Elon Musk may be stepping back from running the so-called Department of Government Efficiency, but his legacy there is already secured. DOGE is assembling a sprawling domestic surveillance system for the Trump administration — the likes of which we have never seen in the United States.
President Trump could soon have the tools to satisfy his many grievances by swiftly locating compromising information about his political opponents or anyone who simply annoys him. The administration has already declared that it plans to comb through tax records to find the addresses of immigrants it is investigating — a plan so morally and legally challenged it prompted several top I.R.S. officials to quit in protest. Some federal workers have also been told that DOGE is using A.I. to sift through their communications to identify people who harbor anti-Musk or -Trump sentiment (and presumably punish or fire them).
What this amounts to is a stunningly fast reversal of our long history of siloing government data to prevent its misuse. In their first 100 days, Mr. Musk and Mr. Trump have knocked down the barriers that were intended to prevent them from creating dossiers on every U.S. resident. Now, they seem to be building a defining feature of many authoritarian regimes: comprehensive files on everyone so they can punish those who protest.
“This is what we were always scared of,” said Kevin Bankston, a longtime civil liberties lawyer and a senior adviser on A.I. governance at the Center for Democracy & Technology, a policy and civil rights organization. “The infrastructure for turnkey totalitarianism is there for an administration willing to break the law.”
Over the past 100 days, DOGE teams have grabbed personal data about U.S. residents from dozens of federal databases and are reportedly merging it all into a master database at the Department of Homeland Security. This month, House Democratic lawmakers reported that a whistle-blower had come forward to reveal that the master database will combine data from federal agencies including the Social Security Administration, the Internal Revenue Service and the Department of Health and Human Services. The whistle-blower also alleged that DOGE workers are filling backpacks with multiple laptops, each one loaded with purloined agency data.
For years, privacy advocates, myself included, have obsessed about just how much of our data Big Tech companies possess. They know our location, monitor our browsing history and our online shopping — and use that info to make inferences about our interests and habits.
But government records contain far more sensitive information than even the tech giants possess: our incomes; our bank account numbers; if we were fired, what diseases we have, how much we gamble.
In 2009, the Georgetown law professor Paul Ohm envisioned the assemblage of a DOGE-like amount of data and called it the “database of ruin.” “Almost every person in the developed world can be linked to at least one fact in a computer database that an adversary could use for blackmail, discrimination, harassment or financial or identity theft,” Professor Ohm wrote.
We are not all the way down the rabbit hole yet. It appears that DOGE has not yet tried to scoop up data from the intelligence agencies, such as the National Security Agency, which collect vast amounts of communications between foreigners — and often catch Americans’ communications in their net. (That said, it is not encouraging that the head of the N.S.A. was recently fired, apparently at the behest of an online influencer who is friends with the president.)
Even so, the creation of a huge government database of personal information about U.S. residents is dangerous and very likely against the law. In the 1960s, the Johnson administration proposed combining all of its federal dossiers together into a new national “databank.”
The administration said it just wanted to eliminate duplicate records and perform statistical analysis, but the public was outraged. The databank was scuttled, and Congress passed the Federal Privacy Act of 1974, which requires federal agencies to obtain consent before disclosing individuals’ data across agencies.
Of the more than 30 lawsuits that involve DOGE, several allege that its data incursions violate the Privacy Act. So far, courts have ruled in plaintiffs’ favor in two of those cases, issuing orders limiting DOGE’s access to data at the Social Security Administration and Department of Treasury. Both cases are ongoing. While the orders restricted DOGE from obtaining personally identifiable data, it remains unclear what happens with data that has been already collected.
But the deeper problem is that the Privacy Act lacks real teeth. It did not give judges the ability to levy meaningful fines or easily halt illegal actions. It failed to establish an enforcement arm to investigate privacy violations in ways that courts can’t. And since then, Congress hasn’t been able to pass comprehensive new privacy laws or create stronger enforcement mechanisms.
That makes the United States the only country in the 38-member Organization for Economic Cooperation and Development without a data protection agency to enforce comprehensive privacy laws. In the European Union, each country has a dedicated data protection authority that can conduct investigations, write rules, issue fines and even demand a halt to data processing.
Without a privacy cop on the beat, Americans can submit a Privacy Act request to try to find out what data DOGE is holding about them, or hope that judges side with them in one of the dozens of lawsuits winding their way through court. Still, DOGE continues going from agency to agency grabbing data.
To pick just two recent examples: Last month, DOGE bullied its way into the federal payroll records for about 276,000 federal workers, placing the officials who objected on administrative leave; and this month, a separate whistle-blower at the National Labor Relations Board came forward with evidence showing that after DOGE workers arrived, there was a spike in data being siphoned out of the agency.
“In no other country, could a person like Elon Musk rummage through government databases and gather up the personal data of government employees, taxpayers and veterans,” said Marc Rotenberg, a longtime privacy lawyer and founder of the Center for A.I. and Digital Policy, a nonprofit research group. “There are many U.S. privacy laws. But they are only effective when enforced by dedicated privacy agencies.”
We urgently need to modernize our approach to privacy by creating a federal data protection agency with robust investigative powers.
But short of that, we still have time to stop the creation of the database of ruin. Congress could defund DOGE, or repeal Mr. Trump’s executive order establishing it, or support legislation that the Democratic senators Ed Markey and Ron Wyden have introduced to update the Privacy Act to provide more meaningful fines and criminal penalties.
This should be a bipartisan issue. Because once we create a database of ruin, none of us are safe from having our information — no matter how innocuous — used against us.
