Civil Liberties Group Presses State Attorneys General to Probe Google’s Data-Sharing Practices
Google is facing renewed scrutiny over how it handles users’ personal information when U.S. law enforcement agencies come knocking. The Electronic Frontier Foundation (EFF) this week urged the attorneys general of California and New York to open formal investigations into what the digital-rights organization calls “deceptive trade practices” in the technology giant’s law-enforcement compliance program.
In two letters sent to the state officials, the EFF argues that Google has repeatedly pledged to inform account holders before turning over their data, yet in numerous instances—most notably a case involving a former Cornell University graduate student—no such notice was given. The group contends that the company’s secretive approach erodes civil liberties, compromises free-speech rights, and violates promises baked into Google’s own privacy policies.
A Public Promise Under Question
Since 2014, Google’s transparency reports and privacy statements have included explicit assurances that the company will, whenever legally permissible, alert users prior to handing their data to government agencies. The commitment is intended both to protect user privacy and to give individuals a chance to contest overbroad or unlawful demands in court.
Yet according to the EFF, the policy is inconsistently applied. Citing internal records, the group alleges that Google sometimes opts to send subscriber data immediately—even when there is no explicit court order demanding secrecy—because advance notice could “slow down” compliance. If proven true, the practice would contradict the spirit of Google’s public guarantees and, in the EFF’s view, run afoul of consumer-protection laws designed to prevent misleading statements to the public.
The Cornell Email Subpoena
The controversy was triggered by events on a university campus nearly two years ago. Amandla Thomas-Johnson, then a doctoral candidate and prominent pro-Palestine organizer at Cornell, learned in May 2025 that the Department of Homeland Security (DHS) had subpoenaed his personal Gmail account. Google informed him of the request and, according to Thomas-Johnson, indicated that only basic subscriber details were provided. There was no content handed over.
Because campus activism had attracted increased federal attention—especially toward international students—Thomas-Johnson assumed the subpoena might have extended to his Cornell-issued email address, also hosted on Google’s servers. That assumption was never confirmed. University officials said they had no record of a separate subpoena, while Google remained silent on whether data from the school account was turned over at all. The absence of clarification left Thomas-Johnson and his legal counsel suspecting that a second handover could have taken place without any notice.
For the EFF, the Cornell case exemplifies what it describes as a systemic loophole. Administrative subpoenas issued under 18 U.S.C. § 2703(c)(2) allow federal agents to demand certain non-content information—such as a user’s name, IP-login timestamps, and payment methods—without judicial approval. Because these subpoenas contain no gag order, companies are free to refuse cooperation or alert the subject. Google’s alleged decision not to notify Thomas-Johnson, the EFF says, contradicts its own policy while shielding a controversial form of government surveillance from public view.
Administrative Subpoenas: Easy to Issue, Hard to Fight
Unlike search warrants or court orders, administrative subpoenas can be issued unilaterally by agencies such as Immigration and Customs Enforcement (ICE) or the Federal Bureau of Investigation. They require no judge’s signature, and the burden rests on the recipient—often a technology platform—to evaluate legality and respond. Although companies may challenge them, most do not, partly because non-compliance risks a prolonged legal battle and potential public criticism for “hindering law enforcement.”
- What can be demanded: Subscriber name, physical and IP addresses, session logs, and payment details.
- What cannot be demanded without a higher-level order: Email or cloud-drive content, message subject lines, and real-time interceptions.
- Legal recourse for users: They can seek to quash or narrow the subpoena—but only if they know it exists.
The EFF argues that withholding notice strips people of this legal remedy, effectively denying them their First Amendment and due-process rights.
EFF’s Call for State Action
The organization is not merely requesting an examination of Google’s internal processes. It is also asking state authorities to levy civil penalties—up to $2,500 per alleged violation under California’s Unfair Competition Law—and to impose injunctive relief that would force Google to change how it responds to government demands.
