The App Store Is A Dragnet
Part of the Big Tech's War on Users series.
This one got lost in the shuffle of other stories a couple weeks back, and I almost let it slide. That would have been a mistake. Because while the headlines have moved on, the case hasn't — and what's sitting inside it is worth paying attention to.
The DOJ wants Apple, Google, and Amazon to hand over the names, addresses, and purchase histories of more than 100,000 people connected to a car diagnostics app called EZ Lynk. Walmart received a separate demand — names and addresses of everyone who bought the physical hardware at retail.
Not 100,000 suspects. Not 100,000 people under investigation. 100,000 people who either had the app on their phone or bought the hardware at retail.
Let that number sit there for a second.
The case itself is a Clean Air Act enforcement action. The DOJ sued EZ Lynk back in 2021 over allegations that the company sells "defeat devices" — software that strips emissions controls from vehicles. EZ Lynk, which operates out of the Cayman Islands (conveniently beyond the reach of a direct US court order), says their app is a legitimate tool for performance monitoring, software upgrades, and diagnostics. The government says some people used it to delete their catalytic converters in software. Both things can be simultaneously true and still not justify what happened next.
EZ Lynk already tried to invoke Section 230 immunity — the shield typically used to protect platforms from liability for user-generated content. That failed. A district court initially dismissed the case on those grounds, but the Second Circuit Court of Appeals revived it in August 2025, ruling that EZ Lynk allegedly contributed directly to the creation of the "delete tunes" rather than simply hosting what users uploaded. The case is now on remand to the district court, with a possible path to the Supreme Court.
What happened next — after losing that immunity argument — is that the DOJ sent subpoenas to Apple and Google in March and April demanding the full identity stack on everyone who downloaded EZ Lynk's Auto Agent app. Names. Addresses. Purchase histories. Separate subpoenas went to Amazon and Walmart for names and addresses of everyone who bought the physical EZ Lynk hardware dongle. Over one hundred thousand people across all four requests. The company they're actually after is parked in the Cayman Islands, so they went to the retailers and app stores instead.
Privacy Guides, citing Inside EPA, called it nearly unprecedented — noting the only comparable case was from 2019, when the DOJ sought to identify around 10,000 purchasers of gun scope software. That was 10,000. This is ten times that.
EZ Lynk's own lawyers put it plainly in their letter to the court: "These requests for potentially hundreds of thousands of people's PII go well beyond the needs of this case and create serious privacy concerns. Investigating this claim does not require identifying each person who has used the product."
That's the company being sued saying the government's demand is overreach.
They're not wrong.
I've written before about what Apple's privacy promises actually cover and how that holds up under government pressure — and more specifically about what happens when a company that markets itself as your privacy guardian is simultaneously sitting on a database of every single thing you've ever downloaded, every purchase you've ever made, and your billing address. That database doesn't disappear because the privacy billboards are nice. It sits there. Waiting for the right subpoena.
This is that subpoena.
And the thing is — most of those 100,000 people probably used EZ Lynk to read their OBD codes, check why their check engine light was on, or tune some parameters on their truck. People do legitimate things with car diagnostic tools. That's what car diagnostic tools are for. The DOJ has already presented evidence of people using EZ Lynk specifically to remove emissions controls — forum posts, Facebook discussions, actual documentation. They have evidence. They have a case. What they don't have is any particular reason to need six figures' worth of customer PII to pursue it.
Unless the goal isn't just the company. Here's what the witness strategy actually looks like in practice.
The Witness Interview Problem
The government's stated rationale is that they want to interview witnesses about how people used the product. Think about what that actually looks like across 100,000 people.
Bucket one — the overwhelming majority — read a code, cleared it after a repair, and have nothing useful to offer. Their PII gets swept up anyway.
Bucket two — people who tell them to kick rocks. Which is their right. And then the DOJ has to decide if each one is worth litigating individually.
Bucket three — and this is the one worth paying attention to — the people who actually did remove their emissions controls, who are now sitting across from a federal agent.
(Quick aside — I'm not here to tell anyone what to do with their vehicle, and I'm not endorsing emissions tampering. This is about human nature and legal mechanics, full stop.)
Here's the thing about that third bucket that's become common enough knowledge to show up in TV courtroom dramas: lying to a federal agent is its own federal crime under 18 USC 1001, completely independent of whatever the original issue was. Martha Stewart didn't go to prison for insider trading. Michael Flynn didn't plead guilty to the underlying conduct. The "lying to a fed is its own charge" dynamic has been covered enough in true crime and legal drama that it's practically cultural literacy at this point.
The DOJ knows this. Which is what makes the interview strategy more cynical than it first appears. A panicked person talking to a federal agent without counsel isn't giving accurate testimony — they're giving survival testimony. And they now have to choose between admitting the underlying issue, staying silent (legally fine, but they may not know that in the moment), or getting one word wrong while scared. That third option hands the government a 1001 charge on top of everything else.
That's not witness gathering. That's a pressure funnel. And the 100,000-person subpoena is how you cast the net wide enough to find the people worth running through it.
