Introduction and summary
Many Americans think of the U.S. government as a monolithic entity.1 They refer to “the government” as if it were a single actor with unified intent, rather than a collection of individuals operating within distinct institutions, each constrained by its own legal and procedural boundaries. This view fuels the assumption that if one part of the government has your personal information, it makes little difference where it is held or whether another part accesses it as well. If “the government” already has it, why does it matter where it sits or how it is used?
In reality, “the government” can refer to state, local, or federal institutions. While people engage with local government agencies in daily life,2 it is the federal government they turn to for essential public benefits such as health care, tax refunds, student financial aid, and retirement benefits.3 These services are delivered not by a single entity, but through a network of separate agencies, each tasked by Congress with a legal mandate and charged with administering a distinct set of programs.4 The Privacy Act of 1974 was designed to reflect this fragmented structure by restricting the use and sharing of personal information5—also referred to as federal records—that federal agencies are allowed to collect from millions of Americans in order to administer the specific programs they are charged to provide, placing firm boundaries around every agency’s authority.6 Under this law, when an individual provides personal information to a federal agency to receive a particular service, such as submitting a birth certificate to the Department of State for the purpose of obtaining a passport, that information must be used solely for its original purpose—to provide a passport. With some limited exceptions,7 the information agencies collect cannot be shared with other agencies or entities for unrelated uses. Other federal laws also impose additional restrictions on the disclosure of certain categories of data, such as tax return information or health records, reinforcing the expectation that personal data will be handled with purpose-specific care.8
While these legal limits are real and important, many Americans are unaware they exist and may assume that once the government has their information, it can be used or shared freely.9 That misunderstanding creates a false sense of inevitability and makes it easier for agencies to abuse their authority without public outcry. In fact, the Privacy Act’s framework governing federal data collection and use was built on the principles of consent and separation in response to the abuses of power that came to light during the Watergate era.10 These principles were intended to allow individuals to engage with federal government services without surrendering the entirety of their personal identity to a single, all-seeing federal entity.
Behind closed doors11 and buried in executive12 and court13 orders, the Trump administration is driving the federal government to engage in two overlapping practices that are quietly14 eroding the foundational principles of consent and separation—and violating the law in the process.15 The first practice is the unauthorized secondary use of agency-held data, where information that an individual has given to one agency for a specific purpose is later reused by that agency or by another agency or entity for an entirely different purpose without the individual’s consent. This report refers to this as “secondary data abuse” because it violates both the public’s expectation and the legal requirements that personal information will only be used for purposes aligned with those for which it was provided. The second practice is data centralization, where records and databases from across federal agencies are consolidated into a federal government database and housed under one or more infrastructures. The aggressive push toward centralization is led by the Department of Government Efficiency (DOGE),16 whose efforts to consolidate personal records from agencies began under the pretext of fraud prevention.17 That effort has since evolved into something far more expansive, with a broader goal now taking shape: the creation of massive, centralized databases of agency-held personal information.18 While the Trump administration has justified19 and framed both of these practices as harmless or even helpful,20 they represent a shift away from long-standing limits on how personal information can be used by federal agencies.
These developments have enabled individuals with unclear or unofficial roles inside the federal government21 to construct what can only be described as a digital panopticon, a government watchtower comprised of previously unconnected data that executive agencies and officials can use to observe the lives of millions of Americans with unprecedented intimate detail. But while those in power can see us, we cannot see them. Most Americans already understand very little or nothing about how the government uses the personal data it collects, including when that information is used or repurposed to make critical decisions about their lives.22 To confront this digital panopticon, Americans need a stronger, modernized privacy framework that is designed to provide a bottom-up view of federal government data practices.23 This begins with creating a duty to notify—a clear requirement that federal agencies inform individuals when their data are accessed, used, shared, or altered to make decisions that result in serious harm or loss. It continues with ensuring a right to reappear, which would protect individuals from harm caused by the federal government’s use of false, misleading, or misused data by providing them the right to seek meaningful and expedited redress in federal court.
