When Elon Musk and his staffers — many of them young, recent high school and college graduates — gained access to the Treasury Department’s central payment systems, that means they also got access to tax refunds, Social Security numbers, home addresses, and veterans’ benefits information for millions of Americans.

In addition, at least nine DOGE agents had broad access to private information about millions of federal employees and job applicants. And now DOGE is reportedly transferring sensitive data from the Department of Education to highly risky external AI systems for analysis.

Unsurprisingly, according to internal Treasury Department documents, the department's in-house threat-analysis team designated DOGE as an "inside threat" and warned that it "likely poses the single greatest insider threat risk the Bureau of the Fiscal Service has ever faced."

This is not just a huge security risk and political scandal, this unvetted access to sensitive data is against the law — specifically, it violates the Privacy Act of 1974.

What is the Privacy Act of 1974?

Danielle Citron, writing in Lawfare, has an excellent summary: DOGE betrays foundational commitments of the Privacy Act of 1974.

She argues:

Congress adopted the Privacy Act of 1974 to address agencies’ computerization of personal data without congressional authorization or safeguards. The act mandated transparency, accountability, and protections around the collection, use, and sharing of personal data. Federal agencies were allowed to computerize personal information only if doing so was “relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by the executive order of the President.” Sharing personal information outside the agency was permissible only if the agency obtained the person’s written consent or if doing so would be “compatible with the purpose for which the [personal information] was collected.” Agencies were banned from collecting information about people’s First Amendment activities; individuals could access their records to ensure that they were accurate.

President Gerald Ford described the Privacy Act of 1974 as “an historic beginning” of the codification of “fundamental principles to safeguard personal privacy in the collection and handling of recorded personal information by federal agencies.” (As vice president, Ford served on President Nixon’s Domestic Council Committee on the Right to Privacy.) For President Ford, the law struck a “reasonable balance between the right to be left alone and the interest in society in open government, national defense, foreign policy, law enforcement, and a high quality and trustworthy Federal work force.” He promised that his administration would “act aggressively to protect the right of privacy for every American” and called for “the full support of all Federal personnel in implementing requirements of this legislation.” President Ford echoed his predecessor’s recent radio address about the “American right to privacy.” Just months before his resignation, on Feb. 23, 1974, Nixon warned: “At no time in the past has our government known so much about so many of its individual citizens. This new knowledge brings with it awesome potential for harm as well as good—and an equally awesome responsibility on those who have that knowledge.” (Yes, the Watergate privacy-violating irony.)

So how do DOGE’s actions so far relate to the Act? In short, per Danielle:

Musk and his team’s access to agency computerized records is an affront to the purpose, spirit, and words of the Privacy Act of 1974. Musk’s staffers may not have been subject to any vetting, let alone the rigorous vetting necessary for government consultants or employees. The Privacy Act does permit the “routine use” of protected information if such use (including sharing) would be compatible with the reason the information was collected in the first place. In connection with the Privacy Act’s commitments, the Treasury Department and the Office of Personnel Management have given notice about situations under which agency employees can share records with outside parties and agencies. Were those recognized “routine uses” at play when Musk’s team accessed agency systems of sensitive personal records? What if Musk’s team retrieved people’s records to assess their loyalty to the Trump agenda? What will Musk’s team do with the personal data stored in these highly sensitive systems of records? Will those records be used to carry out retribution that the president has promised? Retribution or loyalty tests have nothing to do with the purpose for which agencies collected that data.

Asking these questions helps answer them. We do not have any assurance that Musk’s team has been vetted or has a congressionally authorized reason to access our personal data. We are bearing witness to the kind of power grab, abuse, and overreach that the Privacy Act of 1974 was passed to prevent.

Read the whole piece here.

Share

Why we’re suing

Our lawsuit alleges that the Treasury Department, Office of Personnel Management, and Department of Education are violating the Privacy Act by providing DOGE representatives access to vast databases containing Social Security numbers, financial information, and other personal data without proper authorization or safeguards.

To be clear, the issue is not that certain executive branch officials, like career OPM and Treasury personnel, have access to this data — the problem is that the president’s political appointees aren’t supposed to have access to huge swaths of personal data like this without proper authorization, vetting, and safeguards as mandated by law. (It’s also much more of a problem when the same person has access to all of this personal information at once vs. a narrow slice of it necessary to fulfill a certain responsibility.)

Five key things to know about what’s going on here:

1. This data violation impacts basically everyone — anyone who gets a tax refund, receives Social Security, has federal student loans, works for (or has applied to) the federal government, or earned benefits from their service in the military.

2. This isn’t just bending rules in the spirit of “efficiency,” DOGE is clearly breaking laws — the Privacy Act of 1974 exists precisely to prevent unauthorized snooping by politicians and their cronies.

3. This sort of threat is exactly why Congress passed this law — Congress passed the Privacy Act of 1974 after Watergate because it specifically wanted to stop the government from building massive databases to target Americans.

4. The government security experts whose job it is to protect this data are calling this a five-alarm fire — again, they’re describing it as the “single greatest insider threat risk” ever. (Note one of the DOGE staffers was previously fired for leaking sensitive info.)

5. The stakes here are extremely high — not only is this some of the most sensitive data imaginable (trillions in government payments, personnel files of millions of people, nationwide student loan information, veterans benefits data, etc.), but once it’s out there, there’s no getting it back. This personal information could be used for identity theft and financial fraud, not to mention political targeting and retribution.

According to Kristy Parker, who is Counsel for the case:

“We're watching in real time as unvetted Trump cronies break the law to get access to Americans’ most sensitive and personal data. No one should be fooled into thinking they're doing this for our benefit. Their goal is to snoop on vast amounts of Americans' data and try to use what they find to enrich themselves, reward their allies, and punish their critics.”

The plaintiffs in this case are a coalition of individual veterans who have served in various branches of the military and unions representing teachers, scientists, engineers and workers from across the federal government, including the American Federation of Teachers, National Active and Retired Federal Employees Association, International Association of Machinists and Aerospace Workers.

We’re simply asking the court to: (1) stop unauthorized and illegal access to Americans’ protected personal information, (2) ensure retrieval or destruction of improperly disclosed records, and (3) restore proper Privacy Act protections for sensitive government databases.

Read the complaint and more here.