The Subject
Five minutes at a protest. Eight months later, ICE had his bank account numbers — no judge, no warrant, no notification. The legal architecture that made this possible was written in 1986.
Amandla Thomas-Johnson is a British citizen. In September 2024, he was pursuing a doctorate at Cornell University on a student visa. He attended a pro-Palestinian protest at a Cornell career fair — five minutes, by later reporting — where students confronted recruiters from Boeing and L3Harris over arms sales to Israel. Cornell suspended him and banned him from campus, then later expunged the disciplinary record.
On March 31, 2025, Immigration and Customs Enforcement sent Google an administrative subpoena for his account data. On May 8, Google complied. Thomas-Johnson received no advance notice and no opportunity to challenge the subpoena before compliance. He found out from a brief email Google sent after the fact — after his data was already in ICE’s hands.
What Google provided: his usernames, physical addresses, IP addresses, phone numbers, subscriber identities, credit card numbers, and bank account numbers. Google described the production to his attorney as “basic subscriber information.” Under the statute that authorized the disclosure, that characterization is legally accurate. The problem is what the statute classifies as basic.
The Stored Communications Act of 1986 divides data held by service providers into two categories. Content — the text of emails, messages, documents — requires a warrant reviewed by a judge. Non-content — subscriber identifiers, metadata, means of payment — can be obtained by administrative subpoena, issued by a mid-level agency official with no judicial oversight. When the law was written, non-content meant the number a phone called and how long the call lasted. The categories have not been updated. In 2025, a bank account number linked to a Google account is classified as non-content subscriber information — legally equivalent to a 1986 phone call log. ICE issued the subpoena under its immigration enforcement authority. The Stored Communications Act determined what Google was required to turn over. Two statutes, written decades apart for different purposes, combining to place a student journalist’s financial records in an immigration enforcement file.
The third-party doctrine completes the circuit. Under Smith v. Maryland (1979), information voluntarily shared with a service provider carries reduced Fourth Amendment protection. Thomas-Johnson gave Google his bank account number to pay for services. That transaction converted his financial data from constitutionally protected to administratively reachable.
Thomas-Johnson is not undocumented. He is a British national on a student visa. The subpoena was issued by an immigration enforcement agency under immigration enforcement authority. But what the authority was used to investigate was not whether Thomas-Johnson had a right to be in the country. It was what he did while he was there.
He did not know the full scope of what ICE had obtained until The Intercept reported it in February 2026 — nine months after compliance. “I was quite surprised to see that I didn’t have that opportunity” to challenge the subpoena, he said. In April, he published a first-person account for the Electronic Frontier Foundation: “Google Broke Its Promise to Me. Now ICE Has My Data.”
Thomas-Johnson’s data reached ICE through a technology company. In Delaware, the same legal instrument — the administrative subpoena — is reaching through the state itself.
In April 2025, ICE subpoenaed the Delaware Department of Labor for wage records of fifteen businesses: names, addresses, wages, and Social Security numbers of every employee for the final two quarters of 2024. The authority cited: 8 U.S.C. Section 1225(d)(4), which grants immigration officers power to subpoena documents “relating to the privilege of any person to enter, reenter, reside in, or pass through the United States.” Delaware refused. The state argued that compliance would collapse the trust between the Department of Labor and the businesses that report to it — if employers learned their wage filings were being forwarded to immigration enforcement, they would stop filing, destroying the data system that funds unemployment insurance for every worker in the state.
On April 13, Chief Judge Colm Connolly of the District of Delaware ordered the state to comply. In a twenty-seven-page opinion, he called the issues “not close calls.” Delaware’s position, he wrote, was “a political argument; not a legal one.” On April 21, Governor Matt Meyer announced the appeal to the Third Circuit. “In Delaware, we protect workers,” he said. “We don’t set traps.” The case is pending. No stay has been granted.
These are not isolated applications. DHS has sent hundreds of administrative subpoenas to Google, Meta, Reddit, and Discord targeting accounts that track or criticize immigration enforcement. Former officials estimate thousands issued annually — approved by mid-level officials, shielded from judicial review and public accounting. The EFF filed a FOIA lawsuit on April 22 demanding records on how DHS uses administrative subpoenas to unmask online critics — after its March FOIA request went unanswered. FIRE sued in February, alleging DHS coerced Apple into removing an app that tracked ICE operations and pressured Meta to delete a hundred-thousand-member Facebook group monitoring ICE activity in Chicago. A federal judge ruled the government likely violated the First Amendment and issued a preliminary injunction. The ACLU moved to quash a subpoena targeting a Philadelphia-area man whose act of dissent was emailing an ICE attorney asking him to “apply principles of common sense and decency.” DHS withdrew the subpoena after the legal challenge was filed. The preference for withdrawal over adjudication is telling: the architecture is worth more than any individual case. Better to lose one subpoena than risk a court finding that limits the power to issue the next.
Nobody designed this system. No legislation created a surveillance architecture connecting immigration enforcement to technology companies to state labor departments to financial records. What exists was assembled: a 1986 statute that classifies bank account numbers as metadata. An administrative subpoena power drafted for immigration enforcement, applied to a journalist who attended a protest. A third-party doctrine that converts paying for email into consent to government access. A judiciary that calls the result “not close calls.” Each component was authorized separately. The combination was not authorized at all.
Thomas-Johnson is in Senegal now. He left the United States.
“We need to think very hard about what resistance looks like under these conditions,” he told The Intercept, “where government and Big Tech know so much about us.”
He called them conditions. The Stored Communications Act is forty years old. The third-party doctrine is forty-seven. Administrative subpoena authority predates this administration by decades. None of the current legal challenges address any of them. Architecture outlasts the administration that discovers what it can do.
Sources
- The Intercept — “Google Fulfilled ICE Subpoena Demanding Student Journalist’s Bank and Credit Card Numbers”, February 10, 2026
- Amandla Thomas-Johnson — “Google Broke Its Promise to Me. Now ICE Has My Data”, EFF Deeplinks, April 16, 2026
- EFF — FOIA Lawsuit Against DHS and ICE, April 22, 2026
- Spotlight Delaware — “Judge Orders Delaware to Turn Over Labor Data to ICE”, April 14, 2026
- State of Delaware — Appeal Announcement, April 21, 2026
- Delaware Public Media — “Del. Dept. of Labor Pushes Back on ICE Request”, August 7, 2025
- TechCrunch — “Homeland Security Reportedly Sent Hundreds of Subpoenas”, February 14, 2026
- ACLU — Motion to Quash Abusive DHS Subpoena
- Reason — “Judge Says DOJ and DHS Likely Coerced Tech Firms”, April 20, 2026
- Solen