The Trump administration’s regular flouting of privacy laws and data security protocols to support various authoritarian goals is jeopardizing Americans’ sensitive personal information.
The United States federal government knows a lot about you. If you’ve ever applied for federal student aid, the Department of Education has records of your income and assets. The Social Security Administration begins collecting information from the moment your parents apply for your Social Security number at birth, adds new data every time Social Security taxes are deducted from your paychecks, and continues to monitor you until the day you die.
Simply put, federal agencies maintain a vast network of databases, which house enough information to paint a detailed portrait of your life: where you’ve lived, where you’ve gone to school, where you’ve worked, how much money you’ve earned, medical histories, criminal records, travel histories, charitable donations, political contributions, marital status. And it’s not just your story. All that information exists for everyone in your family, all your friends, your neighbors, your boss, your coworkers, and your favorite barista. It’s hundreds of millions of portraits.
The Department of Government Efficiency was and remains one of the most consequential developments of the second Trump administration. Elon Musk championed data consolidation as a necessary step towards achieving DOGE’s nominal mission of rooting out waste, fraud, and abuse. Trump obliged by signing a March 2025 executive order advancing DOGE’s consolidation project.
Government efficiency, however, became a smokescreen to obscure the administration’s reliance on data centralization schemes to fuel various authoritarian policy goals. Cross-agency data sharing has boosted Immigration and Customs Enforcement’s capability to target individuals for detention and deportation, bolstering the administration’s white nationalist aspirations. Debunked voter fraud conspiracies form the basis for the administration’s demands for and illegal seizure of state voter records. The writing on the wall suggests Trump aims to subvert the 2026 midterms in an attempt to maintain his party’s hold on power, and shield himself from suffering the consequences for his corruption and cruelty.
There’s long been public expectation that the federal government will properly safeguard the information it collects and appropriately use it to dole out public benefits or administer federal programs. This became more relevant as the federal government grew dramatically during the 20th century, and so did the amount of information it collected about us. The advent of computers made records more accessible and made cross-referencing information easier, but it also increased worries about privacy. Those concerns were intensified after the dual scandals of Watergate and the illegal surveillance of various strains of political opposition, including anti-war protests against US involvement in Vietnam.
In response, Congress passed the Privacy Act of 1974, creating a framework for privacy and security of personal data. In addition to dictating how individually identifiable information is to be stored and accessed, the Privacy Act broadly prohibits agencies from using that information for purposes other than its intended use. Inter-agency sharing is likewise prohibited unless it’s for “routine use,” meaning the “use of such record for a purpose which is compatible with the purpose for which it was collected.”
At face value, using data to support a deportation regime is outside the bounds of the Privacy Act of 1974. Agencies can enter data sharing agreements under the law, but that data must still be used for its original purpose. It’s difficult to see what relation Social Security or Medicaid data has with immigration enforcement operations. The Constitution clearly gives authority over elections and voter data to the states, and limits how and why the US government can collect voter data. Surely, the Department of Justice must provide more than baseless conspiracies in its demands for access to that data.
Information silos installed within the federal bureaucracy are safeguards against excessive intrusions into our private lives. Information silos serve a dual purpose: they allow agencies to collect and use data specific to their goals (administering Social Security benefits, disbursing student aid) while limiting that data from being open to all agencies. Pulling those branching streams of data into a centralized database places us under Big Brother’s watchful eye. The Trump administration is eager to control, manipulate, and erase public information in pursuit of its authoritarian ambitions; panoptic surveillance is one more step towards establishing total control of the record of who we are, as individuals and as a nation.
Outside the discomfiture of living in an illegal surveillance state, the dangers presented by the administration’s displayed incompetence will result in tangible harm to Americans. Data security typically required of high-ranking officials has fallen victim to the haphazard mindset that pervades the administration. DOGE, staffed by Musk’s handpicked technology “wizards,” is the worst perpetrator of privacy and data blunders. DOGE agents have acted with little regard for the established rules and measures maintaining data security, compromising sensitive personal information as a result. The most troubling example is the exposure of Social Security information on a third-party cloud server, but other stories of leaks and security breaches portray it as a rule rather than an exception.
