DHS Used a 1930s Customs Law to Demand Google Hand Over Data on a Canadian Trump Critic
The Department of Homeland Security used a 1930s customs law to demand Google hand over a Canadian's location, activity logs, and identifying information — over anti-ICE posts. The Canadian has not entered the United States in more than ten years. The ACLU is suing.
WIRED reported on May 4, 2026, that the Department of Homeland Security used an administrative summons issued under the Tariff Act of 1930 to demand Google surrender activity logs, location information, and identifying details about a Canadian individual who criticized the Trump administration online following the killings of Renee Good and Alex Pretti by federal immigration agents in Minneapolis early this year. The targeted individual has not entered the United States in more than ten years. The ACLU of the District of Columbia and the ACLU of Northern California are now jointly suing DHS Secretary Markwayne Mullin over the summons in the U.S. District Court for the Northern District of California; the lawsuit, Doe v. Mullin, alleges DHS violated the customs law that gives the agency power to request records, given that the targeted person did not export or import anything from the United States during the time frame DHS specified.
The single most important fact is jurisdictional reach. DHS used a U.S. trade law to compel a U.S. company to hand over data on a non-U.S. resident who has not been on U.S. soil in over a decade. The legal theory — that the Tariff Act gives DHS authority to investigate someone who has neither imported nor exported anything from the U.S., based on online speech — is novel even within the broader DHS administrative-subpoena pattern that civil-liberties groups have been documenting since February 2026. The case is now the test of whether the U.S.-domiciled-platform pathway can be used to subject foreign nationals to U.S. surveillance authority over speech.
| DHS Tariff Act Summons: Case Profile | |
|---|---|
| Detail | Information |
| Targeted individual | Canadian citizen (unnamed); has not entered the U.S. in more than 10 years |
| Legal authority invoked | Tariff Act of 1930 — administrative summons, no judicial approval required |
| Data demanded from Google | Location information, activity logs, identifying information |
| Time frame requested | September 1, 2025 to February 4, 2026 |
| Trigger for investigation | Online criticism of Trump administration following the killings of Renee Good and Alex Pretti by federal immigration agents in Minneapolis |
| Lawsuit defendant | Markwayne Mullin, Secretary of DHS |
| Case name & venue | Doe v. Mullin, U.S. District Court for the Northern District of California |
| Plaintiff representation | ACLU of D.C. and ACLU of Northern California; lead attorney Michael Perloff (ACLU-DC senior staff) |
| Lawsuit's central claim | DHS violated the customs law that gives it record-request authority — target did not import or export anything from the U.S. in the requested period |
| Broader pattern (Feb 2026) | Hundreds of DHS administrative subpoenas to Google, Meta, Reddit, Discord targeting anti-ICE accounts; multiple withdrawn after legal challenge |
The Tariff Act Question, in Plain Terms
The Tariff Act of 1930 gives DHS, through U.S. Customs and Border Protection and related authorities, the power to issue administrative summonses to obtain records from businesses and other parties relevant to customs investigations. The statute's traditional use is investigating import-export activity: trade fraud, smuggling, customs violations. Administrative summonses under this authority do not require judicial approval — DHS issues them directly.
The ACLU's lawsuit makes a narrow but pointed claim: the targeted Canadian did not export or import anything from the United States during the requested time frame, September 1, 2025 to February 4, 2026. The summons, included in the complaint, does not give a specific reason for the investigation beyond citing the Tariff Act. Lead attorney Michael Perloff, an ACLU-DC senior staff attorney representing the unnamed man, was quoted in WIRED's reporting: "I don't know what the government knows about our client's residence, but it's clear that the government isn't stopping to find out." The lawsuit's framing is that DHS exceeded the statutory authority of a customs law by using it for what looks like a speech-related investigation against a non-U.S. resident.
This is the legal-novelty axis of the case. Even within the broader DHS administrative-subpoena pattern documented in February 2026 by The New York Times, TechCrunch, and Daily Beast — which has produced hundreds of subpoenas to Google, Meta, Reddit, and Discord targeting accounts critical of ICE — the use of the Tariff Act for a non-U.S. resident is on the outer edge. Most of the prior subpoenas targeted U.S.-based anonymous accounts. The Canadian case extends the framework to people DHS would ordinarily have no jurisdictional pathway to investigate.
The Broader DHS Subpoena Pattern Around This Case
The Canadian lawsuit lands inside a now-substantial pattern that civil-liberties organizations have been documenting for months. Hundreds of DHS administrative subpoenas have been issued to Google, Meta, Reddit, and Discord over the past year, focused on anonymous accounts that criticize ICE or post information about ICE operations. The subpoenas were "previously used sparingly," per New York Times reporting, but have become "increasingly common in recent months."
The pattern of legal pushback has been informative. DHS withdrew a subpoena targeting the Pennsylvania Facebook page Montco Community Watch after the ACLU filed a federal motion arguing the targeted speech was protected. DHS withdrew five additional subpoenas in September 2025 after Bloomberg-reported lawsuits by anonymous Instagram account owners. The Electronic Frontier Foundation sued DHS and ICE in late April 2026 over the agencies' failure to respond to FOIA requests for records about the use of administrative subpoenas. EFF also asked California's and New York's attorneys general to investigate Google for deceptive trade practices for not consistently notifying users before complying.
EFF's reporting documents specific cases that frame the speech-targeting concern: in 2025, Google handed over Amandla Thomas-Johnson's data to ICE without giving him the chance to challenge the subpoena, breaking what EFF describes as a nearly decade-long promise to notify users. A doctoral student was targeted with an ICE subpoena after briefly attending a pro-Palestine protest. In October 2025, DHS sent Google a subpoena demanding information about a retiree who had emailed the agency asking it to use "common sense and decency" in a high-profile asylum case — federal agents later appeared on the retiree's doorstep.
