DOJ demands Apple, Google and Amazon unmask 100,000+ car app users

The U.S. Division of Justice has issued subpoenas to Apple, Google, Amazon and Walmart demanding private knowledge on no less than 100,000 individuals who used or bought a automobile tuning app, in what privateness advocates are calling one of the vital sweeping client knowledge calls for ever sought by civil litigation discovery.

The subpoenas, disclosed in a joint letter filed earlier this month with the court docket, stem from a 2021 lawsuit the DOJ introduced towards EZ Lynk, a Cayman Islands-based know-how firm. The federal government alleges that EZ Lynk bought defeat units – {hardware} and software program designed to take away emissions controls from automobiles – in violation of the Clear Air Act. EZ Lynk disputes that characterization.

The dimensions of the demand is phenomenal. In line with the court docket submitting, Apple and Google had been subpoenaed between March and April 2026 for particulars on anybody who downloaded EZ Lynk’s Auto Agent app. Separate subpoenas had been served on Amazon and Walmart, requesting names and addresses of people that purchased the bodily EZ Lynk {hardware} – a dongle that plugs right into a automobile’s onboard diagnostics port. Collectively, the requests cowl the private knowledge of no less than 100,000 people, although the precise determine may very well be significantly increased.

What the EZ Lynk {hardware} truly does

The Auto Agent system connects to a automobile’s OBD-II port, a standardized diagnostic connector discovered on nearly each automobile bought in america since 1996. As soon as related, it communicates wirelessly with a smartphone app and permits customers to learn diagnostic knowledge, monitor engine efficiency parameters, and add customized software program calibrations – generally referred to as “tunes” – to the automobile’s engine management unit.

EZ Lynk argues the system has a number of respectable purposes. Fleet operators use it for distant automobile monitoring. Fanatics use it for efficiency upgrades that don’t essentially have an effect on emissions outputs. Automobile homeowners use it to diagnose fault codes and perceive what a dashboard warning mild means. The federal government, nonetheless, has compiled proof – together with Fb posts and messages on EZ Lynk’s personal boards – displaying customers discussing learn how to use the product to take away diesel particulate filters, disable selective catalytic discount techniques, and strip out different emissions controls.

Defeat units and the Clear Air Act

Below the Clear Air Act, it’s illegal to fabricate, promote, or set up any system whose principal impact is to bypass or render inoperative a motorcar’s emissions management system. These are referred to as defeat units, a time period that gained wider public consciousness after Volkswagen admitted in 2015 to putting in software program in hundreds of thousands of diesel vehicles that activated emissions controls throughout testing however disabled them in regular driving.

The EZ Lynk case includes aftermarket defeat units – merchandise bought to automobile homeowners after the unique buy, relatively than embedded by the producer. Enforcement on this house has been important. The EPA finalized 172 civil enforcement instances from fiscal 12 months 2020 by 2023 involving aftermarket defeat units, leading to civil penalties totalling $55.5 million. Legal instances over the identical interval produced an extra $5.6 million in penalties.

EZ Lynk was based in 2014 by mechanics Brad Gintz and Thomas Wooden. The corporate, which has remained bootstrapped, expanded from its authentic car-tinkering focus into fleet monitoring providers for patrons throughout america and Canada. Its merchandise developed a following in automotive hacking circles and the broader “proper to restore” motion, the place customers consider they need to be free to change merchandise they’ve bought.

The DOJ’s first authorized impediment: Part 230

Earlier than the info calls for turned the central controversy, EZ Lynk pursued a special authorized technique. The corporate argued it was protected by Part 230 of the Communications Decency Act of 1996, which offers immunity to interactive pc service suppliers when customers misuse their platforms for unlawful functions. EZ Lynk’s place was that it merely supplied a software program platform and couldn’t be held chargeable for what customers selected to do with it.

A decide rejected that argument in August 2025, permitting the case to proceed. Tom McBrien, counsel on the Digital Privateness Data Heart, wrote on the time that know-how firms shouldn’t be ready to make use of Part 230 as a protect after they knowingly promote instruments for unlawful purposes. McBrien cited EZ Lynk’s personal patent purposes as proof, noting they described options particularly designed to sidestep emissions rules.

The subpoenas and the size drawback

With the Part 230 protection disposed of, the DOJ moved into discovery – the section of litigation the place events collect proof. It was on this context that the federal government served the 4 subpoenas in search of consumer knowledge.

In line with EZ Lynk’s legal professionals within the joint court docket letter, Apple and Google are planning to contest the subpoenas. Walmart declined to remark publicly. Not one of the different firms subpoenaed responded to a request for remark.

The federal government’s acknowledged rationale is witness identification. DOJ legal professionals need to interview individuals who truly used EZ Lynk’s know-how, to construct proof about how the product was utilized in follow. The federal government mentioned within the letter that its request was honest and acceptable, and that it had “constantly sought buyer info” for this objective. It had already offered to the court docket social media posts and discussion board discussions displaying customers using the merchandise to take away emissions controls.