These proposals are intended to address some of the most urgent threats to public trust and democratic accountability arising from the Trump administration’s data practices. However, they represent only a first step. As government data collection and use grows in scale, complexity, and consequence, a broader modernization of the Privacy Act will be necessary to fully address how federal agencies manage personal information in the digital age. In addition to legal reforms, Americans deserve a full account detailing how these systems were built and used.24 Congressional, independent, and criminal investigations should be undertaken to uncover the extent of the Trump administration’s data consolidation and secondary data abuse, as well as to determine whether federal agencies have violated the law and public trust. Building trust in the federal government’s future collection and use of data—some of which is necessary for it to fulfill its purpose—will require reforms and accountability.
Undermining privacy and trust through secondary data abuse and centralization
Americans have long harbored anxieties about the scope of government surveillance.25 Those fears are not unfounded, but they often have been shaped by how difficult it is to understand or exercise their rights to access and control personal data under current federal privacy law.26 Surveys show that public concern has less to do with specific government actions or capabilities and more to do with a widespread belief that individuals lack meaningful control over their personal data.27 In addition, the public has low confidence that their information will remain private or secure once it is in the government’s hands,28 with civil liberties groups on the left and libertarian groups on the right both warning about the risks of surveillance and unchecked federal power.29 However, these fears can ebb and flow depending on which political party holds power.30 When individuals feel their values are reflected by those in power, they are often more inclined to tolerate intrusive government data practices. When they feel politically opposed, those same practices feel invasive or threatening.31
As the second Trump administration adopts new data practices, even supporters may find themselves exposed to risks they once assumed would only affect others. The rise of secondary data abuse and efforts to centralize personal records are turning long-held suspicions of surveillance and lost personal control into concrete and justified concern.32 The federal government requires access to personal information, and it depends on the public’s trust to collect that data in order to deliver services, enforce laws, and effectively carry out its responsibilities. However, unless safeguards are put in place, the Trump administration’s changes will validate and deepen public distrust of government data collection.
Secondary data abuse is growing across federal agencies
Under the second Trump administration, secondary use of data is becoming more common across federal agencies.33 This “secondary data abuse” occurs when personal information that an individual provided to one agency for a specific purpose is later reused by the same agency, a different agency, or another entity for a different goal, without the individual’s knowledge or consent. One high-profile example involves the IRS, which has begun sharing taxpayer data with Immigration and Customs Enforcement for the purpose of identifying and deporting tax-paying individuals.34 This data-sharing arrangement reportedly led to internal clashes within the IRS, including disputes over the legality and ethics of sharing sensitive taxpayer information for immigration enforcement purposes. These tensions escalated in the weeks leading up to the dismissal of the IRS commissioner. Though the dismissal happened after the commissioner told agency executives that the IRS would not furnish confidential taxpayer information outside of the confines of the data-sharing agreement, his termination was never officially tied to this.35 In another case, the Trump administration quietly shared Medicaid enrollment records of immigrants with deportation officials.36 These types of data repurposing violate the principle that, without consent, personal information should only be used for the purpose for which it was collected.
Increasingly, the Trump administration is testing the boundaries of how the federal government can reuse personal information. These practices often begin with politically targeted groups, allowing federal agencies to test their technical capabilities and legal justifications with minimal pushback. But once those systems and practices are in place, the scope of data sharing quietly expands, leaving everyone vulnerable.37 This shift affects not only the groups the administration claims to be targeting but also everyone who has ever interacted with a federal agency.38 That includes anyone who has ever applied for Medicare or Social Security, registered for the Selective Service System, or applied for a passport. In each instance, individuals provided sensitive information to a particular federal agency with the expectation that it would be used for a specific, well-defined reason. These examples illustrate the breadth of records potentially at risk under expanded data-sharing practices.
