Interview: Why DOGE Is A National Privacy And Cybersecurity Risk
The creation of the Department of Government Efficiency (or DOGE) through the renaming of the United States Digital Service has been closely followed by growing controversy over the organization’s demands for wide-ranging access to US government computer databases in order to facilitate funding cuts and mass layoffs as ordered by its apparent leader, Elon Musk, as well as around Musk’s role in the organization.
As a result, DOGE and the US agencies that have allowed DOGE database access, like the Office of Personnel Management, now face multiple lawsuits, with a Maryland federal judge issuing a temporary restraining order on February 25 against both, ordering them to stop sharing personal information of plaintiffs.
Overt Defense spoke with Adam Schwartz, Privacy Litigation Director at the Electronic Frontier Foundation, on why the Foundation is pursuing a separate lawsuit against OPM and DOGE, and the cybersecurity risks posed by DOGE’s access to government databases.
This interview has been edited for clarity.
Why is the Electronic Frontier Foundation filing a lawsuit?
We, the Electronic Frontier Foundation, and our co-counsel, law firm Lex Lumina, have filed a lawsuit on behalf of federal workers against the federal Office of Personnel Management, and against the new U.S. agency known as the DOGE, which is led by Musk.
What we are challenging is that the Office of Personnel Management has disclosed to DOGE the personal information of tens of millions of past and present federal workers, and even applicants who never worked for the government.
This dragnet disclosure of personal information violates a law in the United States known as the Privacy Act, which says government agencies cannot disclose personal information even to other government agencies unless there is a good reason to do so.
We filed this case on 11 February and we are trying to stop this privacy violation.

What makes the Office of Personnel Management databases so important?
The information that is held by the Office of Personnel Management concerns tens of millions of people, of everybody who works for the federal government, who has done so in the past, or applied to work there.
And it is a very rich data set. It contained identifying information like names, social security numbers and home addresses. It is demographic information, including race and ethnicity. It is employment information, including salary, demotions and union activity. It is financial information, health information, education information.
This is information that our foreign adversaries want to have. A decade ago, a foreign nation, probably China, broke into this very database and stole information like this about federal workers. It’s considered one of the most scandalous and harmful data breaches that has ever happened.
So there are three harms that are caused when, as has happened here, the federal Office of Personnel Management discloses it all to DOGE.
First, there has already been a privacy violation. People have a right to privacy, that includes control over who sees their information, and this is literally the face of the federal Privacy Act. The information cannot be disclosed. This is the privacy harm, and it has already occurred.
Number two, everybody is suffering from a great risk in that the DOGE team that has this information is going to use it against them to try to fire them, or to disclose it to third parties who will try to humiliate or even harass them. So, there is the risk about how DOGE is going to use this information.
And number three, the federal government has spent the decade since the data breach trying to harden this security system. And that is a lot of work to maintain data in a way that organized criminals and foreign nations can’t break in and steal it.
And when you release the DOGE team, who infamously is a bunch of very young people who have gone through no vetting and include people who have been fired from previous jobs for security lapses and people who are notorious racists, and set them loose to access data without any oversight from the people who are ordinarily managing these databases, the result is they are blowing holes in walls, making it easier for foreign nations and organized criminals to access the crown jewels of federal data about its workforce.
So, in short, there are three harms – the privacy harm that has already occurred, the risk that DOGE is going to abuse this data in ways that hurt these 20 million workers, and that DOGE has made it easier for foreign nations and organized criminals to bust in, steal this data and abuse it in still other ways.
The Office of Personnel Management database is not the only one DOGE has attempted to access, so why focus on the OPM database access?
There is a broader problem that the federal government is swimming in oceans of personal information about Americans and we’re focused on the Office of Personnel Management, which is the data of tens of millions of federal workers.
There are other agencies that process data about the general public. So, the Treasury Department writes checks. And if you get a Social Security check, they know your Social Security number.
Other agencies have more discrete sets of information about the general public. The Department of Education might know about students, and likewise, every agency knows things about its workforce.
I would argue that the two agencies that have the most data are the Treasury Department, which is the writer of all the checks, and the Office of Personnel Management, which is the personnel office for the entire federal workforce. And DOGE is in the process of raiding all of these agencies.