The Offshore Problem
Here's the part that's easy to miss. A hundred thousand American interviews don't change EZ Lynk's geography one bit. The company is still in the Cayman Islands. Still outside US jurisdiction. Whatever the witness pool produces, it doesn't touch the people who built and sold the product — unless there's some bilateral agreement or financial relationship between the US and the Caymans that gives the DOJ something to leverage. That's possible. It's not guaranteed.
What the subpoena does change is the domestic picture. The users are here. The platforms are here. The retailers are here. And now you potentially have a user pool to prosecute directly on the consumer side, and precedent that app stores and retailers are compellable when a sufficient federal interest is framed correctly — because once you've established you can do it once, the next ask starts from a much stronger legal position.
It's also worth asking whether EZ Lynk's offshore structure is accidental. A company that sells a product with obvious legal exposure, incorporates in a jurisdiction beyond US reach, and distributes through US app stores and US retailers creates a very specific situation: if the legal fallout comes, it lands entirely on the American customer base while the company watches from Grand Cayman. That architecture may not be a coincidence.
I've written about how this pattern plays out when infrastructure holds more than it should — where the gap between what a platform promises and what it actually retains is exactly the gap a government request walks through. The app store is that gap here. So is the Amazon product listing. So is the Walmart checkout. The negotiation over whether to hand it over happens without you. You're not at the table. You're the agenda item.
Both Apple and Google are reportedly planning to challenge the subpoenas. That matters — but the challenge and the database are two separate things. The challenge is a good thing. The database is the problem. And getting scope defined on the record is precisely why the challenge matters, for this case and every one that comes after it.
What "Purchase History" Actually Means
There's a detail buried in this that deserves its own moment. "Purchase histories" isn't speculation — that's confirmed in the reported subpoena language across multiple sources including Forbes and the court filing. The DOJ explicitly asked for identities, addresses, and purchase histories from Apple, Google, and Amazon. The Walmart subpoena confirms retail hardware purchase data is in scope too — your name, your address, and a record of a physical product you ordered, tied to your account.
What isn't confirmed is how narrowly or broadly "purchase history" is scoped in the actual subpoena text — because we don't have it. If it's limited to app store transactions specifically, that's one thing. If it isn't carefully bounded, Apple Pay and Google Pay transaction records live in the same account ecosystem. That's not app store metadata — that's merchant names, amounts, dates, and locations of real-world transactions. Where you shop. Where you eat. Where you fill up. What you buy at the pharmacy. Things you'd fight hard to keep out of government hands under normal circumstances, that would ordinarily require a specific targeted warrant against you personally.
That's the question the challenge needs to answer explicitly before anyone complies with anything.
The Thread That Spawns Other Threads
Here's where it gets darker. Assume for a moment that financial or behavioral data comes in and an analyst reviewing it sees something interesting — a pattern, a merchant, a location, a timing — that has nothing to do with catalytic converters. That's potentially probable cause for something else entirely. A completely separate investigation, with its own clean paperwork, its own justification, that nobody looking at it would ever connect back to an emissions enforcement action against a Cayman Islands company.
The predicate disappears. The investigation it spawned looks entirely legitimate on its own documentation.
This is a documented and controversial law enforcement practice known as parallel construction — where the actual origin of an investigative thread gets obscured behind a cleaner-looking chain of evidence. It was publicly confirmed in a 2013 Reuters investigation where DEA officials acknowledged it on record. I touched on a version of this dynamic in the Proton piece — data gets reviewed, potentially shared laterally, and the "not relevant" determination happens after it's already been seen. Parallel construction is the logical extension of that. The data doesn't just sit there after it's been reviewed. It can actively generate new investigative threads that look entirely clean on their own paperwork.
To be clear — I'm not asserting this happens here specifically. I'm noting that the mechanism is real, documented, and considerably easier when a single broad subpoena hands you financial behavior data on a hundred thousand people who thought they were buying a car diagnostic tool.
This also isn't the first time platforms have been leaned on this way. Privacy Guides noted that in 2025 the government demanded Apple and Google remove apps like ICEBlock — which showed where ICE agents had been spotted — from their stores entirely. The compellability of platforms isn't a new idea. It's a muscle that's been getting exercised quietly for a while now. EZ Lynk is just the biggest flex yet.
Best Case. Worst Case.
Best case — the DOJ leverages whatever agreement exists between the US and the Cayman Islands, gets some cooperation out of EZ Lynk, or forces the platforms to pull the app entirely. An app ban is probably the most realistic win here. The company still exists. Still operates. Just loses US distribution, which stings but doesn't end them — especially if they pivot to direct APK distribution or sideloading.
Worst case — they don't get anywhere near the offshore company, they go after individual users for consumer-side Clean Air Act violations, and they collect the platform precedent as a structural bonus. Individuals get made examples of, platforms get precedent set against them, and EZ Lynk watches from Grand Cayman.
The uncomfortable reality is that both outcomes probably happen simultaneously to different degrees. Some users get prosecuted. The app gets pulled. EZ Lynk restructures slightly and keeps going. And buried somewhere in the legal record is a ruling nobody headlines that says app stores and retailers produce bulk user data when the federal interest is framed correctly.
That's the one that matters five years from now. Not the catalytic converters. Not EZ Lynk. The ruling.
The app install record isn't just a receipt. The hardware purchase record isn't just a receipt. It turns out they might also be warrants. Depends entirely on who's asking.