Stephen Overlea (4:56)

And so walk me through kind of the risks here as you see them, like what could go wrong or is going wrong as a result of how this is all playing out.

Alan Butler (5:06)

Sure. So there's a couple different dimensions to it. First and foremost, you have the immediate privacy risks to individuals that are implicated in these systems. And that includes current and former federal employees whose personnel records include things like their sensitive personal information, their home address, Social Security information, any derogatory information included on their clearance forms, like the SF86. All of this could not only be, you know, used in the context of whatever DOGE is trying to do in terms of kind of attacking the federal workforce, but could also be leaked or, you know, misused by individuals outside of the government or by foreign spies who we already know are trying to get access to this information.

Stephen Overlea (5:52)

For folks who are not kind of steeped in the privacy world or don't follow tech as closely as you and I do, I wonder if there's a way you might describe this or characterize this that puts it in Context in terms of how big of a deal it is.

Alan Butler (6:06)

Yeah, I mean, I think that for people who, you know, don't follow this stuff as closely, you know, they probably have personal experience with their accounts, their financial accounts, their systems. You know, they've probably, you know, been asked to put their personal information on for forms before, but have never really had to think that much about where that information goes because they trust in general that their bank is going to keep it secure. They understand that the law requires institutions that serve their interests to use cybersecurity practices. Right. People use two factor authentication. They know that no one's supposed to be able to log into their bank account without their credentials, without their permission. So if you think about that being fundamentally violated, if someone were to just say, well, we've taken over the, your bank's payment system now, right. We now have access to all the bank's data, including information about your account. We might be able to change your balance, we might be able to issue payments without your permission. That's happening at the scale of the entire country. Right. So you're talking about people that are not supposed to be in that role, essentially barging in and taking over access. That could change. Stop. Issue payments on behalf of the federal government without permission. That is an economic risk on top of everything else. And then the privacy risk of the personnel records, you know, is basically every data breach notice everyone's ever received times tens of millions or more, and even worse, because it's not just one element of data, it's the whole system.

Stephen Overlea (7:47)

How surprised have you been by this? Because obviously on the campaign trail, Donald Trump and Elon Musk talked about shrinking the size of government and reforming government. But I guess just in terms of how they're going about doing it and the laws and best practices that they are potentially flouting here. Has that been surprising to you?

Alan Butler (8:10)

Yeah, I mean, I think it's absolutely unbelievable that even the ends that purportedly this administration is pursuing are being pursued in a completely lawless way. I mean, if you want to audit federal payments, there are systems to do that. Right. The President of the United States certainly has the authority to call on the Treasury Secretary to do a top to bottom audit of federal payments and say, what's going on with these payments? Let's check them against certain characteristics that can happen. And it can happen using established procedures for security and privacy and people that are vetted and actually have the authority to do that, as opposed to coming in over a weekend and demanding the keys to critical systems that run and operate the federal government and handing them over to random teenagers who don't have authority or training or security clearances. That is completely shocking and unbelievable.

eBay (9:16)

Still, getting around to that fix on your car. You got this on ebay, you'll find millions of parts guaranteed to fit. Doesn't matter if it's a major engine repair or your first time swapping your windshield wipers. Ebay has that part you need ready to click perfectly into place for changes big and small, loud or quiet. Find all the parts you need at prices you'll love, guaranteed to fit every time. But you already know that ebay things people love. Eligible items only Exclusion supply.

Stephen Overlea (9:47)

There are a contingent of people, and perhaps even a large contingent of people watching this play out and sort of saying, you know, these guys are cleaning up wasteful spending, which is a good thing. They have the blessing of President Donald Trump, which is all they should need. How do you respond to people who are kind of thinking in that way?

Alan Butler (10:06)

My response there is to say that, you know, waste, fraud and abuse is a major area of concern within the federal government, as it would be within a state government, and that there are ways to review that, right? There are ways to conduct a deep investigation. You want to stand up a task force and say, hey, we need to do a deep dive to really root out waste, fraud and abuse. Let's do that. But that doesn't involve new waste, fraud and abuse, right? Like creating new systemic risks to our sensitive systems, our critical infrastructure and personal data. There is a right way to do an investigation into waste, fraud and abuse, and it can. That can be bipartisan, that can involve Congress hand in hand. There are plenty of people. Everyone is on board with stopping waste, fraud and abuse, but no one is on board with this. This is chaos, I will say.

