The Department of Government Efficiency is building a single, cross-agency database of sensitive information from the IRS, Social Security Administration, Department of Health and Human Services and other agencies, according to new, whistleblower-informed oversight on Capitol Hill.
The effort is “unprecedented,” said a Thursday letter the top Democrat on the House Oversight and Accountability Committee, Rep. Gerry Connolly, D-Va., sent to SSA’s watchdog, whom he’s asking to open up an investigation.
DOGE’s work may run afoul of privacy law, the letter said. Experts that Nextgov/FCW spoke with agreed.
Already, associates of the government-slashing initiative led by Elon Musk have accessed sensitive data across numerous agencies even as federal employees object, resign or are fired in the process.
There are at least fourteen lawsuits alleging violations of federal privacy protections across agencies, according to the nonpartisan, nonprofit Center for Democracy and Technology.
Now, the DOGE team is building a single, cross-agency master database by combining sensitive information from various agencies, according to whistleblower information Democrats on the House’s oversight committee say they’ve received.
“It’s terrifying,” said John Davisson, senior counsel and director of litigation at the Electronic Privacy Information Center, which sued the Office of Personnel Management and Treasury Department in February over personnel records and payment system data that was taken.
“The Privacy Act is really designed to prevent this exact thing from happening, and it’s pretty horrifying to watch it playing out now,” he said.
It is an “egregious disregard towards existing privacy laws,” said one former government technology official, who requested anonymity for fear or retribution.
For one agency to share information with other agencies, they either have to get written consent from the individuals in that database before disclosing their information or use a limited exception in the statute, at which point documentation requirements kick in.
“I am concerned that DOGE is moving personal information across agencies without the notification required under the Privacy Act or related laws, such that the American people are wholly unaware their data is being manipulated in this way,” Connolly wrote in his letter.
He asked that the watchdog investigate this and other concerns about disruptions at SSA due to changes to its IT infrastructure and staffing, as well as plans to quickly overhaul its technology.
“DOGE engineers have tried to create specialized computers for themselves that simultaneously give full access to networks and databases across different agencies,” the letter said, calling this “an apparent attempt to sidestep network security controls.”
“Individuals associated with DOGE have assembled backpacks full of laptops, each with access to different agency systems, that DOGE staff is using to combine databases that are currently maintained separately by multiple federal agencies,” it continued.
“A pattern of technical malfeasance has emerged, showing these DOGE staffers are not abiding by our nation’s privacy and cybersecurity laws,” a senior aide on the House Oversight Committee told Nextgov/FCW. “They are using excessive and unprecedented system access to intentionally cover their tracks and avoid oversight so they can creep on Americans’ data from the shadows.”
Pulling datasets together this way also raises cybersecurity concerns that the government could create a honeypot of information for bad actors, the former official told Nextgov/FCW.
That former official detailed a “lack of security — you can see that from firing security experts, ignoring rules and policies and authorizations, the usage of literally commercial computers that have no way been assessed — [where] there’s potential that we could be opening up a door by which we could see a breach in magnitude that dwarfs what occurred at OPM.”
The 2015 data breach at the government’s HR agency exposed the personal information of millions of current and former feds and their families.
“I am also concerned about what will be done with this information, and by whom,” said Elizabeth Laird, CDT’s director of equity in civic technology, noting that it’s likely that the Trump administration may want to use this information for immigration enforcement.
The IRS and Department of Homeland Security recently penned an agreement for the tax agency to share taxpayer information to do just that — a move that resulted in the acting IRS chief and other senior officials choosing to resign.
The data collection may not stop at the federal level, said Laird, pointing out that a recent executive order focused on accelerating data-sharing across government agencies also calls on agencies to get data from states, which have their own sets of sensitive data about Americans, given that they often administer federally-funded programs like unemployment.
That order also directs agencies to offer recommendations on how to update or eliminate their system of record notices — required by the Privacy Act — for the sake of sharing data, said Laird, musing that the order may be a response to the number of lawsuits agencies are under alleging that they’re not in line with privacy laws.
Another recent executive order could pave the way for agencies to consolidate datasets at the Treasury Department in the name of fraud prevention, said Davisson.
“Aggregation of data is building a weapon, essentially, and it’s one that can be used in a lot of different ways,” he said.
The White House did not return a request for comment on the letter.
