They have metadata (ips, ports, date, time, bytes, etc.) and can be compelled to release it. This can be (and is) used to correlate activities and make accusations, obtain warrants, etc.

Metadata is very powerful and is captured on every network. It's a byproduct of the requirements of the network and its protocols. How many bytes were sent? To where from where? How long was the session? etc. They may not know what the data contained, but they'll know everything else down to the second.