Comments from EPIC & 15 Organizations to the U.S. Department of Homeland Security on the System of Records Notice for the SAVE Program

The Electronic Privacy Information Center (EPIC) and the undersigned organizations submit these comments in response to the System of Records Notice (“SORN” or “the Notice”) for the Systematic Alien Verification for Entitlements Program (SAVE) published in the Federal Register by the Department of Homeland Security (DHS) on October 31, 2025.^[1] EPIC is a public interest research center in Washington, D.C., established in 1994 to protect privacy, freedom of expression, and democratic values in the information age.

Over the past seven months, DHS has effected radical changes to SAVE in defiance of long-established safeguards on how the system can be used, what types of records it incorporates, and whose information can be accessed. A tool once used to facilitate the provision of public benefits now serves as a jerry-rigged national citizenship database: an error-ridden system with vast quantities of sensitive personal information from Americans and noncitizens alike. Equally concerning, the system—newly linked to sensitive Social Security Administration (SSA) records—can now be queried in bulk by states looking to kick voters off of their rolls. Although DHS has undertaken some of these changes loudly, it has done so in clear violation of federal law, without public or Congressional input, and against stern warnings issued in recent years by the very agencies involved in the system’s overhaul.

Half a year after these changes began, DHS now comes before the public to seek retroactive authority for its sweeping violations of privacy and voting rights through the instant Notice. But the sensitive personal information of tens of millions cannot be so casually abused under federal law: the Privacy Act demands more of federal agencies. First, the Notice does nothing to legitimize the wrongful disclosure and consolidation of personal information that DHS has carried out over the past year; the Privacy Act is clear that agencies must solicit public comment on proposed uses of personal information before they act on them. Second, the routine uses and “need to know” disclosures set out in the Notice fall far short of the compatibility and specificity that the Privacy Act requires. Third, the Notice reveals numerous other legal and operational deficiencies in the overhauled SAVE system that demand its total unwinding. Finally, the agency’s failure to identify or disclose any Computer Matching Agreements applicable to the overhauled SAVE system represents an independent violation of the Privacy Act.

Accordingly, DHS should promptly withdraw its Notice, revert the radical changes it has made to the SAVE system over the past seven months, abandon any related modifications still under consideration, restore SAVE to its previous purpose and functionality, and take the steps necessary to ensure that user agencies delete all personal records and derived data wrongfully disclosed to them by the overhauled system.

I. DHS’s after-the-fact publication of a modified system of records notice cannot legitimize its radical restructuring of the SAVE system.

We object to DHS’s failure both to provide a meaningful opportunity to be heard on the proposed Notice and to conduct a meaningful review of public comments prior to the agency’s overhaul of the SAVE system. Having already violated its statutory notice obligations, DHS now seeks to absolve itself of its unlawful actions through the belated publication of a System of Records Notice. This it cannot do, particularly through a Notice that fails to meet the substantive requirements of the Privacy Act.

The Privacy Act requires an agency to, “at least 30 days prior to publication of information under paragraph (4)(D) of this subsection, publish in the Federal Register notice of any new use or intended use of the information in the system, and provided an opportunity for interested persons to submit written data, views, or arguments to the agency.”^[2] Paragraph (4)(D) of the subsection refers to “each routine use of the records contained in the system, including the categories of users and purposes of such use.”^[3] Further, agencies cannot “use a new or significantly modified routine use as the basis for a disclosure fewer than 30 days following Federal Register publication.”^[4]

The agency failed to provide adequate notice before expanding the SAVE system. The U.S. Citizenship and Immigration Services (USCIS) last published a revised Notice for the SAVE system in 2020.^[5] On April 22, 2025, DHS, USCIS, and the Department of Government Efficiency (DOGE) announced that they would “overhaul” the SAVE system to enable “mass status checks” and the integration of “criminal records, immigration timelines, and addresses.”^[6] On May 22, 2025, USCIS announced that it had dramatically altered the SAVE program, making it now a single source “for verifying immigration status and U.S. citizenship nationwide.”^[7] The agency further stated that it would “continue to improve and add more capability and functionality to SAVE.”^[8] The USCIS also updated its SAVE “fact sheet” to reflect significant changes to the overhauled SAVE system in August 2025.^[9]