EZ Lynk’s legal professionals pushed again sharply. “These requests for doubtlessly a whole lot of 1000’s of individuals’s PII go effectively past the wants of this case and create severe privateness considerations,” they wrote. “Investigating this declare doesn’t require figuring out every one who has used the product.”

The third-party doctrine argument

Central to the federal government’s authorized reasoning is a precept referred to as the third-party doctrine. When customers signed up for EZ Lynk’s service, they supplied private info and agreed to the corporate’s phrases of use. The DOJ argued within the letter that, having executed so, these customers “not have a cognizable privateness curiosity as to that info.”

Aaron Mackey, deputy authorized director on the Digital Frontier Basis, described that argument as “significantly problematic.” Most customers by no means learn firm phrases and situations intimately, he famous. Moreover, he mentioned the demand for all customers’ knowledge “raises questions on why they need this knowledge and what they will use it for past the prosecution of this case.” The priority is that people who merely downloaded an app or ordered a bit of {hardware} might discover themselves implicated in a federal enforcement motion with no direct connection to any alleged wrongdoing.

The third-party doctrine has a contested current authorized historical past. In Carpenter v. United States (2018), the Supreme Court docket held that people retain an affordable expectation of privateness in historic cell-site location knowledge, regardless that it’s collected by a 3rd get together. The court docket refused to increase the normal third-party doctrine to digital knowledge generated passively and at scale. That ruling left open many questions on how far Fourth Modification safety extends to different classes of consumer knowledge held by firms.

McBrien at EPIC drew a direct line from the present case to these constitutional questions. “It is worrying that the federal government might get hold of personally identifiable info for each buyer by discovery, which is exterior of the privateness protections supplied by the Fourth Modification and different privateness statutes,” he mentioned.

Discovery versus warrant: the constitutional hole

One cause this case attracted consideration from civil liberties organizations is that it exposes a structural hole in privateness legislation. Acquiring a warrant requires the federal government to exhibit possible trigger and to explain with particularity the individuals or issues to be seized. Civil litigation discovery operates below completely different and extra permissive guidelines – events can search broad classes of paperwork and knowledge as long as they’re fairly calculated to result in admissible proof.

That hole has lengthy involved privateness students. When the federal government is the plaintiff in civil litigation, it may well use discovery mechanisms to acquire knowledge it couldn’t entry by way of a legal warrant course of. The EZ Lynk subpoenas are an unusually stark instance of this dynamic taking part in out in a client know-how context.

The case isn’t with out historic precedent, although the size is considerably bigger than prior examples. In 2019, Apple and Google had been ordered to offer info on greater than 10,000 individuals who had put in a gun scope utility on their smartphones. The present EZ Lynk demand covers no less than 10 occasions as many people.

What the info requests cowl

The app retailer subpoenas to Apple and Google are in search of personally identifiable info – names, addresses, and doubtlessly buy historical past or account particulars – for each consumer who downloaded the Auto Agent app from both the App Retailer or Google Play. The subpoenas to Amazon and Walmart search names and addresses for patrons who bought the bodily EZ Lynk {hardware} system.

The breadth of the requests signifies that individuals who could have downloaded the app out of curiosity, used it just for respectable diagnostics, or by no means activated the {hardware} for emissions-related functions would have their private info handed over to federal prosecutors. EZ Lynk’s legal professionals described this as inherently problematic: if the federal government’s purpose is to search out witnesses who used the product to avoid emissions controls, the info on law-abiding customers is irrelevant to that objective, but equally uncovered.

There may be additionally an extra dimension raised within the court docket letter. EZ Lynk’s legal professionals claimed the federal government had beforehand, in 2019, sought to accumulate consumer knowledge by requesting that EZ Lynk set up “a backdoor to the EZ Lynk system that may permit authorities monitoring of unsuspecting customers.” The federal government denied within the letter that it had ever requested for an “inappropriate backdoor.”

Justin Montalbano, president of the Automobile Hacking Village on the Def Con hacking convention in Las Vegas, objected to the federal government’s strategy. “Violating individuals’s privateness by subpoenaing an organization for private info is not the proper path to wash air,” he mentioned. In its place, Montalbano advised that obligatory annual inspections requiring drivers to have their automobiles checked for defeat units can be a extra focused and proportionate enforcement mechanism.

Montalbano additionally questioned whether or not aggressive authorized motion would deter modification habits in any respect. “Folks need to modify their vehicles and at all times will, no matter legal guidelines,” he mentioned.

The automobile modification and right-to-repair communities have lengthy argued that automobile homeowners ought to have the proper to tune and reprogram their very own vehicles, significantly for off-road or monitor use. The counter-argument, which the EPA and DOJ have constantly maintained, is that defeat units for on-road automobiles produce measurable will increase in nitrogen oxide and particulate matter emissions that hurt public well being, and that the cumulative affect of widespread set up is important.

