The Watergate-Inspired Law That’s Being Used to Fight DOGE

Andrew Couts, WIRED’s Senior Editor of Security and Investigations, joins Global Editorial Director Katie Drummond to talk about how The 1974 Privacy Act is being used in legal battles against Elon Musk’s so-called Department of Government Efficiency’s efforts to collect massive amounts of sensitive federal data. Plus, they discuss how you can protect yourself from government surveillance.

Mentioned in this episode:
The 50-Year-Old Law That Could Stop DOGE in Its Tracks—Maybe by Eric Geller
The WIRED Guide to Protecting Yourself From Government Surveillance by Andy Greenberg and Lily Hay Newman
How a ‘NULL’ License Plate Landed One Hacker in Ticket Hell by Brian Barrett

You can follow Michael Calore on Bluesky at @snackfight, Lauren Goode on Bluesky at @laurengoode, and Zoë Schiffer on Threads @reporterzoe. Write to us at uncannyvalley@wired.com.

How to Listen

You can always listen to this week’s podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here’s how:

If you’re on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for “uncanny valley.” We’re on Spotify too.

Transcript

Note: This is an automated transcript, which may contain errors.

Katie Drummond: Welcome to WIRED’s Uncanny Valley. I’m WIRED’s Global Editorial Director Katie Drummond. Today on the show How a Law Passed After Watergate Might Stop DOGE in its Tracks. I’m recording from the road today, but I am joined by Andrew Couts, WIRED’s Senior Editor for Security and Investigations. Andrew, welcome to Uncanny Valley.

Andrew Couts: Thanks for having me.

Katie Drummond: Now, before we jump into this story that you published on WIRED.com yesterday about the Privacy Act and how it relates to DOGE, tell me and our audience a little bit about what you do here at WIRED. I know what you do, but tell everybody else.

Andrew Couts: Sure. So a lot of my day-to-day responsibilities include overseeing our security desk, which covers cybersecurity, national security, privacy, surveillance, policing, crime, all the fun, light-hearted topics.

Katie Drummond: And you have been spending a fair bit of your time recently focused on DOGE and everything DOGE and Elon Musk are doing inside of federal agencies, which has obviously been a big priority for WIRED. Yesterday you published a story, it was written by Eric Geller about the Privacy Act and how it might be used through legal means to thwart what DOGE is doing inside of federal agencies. So why don’t you start by telling us a little bit about what the Privacy Act even is. When was it established? Why was it established?

Andrew Couts: Sure. So the Privacy Act came out of the Nixon era, the Watergate scandals, where Nixon abused his access to government resources to people’s data, including the IRS. He sicked FBI on his political opponents. And so lawmakers thought we need to do something to stop this from happening again. And so on December 31st of 1974, the Privacy Act was signed into law and basically it limits the ways in which the government can collect, share, or otherwise use people’s personal data.

Katie Drummond: That’s fascinating. So this Privacy Act has a very long history, and why is that important right now? Sort of explain to us how the Privacy Act is being leveraged to try to prevent DOGE from accessing data inside of these agencies.

Andrew Couts: So the Privacy Act is currently the basis for at least eight, maybe nine lawsuits against DOGE or against agencies where we know that DOGE workers have been accessing those systems. And so essentially the Privacy Act has a lot of limits on who can access data even internally or how that data can be used, but it does have several exceptions. I think 12 exceptions, two of which are pretty broad. One of them includes if an employee “has the need to access records in the performance of their duties, or a third party can have access if it’s for routine use.” “Routine use.” And so as you can imagine when there are loopholes in this moment when it seems every loophole is being exploited in ways that we didn’t expect, we’re getting to see in these lawsuits how those exceptions are going to be applied. And so in some cases, these lawsuits are already succeeding. We saw one from several states attorney general sued to prevent DOGE employees from accessing treasury records, and a judge very quickly ordered that access to be stopped or limited. In other cases, there were some students at the University of California who sued to prevent DOGE workers from accessing Department of Education records. And in that case, the judge didn’t issue a restraining order to prevent that access on some various grounds. And so we’re going to see how these other lawsuits play out. A lot of them are really in their early stages and we don’t really know yet whether they’re going to succeed.

