DOGE and Government Data Privacy

Center for Civil Rights and Technology Resources 03.20.25

A resource in collaboration between Center for Democracy & Technology and The Leadership Conference’s Center for Civil Rights and Technology

PDF version here

Despite the attention that the Department of Government Efficiency (DOGE) receives, little is known about their structure, staff, and actions, including how they are using data and technology to attempt to achieve their stated purpose of identifying and eliminating fraud, waste, and abuse in the federal government. This fact sheet is intended to summarize what is known about the evolution of DOGE’s access to government-held data, including mounting lawsuits based on potential violations of federal privacy protections, growing security concerns, and impacts to millions of people, as well as some of the myriad outstanding questions about this new entity.

Evolution of DOGE and Government Data Privacy

While at first it was purported to be an advisory body, DOGE has transformed into an embedded group obtaining expansive access to government databases enabling them to seize the most sensitive information about tens of millions of people across the United States.

THEN

NOW
 “[T]he Department of Government Efficiency will provide advice and guidance from outside of Government and will partner with the White House and Office of Management and Budget to drive large scale government reform….” Source: Statement on Truth Social from Donald Trump, November 12, 2024 “Agency Heads shall take all necessary steps, in coordination with the USDS [United States Digital Services] Administrator and to the maximum extent consistent with law, to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems. USDS shall adhere to rigorous data protection standards.” Source: Excerpt from executive order establishing DOGE, January 20, 2025

By The Numbers

Fourteen lawsuits allege violations of six federal privacy protections across eight federal agencies. Sources: Just Security Litigation Tracker; New York Times Lawsuit Tracker

Federal Privacy Protections

Personal data held by government agencies is protected under several long-standing federal privacy protections, including the following statutes that have been implicated in lawsuits directed at DOGE’s access to sensitive information:

  • Privacy Act of 1974: The Privacy Act prohibits the disclosure of a record about an individual from a system of records absent the written consent of the individual, unless the disclosure is pursuant to one of 12 statutory exceptions. This law was passed by Congress out of concern for curbing the illegal surveillance and investigation of individuals by federal agencies that had been exposed during the Watergate scandal. Source: Department of Justice Overview on the Privacy Act; The Privacy Act
  • § 6103 of the Internal Revenue Code (IRC Section 6103): IRC Section 6103 generally prohibits the release of tax information by an IRS employee except under specific circumstances. Privacy of tax information has been an American principle since 1870 — both administrative and legislative prohibitions on the sharing of taxpayer information were enacted that same year. The Internal Revenue Code was originally enacted in 1939 and then updated again in 1986, which is the current version we see today. Source: 26 USC 6103: Confidentiality and Disclosure of Returns and Return Information
  • Fifth Amendment: Substantive due process protects certain fundamental rights from government interference (grounded in the Fifth Amendment’s protection against deprivation of life, liberty, or property without due process). Infringements on such rights require a sufficient purpose and narrow tailoring to fulfill that purpose. Source: Justia; Substantive Due Process
  • E-Government Act of 2002: The E-Government Act recognized that increased reliance on computers, the internet, and other technologies have important ramifications for the protection of personal information contained in government records and systems. Federal Information Security Management Act (FISMA) and Confidential Information Protection and Statistical Efficiency Act (CIPSEA), both portions of the E-Government Act, set security standards and requirements for agencies in their maintenance of data. FISMA generally requires agencies to have a documented security system in place, and CIPSEA prevents the use of data or information that was acquired by an agency confidentially for statistical purposes from being used for any other (nonstatistical) purpose. Source: Federal Information Security Modernization Act of 2014; Confidential Information Protection and Statistical Efficiency Act
  • Computer Fraud and Abuse Act (CFAA): The CFAA makes it a criminal act to access a government computer without authorization, obtain information on a government computer that one is not authorized to obtain, share information with unauthorized people, or inhibit government operations without authorization. Source: Computer Fraud and Abuse Act
  • §1306 of the Social Security Act: Section 1306 of the Social Security Act prohibits the disclosure of any tax return information (or portion of return information) by officers or employees of the Social Security Administration and the Department of Health and Human Services, except under specific circumstances. Source: Disclosure of information in possession of Social Security Administration or Department of Health and Human Services

Reported Security Incidents & Sensitive Data Collected

DOGE’s access to sensitive information raises serious questions about the extent to which they are adhering to appropriate privacy and security practices and federal law. Reported security incidents include:

