The U.S. Department of Justice has issued subpoenas to Apple, Google, Amazon and Walmart demanding personal data on at least 100,000 people who used or purchased a car tuning app, in what privacy advocates are calling one of the most sweeping consumer data demands ever sought through civil litigation discovery.

The subpoenas, disclosed in a joint letter filed earlier this month with the court, stem from a 2021 lawsuit the DOJ brought against EZ Lynk, a Cayman Islands-based technology company. The government alleges that EZ Lynk sold defeat devices - hardware and software designed to remove emissions controls from vehicles - in violation of the Clean Air Act. EZ Lynk disputes that characterization.

The scale of the demand is exceptional. According to the court filing, Apple and Google were subpoenaed between March and April 2026 for details on anyone who downloaded EZ Lynk's Auto Agent app. Separate subpoenas were served on Amazon and Walmart, requesting names and addresses of people who bought the physical EZ Lynk hardware - a dongle that plugs into a vehicle's onboard diagnostics port. Together, the requests cover the personal data of at least 100,000 individuals, though the actual figure could be considerably higher.

What the EZ Lynk hardware actually does

The Auto Agent device connects to a vehicle's OBD-II port, a standardized diagnostic connector found on virtually every car sold in the United States since 1996. Once connected, it communicates wirelessly with a smartphone app and enables users to read diagnostic data, monitor engine performance parameters, and upload custom software calibrations - commonly called "tunes" - to the vehicle's engine control unit.

EZ Lynk argues the device has multiple legitimate applications. Fleet operators use it for remote vehicle monitoring. Enthusiasts use it for performance upgrades that do not necessarily affect emissions outputs. Car owners use it to diagnose fault codes and understand what a dashboard warning light means. The government, however, has compiled evidence - including Facebook posts and messages on EZ Lynk's own forums - showing users discussing how to use the product to remove diesel particulate filters, disable selective catalytic reduction systems, and strip out other emissions controls.

Defeat devices and the Clean Air Act

Under the Clean Air Act, it is unlawful to manufacture, sell, or install any device whose principal effect is to bypass or render inoperative a motor vehicle's emissions control system. These are called defeat devices, a term that gained wider public awareness after Volkswagen admitted in 2015 to installing software in millions of diesel cars that activated emissions controls during testing but disabled them in normal driving.

The EZ Lynk case involves aftermarket defeat devices - products sold to vehicle owners after the original purchase, rather than embedded by the manufacturer. Enforcement in this space has been significant. The EPA finalized 172 civil enforcement cases from fiscal year 2020 through 2023 involving aftermarket defeat devices, resulting in civil penalties totalling $55.5 million. Criminal cases over the same period produced an additional $5.6 million in penalties.

EZ Lynk was founded in 2014 by mechanics Brad Gintz and Thomas Wood. The company, which has remained bootstrapped, expanded from its original car-tinkering focus into fleet tracking services for customers across the United States and Canada. Its products developed a following in automotive hacking circles and the broader "right to repair" movement, where users believe they should be free to modify products they have purchased.

Before the data demands became the central controversy, EZ Lynk pursued a different legal strategy. The company argued it was protected by Section 230 of the Communications Decency Act of 1996, which provides immunity to interactive computer service providers when users misuse their platforms for illegal purposes. EZ Lynk's position was that it merely provided a software platform and could not be held responsible for what users chose to do with it.

A judge rejected that argument in August 2025, allowing the case to proceed. Tom McBrien, counsel at the Electronic Privacy Information Center, wrote at the time that technology companies should not be able to use Section 230 as a shield when they knowingly promote tools for illegal applications. McBrien cited EZ Lynk's own patent applications as evidence, noting they described features specifically designed to sidestep emissions regulations.

The subpoenas and the scale problem

With the Section 230 defense disposed of, the DOJ moved into discovery - the phase of litigation where parties gather evidence. It was in this context that the government served the four subpoenas seeking user data.

According to EZ Lynk's lawyers in the joint court letter, Apple and Google are planning to contest the subpoenas. Walmart declined to comment publicly. None of the other companies subpoenaed responded to a request for comment.

The government's stated rationale is witness identification. DOJ lawyers want to interview people who actually used EZ Lynk's technology, to build evidence about how the product was used in practice. The government said in the letter that its request was fair and appropriate, and that it had "consistently sought customer information" for this purpose. It had already presented to the court social media posts and forum discussions showing users employing the products to remove emissions controls.

