Doge’s Access To Federal Data Is ‘an Absolute Nightmare,’ Legal Experts Warn

Elon Musk’s headlong rush to take control of crucial federal agencies and functions — and to dismantle some of them virtually overnight — has stoked widespread alarm in Washington about the aims of his Donald Trump-backed mission.

The opaque office’s early moves have violated the Privacy Act and cybersecurity laws, according to legal experts, and triggered a lawsuit challenging the Trump administration’s assault on government bureaucracy.

Legal and security experts are particularly exercised by Musk’s move to shutter the U.S. Agency for International Development and take control of the Treasury Department's central payments database.

“The scale here is unprecedented in terms of the risk to sensitive personal and financial information,” said Alan Butler of the Electronic Privacy Information Center. “It’s an absolute nightmare.”

The Musk-led effort to gain entry into Treasury’s huge payment database drew a lawsuit Monday from two major federal employee unions and left some lawyers who specialize in regulation of such data nearly apoplectic.

Mary Ellen Callahan, former Chief Privacy Officer at the Department of Homeland Security, called DOGE’s access “a data breach of exponential proportions.” “If we lose control of that data, we've lost control forever,” she said.

The suit filed in federal court in Washington on Monday by the American Federation of Government Employees and the Service Employees International Union argues that the Trump administration is breaching the Privacy Act of 1974 by sharing payment information with members of the DOGE team.

Other lawyers said DOGE’s access could also violate cybersecurity-related laws, like the Federal Information Security Modernization Act of 2002.

Reports that career employees at the Office of Personnel Management were locked out of key databases by DOGE personnel also triggered deep concern Monday among legal and security experts. A key OPM database was breached by hackers in 2013, prompting widespread outrage from lawmakers and federal workers. The U.S. government blamed the hack on China and said the data could be used to target or enlist federal employees in espionage.

“They're not following the law, they're not following any semblance of best practice, they're just hacking and slashing government IT systems in a way that threatens national security and puts everyone at risk,” Butler said.

Claims by Musk that he is shutting down USAID were met with widespread skepticism as well. USAID was created through an executive order issued by President John F. Kennedy in 1961. But it was formally established as a federal government agency by Congress in 1998, creating doubts about Trump’s authority to simply abolish it or, as Secretary of State Marco Rubio has suggested, fold it into the State Department.

“I think it’s the most clearly unconstitutional act that he’s doing,” said Alex Joel, an adjunct professor of law at American University. “He can’t just destroy the whole agency.”

DOGE’s potential access to tax data at Treasury in particular alarmed privacy experts.

Butler noted that the Treasury systems almost certainly contain data about tax refunds that would also be considered taxpayer information, which is even more highly restricted under federal law.

“That’s almost certainly being violated if you’ve given unauthorized access to 18 or 19 year olds to the Treasury payment system,” Butler said. He acknowledged that contractors can sometimes access such systems, but only after they’ve been vetted and trained.

“You just can't, like, wave a pen and grant authority to access these sorts of systems. There's actual rules that do govern this,” Butler said. “It's not that it can't happen. It's that there are processes and procedures in place.”

Butler said the dangers go beyond privacy, since there’s also a risk that someone could accidentally shut down vital federal government payment systems.

“Imagine if you just granted some random coder access to a critical system, and they just start going in there and start messing with stuff, and it breaks the system, and then all of a sudden, the US government can't issue payments. That's catastrophic,” Butler said.

Speaking to reporters Monday at the White House, Trump was vague about Musk’s access, suggesting he may not have direct access to data at Treasury, despite the recent showdown between DOGE personnel and career officials.

“Well, he's got access only to letting people go that he thinks are no good, if we agree with him, and it's only if we agree with him,” Trump said.

A spokesperson for DOGE did not immediately respond to a request for comment.

Presidents do have broad authority to grant individuals access to classified information and Trump has moved to make it easier for people to get interim clearances than it was in his first term.

“There is an argument — not one I would support — that he could direct that DOGE have access to classified information without going through any process and procedure that might be out there,” said Joel, a former privacy and civil liberties officer for the intelligence community. “I would argue that if he were to do something, he needs to do something that takes into account executive orders that are on the books.”

But the unclassified information in sensitive systems is now governed by a regime of statutes and regulations that the president has no clear authority to waive, lawyers said. Some of those measures also require public notices that have not been issued in the two weeks Trump has been in office. Complicating the legal picture is a lack of clarity about whether the DOGE members are government employees, contractors or just outsiders given special access.

The ultimate legality of Trump’s move to shutter or reorganize USAID will depend on what the Supreme Court does, one legal expert said. The high court may take up looming battles over the president’s authority to not spend funds appropriated by Congress and over the breadth of his ability to dismiss executive branch employees.

“Some of this is going to be resolved in litigation down the road,” said Paul Larkin of the Heritage Foundation. “There are some aspects of the law that are clear, but they're old and the question is whether the Supreme Court is willing to reconsider them.”

Democratic lawmakers also insisted that no revamp of USAID can take place without Congress.

“Any effort to merge or fold USAID into the Department of State should be, and by law must be, previewed, discussed and approved by Congress,” Senate Foreign Relations Committee Democrats wrote in a letter Sunday to Rubio.

In a reply to lawmakers Monday, Rubio seemed to concede a role for Congress in whatever restructuring the Trump administration eventually recommends for USAID. “This letter provides notice and advises you of our intent to initiate consultations with you,” wrote Rubio, whom Trump named Monday as acting administrator of USAID. He called it a “review and potential reorganization … consistent with applicable law.”