Stephen Overlea
Hey, welcome to Politico Tech. Today's Wednesday, February 5th. I'm Stephen Overlea. It may only be Wednesday, but it's already been a head-spinning week in Washington. Elon Musk is moving fast to dismantle and downsize federal agencies, and Democratic lawmakers are now pushing back. On Tuesday, Senators Elizabeth Warren and Ron Wyden called for an investigation into how Musk's Department of Government Efficiency got access to payment systems at the Treasury Department. And House Democrats want answers of their own about whether DOGE, as it's called, got a hold of sensitive or classified information, including at the U.S. Agency for International Development, where a handful of young Musk allies took control over the weekend. For its part, the White House has branded a number of reports about DOGE as fake news. DOGE advisor Katie Miller posted on X that no classified material was accessed without proper security clearances at USAID and refuted a report that DOGE was using an illegal server to control personnel records. But those denials have not quieted privacy and cybersecurity advocates like Alan Butler, the president and executive director of the nonprofit Electronic Privacy Information Center.
Alan Butler
Everyone is on board with stopping waste, fraud and abuse, but no one is on board with this. This is chaos.
Stephen Overlea
Alan is a longtime privacy advocate and litigator, and on the show today he breaks down his concerns about DOGE and why he considers it to be the biggest data breach in government history. Here's our conversation. Alan, welcome to Politico Tech.
Alan Butler
Thanks for having me.
Stephen Overlea
So you're seeing all the headlines over the past few days about Elon Musk and DOGE employees getting access to Treasury payment data and to the US Agency for International Development. As a privacy advocate, what's going through your head?
Alan Butler
I mean, it's a rapidly developing story, as you say, and I think that every new piece is kind of a new horror. So to break it down a little bit, we've seen reported in the last week a number of things. One that feels like an eternity ago was the installation of an unvetted email server in the Office of Personnel Management. That our understanding has been used to blast out emails to the entire federal workforce about, you know, deferred resignations and then was hacked and used to send out spam to the federal workforce. But then we started hearing about efforts by DOGE to basically bring their staff and quasi-affiliated workers in to take over IT systems within the Office of Personnel Management and then within the Treasury Department itself. This includes extremely sensitive personnel and payment information, specifically the employment records of all federal employees, retirees, job applicants, anyone who's been vetted through the OPM system in that employment records, and all payments issued by the Treasury Department, which includes billions of dollars of payments made each year and still breaking sort of news about the extent to which that access has been given to these unvetted individuals affiliated with DOGE. But you know, I can say, going through my head as a privacy expert, this is essentially the biggest breach, data breach in US history. You know, 10 years ago when the OPM system was breached by hackers affiliated with the CCP, there's a much smaller number of records breached. It was a top to bottom scandal, hearings in Congress, massive litigation with huge liability. And that was a foreign spy. Right. Infiltrating the system, getting a smaller slice of records than we're talking about right now. And we don't even know the whole of it. We don't know what's happening with this data. Is it getting exfiltrated? You know, we've seen evidence that it's being disclosed to individuals outside of the government, which is clearly illegal.
The scope is really massive and unprecedented.
Stephen Overlea
And so walk me through kind of the risks here as you see them, like what could go wrong or is going wrong as a result of how this is all playing out.
Alan Butler
Sure. So there's a couple different dimensions to it. First and foremost, you have the immediate privacy risks to individuals that are implicated in these systems. And that includes current and former federal employees whose personnel records include things like their sensitive personal information, their home address, Social Security information, any derogatory information included on their clearance forms, like the SF86. All of this could not only be, you know, used in the context of whatever DOGE is trying to do in terms of kind of attacking the federal workforce, but could also be leaked or, you know, misused by individuals outside of the government or by foreign spies who we already know are trying to get access to this information.
Stephen Overlea
For folks who are not kind of steeped in the privacy world or don't follow tech as closely as you and I do, I wonder if there's a way you might describe this or characterize this that puts it in context in terms of how big of a deal it is.