So, our case is one of a dozen that have been filed, in at least four courthouses, against, by my last count, at least a half dozen federal agencies who all have the same problem, which is that the agency is disclosing personal data to DOGE and in doing so, violating the Privacy Act.
DOGE employees have reportedly connected to OPM and other agency databases with computers, servers and other devices of uncertain origin, and have allegedly tried to transfer data from the databases to what they call “AIs”. What are the information security risks here?
Yeah, I think this information security risk is exactly one of, as I’ve suggested, the three harms: the first, the privacy violation; the second, that DOGE is going to abuse the data. And the third is that someone else is going to have an easier time busting in, getting the data and abusing it, the information security risk.
And I’m not an expert in this, but EFF employs many technologists who are. My understanding is that trying to build an information security system that keeps out opponents requires constant effort. It requires complicated systems, and it is very easy to make mistakes.
And so you have a set of experienced professionals who have built the system over time and know how it works. When you make changes to the system, they go through an internal vetting process and consensus is made about security trade-offs.
None of that is happening here.
The people who for years have been in charge of securing the ramparts, in many cases have been sidelined. And these DOGE agents are showing up who don’t know anything about how the system works, they are altering the system design and doing new things.
This intrinsically creates new information security risks that adversaries like foreign governments and organized criminals will be able to exploit – it’s the equivalent of blowing a hole in a wall and hoping that only the person who blew open that hole can walk through and that other people won’t also walk through.
The kinds of things that you just identified DOGE agents as doing are precisely the kinds of things that I, as a lay person who is not an information security expert, understand to create infosec weakness that can be exploited by other adversaries. Since I’m not an infosec expert, I can’t say a lot more than that, only because I don’t know.
But it is the position of EFF, based on all of our infosec experts, that what DOGE is doing by bringing in new systems and servers and software and hires is weakening a decade of professionalized agency expertise in doing information security, and we are more vulnerable to a breach now.
Does the success of other lawsuits against the Trump administration give you confidence in your odds of success, particularly where the administration has been found in violation of the Administrative Procedures Act?
It does. I’m aware of 11 of these lawsuits: us plus 10 others. And in two of these lawsuits, a judge already has placed emergency limits on agency disclosure to DOGE.
One was a temporary restraining order (TRO), on February 6, in the lawsuit against the Treasury Department by the Alliance for Retired Americans. The other was a TRO on February 8, in the case by New York State, also against the Treasury. So in two of these cases, both against the Treasury, there have been TROs.
One thing I want to clarify is that the Administrative Procedures Act is a general statute that says, you know, the administrative state agencies who are doing the bidding of Congress have to do various things. One is to obey the law, another is to not be arbitrary.
The Privacy Act has a provision, as I’ve said, that says the agency shall not disclose data without accepted narrow situations.
In the litigation, these 11 lawsuits, the Privacy Act claim and the Administrative Procedures Act claim overlap. What a lot of plaintiffs, including my case, say is: you have violated the Privacy Act by disclosing the information, and therefore also you have violated the Administrative Procedures Act, which says you can’t violate another act, so the APA and the PA stack together.
What happens if the courts rule that DOGE has to stop, but it continues trying to access OPM data?
Yeah, that is a really good question. EFF is a digital rights organization, and as part of that, we believe in the rule of law and the separation of powers. And we hope and expect that our federal agencies are going to comply with the orders of federal courts. And beyond that, it’s outside of EFF’s expertise.
Would we be in a constitutional crisis if that were to happen?
You’ve asked the right question, but I don’t have an answer.
In closing, why should someone care about the outcome of the EFF’s lawsuit against DOGE, and those by other organizations?
Data privacy is a fundamental human right.
The way that ordinary people protect themselves from coercion, from powerful governments and corporations, is by controlling information about themselves. The last time that the US Congress passed a statute to prevent an out-of-control president from spying on Americans, the Watergate scandals in the 1970s, it enacted the Privacy Act.
And now is the time for the federal courts to enforce that Privacy Act and stop Trump, DOGE and the Federal Personnel Management Office from violating the data privacy of tens of millions of people in our hardworking workforce.
The views expressed in this article do not necessarily reflect the views of Overt Defense.