The Electronic Frontier Foundation reported this month that a user’s data ended up with ICE despite Google having made explicit assurances about that data’s privacy. The piece has attracted substantial discussion, and the obvious question is how a company’s stated privacy guarantee can simply fail. The answer involves a specific piece of technical history, a legal framework that predates the modern cloud by three decades, and a structural problem that affects every major platform, not only Google.
The Promise That Seemed Architectural
In December 2023, Google announced it would migrate Google Maps Timeline data, the continuous location history accumulated for users who had the feature enabled, from Google’s servers to users’ own devices. The framing was deliberate: data stored on a device that Google doesn’t hold cannot be produced in response to a legal demand served on Google. This wasn’t presented as a policy change or a new privacy toggle. It was an architectural shift that would physically remove certain data from Google’s custody.
For anyone who had been following the geofence warrant story, this carried real weight. Google’s internal location database, reported on by the New York Times in 2019, had quietly become a routine investigative resource for law enforcement. Police agencies would send Google a geographic boundary and a time window, and Google would return identifiers for every device whose location history showed them present in that area during that period. The practice required no suspect in advance; it cast a geographic net over everyone who had been nearby. Google received over 11,000 such demands in 2020. Moving that data to devices would, in principle, close that window.
What the Migration Actually Covered
The technical scope of the 2023 migration was narrower than its framing suggested. Google moved Maps Timeline data. It did not move Web and App Activity records, which capture search queries, YouTube viewing history, app interactions, and website visits, all of which can establish location with reasonable precision through the content of the searches alone. It did not alter how Gmail, Calendar, or login authentication records are stored. Users enrolled in Google One backup services could find that their device-local data, including the newly migrated Timeline entries, had synced back to Google’s servers through the backup path.
A user who understood the migration as making their location data legally unreachable was working from an incomplete model. Multiple data streams that imply or directly record location remained on Google infrastructure, subject to the same legal access mechanisms as before. The migration reduced one specific exposure while leaving others intact, and the announcement did not fully account for that gap.
The Civil Enforcement Distinction
Most public discussion of government data access focuses on the Fourth Amendment and its warrant requirement. The Carpenter v. United States decision in 2018 extended Fourth Amendment protections to cell-site location information held for extended periods, requiring a warrant rather than a subpoena. That ruling was the Supreme Court’s most significant limitation of the third-party doctrine in decades, establishing that sharing location data with a carrier doesn’t automatically strip it of constitutional protection.
But Carpenter applies to criminal law enforcement. Immigration enforcement is largely civil in character, and the distinction matters considerably for data access. ICE operates under legal authority that does not require the same warrant standards applicable to criminal investigation. Administrative subpoenas, which carry a lower threshold than criminal warrants and do not require prior judicial approval, are a standard ICE tool for obtaining records from institutions. Courts have not uniformly extended Carpenter’s reasoning to civil immigration proceedings, which means the legal floor for data access in that context can sit meaningfully lower than in a parallel criminal case.
Layered beneath this is the Electronic Communications Privacy Act, passed in 1986 when the largest commercially available hard disk held roughly 10 megabytes. ECPA establishes tiered protections for different categories of electronic data: content receives stronger protection than metadata, real-time interception carries a higher bar than access to stored records. The thresholds were calibrated for a world of dial-up bulletin boards. They have not been comprehensively updated to account for continuous cloud-synchronized location trails, multi-year search histories, or the data exhaust produced by always-connected smartphones.
The third-party doctrine, established in Smith v. Maryland (1979), holds that information voluntarily shared with a third party loses Fourth Amendment protection. Every search query, every location ping transmitted before the 2023 migration, every authentication log Google retains falls under this principle. A company can contest an individual demand as overbroad or legally deficient, and Google has done exactly that with geofence warrants on specificity grounds. But that contest happens within the legal system. A company that receives a valid legal order and chooses not to comply faces contempt; the privacy promise and the legal compulsion are not operating in the same register.
What Signal Gets Right
The structural problem here is not unique to Google. Any company that retains user data can be served with legal process compelling its production. The only way to make compliance technically impossible is to not have the data.
Signal is the clearest production illustration of this principle. Its architecture is designed around the premise that the company should be genuinely unable to produce user message content, because it does not hold it. Metadata is minimized by design; Signal knows little about who communicates with whom, and it is structured so that what it does retain does not accumulate. When Signal has received legal demands, it has produced what it has, which amounts to account creation dates and last connection timestamps. That outcome is a consequence of architectural decisions made before any legal demand arrived, not of a stronger policy commitment than other messaging services make.
Google is not structured like Signal and cannot be. A general-purpose cloud platform serving billions of users requires holding and processing data; the business logic of Maps, Search, Gmail, and Drive depends on it. The 2023 Maps Timeline migration was a genuine reduction in one specific exposure. It did not make Google’s overall data footprint unavailable to legal process, and it did not address the civil-versus-criminal distinction that governs how immigration enforcement approaches data requests differently from criminal investigation.
The Gap Between Promise and Guarantee
For users whose threat model includes government data demands, the relevant question is not whether a company has made privacy commitments. It is whether the company is technically capable of producing the data at all. For Google’s core services, the answer is yes across most data streams. That is an acceptable trade-off for most people, who receive substantial value from those services and do not face the specific circumstances that make government data requests a practical threat.
For people who do face that exposure, the EFF’s reporting identifies a gap that is both technical and legal. Technical: the migration covered one data stream, not the broader set of data that can place a person at a location. Legal: the civil enforcement framework under which immigration agencies operate carries lower access thresholds than the criminal warrant standards that most privacy analysis assumes. The EFF has argued for years that ECPA reform is necessary to align legal protection with the data retention practices of modern cloud infrastructure. That argument has not grown less urgent.
Google’s 2023 announcement was a real step on one specific axis. The legal framework that converted it into a broken promise was in place long before Google made it, and moving a single data type to on-device storage was never going to be sufficient to change that.