EZ Lynk's lawyers pushed back sharply. "These requests for potentially hundreds of thousands of people's PII go well beyond the needs of this case and create serious privacy concerns," they wrote. "Investigating this claim does not require identifying each person who has used the product."

The third-party doctrine argument

Central to the government's legal reasoning is a principle called the third-party doctrine. When users signed up for EZ Lynk's service, they provided personal information and agreed to the company's terms of use. The DOJ argued in the letter that, having done so, those users "no longer have a cognizable privacy interest as to that information."

Aaron Mackey, deputy legal director at the Electronic Frontier Foundation, described that argument as "particularly problematic." Most users never read company terms and conditions in detail, he noted. Furthermore, he said the demand for all users' data "raises questions about why they want this data and what they're going to use it for beyond the prosecution of this case." The concern is that individuals who simply downloaded an app or ordered a piece of hardware could find themselves implicated in a federal enforcement action with no direct connection to any alleged wrongdoing.

The third-party doctrine has a contested recent legal history. In Carpenter v. United States (2018), the Supreme Court held that individuals retain a reasonable expectation of privacy in historical cell-site location data, even though it is collected by a third party. The court refused to extend the traditional third-party doctrine to digital data generated passively and at scale. That ruling left open many questions about how far Fourth Amendment protection extends to other categories of user data held by companies.

McBrien at EPIC drew a direct line from the current case to those constitutional questions. "It's worrying that the government could obtain personally identifiable information for every customer through discovery, which is outside of the privacy protections provided by the Fourth Amendment and other privacy statutes," he said.

Discovery versus warrant: the constitutional gap

One reason this case attracted attention from civil liberties organizations is that it exposes a structural gap in privacy law. Obtaining a warrant requires the government to demonstrate probable cause and to describe with particularity the persons or things to be seized. Civil litigation discovery operates under different and more permissive rules - parties can seek broad categories of documents and information so long as they are reasonably calculated to lead to admissible evidence.

That gap has long concerned privacy scholars. When the government is the plaintiff in civil litigation, it can use discovery mechanisms to obtain data it could not access via a criminal warrant process. The EZ Lynk subpoenas are an unusually stark example of this dynamic playing out in a consumer technology context.

The case is not without historical precedent, though the scale is substantially larger than prior examples. In 2019, Apple and Google were ordered to provide information on more than 10,000 people who had installed a gun scope application on their smartphones. The current EZ Lynk demand covers at least 10 times as many individuals.

What the data requests cover

The app store subpoenas to Apple and Google are seeking personally identifiable information - names, addresses, and potentially purchase history or account details - for every user who downloaded the Auto Agent app from either the App Store or Google Play. The subpoenas to Amazon and Walmart seek names and addresses for customers who purchased the physical EZ Lynk hardware device.

The breadth of the requests means that people who may have downloaded the app out of curiosity, used it only for legitimate diagnostics, or never activated the hardware for emissions-related purposes would have their personal information handed over to federal prosecutors. EZ Lynk's lawyers described this as inherently problematic: if the government's goal is to find witnesses who used the product to circumvent emissions controls, the data on law-abiding users is irrelevant to that purpose, yet equally exposed.

There is also a further dimension raised in the court letter. EZ Lynk's lawyers claimed the government had previously, in 2019, sought to acquire user data by requesting that EZ Lynk install "a backdoor to the EZ Lynk system that would allow government monitoring of unsuspecting users." The government denied in the letter that it had ever asked for an "inappropriate backdoor."

Reactions from the car modification community

Justin Montalbano, president of the Car Hacking Village at the Def Con hacking conference in Las Vegas, objected to the government's approach. "Violating people's privacy by subpoenaing a company for personal information isn't the right path to clean air," he said. As an alternative, Montalbano suggested that mandatory annual inspections requiring drivers to have their vehicles checked for defeat devices would be a more targeted and proportionate enforcement mechanism.

Montalbano also questioned whether aggressive legal action would deter modification behavior at all. "People want to modify their cars and always will, regardless of laws," he said.

The car modification and right-to-repair communities have long argued that vehicle owners should have the right to tune and reprogram their own cars, particularly for off-road or track use. The counter-argument, which the EPA and DOJ have consistently maintained, is that defeat devices for on-road vehicles produce measurable increases in nitrogen oxide and particulate matter emissions that harm public health, and that the cumulative impact of widespread installation is significant.

