Given
that
there
does
not
seem
to
have
been
a
single
thing
Trump
has
done
since
entering
office
that
has
been
legal,
nor
has
his
lackey
Musk
(or
is
it
Trump
that’s
the
lackey…?),
there
is
not
a
single
thing
that
doesn’t
require
litigation
to
challenge
and
enjoin.
But
we’re
starting
to
see
the
floodgates
open
as
more
and
more
aggrieved
plaintiffs
are
able
to
get
their
lawsuits
into
court.
They
are all worth
watching.
But
the
ones
of
particular
relevance
here
are
those
that
involve
DOGE’s lawless
incursions into
the
nation’s most
sensitive
computer
systems.
Each
incursion
that
Musk
and
his
minions
have
made
into
each
computer
system
has
caused,
or
portends
to
cause,
any
number
of
harms
to
any
number
of
people.
With
these
lawsuits
the
people
are
fighting
back
to
try
to
at
least
stop,
if
not
also
remediate,
all
this
harm.
For
instance,
we’ve
already
written
about
how
several
states sued over
DOGE’s
incursion
into
the
Treasury
department’s
systems
(which
was
just
one
of
the
lawsuits
brought
over
that
incursion).
Then
this
week
came
this lawsuit over
the
incursion
of
OPM’s
systems.
This
lawsuit
is
especially
notable
for
a
few
reasons.
OPM
is
the
Office
of
Personnel
Management,
or
basically
HR
for
federal
workers,
and
its
computer
systems
contain
an
incredible
amount
of
sensitive
information
about
millions
of
federal
employees
and
contractors,
past
and
present.
From
the complaint:
Defendant
OPM
maintains,
under
strict
disclosure
and
accounting
protocols
prescribed
by
the
Privacy
Act
of
1974,
5
U.S.C.
§
552a
(the
“Privacy
Act”),
the
highly
sensitive
personal
and
employment
information
of
tens
of
millions
of
current
and
former
federal
employees,
contractors,
and
job
applicants.
Those
records
include:
identifying
information
like
name,
birthdate,
home
address
and
phone
number,
and
social
security
number;
demographic
information
like
race/ethnicity,
national
origin,
and
disability;
education
and
training
information;
employment
information
like
work
experience,
union
activities,
salaries,
performance,
and
demotions;
personal
health
records
and
information
regarding
life
insurance
and
health
benefits;
financial
information
like
death-benefit
designations
and
savings
programs;
classified-information
nondisclosure
agreements;
and
information
concerning
family
members
and
other
third
parties
referenced
in
background
checks
and
health
records.
OPM
also
maintains
information
on
employees
in
highly
sensitive
roles
for
whom
even
acknowledging
their
government
employment
may
be
problematic.
Letting
all
that
information
fall
into
the
hands
of
people
not
lawfully
permitted
to
it
is
a
huge
problem,
and
itself,
as
the
lawsuit
alleges,
unlawful
under
the
Privacy
Act
of
1974.
The
crux
of
the
matter,
as
we
have
been
discussing,
is
that
no
one
in
DOGE
is
lawfully
permitted
to
have
access
to
it,
and
in
many
cases
never
could
be.
Concerns
about
unauthorized
parties
seeking
access
to
OPM
data
are
exacerbated
by
the
facts
that
DOGE
agents
have
not
received
security
clearance
through
a
normal
process,
and
that
at
least
one
of
those
agents
has
previously
been
fired
from
private
employment
in
connection
with
disclosure
of
his
employer’s
secrets
(which
means
he
would
not
have
passed
a
normal
security-clearance
vetting).
And
none
of
this
is
legal.
The
Privacy
Act
strictly
protects
personal
information
from
improper
disclosure
and
misuse,
including
by
barring
disclosure
to
other
agencies
within
the
federal
government
and
individuals
who
lack
a
lawful
and
legitimate
need
for
it.
OPM
Defendants
are
not
permitted
to
give
access
to
that
information
to
other
persons
or
agencies
unless
granting
that
access
fits
within
one
of
the
Privacy
Act’s
enumerated
exceptions.
So
one
of
the
interesting
and
important
things
about
this
lawsuit
is
that
it
is
calling
foul
on
the
sharing
of
the
data
with
DOGE.
But
another
aspect
that
is
interesting
and
important
is how.
This
lawsuit
names
two
sets
of
defendants.
The
first
is
the
OPM
department
itself,
as
well
as
its
acting
director
Charles
Ezell,
which
are
the
“OPM
Defendants.”
But
the
second
is
the
“U.S.
DOGE
Service
f/k/a
Digital
Service
(“USDS”),
the
unidentified
Acting
Director
of
USDS,
the
U.S.
DOGE
Service
Temporary
Organization
a/k/a
the
“Department
of
Government
Efficiency”
(“DOGE”),
and
Elon
Musk,
in
his
capacity
as
director
of
the
USDTSO,”
which
are
the
“DOGE
Defendants.”