This trend toward secondary data abuse threatens to further fracture the relationship between people and the federal government, which depends on individuals being willing to share sensitive information. That willingness rests on trust—but not always trust in the government itself.39 Many people are unaware of the legal limits of federal data use, or they assume those limits will not be respected in practice.40 Instead, their trust is shaped by informal social assurances. People often rely on what friends, family, or community members say about what is safe. They may hear that it is fine to apply for a benefit or submit documents to a specific agency because the information will not be used for anything else. These social assurances create a sense of comfort that government systems can be engaged without risk. As people become aware that their information might be shared across agencies or used in unforeseen ways, they may withdraw from public life. For example, they may hesitate to interact with the government, avoid filing taxes, or choose not to seek care out of fear for how their data might be used. Such hesitation would weaken the government’s ability to deliver services, enforce laws fairly, and respond to national challenges. Upholding boundaries around data use is essential for building trust and encouraging full participation in public systems.
The threat of centralized databases
While secondary data abuse spreads data laterally across federal agencies, centralization pulls it vertically into a single infrastructure. DOGE is building systems that combine data41 from multiple federal sources by pulling records from agencies such as the IRS, the Social Security Administration (SSA), and the Department of Homeland Security42 into a single infrastructure. This type of consolidation increases the government’s ability to monitor individuals in ways that were previously limited by legal and technical barriers. When information from different parts of a person’s life is combined, federal authorities are able to build detailed profiles that can be used to make high-stakes decisions. These profiles may be used to flag someone for investigation, deny them benefits, or label them as a security risk. In many cases, individuals will have no idea their data are being used this way, no insight into whether the data are accurate, and limited to no opportunity to contest the outcome. This is the defining feature of the government watchtower: Those in the tower can see everything. Those on the ground cannot see who is watching or why.
Centralized databases are also more vulnerable to security breaches and internal misuse. If everything is stored in one place, a single cyberattack or leak can expose the personal data of millions of people. In 2015, the Office of Personnel Management suffered a massive breach that compromised the highly sensitive Standard Form 86s of more than 21 million federal employees and contractors.43 These forms contained detailed background information, including, among other things, financial histories, address histories, and names of family members. More recently, in 2023, breaches of Microsoft’s cloud email service exposed sensitive federal communications, including emails from senior officials and government agencies.44 These incidents make clear that instead of pushing for further centralization of data across agencies, the federal government should prioritize strengthening safeguards and oversight within the systems that agencies already operate. These risks are growing more serious as federal cybersecurity capacity continues to erode. The Trump administration’s ongoing dismantling of the Cybersecurity and Infrastructure Security Agency45 threatens to leave agencies without the resources or leadership they need to detect and defend against cyberattacks.
Beyond external threats, centralized systems also increase the risk of internal misuse. When records are pulled from the federal agency that originally collected them, they lose critical context. Records may be merged without clear documentation of source, the legal restrictions that apply, or the purpose for which they were originally collected. Information that was once protected by agency-specific rules can then be accessed more freely across government, including by individuals with limited training or unclear authority. This lack of oversight creates opportunities for misuse, including targeting people based on race, religion, immigration status, or political beliefs. The risks grow even more serious when viewed through the lens of political power. A centralized database that lacks transparency can be weaponized. Officials could quietly use sensitive records to retaliate against political opponents, discredit critics, or intimidate voters. In the lead-up to the 2026 midterm elections, this risk is especially alarming. Without public oversight or built-in checks, nothing prevents those in power from exploiting private information to influence the political process, or to selectively prosecute or publicly damage candidates.
These risks are not contained to the federal government. Without meaningful constraints, centralized databases could be accessed, shared, or sold to private actors, either through authorized channels or illicit leaks. Data brokers, political operatives, and technology firms could gain access to sensitive information that was never meant to leave federal custody, compounding the harm. To protect against these outcomes, Congress must require that any update to the Privacy Act of 1974 or any new federal privacy legislation includes strong safeguards. These must mandate the deletion of any data that were collected, shared, or used unlawfully. In addition, if that data were used to develop automated systems, the law should mandate algorithmic disgorgement to ensure those systems do not retain or benefit from tainted inputs.46
The longer a centralized database remains in use, the more deeply it becomes embedded in government operations and the harder it becomes to unwind. Newer records will be added routinely, often without preserving information about their origin, legal protections, or permissible uses. Over time, additional systems may be designed to interact with or depend on the centralized database, making it even more difficult to dismantle and increasing the risk that it becomes a permanent fixture of government infrastructure.