Alan Butler
Yeah, I mean, I think that for people who, you know, don't follow this stuff as closely, you know, they probably have personal experience with their accounts, their financial accounts, their systems. You know, they've probably, you know, been asked to put their personal information on forms before, but have never really had to think that much about where that information goes because they trust in general that their bank is going to keep it secure. They understand that the law requires institutions that serve their interests to use cybersecurity practices. Right. People use two-factor authentication. They know that no one's supposed to be able to log into their bank account without their credentials, without their permission. So if you think about that being fundamentally violated, if someone were to just say, well, we've taken over the, your bank's payment system now, right. We now have access to all the bank's data, including information about your account. We might be able to change your balance, we might be able to issue payments without your permission. That's happening at the scale of the entire country. Right. So you're talking about people that are not supposed to be in that role, essentially barging in and taking over access that could change, stop, issue payments on behalf of the federal government without permission. That is an economic risk on top of everything else. And then the privacy risk of the personnel records, you know, is basically every data breach notice everyone's ever received times tens of millions or more, and even worse, because it's not just one element of data, it's the whole system.
Stephen Overlea
How surprised have you been by this? Because obviously on the campaign trail, Donald Trump and Elon Musk talked about shrinking the size of government and reforming government. But I guess just in terms of how they're going about doing it and the laws and best practices that they are potentially flouting here. Has that been surprising to you?
Alan Butler
Yeah, I mean, I think it's absolutely unbelievable that even the ends that purportedly this administration is pursuing are being pursued in a completely lawless way. I mean, if you want to audit federal payments, there are systems to do that. Right. The President of the United States certainly has the authority to call on the Treasury Secretary to do a top to bottom audit of federal payments and say, what's going on with these payments? Let's check them against certain characteristics that can happen. And it can happen using established procedures for security and privacy and people that are vetted and actually have the authority to do that, as opposed to coming in over a weekend and demanding the keys to critical systems that run and operate the federal government and handing them over to random teenagers who don't have authority or training or security clearances. That is completely shocking and unbelievable.
Stephen Overlea
There are a contingent of people, and perhaps even a large contingent of people watching this play out and sort of saying, you know, these guys are cleaning up wasteful spending, which is a good thing. They have the blessing of President Donald Trump, which is all they should need. How do you respond to people who are kind of thinking in that way?
Alan Butler
My response there is to say that, you know, waste, fraud and abuse is a major area of concern within the federal government, as it would be within a state government, and that there are ways to review that, right? There are ways to conduct a deep investigation. You want to stand up a task force and say, hey, we need to do a deep dive to really root out waste, fraud and abuse. Let's do that. But that doesn't involve new waste, fraud and abuse, right? Like creating new systemic risks to our sensitive systems, our critical infrastructure and personal data. There is a right way to do an investigation into waste, fraud and abuse, and it can. That can be bipartisan, that can involve Congress hand in hand. There are plenty of people. Everyone is on board with stopping waste, fraud and abuse, but no one is on board with this. This is chaos, I will say.
Stephen Overlea
You know, I keep thinking that, like, transparency should be part of this process. Right. You know, if they are uncovering all this abuse, as Elon Musk has talked about, then making that transparent, bringing it to light, seems like it would be the really responsible way to go about doing this. But that hasn't been the way so far, I will say. And I wonder if this kind of sets any of your concerns at ease, but my Politico colleagues reported over the weekend that DOGE employees have read-only access to Treasury data. And then on Monday, Treasury Secretary Scott Bessent told Republican lawmakers that DOGE doesn't control the agency's payment systems. Does any of that set your concerns at ease?
Alan Butler
I've seen contradictory reporting on this. And so first and foremost, we need a top to bottom investigation to get to the bottom of what's actually happening here. And that needs to be conducted by a neutral party, whether that's Congress, a special investigator. There is enough here to call for a deep and severe investigation into what's happened. Second of all, even read-only access to this system on behalf of these unvetted DOGE-associated individuals is completely illegal and not allowed. I mean, you're talking about the fundamental payment system that clears payments for the federal government. You can't just hand access to that over to some random person who's. It's his first, their first week on the job for DOGE, which we don't even know if it's a legitimate federal, federal entity yet. Right. We don't even know whether Elon Musk is considered a federal employee. There's been a claim that he is, but no one has cleared that or confirmed whether he has passed employment screens or standards. There's huge conflict of interest problems, by the way, since he manages companies that have federal contracts. So access alone to that Treasury data payment system is fundamentally likely illegal and a huge problem in and of itself. If they have more than read access to that system, that's catastrophic. Right? That's like could the wrong press of a delete button could shut down the global economy level. Catastrophic. So it only assuages me if that's true against the sort of world ending catastrophe, let's say. But the rest of the bad stuff is still there.
