Tag Archives: privacy act

More litigation over federal access to the voter files (and and and)

On Tuesday, a group of nonprofits and private citizens sued DHS, SSA, and DOJ, alleging “a months-long campaign to access, collect, and consolidate vast troves of personal data about millions of U.S. citizens and residents stored at multiple federal agencies,” centralized at a USCIS “data lake.”

Per the complaint, this includes the pooling of data in the immigration-related SAVE database and distinct Social Security records (which NPR was on top of from the beginning), along with the voter rolls that DOJ’s been after and DOGE teams thrown in the mix. And on both the voter file side and the SAVE side, the complaint asserts (inter alia) violations of the Privacy Act along the same lines I’d been flagging.

This is a case to watch.

DOJ sues six more states over the voter file

This morning, the DOJ’s Civil Rights Division filed six new lawsuits, against states that have refused to give DOJ copies of the voter file complete with sensitive information like SSN digits (and, not for nothing, data on individuals’ party registration). The litigation was filed against California, Michigan, Minnesota, New York, New Hampshire, and Pennsylvania (the complaints are linked in the press release) — joining suits filed a few days ago against Maine and Oregon.

As with Maine and Oregon, while nobody likes getting sued, I think this litigation is likely to be a good thing — now there will be federal judges carefully examining the claims that DOJ has made about its authority under specific statutes, and truly putting them to the test. I also think the breadth of the litigation is likely to be a good thing, as it enables that conversation in the context of the DOJ’s reported attempt to acquire a national voter file – having eight states sued at once makes that context more present.

I’ve not been shy about my feelings about the merits of the DOJ’s demands under HAVA or the NVRA or the CRA, or about what I still think are grievously unanswered questions about Privacy Act lapses subjecting DOJ officials to criminal liability. (See, for example, here, here, and here.) Now there are eight opportunities for federal judges to decide whether those concerns are right or wrong — and eight reasons for other states to wait for the courts rather than rush to comply with an unwarranted demand — and I think that’s also a good thing. (And even if the states lose, having disclosure driven by court order — including the potential for court-supervised confidentiality protections otherwise unavailable in just responding to a DOJ letter — also seems like a win.)

DOJ’s new lawsuit seems to show DOJ is violating federal law

Justin again. On Wednesday, Ned linked to two new lawsuits DOJ filed in Oregon (here’s the complaint) and Maine (here’s the complaint) over DOJ’s demand to get full copies of the voter files.  Though it’s never a great feeling to be sued, I’m glad these suits were filed.  Because I think the litigation is likely to show exactly why Oregon and Maine have been right to push back against DOJ’s demands.  The Privacy Act still seems like a giant red flag to me.

Leave aside, for a second, the flawed factual predicate in both complaints, which includes an insinuation of wrongdoing based on a repeatedly debunked apples-to-oranges methodology, comparing a pinpoint number of registrants on the file to a multi-year census estimate of eligible locals.  (A summary of the problems with the comparison: these aren’t measures of the same information, they’re not measures of the same time range, they’re comparing a snapshot to a survey estimate, and they don’t account for the law.  Which is why a federal court said 7 years ago that the disparate data sets do not allow for an accurate comparison and did not amount to credible evidence of wrongdoing, and why the 11th Circuit affirmed that conclusion.) 

The real fight here isn’t over inadequate list maintenance.  It’s about getting access to the lists themselves.  

I’ve written about these DOJ demands for the lists before (for starters, here and here), trying to explain why they’re not particularly useful in enforcing the parts of the statutes the Civil Rights Division says it needs them to enforce.  There’s new reporting that indicates DOJ may be after the information for an entirely different reason: to give it to DHS for immigration probes (though that’s likely to be a conspicuously target-poor environment for DHS).  The Civil Rights Division hasn’t mentioned that little detail in its demands to the states.

But the real sticking point for me is the Privacy Act, which I think affirmatively precludes the DOJ from getting the voter files until it answers some basic questions about who would have access to what information for what purpose.  (Indeed, the Privacy Act makes it a federal crime to collect the info first and explain later.)

The DOJ has been demanding these files with such confidence that I’ve been wondering whether there’s some not-visible-to-outsiders internal document that relieves those Privacy Act concerns.  Both the Oregon complaint and the Maine complaint begin to lay out DOJ’s response to why it’s complying with the Privacy Act.  And if what they said is all they got, that’s an awful lot of confidence without the substance to back it up.