Structural separation enables trust through friction
The current system, for all its perceived inefficiencies, offers something essential. Storing personal data separately within individual agency databases, rather than in a single centralized repository, builds friction among agencies, and that friction serves as a check on overreach. The federal government is comprised of distinct agencies, each responsible for a different area of life. As a result, individuals interact with different parts of the government depending on their needs. They regularly share sensitive personal information with these institutions. They submit financial records to the IRS, medical histories to the Department of Health and Human Services, education and loan data to the Department of Education, employment details to the Department of Labor, and personal identification for passports or visas to the Department of State. Over time, these submissions create a detailed picture of an individual’s life.
This existing level of disclosure is made possible by the trust that each agency will use the information only for its specific mission.47 That trust is maintained by both structural separation and purpose limitations. Agency systems are siloed, and agency employees must abide by purpose limitations, limiting how easily records can be shared, linked, and/or reused across government. This ensures that no single part of the government can access every aspect of a person’s identity at once. Efforts to break down those boundaries in the name of modernization or effectiveness are not harmless. Siloing data reduces the risk of mass profiling, targeting, and automated decision-making that draws on a complete composite of someone’s digital footprint. When agencies operate in isolation, it becomes harder for the government to misuse information or act without accountability.
At the same time, it is true that siloed data can pose challenges to effective governance and modernization.48 Agencies may miss opportunities to improve services, detect fraud, or coordinate programs because they cannot easily communicate or share information. But rather than breaking down silos entirely, the focus should be on building stronger, lawful coordination between them.49 Agencies should be encouraged to share information, but only when it is legally permitted and narrowly tailored to fulfill a specific purpose, not as a blanket practice of consolidation. Better coordination is possible without abandoning the principles of transparency, consent, and data minimization that protect the public. In fact, when federal data systems have been modernized in the past, those efforts were typically paired with safeguards intended to preserve public trust and prevent abuse.50 Before DOGE, the work of modernizing federal data systems was led by many government technologists who aimed to improve efficiency and interagency cooperation in ways that were lawful and secure rather than hurried, opaque, and illegal. Reforms to the law may be needed to facilitate certain types of data sharing, but those reforms should be openly debated and passed by Congress, not carried out unilaterally through executive action.
Two reforms to reclaim power from the watchtower
There are concrete steps Congress can take to rebuild trust and strengthen accountability in how the federal government collects and uses personal information. Two key reforms would update and expand the individual rights and governmental duties under the Privacy Act of 1974 to better meet the demands of the current moment. The Privacy Act currently grants individuals several rights that govern how federal agencies handle their data. Two of the most central rights protecting against inaccurate government data are the right to access and the right to request corrections.51 These are meaningful rights in theory, but in practice they are limited and designed to address only a narrow range of harms. They work for routine, harmless mistakes such as fixing a typo or updating outdated information, but they are not built to address the deliberately obfuscated and punitive data practices increasingly being seen across federal agencies in the Trump administration.
Both rights place the full burden on individuals to identify which agencies hold information about them and navigate multiple record systems. To access their records, individuals must already know which agency holds their data and how to request it.52 To request a correction, they must identify the error on their own, submit formal documentation, and wait through a slow and often opaque administrative process. These rights are reactive; they assume that people will somehow detect a problem without being told it exists, and that the harm has not yet occurred. In reality, most individuals have no insight into how their data is being used,53 and they often do not learn that something has gone wrong until they experience the consequences. The harm itself becomes their first and only notice. A denied benefit or a rejected application is often the moment they discover that a decision was made using their personal information through a process they could not see or in which they were never included. At that point, the correction process is too slow to offer real relief, and the damage has already taken hold.