Specifically, the EFF wants:
- Audit trails showing every instance since 2014 in which Google declined to notify users while lacking a binding gag order.
- Public disclosure of any internal policies or training materials that instruct staff to skip user notice for the sake of speed or convenience.
- An enforceable agreement that Google will provide advance notice unless a court expressly forbids it.
Google’s Response
Google has long maintained that it pushes back against overbroad or improper requests. After the Cornell story first surfaced in local media, a company spokesperson stressed that each legal demand is reviewed for “legal validity,” adding that Google sometimes objects or refuses outright. According to that spokesperson, the subpoena involving Thomas-Johnson sought only non-content data—information that, by law, Google is generally obligated to produce when properly asked.
While the company did not comment directly on the EFF letters, industry observers note that Google’s transparency reports continue to highlight instances in which the company fought government demands. Yet critics argue that these aggregate figures obscure individual missteps, and that the absence of notice in even a small fraction of cases undermines the credibility of the broader promise.
What’s at Stake for Users
Beyond Google’s potential liability, the dispute spotlights an enduring friction between Silicon Valley and law enforcement. If companies favor rapid, quiet compliance, activists, journalists, and other vulnerable communities may not learn they are under investigation until months—or years—later. That uncertainty can have tangible consequences, including self-censorship and the chilling of legitimate political activity.
Imagem: Alex Castro
For immigrants in particular, data sharing with ICE or DHS can trigger removal proceedings. Student organizers point to earlier incidents in which international scholars were deported or denied re-entry after participating in political demonstrations. Knowledge that their email records might be silently shared adds to a climate of fear.
Potential Ripple Effects
Should California and New York open formal probes, the outcome could set a precedent for tech companies nationwide. Both states have robust consumer-protection frameworks, and their enforcement actions often serve as templates for other jurisdictions. Penalties or mandated reforms imposed on Google could quickly influence how rival firms such as Apple, Microsoft, and Meta approach law-enforcement requests.
The timing is also notable. Federal lawmakers are debating updates to the Electronic Communications Privacy Act (ECPA) to clarify when notice is required and to tighten oversight of administrative subpoenas. A high-profile state investigation could add momentum to those legislative efforts by spotlighting perceived gaps in federal privacy protections.
Meanwhile, Users Remain in the Dark
For Thomas-Johnson, the immediate question still lingers: Did ICE access his Cornell email without warning? Until either Google or the university provides a definitive answer, the case remains emblematic of the opacity surrounding government data demands. More broadly, the EFF’s push underscores that many users have no practical way to verify whether tech companies are honoring their own promises.
Whether state investigators decide to take up the cause may hinge on how convincingly the EFF can demonstrate a pattern rather than isolated errors. But the letters alone have reignited a public conversation about the fine print in corporate privacy pledges—and about the power imbalance between individuals and sprawling technology platforms.
FAQ
Why is the EFF involved?
The Electronic Frontier Foundation is a nonprofit focused on defending civil liberties in the digital world. It routinely challenges what it sees as overreach by both governments and corporations regarding surveillance and data privacy.
What does the EFF allege Google has done?
The group claims Google sometimes hands over user data to law enforcement without giving the promised advance notice, even when there is no legal requirement to remain silent.
Is Google legally obligated to provide notice?
Federal law allows, but does not always require, companies to notify users unless a gag order is attached. Google has voluntarily promised to do so whenever possible.
What penalties could Google face?
Under California law, civil fines of up to $2,500 per violation are possible. New York has similar statutes against deceptive trade practices. Injunctive relief could also force policy changes.
Has Google responded to the EFF letters?
As of publication, Google has not issued a new statement. Past comments emphasize that the company reviews every request and sometimes pushes back.
What can users do to protect themselves?
Users can enable two-factor authentication, use encrypted services for sensitive communications, and regularly review transparency reports from service providers to stay informed about general data-request trends.
