Unleashed and Unlawful: How DOGE Violates the Privacy Act
FAFO doesn't work in the US Government, and yet nobody bothered to let Elon or the Administration know.
DOGE’s Privacy Problems
Despite its memeified name, the Department of Government Efficiency (DOGE), created through Executive Order 14158 on January 20, 2025, is neither an actual government department, nor all that efficient. Quite the opposite, actually. Since its creation, DOGE has fired tens of thousands of federal workers (many of whom have been hired back), procured over 40,000 "deferred resignations" (though how many have actually followed through is unknown), and shuttered entire agencies including the Consumer Financial Protection Bureau, the US Agency for International Development, and most recently, the Department of Education (ED). Or at least, they’ve tried.
DOGE staffers have demanded and received access to sensitive systems across nearly two dozen agencies, including the Treasury Department, Office of Personnel Management (OPM), the IRS, the Department of Health and Human Services (HHS), and others, accessing employee, beneficiary, and taxpayer health information, financial data, social security numbers, and more. They've locked career civil servants out of databases, implemented AI tools to decide terminations without human oversight, and reportedly run these tools on cloud systems outside federal facilities.
I have even more details on DOGE’s bad dog behavior here:
But I want to focus on how the law might be able to put a shock collar on DOGE—at least when it comes to their abuse of personal data.
Enter the Privacy Act of 1974—a little-known federal privacy law that emerged from the aftermath of the Watergate scandal. In a nutshell, the Privacy Act establishes rules governing how agencies collect, maintain, use, and disclose records about people in systems they control. The law provides strong guardrails against matching records between agencies and imposes strict limitations on disclosures to other agencies or third parties. It also mandates accountability, transparency, and provides individual rights to access and correct data. Importantly, it also allows people to sue, when the agencies willfully ignore the law.
I wrote a much more in-depth piece on the Privacy Act here:
In this piece, I lay out exactly how DOGE, the complicit agencies, and the Administration (who I’ll refer to as the defendants) are violating the Privacy Act. I’ll look at the exemptions the defendants have asserted, as well as why their use of AI to wreak destruction on America is also unlawful.
A Friendly Legal Qualifier
Before we get into exactly how the defendants, including Elon Musk, aka Phony Stark, and that guy named “Big Balls” allegedly broke the law, I want to caveat that the Privacy Act, like so many laws, is rife with exceptions. And while I’ve made reasonable efforts to identify those exceptions in Part II discussing the Act in more detail, it’s possible I missed something.
Additionally, courts come to their own conclusions based on their own reasoning, and one or more of them may decide that DOGE’s dismantling of the federal government is fine, or that the plaintiffs have not suffered concrete, particularized damages or harm. Or the Supreme Court may decide that notwithstanding the facts, Orange Julius Caesar and Phony Stark are entirely above the law. My analysis is premised on the following two conditions remaining true[1]:
The rule of law remains intact;
Judgments are complied with by the Administration.
Absolutely none of this analysis matters if either of those conditions fail. But then again, if the rule of law dies, we’re all fucked.
Count 1: The Agencies Violated the Privacy Act's Disclosure Obligations
The Privacy Act of 1974 is, on its face, deceptively straightforward. In short: Agencies are prohibited from disclosing records in a ‘system of records’ ‘by any means of communication to any person, or to another agency’ outside of the agency maintaining the records, without consent, unless an exception applies.
So, let’s lay out how that applies to DOGE and the various agencies DOGE staffers have infiltrated.
For purposes of simplifying things, a ‘system of records’ is a fancy term for a computer system or database. For example, the OPM has around 53 systems that maintain records of over 20 million federal employees, contractors, and job applicants in various databases, while the Social Security Administration (SSA) has around 130 systems and maintains records of hundreds of millions of social security recipients and other beneficiaries of funds managed by the SSA, like Supplemental Security Income.
And the records themselves are broad. In essence, if you’re a US citizen, resident, or anyone who has a social security number, one or more of these systems probably have loads of data about you, including your:
Name, address & contact information;
Government IDs / Social Security Numbers;
Disability status, health information & medical benefits;
Financial information, including information on net worth and income;
Sexual orientation information (including marital status & information).
By sharing information with DOGE personnel, with third parties, or even with other agencies without consent, and absent an exception, the agencies may have violated the Privacy Act.
Since lawsuits have been filed, I think it's safe to rule out consent as a defense. So, let’s talk about exceptions under the Act itself.[2] There are two potential legal excuses they might assert, though:
information was shared with "officers and employees of the agency,” in the performance of their duties (often referred to as the ‘need to know’ exception); or
information was shared as part of a ‘routine use.’[3]
Does DOGE Have a Need to Know?
There are two important questions that must be satisfied for the ‘need to know’ exception to apply. Namely, who and why.