This gap in the law has real consequences. Each year, a small percentage of Americans are mistakenly added to the SSA’s Death Master File due to routine clerical errors or outdated records. While unintentional, these mistakes still cut people off from essential services, but in the past these errors were isolated and relatively rare.54 However, under the Trump administration, these types of errors and misclassifications have become a deliberate tactic. In April, the SSA added more than 6,000 living immigrants to the Death Master File, a deliberate attempt to coerce self-deportation by cutting people off from the legal and economic systems upon which they depend.55 This is not only an example of the extreme power the government holds when it can act unilaterally without notice or review but also a disturbing abuse of that power. While this conduct may already be prohibited under other federal laws,56 it should be explicitly barred under federal privacy law as well. Individuals were stripped of their legal identity and cut off from public benefits based on a false entry in a government database. Without any formal warning that their status had changed, they were left vulnerable to serious downstream impacts. In such cases, it is likely that individuals would have no idea what happened until they were denied access to banking services, health care, or employment. As federal agencies increasingly repurpose data collected for one use and as entities such as DOGE seek to merge agency records into centralized systems, the potential for similar harms only grows.
In the past, when errors like these were few and mostly unintentional,57 the Privacy Act’s limited access and correction rights may have seemed sufficient. But as Americans now face large-scale, intentional manipulation of records, it is clear that stronger safeguards are needed. To address this new reality, the nation needs a second generation of protections: 1) a new duty for the government to provide timely notice when personal records are used in decisions with adverse consequences; and 2) a right for individuals to reclaim legal recognition—to reappear—when they are harmed by decisions based on false, misleading, manipulated, or misused records.
The duty to notify functions as an updated form of access, while the right to reappear provides a stronger safeguard than the existing right to correct. The duty to notify would serve as the first line of defense, requiring government agencies to inform individuals when their personal data is accessed, shared, or used to make a decision that could materially affect them. Timely notice gives people the opportunity to act before a harm takes effect. But when that opportunity is denied or missed, individuals need more than a slow, opaque correction process overseen by the same agencies responsible for the error; they need a guaranteed way to return to legal visibility. The right to reappear would give people a clear, expedited process to challenge harmful decisions in federal court and compel restoration of their legal rights.
The existing right to access and correction in combination with the duty to notify and the right to reappear would create a more complete system capable of addressing both minor mistakes and serious harms resulting from government data use.
Duty to notify
Just as credit reporting laws provide individuals with the right to know when their data are used to deny them a loan or job,58 federal privacy law should impose a similar duty on government agencies. Any agency or centralized system that accesses, shares, uses, or alters personal data to make decisions that result in serious harm or loss should be required to notify the affected individual. This includes cases where data are drawn from a siloed system of records within the same agency or from a centralized database that combines records across agencies. This duty should operate in conjunction with the existing rights under federal law that allow individuals to access and request corrections to the data the government holds about them.
That notice must be timely. Individuals should receive it early enough to take meaningful action before the harm occurs. The notice should clearly explain which records were used, where the data came from, whether any automated systems were involved, how the decision was reached, and how individuals can correct any errors or inaccuracies.
This duty is rooted in transparency. It ensures that people understand when and how the government is using their data against them, rather than only finding out after harm has occurred. Notice should be automatic and proactive. Individuals should not have to guess whether their data were involved in a decision or chase down information across multiple agencies. Timely notice would allow individuals to respond quickly, review their records, and submit corrections before the harm materializes. Requiring agencies to provide notice would also have a secondary benefit: It would force upgrades to outdated federal data systems that are currently incapable of tracking when and how data are used, which in turn would improve accuracy, accountability, and long-term system integrity.