In the complaints, most of the DOJ responses on the Privacy Act (including their citation of a website for voluntary reports by individual citizens of civil rights violations) are non sequiturs: they just don’t answer the question.  But the DOJ does mention the “systems of records notices” – the disclosure required under the Privacy Act – that it thinks authorize grabbing the voter files.  (Here, here, and here.)  There’s only one that’s even plausibly relevant: it’s the one that allows the Civil Rights Division (CRT) to keep general info on targets, victims, and witnesses associated with their cases.  The notice is pretty straightforward, and its roots go back to 1975 (when the information was stored “on index cards and file jackets”). 

It’s not hard to understand why law enforcement needs to keep some information on people for cases involving people.  Here’s the unedited description of the “individuals covered by the system” that DOJ has provided to the public:

These persons may include: Subjects of investigations, victims, potential witnesses, individuals of Japanese ancestry who were eligible, or potentially eligible, for restitution benefits as a result of their evacuation, relocation, or internment during World War II, and representatives on behalf of individuals and other correspondents on subjects directed or referred to CRT or other persons or organizations referred to CRT in potential or actual cases and matters of concern to CRT, and CRT employees who handle complaints, cases or matters of concern to CRT.

You know who’s not in that list?  Voters who are innocent bystanders for all of this nonsense.  The 3 million people in the Oregon voter registration file and the 1 million people in the Maine voter registration file aren’t targets, victims, or witnesses of a civil rights investigation.  Before the DOJ “explained” itself, I was wondering where DOJ ever notified the public that it’s going to be collecting all those voters’ information.  After the DOJ “explained” itself, I’m still left wondering where DOJ ever notified the public that it’s going to be collecting all those voters’ information. 

Read the public notice for yourself, and see whether you think it offers fair notice that the Civil Rights Division plans on building a database to collect the personal information of every voter in the country, including not just SSN digits and dates of birth but party registration.  The notice DOJ issued decades ago (and updated periodically in the interim) isn’t built to authorize fishing expeditions.  It’s built for individual records pertinent to an individualized investigation. Because that’s actually the individualized information DOJ needs when it’s doing its real job.

I suspect that the states resisting DOJ’s demands are going to respond, in part, by saying that they’ve got the right (and responsibility) to decline to abet DOJ’s violation of federal law.  That, in turn, means that the DOJ is likely to have to defend its compliance with the Privacy Act in court, with federal judges probing whether they’ve done their homework.  And that is a resolution I think Oregon and Maine – and their citizens – are likely to welcome. 

The recent rash of DOJ voter file “requests”

Recent reports have disclosed that DOJ has now “asked” at least nine states for copies of their voter rolls, and I know that there are at least a handful of counties that have separately also received requests/demands for the county’s voter file.  I’m not at all sure the requests are lawful.  And what’s more, depending on why the requests are coming (the explanation the DOJ is giving doesn’t make much sense), federal law may not only prohibit DOJ from asking, but may also create liability for states and counties that respond.

Some voter registration data (including parts of the voter file) are public (and required to be public by federal law).  Some information on the voter file is more sensitive data (like Social Security digits, driver’s license numbers, and signatures) that states have protected from public release, and in every case I’m aware of (this decision collects several of the others), courts have ratified states’ ability to keep that information protected.  (In a truly odd case, DOJ has sued over this sensitive PII in Orange County, and if I were betting, I’d bet on them losing.)

But here’s the thing: even data that’s available to the public may not be legally available to the federal government.  In the Privacy Act of 1974, based on some then-recent disclosure of unsavory federal efforts to amass personal data, Congress regulated federal access to data records of identifiable individual Americans (statistical compilations are treated differently).  Congress was particularly sensitive to the treatment of data on individuals revealing activity protected by the First Amendment (like, say, voting).

For the most part, Congress didn’t prohibit federal agencies from collecting this data outright.  But it did set up some procedural protections.  The law says that if a federal agency is going to collect data — even data otherwise available to the public — we first have to be able to have a public conversation about what’s being collected for what purposes (and how it’s stored and secured and transmitted and accessed, etc.).  The agency has to provide a notice in the Federal Register with an opportunity for comment, and has to notify Senate HSGAC and House Oversight committees, for any new set of data records, or any new use of existing records.  The rules are serious: criminal penalties are attached.