In response to some of the 12 cases brought thus far, the defendants have argued that the Privacy Act is inapplicable, as DOGE staffers are ‘officers and employees’ of the respective agencies being reviewed, and therefore have a need to know the information provided by the agencies in order to fulfill the Administration’s wider remit of demolishing the federal government and destroying America, identifying fraud, waste, and abuse to make the government more efficient. So, the question is, do the DOGE employees who all seem to operate out of the Executive Office of the President, and not the agencies themselves, need to know this information?
Recall that the EO establishing DOGE was quite narrow. Specifically, DOGE (which is basically the US Digital Service in a skin suit) was empowered to perform a “Software Modernization Initiative” to:
“improve the quality and efficiency of governmentwide software, network infrastructure, and information technology (IT) systems”;
“promote interoperability between agency networks and systems”;
"ensure data integrity”; and
"facilitate responsible data collection and synchronization."
Now, I’m no longer a practicing lawyer, but I can read, and there’s nothing in the EO that extends DOGE’s software modernization function to include root access to highly sensitive databases. Likewise, the EO does not bestow DOGE with any authority to fire technical experts, mishandle sensitive data or break critical systems. Oh yeah, and the EO says absolutely SFA about training its shadowy AI system (aka, “Federal Grok”) with the personal data of millions of people. Trust me, I looked. And that EO is quite literally the only thing the defendants are hanging their hats on.[4]
I don’t know about you, but to me breaking critical government systems and lying about their successes seems antithetical to what the EO actually says. And I’m not sure even the Fifth Circuit would interpret the scope of the EO to include the cancellation of contracts, payments & grants, and the elimination of entire agencies that Musk personally has grievances against.[5] I’m not saying that they couldn’t find another reason to dismiss the case, just that I can’t see how they would do so on this ground.
Was This a Routine Use of Records?
The next exception the defendants have asserted is that disclosing information to DOGE didn’t violate the Privacy Act because the agencies did so as part of a routine use.[6] This is a slightly more compelling argument on its face because agencies define their ‘routine uses’ and some of those uses can be staggeringly broad.
But the routine use exception is not limitless. The disclosure and use of a record must still be “compatible with the purpose for which it was collected,” and while the facts differ across the various complaints, it strains reason to argue that disclosing highly sensitive, personal information about tens or hundreds of millions of individuals for ‘IT modernization’ meets that definition.[7]
Second, a routine use must be publicly known. Specifically, agencies must provide notice to the public of their ‘systems of records’ in the Federal Register (known as a SORN). This includes the name and address of the person or agency to whom the disclosure is made. And well, DOGE isn’t listed anywhere. On any SORN. At all.[8]
Count 2: Elon’s Use of ‘Federal Grok’
But Elon & Co. aren’t content to just muck around with the nation’s personal data. No, they also want to use AI and machine learning to analyze everything and root out fraud and waste. Which is to say, DOGE wants to dump your tax records and health & benefit information into Government Grok, and to have a machine learning model decide who to fire and which job roles to cut automatically, without any real human oversight. According to news reports, DOGE is using Anthropic’s Claude Haiku and Sonnet models to power their GSAi chatbot, potentially leaking sensitive personal information and records outside of government systems.
But the Privacy Act also generally prohibits this kind of nonsense. While Congress in the 1970s had no idea that we’d be living in a world where a billionaire manchild uses chatbots and chainsaws to implode the government, it did call out the use of automated systems to combine or match records, especially where such matching can lead to an adverse impact to individuals.
The Privacy Act defines matching in a rather … convoluted way, but in essence, a ‘matching program’ refers to any automated comparison of two or more agency systems of records, or with non-Federal records to establish or verify eligibility for government benefits or assistance programs, or to make employment decisions about federal personnel (like hiring or firing).
Matching isn’t illegal per se, but it imposes additional rules and legal obligations, including having so-called ‘matching agreements’ in place between the disclosing and recipient parties and making those agreements publicly available. Unsurprisingly, no such agreements exist between the agencies, DOGE, or Anthropic.
Agencies also need to do other things like establishing a data integrity board, and conducting privacy impact assessments prior to mixing any data. I’m going to bet that none of the agencies bothered with that, either.[9]
A word to DOGE & the Administration: If you want to actually make government efficient, you might want to try reading the damn laws for a change, or at least lobbying Congress to get rid of them first. Surely, Congress is cheaper than buying Twitter.
Hostile Nation States Love This One Weird Trick
But the Privacy Act isn’t the only law that DOGE and the agencies are fouling up. If, as has been alleged, DOGE staffers copied information directly onto non-governmental laptops or uploaded it to non-agency systems, they’ve got fresh hells to deal with. Other laws, including the Federal Information Security Modernization Act (FISMA) of 2014 and the E-Government Act of 2002, might end up shocking the defendants.