The federal data systems were built to aid effective governing, but Trump’s administration has repeatedly flouted the law to consolidate and repurpose that information. Once data is exposed or misused, the harm is difficult to undo. With individual agencies openly violating data privacy laws and a GOP-controlled Congress reluctant to legislate against the president’s agenda, these trends will only accelerate. Evidenced by the pending litigation concerning DOGE’s violations of the Privacy Act, the courts remain the last meaningful check against the illegal use of our personal data.
The Trump Admin’s Mishandling of Sensitive Data
Last Updated March 3, 2026
Gross Incompetence
- Signalgate: High-ranking Trump administration officials inadvertently shared secret military plans for US attacks on Yemen. The officials discussed the war plans in a group chat on Signal, the commercial messaging platform, breaching established national security safety protocols and violating several federal laws, including the Espionage Act. The unsecured group chat became public knowledge after The Atlantic editor Jeffrey Goldberg was mistakenly added to the group and started receiving messages on the planned military actions.
- Former Social Security Administration chief data officer Charles Borges filed a whistleblower complaint in August alleging that DOGE agents had copied an SSA database containing sensitive info on hundreds of millions of Americans, then uploaded that information onto a third-party cloud server, Cloudflare, with little oversight, which opened the data to attacks by bad actors. DOGE denied these claims at the time, but a DOJ filing in January 2026 acknowledged that the data was improperly accessed and uploaded. DOGE’s intrusion in the SSA last year was met with alarm, as employees warned that DOGE wasn’t observing the proper data security protocols. According to the Washington Post, records show that other staff had filed complaints about DOGE’s handling of SSA databases prior to Borges’ whistleblower complaint. SSA staff had also flagged Cloudflare as a security risk as it is not an approved server for storing SSA data and falls outside the agency’s security protocols. The DOJ filing drives the security risk home: because Cloudflare is a third-party service, SSA cannot access whatever was stored there, leaving unanswered questions about exactly what data was shared and whether it still exists on the server.
- Opexus, a third-party software contractor hired by the Equal Employment Opportunity Commission, mishandled sensitive information and may have exposed personally identifiable information like names and contact information. According to an email sent by EEOC’s data security team, Opexus contractors had “privileged access to EEOC systems” and handled data in an unauthorized and prohibited manner.
- DOGE staffer Marko Elez was granted access to the Treasury Department’s sensitive payment systems, with the ability to rewrite code, even as Trump officials denied the claim. Elez could modify the code of the Payment Automation Manager (PAM) and the Secure Payment System (SPS). Housed within the Bureau of Fiscal Services (BFS), the payment systems are used to make trillions of dollars in payments each year, affecting everything from tax refunds and Social Security benefits to veterans’ pay. Access to the system also gave Elez and DOGE the potential to cut off Congressionally authorized payments, or, possibly, reroute them. The BFS internal threat intelligence team called DOGE’s access to payment systems the “single greatest insider threat risk the [BFS] has ever faced.”
- DOGE’s presence at Treasury also gave the initiative access to IRS data, which can be used to form robust profiles on individual taxpayers. The Tax Policy Center wrote that mishandling this data can expose taxpayers to identity theft. Moreover, it could fall into the hands of foreign governments, or be used for political purposes domestically.
- Federal employees sued the Office of Personnel Management, alleging the agency sent its infamous “Fork In The Road” mass emails over an unauthorized commercial server. The lawsuit further claimed that, in setting up the server, OPM sidestepped federal law by failing to conduct the requisite privacy impact assessments and by operating without proper security controls. Plaintiffs warned that if the server was left operational it would continue to collect personal information while leaving that information vulnerable to exposure.
- An audit report by the OPM Inspector General found that the government-wide email system (GWES) used for the emails lacked the proper protocols for handling sensitive data and that OPM senior management overrode established IT security and privacy controls in order to quickly send the emails out.