Katie Drummond: So Andrew, help me understand here, this Privacy Act and these lawsuits, why is this potentially such a big deal for DOGE? How much of their time from what we can tell is being spent basically trying to access data?

Andrew Couts: So as far as we know, the vast majority of it appears to be at least accessing these systems. And we don’t necessarily know for certain what records they’ve accessed, what they’ve downloaded, what they’ve transferred, what they’ve uploaded to AI. All of these things seem to be possible. And there’s reports that both from WIRED and elsewhere that they’re using this data in a lot of different ways, but we just don’t know what they’re accessing. But what they could have access to is basically every possible sensitive detail about a person that exists. And so why are we concerned about that? Because we don’t know what they’re going to do with that information and how they’re securing that information, whether they’re making those systems less secure by subverting access controls and things that have typically been in place to protect this information, which everyone agrees it’s highly sensitive.

Katie Drummond: Got it. I mean, it’s fair to say that if according to Musk and according to President Trump, DOGE’s priorities are rooting out fraud, cutting costs, cutting personnel, they would need access to these systems. They would need data to even begin to start that process, you would think. And if they don’t have access to that data, I guess that sort of stops them in their tracks in a given agency.

Andrew Couts: I mean, one of the first places they went was the Office of Personnel Management, and that’s going to be all the records on all federal workers like present, past federal workers. And so that’s just information on millions and millions of people. But when we get outside of the federal worker systems, we’re talking about everyone who resides in the United States ostensibly.

Katie Drummond: It’s interesting to me that… What we’re almost at is certainly it’s true that the Privacy Act and these lawsuits can slow down DOGE access to data in different agencies, but it’s wild to imagine that depending on the agency and the judge and the judge’s interpretation of this Privacy Act, we might see this very slapdash approach to data access depending on the agency and depending on the lawsuit and depending on the outcome of the lawsuit. Is that right? When we’re talking about treasury, that access has been halted for now, Department of Education, not so much. So this might vary agency to agency and lawsuit to lawsuit. Am I accurate in interpreting it that way?

Andrew Couts: It absolutely seems that way and that seems to be how these lawsuits are already playing out. Part of what I think about is oftentimes a lawsuit will hinge on whether there’s actual realized harm or if there’s imminent harm. And when we’re seeing this government be manipulated in the way that it is by DOGE workers right now, we don’t have precedent to rely on to be able to judge is there imminent harm here? Do we know how this data is going to be used? Do we know whether it’s going to be weaponized? And if we look at historical precedent, there’s maybe not evidence that that harm exists or that imminent harm exists. And so we might have to wait for people to be actually injured by this access for a judge to say, “That was bad and we’re going to stop it.” And so there’s likely going to be victims here, whether these lawsuits succeed or not.

Katie Drummond: Fascinating. Well, we’re going to take a short break. When we come back, we’re going to pick up where we left off and talk about how concerned Americans actually should be about their privacy and about DOGE accessing their data. Welcome back to Uncanny Valley, I’m WIRED’s Global Editorial Director Katie Drummond. I’m here with our senior editor for Security and Investigations, Andrew Couts. Andrew, thank you again for being here.

Andrew Couts: Thanks for having me.

Katie Drummond: And let’s talk a little bit more broadly about DOGE and American privacy. So there has been, as we at WIRED know very well, a ton of coverage about DOGE and what they’re doing inside the federal government over these last several weeks. A lot of swirl, a lot of sort of chaos and a lot of concern, right? There’s a lot of concern among journalists and among Americans more broadly about DOGE having access to various government systems, having access to data, access to sensitive information about Americans. Can you explain what kind of information would DOGE potentially have access to based on the agencies that they are currently working in inside the federal government?

Andrew Couts: So they’re going to have access to essentially everything, and they’re going to know everywhere you’ve lived, everywhere you bank, exactly how much money you make, potentially what your tax returns are. They’re going to have access to your medical history, likely to what your networks look like, what your social networks look like, everywhere you’ve worked, potentially travel records.

Katie Drummond: There was a paragraph in the story that we published yesterday that I thought was really stunning, and it reads in just a few weeks, DOGE staffers have accessed federal employee records at the Office of Personnel Management, government payment data at the Department of Treasury data on student loan recipients at the Department of Education, information on disaster victims at FEMA and vast amounts of employment and workplace-related data at the Department of Labor. And it goes on from there. I mean, this is a sweeping endeavor to access and sort of hoover up a ton of really sensitive information about Americans. Can you walk us through a few different hypothetical scenarios? If DOGE and Musk and President Trump and the White House obtain all of this data, obtain all of this access, what could they do with it?