But DHS’s after-the-fact Notice is insufficient: the agency is already engaged in the unlawful linking of personal records with the SAVE system—and has been since May 2025. Despite the Notice indicating that new or modified routine uses will be effective December 1, 2025, DHS and other agencies are actively using the overhauled SAVE system and encouraging states to use the tool to run citizenship checks.^[10] States like Texas and Louisiana have already used the SAVE system to identify purported noncitizens registered to vote.^[11] This cart-before-the-horse overhaul of SAVE not only violates DHS’s public notice obligations; it also violates the agency’s notice obligations to Congress and the Office of Management and Budget (OMB).^[12] Members of Congress were not informed prior to the expansion of the SAVE system and rightly criticized the lack of transparency around the use of the system.^[13]

The Privacy Act sets forth specific review, reporting, and publication requirements prior to the modification of a system of records which this belated Notice fails to meet. Even if the Notice were otherwise adequate—and it is not—a Notice issued long after DHS undertook major modifications to the system cannot cure the agency’s unlawful (and ongoing) use of that modified system. By ignoring mandatory safeguards set forth in the Privacy Act, DHS is skirting its accountability and transparency obligations and further undermining public trust.

II. The routine uses and “need to know” disclosures set out in the modified SAVE Notice fail to satisfy the Privacy Act.

To align with the Trump administration’s various executive orders and stated intention to identify (virtually nonexistent) noncitizen voting,[14] DHS has overhauled the SAVE system to allow user agencies to query using the full or last four digits of a Social Security number, name, and date of birth in bulk. The Notice, completed months after the overhauled SAVE system has been deployed, attempts to paper over the agency’s Privacy Act violations by asserting new legal bases to consolidate, use, and disclose personal information. This attempt fails.

As the Notice reflects, DHS has transformed (and seeks to further transform) SAVE from a limited-purpose tool into a system that incorporates sensitive personal data about virtually all Americans and noncitizens in the U.S. The Notice lists new data sources to the SAVE system and new data categories that the SAVE system will incorporate, including full and truncated (last four digits) Social Security numbers, U.S. passport numbers, driver’s license numbers, and information from SSA. New record sources include SSA’s Numerical Identification System (Numident) and state or other agencies that issue or maintain drivers’ license information.^[15]

The Notice also purports to establish Routine Use L, which would allow records to be used “to support sharing with Social Security Administration and other federal organizations” and would authorize disclosure “to the Social Security Administration and other federal, state, tribal, territorial, local, governments and other authorized entities to assist user agencies determine U.S. citizenship and immigration status of an individual when a DHS approved agreement is in place between DHS and the entity.”^[16] The Notice asserts that SAVE data may be disclosed to other DHS components that “have a need to know” of the information “to carry out their national security, law enforcement, immigration, intelligence, or other homeland security functions.”^[17]

For the reasons below, this new “routine use” is incompatible with the Privacy Act, and DHS’s apparent construction of the “need to know” exception is impermissibly broad.

1. The verification of citizenship and immigration status is incompatible with the purpose for which many newly incorporated SAVE records were originally collected.

Routine Use L—“to assist user agencies determine U.S. citizenship and immigration status of an individual”—is not a lawful basis for the use and disclosure of a great many records now accessible through the SAVE system. Among the exceptions to the Privacy Act’s general prohibition on the disclosure of personal records are “routine use” disclosures, i.e., those made “for a purpose which is compatible with the purpose for which [a record] was collected.”^[18] Determining “compatibility” requires “a dual inquiry into the purpose for the collection of the record in the specific case and the purpose of the disclosure.”^[19] Once the purposes of the collection and disclosure are identified, there must be more than a mere “relevance” of the disclosure’s objective to the collection’s aim.^[20] Instead, “[t]here must be a more concrete relationship or similarity, some meaningful degree of convergence, between the disclosing agency’s purpose in gathering the information and in its disclosure.”^[21] DHS’s stated aim of enabling user agencies to determine individuals’ citizenship and immigration statuses cannot be squared with the purpose for which the relevant SSA records were originally collected.