FISMA requires agencies to provide information security protection "commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction" of information or information systems maintained by the agency. The E-Government Act requires that agencies conduct a privacy impact assessment for new or substantially changed information technology systems that contain personal information on individuals.
Both FISMA and the E-Government Act have their own standards and transparency requirements, as well as various technical, organizational, and security measures to safeguard access to government records and systems prior to any data changing hands. At this point, I’m repeating myself when I say it’s doubtful that the agencies bothered to read, much less meet, any of these requirements.
But we’re honestly beyond technical compliance questions. DOGE is fucking up all on its own. We already know, for example, that DOGE’s security posture is terrible, and that DOGE staffers have a history of leaking sensitive information. We also know that DOGE keeps leaking sensitive information on their website. Oh yeah, they also fired top cybersecurity officers from numerous agencies, and gutted NIST and the Cybersecurity and Infrastructure Security Agency (CISA), a key resource in defending the US against cyber attacks. Basically, DOGE hung out a welcome mat to our adversaries and said ‘Come right in!’
So, What Now?
In short, the administration & DOGE’s efforts to speed run Snow Crash have led to serious, documented harms. Not just anxieties about how data is being used, but actual breaches in security, violations of the Privacy Act, and the continued, ongoing peril of knowing one’s data can be weaponized instantly.
One good bit of news is that the Privacy Act offers some small comfort, including civil and criminal penalties against agencies that run afoul of the law, as well as monetary recovery and attorneys’ fees, if the acts are judged to be willful or intentional.[10] Recovery isn’t much, but it’s something.
In the best world, courts will put the kibosh on DOGE’s bad behavior. Better still, they’ll demand that DOGE impound or destroy any data they have already collected. This is already starting to happen via temporary restraining orders issued against the agencies. You can follow along on Just Security’s excellent Trump Litigation Tracker. So maybe, there’s hope.
And with that, I’ll finish my beer, and go pet some cats. Thank you for reading until the end. As a reward, here’s a picture of my new cat rock band, “We Chase Lasers”.
[1] I have had a few folks accuse me of being overly catastrophic on the whole demise of the rule of law thing, and that’s fine. We all believe what we want. But it’s worth reflecting that in the course of human history, when autocratic regimes and tyrants took power, they tended to incrementally ramp up the awful. To quote Hemingway: 'How did you go bankrupt?' Bill asked. 'Two ways,' Mike said. 'Gradually, then suddenly.'
[2] Most of the exceptions under the Privacy Act aren’t applicable to DOGE or this situation. I explain why in my earlier article summarizing the Privacy Act.
[3] For anyone playing along at home, you’ll find this in 5 U.S.C. § 552a(b)(1) and § 552a(b)(3).
[4] See: University of California Student Ass’n v. Carter et al., Case No. 1:25-cv-00354, ECF 26-1 at 26.
[5] I swear, Elmo is using DOGE to go after literally any agency who did him dirty. According to a House Judiciary Committee Fact Sheet, there have been at least 12 instances where Musk, DOGE or the administration targeted government agencies that were investigating Musk or his companies.
Musk’s vendetta against USAID, one of the first agencies in the great purge, was potentially motivated by the agency’s Inspector General initiating a probe against Starlink terminals provided to the government of Ukraine.
On February 15-16, 2025, Reuters reported that DOGE fired approximately 20 employees at the Food and Drug Administration’s Office of Neurological and Physical Medicine Devices, including workers overseeing the review of Defendant Musk’s Neuralink brain implant company. A separate complaint was launched by the US Department of Agriculture Inspector General against Neuralink for potential animal welfare violations. The IG was fired by Trump on January 30, 2025.
In February, the Administration closed the CFPB’s headquarters and put employees on administrative leave. The CFPB has been investigating various Musk companies since 2024, in response to over 300 consumer complaints.
On January 21, 2025, Trump signed an executive order shutting down the Department of Labor’s Office of Federal Contract Compliance Programs, which had previously been investigating Tesla for workplace discrimination.
Since January, Musk has repeatedly gone after the Federal Aviation Administration (FAA), including terminating 132 probationary employees (and then having to hire them back), ostensibly to cut waste, but arguably because the FAA has been critical of Musk’s SpaceX violating launch licenses. The FAA had proposed fining SpaceX in September 2024.
[6] 5 U.S.C. § 552a(b)(3).
[7] 5 U.S.C. § 552a(a)(7).
[8] See: 5 U.S.C. § 552a(e)(4)(D). A quick search of the Federal Register turns up a few citations to DOGE-specific implementing documents and the EO itself, but no SORNs.
[9] If you’re really curious, the other stuff is at 5 U.S.C. § 552a(o)-(q), (u).
[10] See my earlier article discussing remedies under the Privacy Act.