DHS used a customs summons to demand a Canadian's Google data over anti-ICE posts. ACLU sued May 4.

The ACLU filed suit on May 4 in the Northern District of California to block a Department of Homeland Security customs summons that demanded a Canadian man’s Google account data. The plaintiff, who has not entered the United States since 2015, posted online criticism of federal immigration agents after a fatal Minneapolis incident. DHS sent Google the summons days later.

The legal mechanism is the part developers and security teams should pay attention to. A customs summons is a 1930s tariff-act tool, designed for investigations into import and duty violations. It does not require a judge, a probable-cause showing, or any cross-border element other than the agency’s own assertion. DHS used it here to ask Google for the plaintiff’s name, residence, movement records, browsing history, and online communications metadata.

What DHS asked Google for

The summons names a single Google account and asks for the kinds of records the company collects on every signed-in user: subscriber information, account-creation IP, geolocation logs, sign-in timestamps, and the contents of messages tied to the account. Google did not say publicly whether it complied. The ACLU’s filing seeks to invalidate the summons before any production happens, but in practice the production has typically happened by the time a target finds out.

The Canadian, identified in court papers as John Doe to protect his family, learned about the request only after Google’s own notification, per the ACLU’s press release. Doe lives in Canada and his US connections are a long-since-expired visa stamp. The customs-enforcement frame is, on its face, hard to map onto a man who hasn’t been to the US in roughly 11 years.

Why customs law

The 1930 Tariff Act gives the Treasury Department (and now DHS, which inherited the customs authority in 2003) power to compel records from “any person” with information relevant to a customs investigation. Courts have read the authority broadly when the underlying matter is actually customs. They have not historically read it broadly enough to demand records on a foreign national whose only alleged offense is criticizing the agency online.

That gap is the heart of the suit. “A law designed to enforce customs does not give the government authority to target its critics around the world,” said Michael Perloff of the ACLU of D.C., quoted in the ACLU release. His co-counsel Jake Snow of ACLU NorCal added: “The Trump administration is illegally targeting online critics just because it doesn’t like what they’re posting.” DHS has not commented on the filing.

Three earlier ACLU cases challenged similar customs-law subpoenas. DHS withdrew each one before a judge ruled on the legality, leaving the question of whether the agency can do this at all unresolved on the merits. The Northern District of California case is the fourth attempt at a ruling.

The bigger pattern

The Canadian’s case is one of hundreds, The New York Times has reported. Google, Meta, Reddit, and Discord have all confirmed receiving similar DHS administrative subpoenas tied to ICE-related online posts. Some have been complied with, some have been challenged. Reddit’s transparency report shows the volume jumped sharply in the second half of 2025.

EFF has been the loudest dissenting voice on the platform side. In February the foundation published an open letter calling on the major platforms to push back on DHS demands they consider lawless, and in late April it walked through a case where Google had handed over a graduate student’s IP, address, and session history without giving him notice in time to object. The student, like the Canadian Doe, was outside the US when the demand landed.

What this means for you

If you ship software that touches user data on US infrastructure, your platform’s transparency report is the document worth reading this week. Look at how many administrative summonses you’ve received in the past two quarters, how many you’ve complied with, and how many you’ve notified the user about before complying. If the gap between received and contested is large, that gap is your future incident response.

For developers and security engineers personally: a US-issued administrative summons is the lowest-friction tool the executive branch has for getting at any account hosted on US-based services, regardless of where the account holder lives. The case the ACLU filed yesterday will eventually answer how far that authority reaches against foreign nationals. Until then, the practical answer is that any Google, Microsoft, or Apple account is one summons away from disclosure, and your legal redress is mostly after the fact. End-to-end encryption on the message contents helps. Geolocation logs and account metadata don’t get that protection, and that’s what DHS asked for here.