Stephen Overlea (10:58)

You know, I keep thinking that, like, transparency should be part of this process. Right. You know, if they are uncovering all this abuse as. As Elon Musk has talked about, then making that transparent, bringing it to light, seems like it would be the really responsible way to go about doing this. But that hasn't been the way so far, I will say. And I wonder if this kind of sets any of your concerns at ease, but my Politico colleagues reported over the weekend that Doge employees have read only access to treasury data. And then on Monday, Treasury Secretary Scott Bessant told Republican lawmakers that Doge doesn't control the agency's payment systems. Does any of that set your concerns at ease?

Alan Butler (11:41)

I've seen contradictory reporting on this. And so first and foremost, we need a top to bottom investigation to get to the bottom of what's actually happening here. And that needs to be conducted by a neutral party, whether that's Congress, a special investigator. There is enough here to call for a deep and severe investigation into what's happened. Second of all, even read only access to this system on behalf of these unvetted DOGE associated individuals is completely illegal and not allowed. I mean, you're talking about the fundamental payment system that clears payments for the federal government. You can't just hand access to that over to some random person who's. It's his first, their first week on the job for the doge, which we don't even know if it's a legitimate federal, federal entity yet. Right. We don't even know whether Elon Musk is considered a federal employee. There's been a claim that he is, but no one has cleared that or confirmed whether he has passed employment screens or standards. There's huge conflict of interest problems, by the way, since he manages companies that have federal contracts. So access alone to that treasury data payment system is fundamentally likely illegal and a huge problem in and of itself. If they have more than read access to that system, that's catastrophic. Right? That's like could the wrong press of a delete button could shut down the global economy level. Catastrophic. So it only assuages me if that's true against the sort of world ending catastrophe, let's say. But the rest of the bad stuff is still there.

Stephen Overlea (13:17)

Yeah, it sounds. Sounds dire when you put it that way. Frankly, there is legal pushback brewing to this, including a pair of labor unions who represent federal workers suing to block doge's access to treasury records. And they argue it violates the Privacy act of 1974, which I know you mentioned, and that's a law that dictates how federal agencies have to protect personal information. For the non lawyers listening, can you just break down quickly the argument there and whether there is a compelling case that the law is for sure being broken?

Alan Butler (13:50)

Yeah. So the Privacy act regulates the federal government's procurement of technology and collection of personal data in the form of databases and other systems, and how it's handled and how it's used, and whether it's disclosed. And fundamentally, if there's been a disclosure, especially at this scale, of personal information from these federal systems beyond the uses that are approved under federal law and regulation, then that violates the Privacy act. And there's strong evidence that that has happened. So you know, in short version, if someone in the government is disclosing personal information outside of their authorization that violates the Privacy Act.

Stephen Overlea (14:31)

Are the courts really the main kind of recourse here? Are you looking at all to Congress and sort of asking, you know, where is Congress on this?

Alan Butler (14:40)

Yes. And all the above. Right. We have three branches of government, and all three branches of government need to be engaged on this because we're not talking just about violations of the Privacy Act. These are critical government systems. And unauthorized access is essentially a form of hacking. Right. And the Computer Fraud and Abuse act is our main hacking statute. It's enforced by law enforcement. I think that the FBI should be investigating this. I think that Congress should be investigating this. I think courts have a role to play. And there's questions in all three branches about who can move most quickly. Obviously, the executive branch, the President himself can move the most quickly in terms of shutting this down if he were so inclined. Congress can react. It takes longer for Congress to act beyond an investigation, courts have the ability to step in as an independent arbiter and issue an injunction and say this needs to stop.

Stephen Overlea (15:34)

For an advocacy group like Epic, are you planning any sort of response to this moment?

Alan Butler (15:39)

I mean, what I can say at this moment is we are planning a response. Can't give more detail on that, but yes, absolutely.

Stephen Overlea (15:47)

Can you hint what's the range of responses you're looking at?

Alan Butler (15:50)

Yeah, we've litigated cases before about violations of the Privacy act and the E Government act and other misconceptions, collection and misuse of personal records by the government. We've done it before, we'll do it again.

Stephen Overlea (16:02)

Excellent, Alan. Appreciate you being here on Politico Tech.

Alan Butler (16:05)

Thanks, Stephen.

Stephen Overlea (16:08)

That's all for today's Politico Tech. If you enjoy Politico Tech, please subscribe. And for more tech news, subscribe to our newsletters, Digital Future Daily and Morning Tech. Our managing producer is Annie Reiss. Today's show was produced by Cara Tabor. I'm Stephen Overleigh. See you back here tomorrow.