Before DHS’s recent overhaul, SAVE was a system that queried USCIS data sources so that user agencies could determine whether an individual was eligible to receive government benefits, such as social security benefits, SNAP benefits, Medicaid, etc. —a purpose incompatible with the general voter verification the agency now proposes.^[22] The SAVE system was queried individually using A-Numbers, which are assigned to individuals who come into contact with immigration authorities.[23] This made the pre-overhauled SAVE system unfit, as a general matter, to determine U.S. citizenship status for voter verification:^[24] SAVE was not a comprehensive database of U.S. citizens, since most U.S.-born citizens do not interact with USCIS or DHS.^[25] SAVE was also not updated to include all naturalized citizens, and does not include derivative citizens born to U.S. parents abroad.^[26]

The overhauled SAVE system is likewise unfit for citizenship and immigration status verification. In particular, the SSA records newly linked to the overhauled SAVE system were not collected for a purpose compatible with verifying U.S. citizenship or immigration status. The recent SORN and the PIA state that when the SAVE system is queried using a full or last four digits of the Social Security number (SSN), data from SSA is queried.^[27] However, SSA data was collected in order to administer Social Security and other federal benefits.^[28] As SSA has emphasized, such records do not provide reliable information on U.S. citizenship or immigration status.^[29] Indeed, it is DHS that is responsible for maintaining current immigration and work authorization status for all noncitizens.^[30] Many SSA records may be outdated because an individual’s immigration status may change after they apply for their SSN, and there is no obligation for an individual to report to SSA a change in their immigration status unless they are receiving Social Security payments.^[31] A 2006 audit by SSA’s Office of Inspector General estimated that SSA’s citizenship data inaccurately identified about 3.3 million U.S. citizens as non-citizens “because they had become U.S. citizens after obtaining their SSN” and “had not updated their records with SSA.”^[32] Further, there are inaccuracies in SSA citizenship data for U.S.-born citizens because the agency did not consistently collect and maintain this information before 1981.^[33] Verifying the citizenship status of registered voters is simply not a compatible application of records collected to administer public benefits, and the unfitness of the SSA data for such purpose clearly attests to as much.

Naturalized citizens are most at risk for having incorrect citizenship information in SSA data because their status would have changed, and recent developments under the Trump administration heightens the risk for such citizens. In March of this year, SSA quietly paused the Enumeration Beyond Entry Program (EBE),^[34] in which SSA processed automatically the issuance of new Social Security cards for noncitizens granted work authorizations and newly naturalized U.S. citizens if the individual authorized the transfer of information from USCIS to SSA to do so.^[35] The EBE’s continued pause requires recently naturalized citizens to request SSA to process a name change and update their citizenship status through an in-person visit to an SSA field office.^[36] The quiet policy change with no public notice meant that newly naturalized citizens who requested the automatic processing for a new social security card on their USCIS forms may wait for months for a new social security card under the false belief that a new social security card is being processed. As a result, the SSA database will have outdated Social Security numbers for newly naturalized citizens unaware that they must undertake an in-person appointment to obtain a new social security number. The “pause” appears to be ongoing^[37] (even though the SSA website continues to claim that the EBE program is still in effect, furthering confusion).^[38] In addition to creating confusion, unnecessary obstacles by requiring in-person appointments, and administrative burdens for field SSA staff,^[39] the pause of EBE unnecessarily delays SAVE correctly reflecting that a newly naturalized person is a citizen, potentially for several months. This threatens the ability of recently naturalized citizens to vote in upcoming elections.

The overhauled SAVE system’s use of the last four digits of the SSN to query the system creates novel and unmitigated risks of false identity matches, further evincing the incompatibility between the purpose for which the source data was collected and the purpose of citizenship verification. While DHS purports to “enhance” voter verification by allowing SAVE queries using the last four digits of the SSN^[40] instead of the full SSN, the last four digits of an SSN are not a unique identifier. Because the last four digits of an SSN are not unique, there is a risk of misidentifying or mismatching individuals between the voter file and the data accessed by SAVE. DHS itself admits in its SAVE PIA that “due to misspelling of names, transposed numbers, or incomplete information, the SAVE Program may produce inaccurate results,” and that these risks cannot be fully mitigated when SAVE users conduct searches by SSN because DHS “does not have direct access to the Social Security Administration system to support” additional verification steps, and SAVE user agencies “may not go through all steps to ensure accuracy of information.”^[41] Despite the self-reported risks of inaccuracies, DHS is forging ahead, portraying the SAVE overhaul as an “enhancement” to voter verification.