Stephen Overlea
Yeah, it sounds. Sounds dire when you put it that way. Frankly, there is legal pushback brewing to this, including a pair of labor unions who represent federal workers suing to block DOGE's access to Treasury records. And they argue it violates the Privacy Act of 1974, which I know you mentioned, and that's a law that dictates how federal agencies have to protect personal information. For the non-lawyers listening, can you just break down quickly the argument there and whether there is a compelling case that the law is for sure being broken?
Alan Butler
Yeah. So the Privacy Act regulates the federal government's procurement of technology and collection of personal data in the form of databases and other systems, and how it's handled and how it's used, and whether it's disclosed. And fundamentally, if there's been a disclosure, especially at this scale, of personal information from these federal systems beyond the uses that are approved under federal law and regulation, then that violates the Privacy Act. And there's strong evidence that that has happened. So you know, in short version, if someone in the government is disclosing personal information outside of their authorization that violates the Privacy Act.
Stephen Overlea
Are the courts really the main kind of recourse here? Are you looking at all to Congress and sort of asking, you know, where is Congress on this?
Alan Butler
Yes. And all the above. Right. We have three branches of government, and all three branches of government need to be engaged on this because we're not talking just about violations of the Privacy Act. These are critical government systems. And unauthorized access is essentially a form of hacking. Right. And the Computer Fraud and Abuse Act is our main hacking statute. It's enforced by law enforcement. I think that the FBI should be investigating this. I think that Congress should be investigating this. I think courts have a role to play. And there's questions in all three branches about who can move most quickly. Obviously, the executive branch, the President himself can move the most quickly in terms of shutting this down if he were so inclined. Congress can react. It takes longer for Congress to act beyond an investigation, courts have the ability to step in as an independent arbiter and issue an injunction and say this needs to stop.
Stephen Overlea
For an advocacy group like EPIC, are you planning any sort of response to this moment?
Alan Butler
I mean, what I can say at this moment is we are planning a response. Can't give more detail on that, but yes, absolutely.
Stephen Overlea
Can you hint what's the range of responses you're looking at?
Alan Butler
Yeah, we've litigated cases before about violations of the Privacy Act and the E-Government Act and other misconceptions, collection and misuse of personal records by the government. We've done it before, we'll do it again.
Stephen Overlea
Excellent, Alan. Appreciate you being here on Politico Tech.
Alan Butler
Thanks, Stephen.
Stephen Overlea
That's all for today's Politico Tech. If you enjoy Politico Tech, please subscribe. And for more tech news, subscribe to our newsletters, Digital Future Daily and Morning Tech. Our managing producer is Annie Reiss. Today's show was produced by Cara Tabor. I'm Stephen Overlea. See you back here tomorrow.
POLITICO Tech Podcast Summary
Episode: "This expert says DOGE is a privacy nightmare. Here's why"
Release Date: February 5, 2025
Host: Stephen Overlea
Guest: Alan Butler, President and Executive Director of the Electronic Privacy Information Center (EPIC)
The episode dives into the escalating tension in Washington as Elon Musk's initiative, referred to as DOGE, draws scrutiny for its rapid and controversial actions within federal agencies. Stephen Overlea sets the stage by highlighting Musk's efforts to dismantle and downsize federal entities, prompting backlash from Democratic lawmakers.
Alan Butler, a seasoned privacy advocate and litigator, provides a comprehensive breakdown of the DOGE situation, emphasizing its unprecedented scale and potential ramifications.
Butler outlines the multifaceted risks emanating from DOGE’s actions, underscoring both immediate and long-term consequences.
The episode delves into the legal ramifications of DOGE’s actions, particularly focusing on potential violations of the Privacy Act of 1974.
Butler voices astonishment at the lawless manner in which the administration is pursuing its objectives, highlighting the absence of transparency and adherence to established protocols.
The episode wraps up with a call to action, emphasizing the urgency of addressing the DOGE-induced chaos to safeguard federal systems and protect individual privacy.
Summary:
In this episode of POLITICO Tech, host Stephen Overlea engages with privacy advocate Alan Butler to dissect the alarming developments surrounding Elon Musk's DOGE initiative. DOGE's unauthorized access to sensitive federal data at the Treasury Department and USAID has raised significant privacy and security concerns, prompting calls for thorough investigations from lawmakers and legal challenges from labor unions. Butler underscores the severity of the breach, labeling it the largest in U.S. history, and emphasizes the need for a coordinated response across all government branches to mitigate the risks and uphold the integrity of federal systems. The discussion highlights the critical balance between governmental reform efforts and the imperative of maintaining robust cybersecurity and privacy protections.