Google's stated policy, given to NYT and others, is that the company informs users when their accounts have been subpoenaed, "unless under legal order not to or in an exceptional circumstance," and that it pushes back against demands it considers overbroad. DHS's standard response, per a spokesperson quoted in subsequent reporting: "Any allegation DHS and its components are attempting to 'squash' free speech is categorically FALSE." Our policy and government coverage tracks the regulatory and litigation arcs around these patterns.
Why This Is a CISO Question, Not Just a Civil-Liberties One
The reason this story matters for security and privacy programs goes beyond the speech dimension. The Canadian case formalizes a question that vendor-risk and privacy teams have been navigating informally: when a U.S. authority compels a U.S.-domiciled platform to disclose data on a non-U.S. user, what is the platform's response? Google's stated policy of user notification is a meaningful protection — but only when the platform notifies, only when there is no gag order, and only when the user has the resources and time to challenge.
For organizations operating internationally, the practical implications are concrete. If your service has U.S. operations, U.S. authorities can compel disclosure of data on non-U.S. users via legal pathways that may include administrative subpoenas without judicial approval. Whether your privacy policy and terms of service disclose this clearly is now a meaningful trust question — not a theoretical one. The Canadian case will, depending on its outcome, either confirm or constrain the Tariff Act pathway, but the general principle that U.S.-domiciled platforms are reachable by U.S. authority is unchanged. The friction this creates in international relationships is not hypothetical — see our reporting on how the Coupang breach turned a corporate data leak into a U.S.–South Korea diplomatic standoff for an adjacent example of cross-border data politics in 2026.
Defender Actions for Privacy and Vendor-Risk Programs
- For organizations operating internationally: review data-handling and law-enforcement-request policies for non-U.S. customers. If your service has U.S. operations, U.S. authorities can compel disclosure of data on non-U.S. users. Document where in your privacy policy and terms of service this is disclosed; if it is not disclosed clearly, get legal review on a 30-day timeline.
- For privacy-program managers: use this case as a forcing event to brief leadership on the administrative-subpoena pattern. Most CISOs and privacy officers underestimate how routine DHS administrative subpoenas have become. Get a quarterly metric in front of your privacy committee covering subpoena volume, response policy, and user-notification practice.
- For platforms and services that host user-generated content: establish a written policy on user notification before you receive a subpoena and have to make a real-time decision. Google's stated position (notify unless legally prohibited) and Meta's behavior (notify and give 10–14 days) are emerging norms. Document yours.
- Brief legal counsel on the Tariff Act pathway specifically. The novel jurisdictional reach has implications for international customers' trust and for service-design decisions about where data is stored and what notice is provided. The lawsuit outcome will affect whether the pathway gets narrowed, sustained, or expanded.
- For organizations with employees who may have publicly criticized U.S. immigration enforcement online: this is a reasonable moment to remind staff that platform privacy expectations may not match the actual disclosure regime. The point is not to discourage speech; it is to make sure people understand the technical reality of cross-border data exposure when it exists.
The CyberSignal Analysis
Signal 01 — The U.S.-domiciled-platform pathway is the structural pivot
The substantive innovation in this case is not the Tariff Act citation; it is the use of a U.S. legal pathway, against a U.S. company, to obtain data on a non-U.S. resident. The architecture that enables it is the same architecture that makes Google, Meta, and other large platforms commercially valuable: global user bases, U.S.-headquartered data infrastructure, a single corporate entity reachable by U.S. process. International users have always been theoretically reachable by U.S. authority through these companies. What changes with this case is that the theoretical reach has now been activated against a person whose only connection to the U.S. is online speech and the residence of the platform he used. Whether the courts permit this expansion or constrain it will set the template for how non-U.S. residents experience U.S.-domiciled services going forward.
Signal 02 — Administrative subpoenas have become routine and the legal challenge model is the only working brake
The pattern is now visible across multiple cases: DHS issues an administrative subpoena, the platform notifies the user (sometimes), the user challenges in court with help from ACLU or EFF, DHS withdraws before a judge rules. The pattern works only when the targeted user has resources, awareness, and time. ACLU Pennsylvania attorney Steve Loney, quoted earlier in the broader subpoena coverage, described the dynamic: "The government is taking more liberties than they used to. It's a whole other level of frequency and lack of accountability." For most targeted users, the legal challenge model is not accessible — which is a feature, not a bug, of the administrative-subpoena framework. The Canadian lawsuit, with ACLU representation, is the version of this case that will produce a published ruling. Most do not.
Signal 03 — Google's notification policy is the most important platform-level variable
The single most consequential platform behavior in this story is whether Google notifies the targeted user. Google's stated policy is to notify unless legally prohibited or in exceptional circumstances. The 2025 Amandla Thomas-Johnson case, where Google handed over data without notification, is the documented exception that shows the policy is not absolute. For users of any platform, the practical question is whether the notification policy is enforced reliably and whether it survives gag orders and emergency-disclosure pressure. EFF's open letter to ten major tech companies — Amazon, Apple, Discord, Google, Meta, Microsoft, Reddit, Snap, TikTok, and X — asks for written commitments to court orders before compliance, user notification, and resistance to gag orders. The companies that codify those commitments and audit themselves against them will be the platforms users can trust in cases like this. The companies that do not will produce more Amandla Thomas-Johnson-shaped surprises.