SAVE’s purported additional verification procedures provide little confidence of preventing erroneous results, further underscoring the incompatibility of using the source data accessed for citizenship verification. The updated SAVE fact sheet states that USCIS cannot or will not conduct “additional verification” for queries with only an SSN and will only conduct additional verification if a DHS numeric identifier is provided by the user agency or found in querying SSA data.^[42] SAVE’s additional verification procedures involve additional levels of manual verification conducted by USCIS employees and are “important for ensuring an accurate and complete response.”^[43] User agencies are required to escalate cases when prompted by SAVE or when requested by the applicant.^[44] However, the track record of user agencies suggests otherwise, and the Notice provides no concrete support that DHS ensures additional verification occurs. A 2017 report by the U.S. Government Accountability Office (GAO) reflects that, from approximately 2012 to 2016, “the majority of SAVE user agencies that received a SAVE response prompting them to institute additional verification did not complete the required additional steps to verify the benefit applicant’s immigration status.”^[45] None of the states’ SAVE Memoranda of Agreement (MOAs) for voter registration or list maintenance purposes address the unreliability and incompleteness of SSA citizenship data or the risk of error when using it for voter citizenship checks.^[46] And DHS itself recognizes the risk in its PIA that SAVE user agencies “may not go through all steps to ensure accuracy of information.”^[47] Despite such concern, neither the PIA nor the SORN provide concrete compliance and accountability mechanisms that DHS will impose on user agencies to undertake the additional verification steps.

The dramatic expansion of the SAVE system for the purpose of verifying voters’ citizenship status violates the Privacy Act and threatens real harm of voter disenfranchisement and wrongful prosecution. The newly created risks of erroneous results from the SAVE system requires naturalized citizens to update their citizenship status with SSA through in-person appointments—despite there being no legal obligation for them to do so if not for the risk of disenfranchisement. Misidentification or an inconclusive response for voters may create additional burdens for the citizen to prove their citizenship to their voting jurisdiction. In fact, Texas, a SAVE user, has asked over 170 counties to send notices^[48] to thousands of voters who have been flagged by the new SAVE system as “potential” non-citizen registered voters.^[49] Early reports indicate a high error rate, with numerous eligible voters being wrongfully identified as non-citizens and forced to re-prove their citizenship status to prevent cancellation of their voter registrations within 30 days.^[50] Louisiana claims to have removed nearly 400 voters from their voter rolls using the SAVE system,^[51] and an October 2025 report by the Virginia Department of Elections says that between September 1, 2024, and August 31, 2025, 1,644 Virginia voter registrations were cancelled as a result of SAVE citizenship checks.^[52] Requiring documented proof of citizenship of registered voters impermissibly burdens the right to vote, wrongfully risks disenfranchisement, and further underscores the unfitness of SSA data now being channeled into the SAVE system for use in voter verification.

2. The Notice raises serious questions about how DHS may evaluate and undertake so-called “need to know” disclosures of SAVE records to agency personnel.

The Notice’s passing invocation of the “need to know” exception for intra-agency disclosure of SAVE system records raises further troubling questions. The Notice states that “information stored in SAVE may be shared with other DHS Components that have a need to know of the information to carry out their national security, law enforcement, immigration, intelligence, or other homeland security functions.”^[53] The “need to know” exception only allows data sharing “to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.”^[54] As the OMB has explained, a “need to know” disclosure should be “generally related to the purpose for which the record is maintained.”^[55]

Given that DHS employs over 260,000 people and contains subcomponents including Customs and Border Protection, Immigration and Customs Enforcement, and the Transportation Security Administration,^[56] even intra-agency data sharing within DHS can have potentially dramatic consequences. Congress itself recognized the importance of limiting intra-agency data sharing when it passed the Privacy Act.^[57] The overhauled SAVE is a vast interagency system meant to facilitate access to the sensitive data of virtually all Americans, including SSA data, State Department of Data, and drivers’ license data from state and other entities (such as the National Law Enforcement Telecommunications System (NLETS)).^[58] Given this, one would expect DHS to provide some insight into the applicable access protocols or the “needs” that might justify disclosure of SAVE’s expanded data types to DHS personnel, but the Notice omits these insights. Nor does the Notice suggest how DHS will determine whether a “need” asserted in the future is sufficiently related to the purposes for which the data was originally collected or how DHS intends to protect against misuse of SAVE data. Simply put, DHS’s assertion that it may make “need to know” disclosures of SAVE records raises more questions about the agency’s adherence to the Privacy Act than it answers.