Andrew Couts: One of the things we think about internally at WIRED a lot is threat modeling and just basically like what’s the chance you’re going to be targeted by any type of attack? And in this case, we have to completely redefine what our threat models look like. And that’s especially true if you’re a vulnerable person. So if you are trans, if you are an immigrant, if you are seeking an abortion, just to throw out the most obvious examples. This information could be used to target you in one way or another, and we just don’t know how that information could be used. Historically, you’re not going to think that a highly-placed government employee, such as Elon Musk as he is now, would tweet out your banking records or your health records, and we could see that happen now, if you are publicly critical of the Trump administration. Obviously law enforcement, if the FBI is going to be able to use the vast amounts of information that they have on people to target whoever they’re going to target, and we just don’t know. We’re only a month into this administration. We’re already seeing sweeping crackdowns on immigration, and that’s going to evolve. We’re going to go through at least four years of this, and it’s impossible really for anyone to know if they are going to be a target. So we just don’t know what the threat model looks like in an environment where anyone could potentially become a political target. And if we look at authoritarian regimes, it’s going to be used in all different types of ways to go after people. And that data might be manipulated to make up charges against people to accuse people of crimes that they didn’t commit. For years, WIRED has covered best privacy practices, best security practices, and a lot of people just say, “If you have nothing to hide, don’t worry about it.” But now we don’t know what you have to worry about and we don’t know what you should have hidden and the things you tried to hide or the things that were protected by government systems are now potentially exposed. And so it’s really anyone’s guess what could happen and what the consequences could be.

Katie Drummond: And ironically, as you mentioned earlier, that’s part of what makes these lawsuits so challenging to see through because a judge is assessing risk based on hypothetical harms to American citizens as opposed to actual harm or actual injury. Is that right?

Andrew Couts: I mean it depends on exactly what the lawsuit is alleging or what it’s attempting to achieve, what kind of legal standards they’re going to apply. But typically judges, if they’re looking for actual or potential imminent harm, they’re going to be looking at past precedent to say, is it likely that this worst case scenario that is laid out in a hypothetical lawsuit is going to happen? And if they can’t find any evidence that has happened in the past, it’s entirely plausible that the judge isn’t going to rule in favor of the plaintiffs. We can’t necessarily rely on history to tell us what’s going to happen next, at least not US history. We can look to dictatorships elsewhere in the world potentially, but US history is not going to give us all the information we need to make those calls.

Katie Drummond: That’s right. And we’re also still up against this very real possibility, I would argue that a judge rules in one way and that ruling may not actually be adhered to within a federal agency. We’ve certainly seen a degree of lawlessness and impunity with DOGE’s behavior thus far. So I think that sort of adds this extra element of uncertainty where I have been telling people for the last several weeks who are concerned about DOGE, concerned about what Musk is doing. Well, yes, they’re moving very quickly. The courts will catch up, the legal system will catch up. That only gets you so far if the administration decides not to adhere to what a judge is saying on a given issue.

Andrew Couts: Absolutely, and I think the fact that we’re even talking about that possibility of the government just ignoring judicial branch rulings, that is an example of how little we can rely on past precedent to show us where the guardrails are here. The guardrails may not exist anymore because they’ve plowed over them with a cyber truck. It’s not a good situation to be in when you’re trying to figure out how to operate in this moment and feel safe and secure that your data is protected or you’re not going to be targeted for political reasons.

Katie Drummond: Absolutely. Well, Andrew, there’s so much uncertainty right now. In the next few weeks, what would you tell our listeners to pay attention to in the context of DOGE and privacy? Are there certain lawsuits that are particularly salient or particularly interesting? What should they be watching for in the headlines as all of this unfolds?