  • DOGE staffer Marko Elez was ‘mistakenly’ given ‘read/write’ permissions over part of the Treasury Department payment system responsible for disbursing trillions of dollars every year. Source: Treasury revoked editing access ‘mistakenly’ given to DOGE staffer, February 11, 2025
  • The doge.gov website that was spun up to track Elon Musk’s cuts to the federal government is insecure and pulls from a database that can be edited by anyone. Source: Anyone Can Push Updates to DOGE Website, February 14, 2025
  • DOGE released information about the headcount and budget of an intelligence agency. Multiple intelligence community sources [said] that this likely represents a significant breach…because anytime any details about U.S. citizens working for one of the intel agencies is released, it puts their safety in jeopardy. Source: DOGE data release criticized by intel community; Trump admin says it’s public data, February 14, 2025
  • Twenty-one staffers of the U.S. DOGE Service announced their resignations Tuesday citing, among other worries, “mishandling sensitive data.” Within the White House complex, the WiFi permissions — meant to bolster security by prompting users to log in frequently — were recently changed to allow guests to remain logged in for a year, up from seven days, because so many personal devices are newly in use. Source: DOGE’s grab of personal data stokes privacy and security fears, February 25, 2025

These reported security incidents are particularly troubling given the extremely sensitive nature of the data that the federal government collects about individuals, including the examples below.

Examples of Sensitive Data Collected By Federal Agencies

Identifying Information Demographics Contact Information Life Events Financial Information Beneficiary Information Alleged Legal Violations
Legal name

Date of birth

Social Security Number

Beneficiary identifier

 Race

Sex

Disability

Citizenship status

 Work and mobile phone numbers

Home and work addresses

Email address

 Pregnancy and birth

Marriage and divorce

Job loss

Employment records

Bankruptcy

Family deaths

 Family income

Family information

Bank account information

Credit reports and scores

Loan requests and denials

 Medical diagnoses and conditions

Past treatments and procedures

Mental and behavioral health history

Prescription drug use

Hospital bills

Housing information

 Domestic violence case files with addresses of survivors

Detailed descriptions of civil rights violations, including sexual assaults

Incarceration

Impact of Artificial Intelligence Use on Government Data

Emerging stories about how artificial intelligence (AI) may be used to make high-stakes decisions, like firing tens of thousands of federal workers, replacing federal workers, and cutting billions in funding, do not account for limitations of the technology, like inaccuracy, lack of security, and bias. The public may find themselves on the receiving end of AI-driven decisions that upend their access to fundamental government services like Social Security, Medicare, and Medicaid.

Impact of Improper DOGE Data Access and Use

Collecting, accessing, and sharing sensitive information carries inherent risk to the people who provide the data, making it important to ensure that the potential benefits outweigh the harms. Individuals whose data are being accessed and used by DOGE are at risk of experiencing the following harms:

  • Data misuse and privacy invasion: DOGE’s access to sensitive personal information, including Social Security Numbers and personal health information, threatens people’s privacy and may even violate long-standing federal privacy protections. Without additional transparency about why and to what extent DOGE has accessed personal data, potential legal violations and other misuses of data may occur without the public’s awareness. Source: At least 11 lawsuits are taking on DOGE over data access and privacy laws, February 19, 2025
  • Increased risk of fraud and identity theft: DOGE’s potentially reckless treatment of personal data undermines basic privacy and cybersecurity practices, exposing such information to heightened risks of misuse, leakage, and attacks. If such information is hacked by scammers or foreign adversaries, people are likely to see their data used against them for fraud and identity theft. Source: 4 ways to protect your personal data from Musk’s DOGE, March 1, 2025
  • Federal operations confidentiality: DOGE’s practices also threaten the data privacy of federal employees and the confidential work many of them do. The implementation of a new, governmentwide email system to collect millions of data points on federal employees creates significant security vulnerabilities as email is widely understood to be insecure. This practice, along with using AI to assess responses to government-wide queries, threaten both confidential personnel information and information about sensitive government operations. Source: DOGE will use AI to assess the responses of federal workers who were told to justify their jobs via email, February 24, 2025
  • Hindering government efficiency and wasting taxpayer dollars: While the use of data and AI systems can play a legitimate role in increasing government efficiency, DOGE is reportedly using these tools to make high-risk decisions about a host of government programs and hiring. Without appropriate oversight, transparency, and testing, AI tools may not only fail to function properly and reduce government efficiency, thus wasting taxpayer dollars, but can cause significant harm to individuals by producing inaccurate and biased results. Source: The truth about DOGE’s AI plans: The tech can’t do that, March 3, 2025