- According to a whistleblower disclosure, DOGE agents may have copied and removed at least 10 gigabytes of sensitive data from the National Labor Relations Board’s internal systems. It is unclear what files were taken, but the sensitive nature of NLRB data opens the possibility that if the information is leaked or shared, it could then be used to retaliate against employees or gain an unfair advantage in ongoing litigation. DOGE employees are also alleged to have turned off programs monitoring their activity and taken measures to prevent others from seeing what they were doing at the agency. The whistleblower disclosure also shared what appeared to be a software tool that would install a backdoor to NLRB systems, designed by one of the DOGE programmers working at NLRB at the time.
- Making this especially egregious is the fact that Musk’s companies have repeatedly faced scrutiny over labor violations, raising serious conflict-of-interest concerns about access to the sensitive labor data.
- DOGE posted classified information about the National Reconnaissance Office (NRO) onto its website, raising concerns about how DOGE staffers got the information and how they were using it. The budgets and staffing levels of the NRO, the federal intelligence agency that designs, builds, and operates spy satellites, are classified and aren’t even shared with allied governments. Yet, DOGE published the NRO’s headcount online, instigating a scramble to learn who obtained the information while it was public and what other information was released.
- DOGE staffers at the Education Department fed sensitive personally identifiable and financial data into “AI software accessed through Microsoft’s cloud computing service Azure.” At OPM, DOGE similarly used Meta’s Llama AI to read through staff responses to the “Fork in the Road” emails. Using AI to gather and read sensitive information presents security risks; the data is shared with an outside party, increasing the risk that it is mishandled and exposed, and creates more points of entry for hackers to breach systems.
- In response to an executive order, the CIA sent an unclassified email to OPM that included the first names and last initials of probationary employees hired in the previous two years. The list included new recruits hired specifically to focus on China. Although the list contains limited information, former intelligence officials called it a “counterintelligence disaster,” warning that even partial names could be combined with other information, allowing foreign intelligence agencies to identify and target CIA personnel.
- The former interim head of the Cybersecurity and Infrastructure Security Agency (CISA) uploaded sensitive contracting documents into a publicly available version of ChatGPT in July 2025, prompting security warnings and an internal review to assess any harms to government security. Madhu Gottumukkala, who led CISA until February 2026, had requested special permission to use ChatGPT after arriving at the agency in May 2025, although DHS had blocked their employees from using the app. The uploaded files were marked “for official use only,” a designation indicating the files were sensitive and not for public release. Uploading the files into a public version of ChatGPT means the materials can be incorporated in training data, exposed to other ChatGPT users, and lead to “loss of data control, expanded exposure surface, secondary misuse risk, and policy boundary collapse.”
- The turnover of CISA leadership amid the stalled confirmation of an agency Director has prompted concern about the strength of domestic cybersecurity. Without a permanent head, serious cybersecurity issues, such as a Chinese-linked hack into critical infrastructure systems, have not been adequately addressed, and progress on other security initiatives, like reinstating the Critical Infrastructure Partnership Advisory Council, has stalled. The combination of a vacant Director’s seat and a gutted CISA workforce has cybersecurity experts and lawmakers worried sick about the agency’s ability to handle a serious crisis. A former assistant director at CISA said the agency is “ill-prepared” to handle a significant cyberattack from China.
Unlawful Data Sharing and Collection
- The IRS improperly shared confidential taxpayer information of 47,000 individuals targeted by ICE. The IRS had agreed to share the names and addresses of people the Trump administration believed to be here illegally. When sharing data with DHS, the IRS also inadvertently disclosed the private information of thousands of additional taxpayers, a mistake only recently discovered in February 2026. Public Citizen filed a lawsuit to stop data sharing between the IRS and DHS; the case is currently ongoing, but two federal courts concluded that the IRS and DHS acted unlawfully.
- A U.S. District Judge found that the IRS broke the law nearly 43,000 times when it shared taxpayer information with ICE. An agency requesting taxpayer information from the IRS must first submit the name and address of the person of interest. ICE, however, submitted thousands of requests with unknown or incomplete addresses, or listed jails, detention centers, and prisons as a taxpayer’s address. The IRS ignored these inconsistencies and sent ICE the taxpayer information anyway.
