How to Stop DOGE from Building a Database of Ruin
Hi friends –
On January 7th, 1968, tucked onto the front page of The New York Times amidst news of the escalating Vietnam war and Senator Eugene McCarthy’s presidential ambitions, was an article that could have just as easily been published today.
“Do you drink heavily at home?” the article began. “Have you been married more than twice? Are your sexual preferences exotic? How are you and your wife getting along?”
“All these questions are of interest to numerous Government agencies, and the answers, or what purports to be the truth about millions of Americans in these intimate matters, are tucked away in official Washington dossiers,” the article continued.
Headlined “Data Bank: Peril or Aid?,” the article warned of the privacy implications of a U.S. government plan to combine all of its dossiers together - from tax returns, to census responses to retirement benefits – in a new national “data bank.”
Within a few years, public backlash forced the data bank to be scuttled. Congress passed the Federal Privacy Act of 1974 putting limits on what the government can do with the data it holds on individuals.
But now, fifty years later, Elon Musk and his Department of Government Efficiency tech bros are building a vastly larger and more comprehensive version of the ill-fated government data bank of the 70s. They have stormed into dozens of federal agencies and scooped up records ranging from Social Security payments to tax returns to mortgage applications.
A whistle-blower has come forward claiming that DOGE workers are filling backpacks with multiple laptops, each one loaded with purloined agency data, as they assemble a master database of files.
In other words, DOGE appears to be assembling the same national “data bank” that Congress tried to kill back in the 70s. In my latest piece for the New York Times, “‘This Is What We Were Always Scared of’: DOGE Is Building a Surveillance State” (gift link), I argue that this assemblage of data comprises a “database of ruin” that the Federal Privacy Law doesn’t have enough force to stop.
What’s the Problem? “For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her,” Georgetown Law Professor Paul Ohm wrote presciently back in 2009 in his paper “The Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization” that envisions a database of ruin.
Putting such a database – whether it is supposedly de-anonymized or not – in the hands of the Trump Administration, which is attempting to punish political opponents, ranging from distributors of clean energy technology to First Amendment protected protesters, is exactly the type of nightmare scenario privacy advocates have long worried about.
The data itself doesn’t have to be ruinous to have a ruinous effect. James McCaffrey suspects that his Social Security benefits were cut off without notice in February because the DOGE brigade was terminating anyone with a foreign birth place.
McCaffrey, an Oklahoma City retiree and American citizen who was born on a U.S. military base in Germany 66 years ago, did eventually get his benefits restored after hours on the phone. But the challenge of a database of ruin is that McCaffrey and others impacted by secret data-driven accusations will likely never know the true story of what happened.
What Can be Done? Congress passed the Federal Privacy Act in 1974 to prevent just this scenario. The law restricts agencies from using data for reasons other than what was envisioned when it was collected – unless they seek consent.
But when the Privacy Act was passed, the Ford Administration successfully lobbied to remove a key provision of the legislation – the creation of a privacy enforcement agency. Legislative efforts since then to establish a new federal privacy agency have also failed.
As a result, the U.S. is the only country in the 38-member Organization for Economic Cooperation and Development that doesn’t have a data protection agency enforcing privacy laws. Corporate privacy violations are monitored by the Federal Trade Commission. The U.S. intelligence agencies' use of data is watched by the Privacy and Civil Liberties Oversight Board. (The Trump Administration has fired the Democratic commissioners of both bipartisan bodies, who each separately allege in court that their firings are illegal.) But there is no cop on the beat of policing inter-governmental data hijinks like DOGE’s actions.
Judges have sought to block DOGE’s data incursions at several agencies including the Social Security Administration, citing the Federal Privacy Act. But law gives judges few enforcement tools: the fines are minimal and the remedies are often limited to improving processes around data access and consent.
For instance, consider the litigation surrounding DOGE’s incursions into the Treasury Department databases. Nineteen state attorneys general sued to block DOGE from accessing systems that include U.S. residents' bank account and social security numbers. After three months of litigation and the issuance of a temporary restraining order, the judge ruled that one DOGE staffer could access some data after completing a training course.
We urgently need to give judges better tools to block and punish privacy violators. A good start would be for Congress to pass legislation introduced by Democratic Senators Ed Markey and Ron Wyden that would update the Privacy Act to provide more meaningful fines and criminal penalties.
But in the long run, we need a federal data protection agency with robust investigative powers so that judges aren’t the only privacy beat cops.
As always, thanks for reading.
Best
Julia