(In
the
description
of
the
parties
the
complaint
refers
to
him
as
the
“apparent”
director,
and
one
thing
that
stands
to
be
salient
in
this
case
is
that
the
fact
that
we
aren’t
sure
who
is
doing
what,
and
under
what
authority,
which
is
a
big
reason
why
everything
that
has
happened
is
likely
illegal.)
The
lawsuit
also
brought
five
claims.
The
first
two
are
against
both
sets
of
defendants
for
violations
of
the
Privacy
Act.
In
general
they
describe
the
various
ways
that
OPM
Defendants
giving
access
to
the
DOGE
Defendants,
and
the
latter
taking
it,
violated
it.
The
third
cause
of
action
explains
how
it
also
violates
the
Administrative
Procedure
Act
(ACA)
as
a
vehicle
for
violating
the
Privacy
Act.
Then
the
fourth
cause
of
action
is
just
against
the
OPM
Defendants
for
violating
the
ACA
because
it
was
“arbitrary
and
capricious”
to
let
DOGE
have
the
access
it
did.
OPM
Defendants
failed
to
engage
in
reasoned
decision-making
when
they
implemented
a
system
under
which
DOGE
Defendants
could
access
OPM’s
records
for
purposes
other
than
those
authorized
by
the
Privacy
Act.
In
particular,
OPM
Defendants
failed
to
consider
their
legal
obligations
under
federal
law,
the
harm
that
their
actions
would
cause
to
the
objectives
that
those
statutes
sought
to
achieve,
or
the
harm
caused
to
Plaintiffs
and
their
members.
But
it
is
the
fifth
cause
of
action,
for
“ultra
vires”
acts,
against
just
the
DOGE
Defendants,
that
is
the
most
intriguing.
The
term
“ultra
vires”
means
“beyond
one’s
authority,”
and
this
claim
calls
out
how
no
authority
allowed
DOGE
to
do
what
it
has
done
to
breach
these
systems.
DOGE
is
purely
a
creation
of
executive
order;
no
statute
directed
or
contemplated
its
existence.
[Its]
limited
functions
are
to
advise
and
assist
the
President;
it
is
not
empowered
to
perform
any
other
functions.
[It]
has
no
authority
in
law
to
direct
operations
or
decisions
at
government
agencies.
In
directing
and
controlling
the
use
and
administration
of
Defendant
OPM’s
systems,
as
alleged
above,
DOGE
Defendants
have
breached
secure
government
systems
and
caused
the
unlawful
disclosure
of
the
personal
data
of
tens
of
millions
of
Americans.
[But]
DOGE
Defendants
may
not
take
actions
that
are
not
authorized
by
law.
[Yet
no]
law
or
other
authority
authorizes
or
permits
DOGE
Defendants
to
access
or
administer
OPM
systems.
And
that
by
so
breaching
them
DOGE
has
unlawfully
caused
harm.
Through
such
conduct,
DOGE
Defendants
have
engaged
and
continue
to
engage
in
ultra
vires
actions
that
violate
federal
laws
and
injure
Plaintiffs
and
their
members
by
violating
their
constitutional
rights,
exposing
their
private
information,
and
increasing
the
risk
of
further
disclosure
of
their
information.
What
is
significant
is
that
so
far
most,
if
not
all,
of
the
other
lawsuits
have
focused
on
the
President
and
agency
head’s
own
inability
to
grant
the
access
to
DOGE
that
it
did.
And
this
lawsuit
does
too.
But
what
this
lawsuit
also
does
is
point
out
how
DOGE taking it
was
its
own
wrongful
act
for
which
it
can
be
liable
as
well.
So
far
it
seems
like
this
lawsuit
may
be
the
first
attempt
to
impose
any
sort
of
accountability
on
Musk
or
anyone
connected
with
DOGE
directly
for
their
rampage
through
America’s
computer
systems.
And
although
it
only—so
far,
at
least—names
them
in
their
alleged
“official”
capacity
(to
the
extent
that
any
exists),
and
it’s
not
a CFAA claim—so
far,
at
least—and
it
is
limited
to
the
incursion
on
just
OPM’s
computer
systems—so
far,
at
least—it
does
directly
call
foul
on
the
whole
DOGE
enterprise,
seemingly
for
the
first
time,
but
presumably
not
the
last.
At
Last,
DOGE
And
Musk
Are
Finally
Named
In
A
Lawsuit,
Albeit
“Officially”
More
Law-Related
Stories
From
Techdirt:
Mississippi’s
Top
Court
Says
Rights
Violations
Are
OK
If
Cops
Don’t
Know
How
To
Do
Their
Jobs
Appeals
Court
Judges
Say
Some
Worrying
Things
While
Re-Thinking
Their
Geofence
Warrant
Decision
Trump
FCC
Tries
To
Bully
Comcast
Away
From
Its
Already
Flimsy
Dedication
To
Civil
Rights