And what’s more: if the federal agency plans to use the data records in a matching program that affects an individual’s benefits, there are legal repercussions not only for the federal agency, but for any other governmental entity sending them data.  Those sorts of programs have to be set up with careful written agreements, available to Congress and to the public … and state and local providers of data are on the hook if they send information they know is going into a program like this, without dotting “i”s and crossing “t”s first.

I flagged these potential Privacy Act issues in DHS’s apparent expansion of a system designed for tracking immigrants, to expand to contain searchable data on U.S.-born citizens.  And there are similar (and similarly disturbing) issues if DOJ’s just accumulating voter files.  DOJ keeps its Privacy Act disclosures online, here.  (At least, I’m not aware of another repository.)  It’s the Civil Rights Division that’s asking. And so I’ve looked through the Privacy Act notices submitted by the Civil Rights Division, and the only one that’s even plausibly anywhere near close is the authorization to keep general case files.  That notice says it’s for “case files, matters, memoranda, correspondence, studies, and reports relating to enforcement of civil rights laws and other various duties of the Civil Rights Division” – if you’re investigating a civil rights violation, you’re going to have personal information about the victims and targets and witnesses.  Fair enough.  But I don’t think anyone would look at that notice and expect that DOJ plans to collect and keep a bunch of voter files, with identifiable information about individuals’ registration and/or voting history who aren’t themselves plausibly part of any investigation into state practices.

So I don’t think DOJ has jumped through the necessary hoops to collect what it’s requesting, even if it were telling the truth about why.  But I’ve also got questions about the why.

Collecting the voter files is also of extremely limited utility in investigating what DOJ says it’s investigating in these requests.  The requests cite provisions of the National Voter Registration Act and the Help America Vote Act that require officials to have general programs of voter list maintenance.  To assess whether officials are satisfying these statutory mandates, you’d want to know what procedures they have in place, and maybe some statistics about overall list maintenance activity.  But the individual records on the list aren’t really relevant to that inquiry: whether “Justin Levitt” happens to be on any state or county’s voter list has very, very little to do with whether the state or county has the general program it’s required to have under federal law. 

I’m not claiming that temporary access to particular voter registration data will never be necessary for any federal investigation.  But if the voter rolls aren’t really necessary for the asserted purpose here, that raises questions about why the DOJ actually wants the lists – not only whether it’s not telling the truth (or the whole truth) in its demand letters, but also whether it has other purposes in mind, like matching databases to each other in a way that might impact benefits (with the mistakes that follow from bad matching).  That’d have distinct protections under the Privacy Act, with distinct consequences for the state and local officials asked to supply data.  There have been reports about the degree to which the DOGE approach is to move fast and break things — which may be fine for the private sector, but not consistent with federal statutory protections for public activity.  I guess I’m wondering whether the demands for voter rolls are more of the same.

Reporters keep buying the claim that DOGE is looking for voter fraud, at face value and without further questions

Buried in this NYT profile of Elon Musk’s latest PR offensive is the following paragraph:

It is unclear how many of Mr. Musk’s most prominent deputies will stay ensconced in their new government roles. Antonio Gracias, the billionaire investor, has transitioned from leading the DOGE team at the Social Security Administration to a role combing through federal databases to try to identify instances of foreign nationals voting illegally, according to people familiar with the effort.

This isn’t a new revelation (Rick blogged an NPR story on this a month and a half ago).  But the discussion here is weird for a few reasons.

First, it’s wholly unclear why anyone describing government personnel and ostensibly official government roles should need anonymity, so I really don’t understand the “sources familiar” anonymous sourcing.  Second, there are no federal databases that identify voters.  Third, if Gracias is actually a government official trying to match federal databases with state voting databases, there are specific legal requirements under the Privacy Act that he’d have a responsibility to follow before acquiring any of that data or doing that matching, and there’s no indication whatsoever that anyone’s taken those steps.  It’s important that these legal requirements apply because it’s the federal government: just because some voter files may be available to the public does NOT mean that they’re available to the federal government.  (Right or wrong, we’ve been antsier about the government having your data than about private individuals having your data, for a long time now.)  So if what these needlessly anonymous sources have said is actually true, even before getting to the logistics or results of the effort, there should have been a slew of follow-up questions.  And/but that’s where the paragraph ends.
