The Business & Technology Network
Helping Business Interpret and Use Technology

A Dangerous Lack Of Clarity: Does DOGE’s Negotiated “Read Only” Access Mean “Read Only” Access To Data Or Code?

Tags: social tech
DATE POSTED: February 6, 2025

News moves fast… While this post was getting finalized came news that Marko Elez has resigned after his racist tweets were found and publicized. Nevertheless, the point made herein still stands.

Amidst all the news today is news suggesting that Musk and his lackeys have had their access to the federal government’s payment systems limited. While it appears true that there are now some limits, it is too soon to celebrate before we know whether there are enough. The limits might only be on the data used by these systems, and not the code that powers these systems. And that difference is important.

The news from today relates to the negotiated restraining order a judge approved arising from the Alliance for Retired Americans v. Scott Bessent litigation. Per that order, access to the Treasury Department’s data has now been limited to just two DOGErs, Tom Krause and Marko Elez, and that access is “read only”:

The Defendants will not provide access to any payment record or payment system of records maintained by or within the Bureau of the Fiscal Service, except that the Defendants may provide access to any of the following people:

o Mr. Tom Krause, a Special Government Employee in the Department of the Treasury, as needed for the performance of his duties, provided that such access to payment records will be “read only”;
o Mr. Marko Elez, a Special Government Employee in the Department of the Treasury, as needed for the performance of his duties, provided that such access to payment records will be “read only”;

This order comes after reporting from earlier this week that, despite promises from the Treasury Department that Krause had “read only” access, Elez appeared to have admin privileges and may have even pushed live code into the system. Nathan Tankus, who has been closely tracking the access issue, also reported today that, from a practical standpoint, Elez’s access may have already been somewhat curtailed in response to public reporting.

On Saturday, they had given Marko read/write access and marked his access request as completed and closed. There was no mistake in their wording: they explicitly said they had given Marko read/write access to SPS. On Wednesday, they reopened his access request and stated his permissions were now read only.

But reporting on what’s going on at Treasury in response to this court order keeps obscuring an important issue, and it’s leading people to breathe a sigh of relief that is potentially, and critically, not warranted. Indeed, there’s a way to read the court order that should be cause for alarm, not relief.

True, it is good that access to Americans’ social security numbers is limited to just two Muskers, and that their access is limited, although there is a lack of clarity about what these limitations mean. It may mean that they cannot change the data, and it may also mean that they cannot download or share it, but “read only” is not defined in the order, so it’s hard to be sure.

It is also not clear that it goes beyond payment records. Per the order, access is limited to “any payment records,” which presumably includes Americans’ personal information. And access is also limited to “any payment system of records.” But “payment system of records” is a term desperate for definition, because it’s not at all clear that it applies to what it really needs to apply to.

What is really dangerous is for these renegades to have access to the software code that makes the payments out of Treasury. But this provision looks like it only prevents them from accessing the system that handles how Treasury handles the records about whom to pay. It does not look like this injunctive provision extends to anything that controls the payments themselves. It looks like any number of DOGErs (beyond just Krause and Elez) could still have access to those systems and the software Treasury uses to make payments (even if they don’t have direct access to the records of payments). There appears to be nothing in this order to limit any DOGEr’s access to not just see the software code but potentially also change the code, upload the code, and run the code.

If anything, the negotiated settlement suggests that DOGE very much still intends to do such things, given that Krause and (previously) Elez still needed access to records “for the performance of [their] duties.” What duties are these? How do they relate to actual payments? What are they still doing in these systems?

This lawsuit of course may not have been the right vehicle to limit their access to the software code, given that it was brought to address the separate problem of the privacy harm resulting when any of them can see Americans’ personal information. But that’s not the only harm the nation faces if these guys still have control over the computers that handle whether and how America pays its bills. It is critically important that reporting recognize that this question has not been fully answered in a way that can give anyone confidence that our entire economy does not still rest in their unauthorized hands.
