DOGE May Now Be Aware Of The CFAA But It’s Still Violating It, Along With Lots Of Other Laws

Another day, another computer system for DOGE to unlawfully access. This time it is the one running the Consumer Financial Protection Bureau, one of the latest to be unlawfully shut down.

Bloomberg is reporting that this time the DOGE bros incursion into the systems came with some sort of MOU, which did a few things of note for the CFAA analysis.

The team’s initial entry to CFPB Thursday had been accompanied by an “Assignment Agreement,” or a memorandum of understanding between the efficiency initiative and the consumer agency, a copy of which was seen by Bloomberg News. It explained that authority for the CFPB operation emanated from a Jan. 20 executive order. It also said that the scope of the DOGE team’s efforts would include, “work on software modernization initiatives,” the promotion of “inter-operability between agency networks and systems” and the use of software engineering to “champion the use of modern technology development and management approaches.”

That MOU gives the impression that Musk and Trump are trying to be a bit more diligent about dotting their legal i’s before continuing their onslaught against the Executive Branch, but their efforts here make their behavior no more legal than a thief notarizing a document declaring that he is now going to be lawfully robbing a bank. The claimed lawfulness remains illusory.

They did, however, appear to try to address it by making a specific claim about the authorization for the access DOGE demanded by pinning it to a January 20 executive order. But, as I explained earlier, that’s very nice that Trump tried to empower DOGE’s access, whether via Executive Order or something less formal. The operable point here is that Trump himself lacked the lawful authority to give that authorization. There are laws governing his use of power, including to even try to create new agencies like DOGE, plus laws about government personnel, including how they are hired and empowered, and then laws like the CFAA and Privacy Act that impose limits on system access. And then there is the Constitution itself that requires that, as President, he “shall take care that the Laws be faithfully executed.” And there is nothing in the Constitution that allows him to ignore or break them himself.

The MOU also seemed to acknowledge some limitations placed on data access.

The memorandum of understanding, which bore the seal of the Executive Office of the President, says CFPB leadership will see to it that the DOGE will “have full and prompt access to unclassified agency records, software systems, and IT systems.” It notes that DOGE “shall adhere to rigorous data protection standards” and that CFPB should “ascertain and mitigate any conflicts of interest or confidentiality protocols.”

I don’t think it’s enough to effectively limit the liability from accessing any of this data, although it’s interesting that any authorization Trump could have possibly given now expressly does not include classified information. But in any case it doesn’t appear that this authorization is actually limited.

Initially, CFPB officials were told that a DOGE team needed just “read only” access to their human resources, procurement and finance systems. By Friday evening, according to an email sent by Chilbert that was seen by Bloomberg News, Vought had instructed CFPB to give DOGE administrative access — a much broader form of permissioning.

Even if this access does not include access to rewrite software code (although, given the mission to promote the “inter-operability between agency networks and systems,” it would seem to), it would give unlimited access to read and even potentially modify data stored on CFPB systems, which not only includes sensitive financial information of countless American citizens but also potentially sensitive, and even trade secret, information for financial institutions, whom Musk wants to compete with. Which means that, when we consider who the potential victims of Musk are, and who might be able to sue him for harm, we need to include some of the most powerful companies in America.

We then see Vought try to claim his own power to authorize.

“I’m sending this e-mail in my capacity as acting director of the Bureau of Consumer Financial Protection,” Vought wrote in the email, which was seen by Bloomberg. “See attached letter which has been signed by me. This e-mail also constitutes my authorization to begin work under the agreement.”

But this missive is basically no more legally meaningful than the sort of nonsense so-called “sovereign citizens” cite, like fringe on the flag (whose legal significance exists only in their heads). Because he, too, is constrained by statute in terms of what he can do and what he can authorize. And the wholesale access to the agency’s computers by people who qualify as neither entitled federal employees nor contractors legitimately engaged through the federal contracting process (which is also governed by laws) is not among his own powers to do.

And kicking everyone out of the building who is lawfully allowed to have access to these systems would seem to reflect that he knows it.

But as a reminder, the point of being able to invoke the CFAA is not so much to be able to use it as a lever against Vought (although perhaps it could be) but the vandals he’s allowed to rampage through America’s most sensitive computer systems and data. When the authorization they claim to do it with is fictional there is nothing that protects them. And it is coming time to use the laws we do still have to make them realize it, especially when laws like the CFAA, for better or worse, let any affected American do it themselves.