The right to reappear
While the duty to notify offers a first line of transparency and intervention, the right to reappear serves as a critical safeguard when individuals are unable to prevent serious harm. Beyond simply being informed, individuals need a way to swiftly contest decisions that rely on false, misleading, or misused data. The “right to reappear” refers to an individual’s ability to be restored to legal visibility in government systems after they have been effectively erased or misclassified. This is distinct from the existing right to request corrections under the Privacy Act. Correction is appropriate for routine and harmless mistakes such as misspelled names, outdated addresses, or missing fields. The right to reappear is designed to address something fundamentally different: It applies in more serious cases where a person’s legal identity is lost or distorted in a way that causes significant harm, whether due to innocent error or intentional manipulation of data. This is especially urgent in a climate where federal agencies have used data tampering as a tool to target disfavored groups and pursue political objectives.59 In these cases, the standard correction process is too slow or limited to provide meaningful relief,60 and it unfairly forces individuals to seek redress from the very agencies responsible for the harm.
The right to reappear would be triggered by decisions that carry significant consequences, such as being denied access to public benefits or flagged as a risk in a federal system. It would also apply to changes in status, such as being added to the Death Master File61 or removed from a registry, even when those changes are not initially labeled as adverse. Being declared dead may not be formally treated as an adverse action, but in practice, it can have devastating consequences.62 The inability to work, access health care, or interact with financial institutions creates a complete severing of a person’s legal identity.63 Even when the error is acknowledged, the process of proving you are alive is long and challenging.64
Where a decision based on incorrect or manipulated information threatens an individual’s ability to function in public life, they must have access to an expedited review process in federal court. Under this process, individuals would have the ability to challenge their classification or the use of inaccurate data without lengthy delays. For example, someone wrongly reclassified from a citizen to a noncitizen could immediately petition the court to restore their legal status and compel the correction of agency records. They should not have to wait months or navigate a maze of administrative procedures65 to correct their records and restore their rights. Nor should they be forced to rely on the very agency that caused the harm. In these cases, individuals are expected to trust that the same system that failed them, whether through negligence or deliberate manipulation, will suddenly function properly or deliver a fair outcome.
To prevent future abuse, federal privacy law should be updated to further prohibit agencies and government officials from knowingly entering, altering, or reclassifying records using false or misleading information about an individual. These violations should carry both civil and criminal penalties to ensure meaningful accountability. Creating a record-focused criminal provision would send a clear signal that altering federal records to the detriment of individuals is not only improper but also illegal. This would make it easier to hold government officials accountable when they engage in acts such as administrative erasure or retaliation through data manipulation. The Fair Credit Reporting Act offers a useful model.66 Like the Privacy Act, it includes a duty to ensure accuracy, but it also goes further, making it illegal for someone to furnish information to a credit bureau if they know or have reason to believe the information is inaccurate.67 Criminal penalties would help ensure that data is handled with the seriousness it deserves.
Together, the duty to notify and the right to reappear would help ensure that individuals are not subjected to harmful decisions driven by hidden data-sharing practices. These reforms would reinforce a core democratic principle that no one should lose access to their rights, services, or legal identity because of silent actions taken without their knowledge. By requiring agencies to notify individuals, provide access to the records and explanations behind decisions, and offer a fair chance to respond to or correct errors, these reforms would build due process into digital governance.
Conclusion
Secondary data abuse and the centralization of agency-held personal records are not merely technical improvements. They are significant structural changes that redefine the relationship between the federal government and Americans. These practices are especially dangerous when applied to sensitive data, where the risks are high and the consequences of misuse can be severe. If allowed to continue unchecked, they will undermine privacy, erode trust, and make government systems less fair and less accountable. To address this evolving landscape, Congress must enact a modern privacy framework that governs both commercial and governmental data practices.
The Privacy Act of 1974 was not designed to address this new reality and must be updated to reflect modern abuses. A modernized framework should include a duty to notify individuals when their personal data is used to make decisions with adverse consequences, as well as a right to reappear when that data is false, misleading, or misused in the course of decision-making. To protect democratic values, Congress needs to go beyond setting clear limits on how information is collected, shared, and used. It needs to make sure that individuals always have a way to understand and challenge what is being done in their name. Trust in the government’s ability to collect and use data will never be rebuilt without this understanding, and without that trust, the government will lose the willing cooperation of the people it serves. The alternative is a system built not on consent but on control, a coercive panopticon that this administration is already constructing.