies, without judicial oversight or a warrant signed by a judge. Unlike court orders, they carry no requirement for prior court approval, making them a favored tool for agencies like ICE seeking rapid access to user data. Thomas-Johnson only discovered that Google had complied with the subpoena after the fact, when The Intercept broke the story. By then, he had already fled to Switzerland to avoid detention.
Thomas-Johnson later described the experience on social media: "So, @Google handed ICE my credit card and bank account numbers as they attempted to track and detain me. I fled to Switzerland before they could." The disclosure was not a security breach or a hack - it was Google voluntarily handing his financial data to a federal agency without ever telling him.
Google's Broken Promise: A Policy Abandoned in Silence
Since at least 2015, Google had maintained a clear public commitment: when the company receives a government demand for user data, it will notify the affected user before complying - unless legally prohibited from doing so. This policy exists precisely so that users can hire lawyers and challenge overreach in court before their private information is handed to authorities.
In Thomas-Johnson's case, Google quietly abandoned that promise. The company offered no explanation for why it chose not to notify him. The Electronic Frontier Foundation (EFF), which took up the case, described the situation bluntly in an April 2026 blog post: "Google Broke Its Promise to Me. Now ICE Has My Data."
The EFF has also written formally to the California Attorney General, citing Google's failure to comply with California law, which may impose additional notification obligations when companies receive certain government data demands.
Administrative Subpoenas: The Legal Gray Zone Threatening Privacy
The Thomas-Johnson case highlights a growing problem: administrative subpoenas allow government agencies to bypass the judiciary entirely. Unlike search warrants, administrative subpoenas require no judge's signature, no probable cause finding, and no advance notice to the target. They are self-issued by agencies like ICE, the DEA, and the IRS, and tech companies frequently comply with them without contest.
According to Google's own transparency reports, the company receives thousands of government data requests per year from US authorities. The vast majority result in some data being disclosed. The Thomas-Johnson case is alarming not just because of what was disclosed, but because of how it was disclosed - silently, and in apparent violation of the company's own stated principles.
EFF Demands Legislation: Notification Must Become Law
The EFF's response goes beyond criticizing Google. The organization is now pushing for federal and state legislation that would legally require tech companies to notify users before complying with government data demands - removing the discretion that allowed Google to break its promise in this case without legal consequence.
EFF staff attorney Saira Hussain called the case a "blueprint for abuse," noting that student journalists, immigration activists, and ordinary people with no connection to criminal activity are increasingly targeted through administrative subpoenas simply because they exercise their First Amendment rights online.
Privacy advocates argue that voluntary corporate policies are insufficient protection. As the Thomas-Johnson case demonstrates, policies can be abandoned without notice, without explanation, and without recourse - leaving users exposed precisely when legal protection matters most.
The Broader Implications for Digital Privacy
This case carries implications far beyond one activist's experience. If Google - a company with a decade-long public commitment to user notification - will quietly hand financial data to immigration enforcement without warning, users have little reason to trust that any voluntary corporate privacy policy offers real protection.
The data Google disclosed was not passwords or private messages - it was bank account numbers and credit card records, the kind of financial data that can be used to trace a person's movements, associations, and support networks. For an immigration journalist, this information is not just personal - it is potentially dangerous to sources and contacts.
Cases like this are a reminder that every data point stored with a third-party service is potentially reachable by government agencies with minimal legal barrier. Minimizing the data you share with large platforms - and using tools that give you greater control over your digital footprint - has moved from a technical preference to a practical necessity for journalists, activists, and privacy-conscious users alike.