- The DOJ filed a lawsuit in July 2025 demanding that New Hampshire turn over the state’s voter files, arguing it needed them to determine if the state was complying with the Civil Rights Act. Voter information like names, addresses, and party affiliations is already publicly available in New Hampshire, but the DOJ requested Social Security numbers and driver’s license numbers. State officials and a bipartisan group of residents have asked a federal court to throw out the suit.
- The Centers for Medicare and Medicaid Services (CMS) entered into an agreement with DHS to share Medicaid data with ICE for Trump’s immigration crackdown. The agreement gives ICE access to Medicaid recipients’ names, addresses, Social Security numbers, dates of birth, sex, phone numbers, localities, and ethnicity and race. The agreement does not specifically limit data sharing to noncitizens, meaning ICE may have access to all Medicaid enrollee data regardless of immigration status.
- The SSA classified thousands of living immigrants as dead and cancelled their Social Security numbers in service of Trump’s immigration crackdown. The people added to the SSA’s “Death Master File” were legally allowed to live in the US. At the time of reporting (April 2025), the administration had moved around 6,300 immigrants into the Death Master File after DHS, without evidence, identified them as temporary paroled aliens on the terrorist watch list or as having FBI criminal records. Without a Social Security number, one cannot legally get a job, collect benefits, or enroll their kids in school.
- In April 2025, Wired reported that as DOGE pooled sensitive data from across the government, the SSA started to share “citizen and immigration information” with DHS. However, the SSA issued a public notice in November 2025, making the data sharing agreement official months after the fact. Nikhel Sus, deputy counsel at Citizens for Responsibility and Ethics in Washington (CREW), said the agreement was problematic because Social Security data doesn’t accurately reflect immigration or citizenship status since it was never the collected information’s intended use.
- Twenty-one state attorneys general sued USDA to block its collection of sensitive information of individuals participating in the Supplemental Nutrition Assistance Program (SNAP). USDA requested states share participant information from the last five years in what is seen as data collection designed to boost the Trump administration’s deportation agenda. The suit brought by State AGs contends that the proposed data sharing violates federal privacy laws.
- Civil rights groups sued the Trump administration to protect voter information after the FBI raided the Fulton County Election Hub and confiscated election records. Fulton County Board of Commissioners Chair Robb Pitts said the records were safe and secure at the facility, but that he cannot guarantee their safety now that they are in FBI custody. The lawsuit seeks to prevent the Trump administration from misusing voter information. Fulton County also filed a lawsuit for the return of the materials.
- Affidavits used to seize the voter data were obtained by NPR and show that the FBI’s rationale for its raid was based on misinformation already investigated in the immediate aftermath of the 2020 election. This is the same jurisdiction where Trump pressured the Georgia Secretary of State to find “more votes” during his conspiracy-fueled effort to overturn the 2020 election.
- Tulsi Gabbard, Director of National Intelligence, was present at the time of the raid. The DNI has no domestic law enforcement authority, raising concerns about the legality and motives behind the cross-agency involvement.
- A report from the Center for Strategic and International Studies (CSIS) warns that the private data ICE is collecting on millions of Americans has become a “high-value target for nation-state adversaries.” Aggregating sensitive personal and biometric data from different agencies into a centralized hub gives hackers more points of attack, and they just need to find the weakest point of entry to access all the data. Biometric data is especially valuable: unlike passwords or addresses, biometrics are immutable data points which can be used for “long term targeting, profiling, and exploitation of individuals both inside and outside the U.S.”
- ICE is reportedly preparing to outsource the decisions on what tech the agency buys, builds, and deploys to a private contractor, increasing the number of points of entry a hacker can use to enter the system. “Contractors operate across portfolios of clients. They may rely on subcontractors. They maintain their own networks and security postures. Even when operating in good faith, they expand the ecosystem of access.”
Image Credit: “Data Security Breach” by Blogtrepreneur is licensed under CC BY 2.0.