Why this matters for the digital advertising and marketing technology community

The EZ Lynk case, while centered on automotive emissions, has direct relevance for anyone who collects, holds, or processes user data as part of a business. The case illustrates that consumer data held by app stores and e-commerce platforms can become the subject of large-scale government discovery requests in civil litigation - not just in criminal investigations where warrant requirements apply.

For marketing technology practitioners, this is a concrete demonstration of one category of privacy risk that users bear when their data is collected by third parties. The Apple App Store policy changes around data sharing disclosure that Apple introduced in November 2025 - requiring developers to explicitly disclose when personal data would be shared with third parties - take on added significance in this context. Users who consent to data collection under a company's terms of service may not appreciate that those terms could make their data accessible to government plaintiffs in civil litigation.

The SECURE Data Act, introduced in the House on April 21, 2026, proposes a national framework for consumer data privacy. That bill explicitly addresses what must be disclosed when data is shared with governmental entities - a provision that directly speaks to the kind of civil discovery at issue in the EZ Lynk case. How courts and lawmakers resolve the tension between civil discovery rules and constitutional privacy protections will shape the obligations of every company that holds consumer data.

The case also connects to broader questions about what happens to user data collected under app store platforms. The Google privacy verdict of September 2025, in which a federal jury awarded $425.7 million against Google for continuing to collect data through its Firebase SDK even after users disabled tracking settings, demonstrates that courts are scrutinizing how platform data practices interact with user expectations. A population of users who believed they were simply downloading a car diagnostics tool may have equally limited awareness that their identities could be disclosed to federal prosecutors under civil discovery rules.

Timeline

  • 2014 - EZ Lynk founded by Brad Gintz and Thomas Wood, initially focused on car tuning tools for enthusiasts
  • 2019 - Apple and Google ordered to provide information on over 10,000 people who installed a gun scope app, an earlier precedent for app-store user data subpoenas; EZ Lynk lawyers later allege the government also sought a system backdoor for user monitoring that year
  • 2021 - The Department of Justice files suit against EZ Lynk, alleging the company sold defeat devices in violation of the Clean Air Act
  • August 2025 - A judge rejects EZ Lynk's Section 230 defense, allowing the case to proceed; Google ordered to pay $425.7 million in a separate privacy verdict over undisclosed Firebase data collection
  • November 2025 - Apple tightens App Store data sharing disclosure requirements, requiring explicit user consent before personal data is shared with third parties or AI systems
  • March - April 2026 - DOJ subpoenas Apple and Google for data on Auto Agent app downloaders; separate subpoenas served on Amazon and Walmart for hardware purchaser data
  • April 21, 2026 - SECURE Data Act introduced in the House, proposing a national framework for consumer data privacy including rules on government data sharing disclosures
  • Early May 2026 - EZ Lynk and DOJ file a joint letter to the court disclosing the subpoenas and the disputes over their scope; Apple and Google signal plans to fight the subpoenas
  • May 14, 2026 - Forbes reports on the subpoenas, citing the joint court letter

Summary

Who: The U.S. Department of Justice, EZ Lynk (a Cayman Islands-based automotive technology company founded in 2014), Apple, Google, Amazon, Walmart, the Electronic Privacy Information Center, and the Electronic Frontier Foundation.

What: The DOJ issued civil litigation subpoenas to Apple and Google demanding personally identifiable information on at least 100,000 people who downloaded EZ Lynk's Auto Agent app, and to Amazon and Walmart for names and addresses of people who bought the associated hardware device. EZ Lynk and privacy organizations contest the subpoenas as overbroad, raising Fourth Amendment concerns. Apple and Google are reportedly planning to fight the demands.

When: The subpoenas were served between March and April 2026. The joint court letter disclosing the dispute was filed in early May 2026. The underlying DOJ lawsuit against EZ Lynk was filed in 2021, and a judge cleared it to proceed in August 2025 after rejecting EZ Lynk's Section 230 defense.

Where: The case is pending in U.S. federal court. EZ Lynk is registered in the Cayman Islands and operates in the United States and Canada. The subpoenas target data held by Apple, Google, Amazon, and Walmart.

Why: The DOJ claims it needs user data to identify witnesses who can testify about how EZ Lynk's technology was used in practice, specifically to remove emissions controls from vehicles in alleged violation of the Clean Air Act. Privacy advocates argue that the demand encompasses millions of data points on people with no connection to any wrongdoing, and that using civil discovery to bypass Fourth Amendment warrant protections sets a dangerous precedent for consumer data privacy broadly.