Andrew Couts: Well, one, I think we’re going to be looking for other instances where we know that specific records have been accessed or we know specifically how they’ve used the records that they’ve accessed. WIRED is certainly going to be keeping a close watch on that and doing the reporting to find answers to those questions. But the more we know about what they’re actually doing or what the consequences of what they’re doing are, the more we’re going to be able to assess what the actual risks are. In terms of the lawsuits, I would be paying attention to essentially all of the Privacy Act lawsuits and seeing where those succeed and fail. And those are going to give us specific instances of potentially blocking access to specific records. So the Treasury Department is a good example of one we’ve already seen, and we’re going to want to be getting reassurances that that access actually has been cut off in the instances where there’s orders telling them to do so. Because the Privacy Act is really our primary legal blockade against these kinds of abuses that are being alleged in these lawsuits, we really need to know how strong that law actually is. We’re also going to be wanting to see whether there are members of Congress attempting to amend change, scrap the Privacy Act, or any other legislation that might be the basis for lawsuits against what the Trump administration is doing. And so paying attention to legislation that’s introduced, how that legislation proceeds through Congress is going to be really important as well, because we have to know what the safeguards are, whether they’re abided by or not, they have to exist in the first place for us to have any sense of reliance on them.

Katie Drummond: Got it. And all of those Privacy Act lawsuits, by the way, are listed in WIRED’s story that we will link out to for all of you. We’re going to take a short break and we’ll be back with Andrew in a minute. Welcome back to Uncanny Valley. I am WIRED’s Global Editorial Director, Katie Drummond, here with Andrew Couts, and we are talking all about DOGE and your privacy. Andrew, I promise we are almost done. But before we go, you have been an editor at WIRED for several years now, publishing really, really vital work, particularly in the security space. And your team has done a lot of really great reporting that actually helps people understand privacy, data, the sort of personal context around their privacy and sort of what information about them is out there on the internet. But do you have any recommendations from the WIRED Archives, from stories that you’ve edited that might help people either educate themselves about privacy and about data, or at least shore up their own personal security right now?

Andrew Couts: Yes, though I’ll caveat it by saying there’s very little we can do about… If you’re going to be targeted by law enforcement or other US federal operatives, there’s maybe not that much you can do about it. So I highly recommend people check out the WIRED Guides: Protecting Yourself from Government Surveillance. This was written by two of our senior reporters, Andy Greenberg and Lily Hay Newman. It’s a really comprehensive guide on just many steps you can take to protect yourself, protect the systems that you use on a daily basis, and to communicate securely with anyone you’re wanting to communicate with. So that’s the really practical one. We’re talking a lot about the unknown consequences of DOGE having access to these systems, and it made me think of a fun article that our executive editor Brian Barrett wrote back in 2019. It’s called How a Null License Plate Landed One Hacker in Ticket Hell. And I think it’s just a really good example of how accessing these systems, doing thing in systems can have really unintended consequences. And in this case, this hacker made his license plate null, N-U-L-L, which is also a term that computer programmers use when there’s nothing in a field. And through various shenanigans that you can read about in this story, it ended up with him getting $12,000 in tickets because of automated systems detecting his license plate and ticketing him because of his license plate. So I think that’s just a really tangible example of how even if DOGE, all their intentions are perfectly innocent and they’re really just wanting to save the government money. If they’re accessing these systems in ways that they aren’t intended to be accessed that way or doing things in those systems that weren’t approved by whatever layers of committees approve everything that happens, it can go really badly, even if they don’t mean it to. So read WIRED.com. We have a ton of guides out there that will tell you how to kind of lock down all your basic systems, but that’s the best you can hope for. If you’re hoping to evade being targeted by the Trump administration, hope you can get an EU passport and move to Lithuania or something. I don’t know.

Katie Drummond: Well, we’ll see about Lithuania. I will say my entire family has recently migrated to Signal because I said I wouldn’t communicate with them if they didn’t. So that’s great advice. Andrew, thank you so much for joining me today.

Andrew Couts: Thanks so much for having me.

Katie Drummond: That’s our show. Make sure to check out tomorrow’s episode of Uncanny Valley. Our hosts dive into the long and complicated relationship between Elon Musk and Sam Altman. If you like what you heard today, make sure to follow our show and rate it on your podcast app of choice. If you’d like to get in touch with us for questions, comments, or show suggestions, write to us at uncannyvalley@WIRED.com. Amar Lal at Macrosound mixed this episode. Jordan Bell is our executive producer. Conde Nast’s Head of Global Audio is Chris Bannon. And I’m Katie Drummond, WIRED’s Global Editorial Director. Goodbye.