Why this issues for the digital promoting and advertising know-how neighborhood

The EZ Lynk case, whereas centered on automotive emissions, has direct relevance for anybody who collects, holds, or processes consumer knowledge as a part of a enterprise. The case illustrates that client knowledge held by app shops and e-commerce platforms can turn into the topic of large-scale authorities discovery requests in civil litigation – not simply in legal investigations the place warrant necessities apply.

For advertising know-how practitioners, this can be a concrete demonstration of 1 class of privateness danger that customers bear when their knowledge is collected by third events. The Apple App Store policy changes around data sharing disclosure that Apple launched in November 2025 – requiring builders to explicitly disclose when private knowledge can be shared with third events – tackle added significance on this context. Customers who consent to knowledge assortment below an organization’s phrases of service could not admire that these phrases might make their knowledge accessible to authorities plaintiffs in civil litigation.

The SECURE Data Act, launched within the Home on April 21, 2026, proposes a nationwide framework for client knowledge privateness. That invoice explicitly addresses what have to be disclosed when knowledge is shared with governmental entities – a provision that straight speaks to the sort of civil discovery at situation within the EZ Lynk case. How courts and lawmakers resolve the strain between civil discovery guidelines and constitutional privateness protections will form the obligations of each firm that holds client knowledge.

The case additionally connects to broader questions on what occurs to consumer knowledge collected below app retailer platforms. The Google privacy verdict of September 2025, by which a federal jury awarded $425.7 million towards Google for persevering with to gather knowledge by its Firebase SDK even after customers disabled monitoring settings, demonstrates that courts are scrutinizing how platform knowledge practices work together with consumer expectations. A inhabitants of customers who believed they had been merely downloading a automobile diagnostics software could have equally restricted consciousness that their identities may very well be disclosed to federal prosecutors below civil discovery guidelines.

Timeline

• 2014 – EZ Lynk based by Brad Gintz and Thomas Wooden, initially targeted on automobile tuning instruments for fans
• 2019 – Apple and Google ordered to offer info on over 10,000 individuals who put in a gun scope app, an earlier precedent for app-store consumer knowledge subpoenas; EZ Lynk legal professionals later allege the federal government additionally sought a system backdoor for consumer monitoring that 12 months
• 2021 – The Division of Justice information swimsuit towards EZ Lynk, alleging the corporate bought defeat units in violation of the Clear Air Act
• August 2025 – A decide rejects EZ Lynk’s Part 230 protection, permitting the case to proceed; Google ordered to pay $425.7 million in a separate privacy verdict over undisclosed Firebase knowledge assortment
• November 2025 – Apple tightens App Store data sharing disclosure requirements, requiring specific consumer consent earlier than private knowledge is shared with third events or AI techniques
• March – April 2026 – DOJ subpoenas Apple and Google for knowledge on Auto Agent app downloaders; separate subpoenas served on Amazon and Walmart for {hardware} purchaser knowledge
• April 21, 2026 – SECURE Data Act introduced within the Home, proposing a nationwide framework for client knowledge privateness together with guidelines on authorities knowledge sharing disclosures
• Early Might 2026 – EZ Lynk and DOJ file a joint letter to the court docket disclosing the subpoenas and the disputes over their scope; Apple and Google sign plans to battle the subpoenas
• Might 14, 2026 – Forbes reports on the subpoenas, citing the joint court docket letter

Abstract

Who: The U.S. Division of Justice, EZ Lynk (a Cayman Islands-based automotive know-how firm based in 2014), Apple, Google, Amazon, Walmart, the Digital Privateness Data Heart, and the Digital Frontier Basis.

What: The DOJ issued civil litigation subpoenas to Apple and Google demanding personally identifiable info on no less than 100,000 individuals who downloaded EZ Lynk’s Auto Agent app, and to Amazon and Walmart for names and addresses of people that purchased the related {hardware} system. EZ Lynk and privateness organizations contest the subpoenas as overbroad, elevating Fourth Modification considerations. Apple and Google are reportedly planning to battle the calls for.

When: The subpoenas had been served between March and April 2026. The joint court docket letter disclosing the dispute was filed in early Might 2026. The underlying DOJ lawsuit towards EZ Lynk was filed in 2021, and a decide cleared it to proceed in August 2025 after rejecting EZ Lynk’s Part 230 protection.

The place: The case is pending in U.S. federal court docket. EZ Lynk is registered within the Cayman Islands and operates in america and Canada. The subpoenas goal knowledge held by Apple, Google, Amazon, and Walmart.

Why: The DOJ claims it wants consumer knowledge to determine witnesses who can testify about how EZ Lynk’s know-how was utilized in follow, particularly to take away emissions controls from automobiles in alleged violation of the Clear Air Act. Privateness advocates argue that the demand encompasses hundreds of thousands of information factors on individuals with no connection to any wrongdoing, and that utilizing civil discovery to bypass Fourth Modification warrant protections units a harmful precedent for client knowledge privateness broadly.