This Google user data scandal shows why more people are using GrapheneOS
Source: Android Authority
TL;DR
- A legal complaint has been filed against Google after it gave a student’s data to the government without notifying the user.
- Google’s own policy notes that, with a few exceptions, it will notify users before handing over data.
- This news also comes as Google‑free Android forks like GrapheneOS gain steam, along with alternatives to Google apps.
Background
US authorities routinely send requests for user data to tech companies. Google is no exception, but the company’s own policy states that it will generally notify people when authorities have requested their user data. However, a new legal complaint might motivate you to deGoogle your digital life.
A legal complaint by the Electronic Frontier Foundation (EFF) alleges that Google may have broken its own rules and given a user’s data to Immigration and Customs Enforcement (ICE) without notifying the user first. The user, Amandla Thomas‑Johnson, is a foreign PhD student who apparently attended a pro‑Palestine protest at Cornell University.
Thomas‑Johnson claims that he was forced into hiding amid a government crackdown on student protests, with federal agents looking for him at his home. He also claimed that a friend was interrogated at a Tampa airport in connection with his whereabouts.
Thomas‑Johnson was visiting Switzerland weeks later when he received an email notifying him that Google had handed over his user data to the Department of Homeland Security. He didn’t receive an email from Google to notify him of the request.
“That notice is meant to provide a chance to challenge the request. In my case, that safeguard was bypassed,” he explained.
Google’s notification policy
Google’s policy webpage notes that it will generally notify users of the request before handing over any data to the government. However, the company also explains that there are a few exceptions:
- Legal prohibition – No notice when legally prohibited; notice is provided after the gag period expires.
- Account issues – No notice if the account has been disabled or hijacked.
- Emergencies – No notice for emergencies (e.g., threats to a child’s safety or someone’s life); notice is provided once the emergency has passed.
In other words, the company may have been barred from notifying the subject of a data request due to a legal requirement, or it might hand over data without notification if there’s a threat to someone.
Data that was disclosed
Google apparently handed over Thomas‑Johnson’s:
- IP addresses
- Physical address
- Session times/durations
- Other “identifiers”
While this may not sound like much, it can be used to determine someone’s location, home, and when they’re communicating with others. The search giant also claims that it often seeks to narrow the scope of disclosed data if it feels the request is too broad.
Implications and alternatives
It’s no wonder that more people are switching to Android forks like GrapheneOS. The platform doesn’t phone home to Google and even offers a duress PIN, a separate PIN that can wipe the entire device—handy if you’re forced to hand over your phone to authorities or criminals.
We’ve also seen users moving from Google apps and services to alternatives such as Brave, ProtonMail, and BitWarden. Diversifying your digital tools can reduce the risk of a single point of failure, especially under repressive regimes.
Outlook
We’ve reached out to Google for comment on this legal complaint and will update the article if the company responds.