III. The Notice reveals numerous other Privacy Act violations left unaddressed by DHS.

Even beyond its dubious discussion of routine uses and need to know disclosures, the Notice reveals multiple other Privacy Act violations.

First, although DHS vaguely motions at 8 U.S.C. § 1373(c) and two executive orders^[59] to justify its actions, the agency fails to establish that its significant expansion of SAVE and its users is either “relevant” or “necessary to accomplish” any valid, legal purpose under those authorities.^[60] The Privacy Act requires a system of records to be both,^[61] but DHS has made no attempt to demonstrate either element. Of course, it is difficult to imagine that DHS could ever establish necessity and relevance for its haphazard and sweeping expansion of the SAVE system as described in the Notice. DHS’s revisions link massive amounts of sensitive information from across federal, state, and local governments, creating just the kind of “national data banks” that Congress has explicitly considered and rejected.^[62] Nothing in 8 U.S.C. § 1373(c) justifies (much less requires) DHS’s decision to broaden SAVE’s orbit. Further, no executive order may, and the orders cited in the Notice do not purport to, supersede the data protections of the Privacy Act. DHS is acting far outside its authority and has certainly failed to meet its burden here under 5 U.S.C. § 552a(e)(1).

Second, DHS has made no effort to ensure that the wrongfully acquired SSA information the agency now maintains^[63] and disseminates^[64] through SAVE is accurate, timely, or complete, despite the highly sensitive nature of both the information and DHS’s stated use for determining voter eligibility. Not only has SSA admitted that its citizenship data is incomplete, unreliable, and not “definitive,” but it has repeatedly warned that its data should not be used for making citizenship determinations.^[65] Despite this, and despite DHS’s in-court admission that these inaccuracies likely still exist,^[66] DHS has pressed on. Now the agency disseminates information it knows to be inadequate and encourages non-federal users to use the SAVE system in ways that will disenfranchise many of their fundamental right to vote. These are blatant violations of 5 U.S.C. § 552a(e)(5)-(6).

Third, DHS’s changes to the SAVE system create significant security risks that the Notice does not adequately address. The agency has piped sensitive personal information into the SAVE system, including dates of birth, Social Security information, driver’s license information, and citizenship information. At the same time, DHS has enabled users to conduct bulk uploads, undertaken a concerted effort to expand SAVE’s user base for nearly any purpose, and enabled many users to access the cases and information of other users. These significant changes to the SAVE system have made it an even more compelling honeypot for malicious actors. Not only is the information housed in the system far more attractive, but the entry points are numerous.

Threats to the SAVE system are not limited to external actors, however. DHS has diluted the SAVE system’s security and further endangered the privacy of affected individuals by enabling bulk uploads and allowing many SAVE users to access the cases and information uploaded by other users.[67] As a result of these new capabilities, control over the information given to SAVE users is limited and easily lost altogether. Any SAVE user could take advantage of these features to seed their own surveillance systems across the U.S., which in turn pose further security hazards and risks to civil liberties. The agency fails to discuss what safeguards, if any, are in place nor what exactly the “proper legal authority”^[68] is for a user to take advantage of the dramatically expanded functions the agency provides. Instead, it states generically that the system is protected “according to applicable rules and policies” and the “strict controls” that DHS maintains.^[69] This simply is not enough to know whether the agency has in fact established “appropriate safeguards,” and it certainly does not satisfy the Privacy Act.^[70]

Finally, DHS is not equipped to prevent the risks invited by its changes to the SAVE system. The agency intends to retain records for a period of ten years, leaving ample room for the system to be compromised.^[71] The Notice invokes NARA retention schedule N1-566-08-007^[72] (improperly cited as N1-566-08-07), a schedule developed in 2008 that does not contemplate a centralized repository like the one DHS proposes here. Despite this, and despite the significant privacy risks introduced by DHS, the Notice fails to acknowledge the danger in maintaining records for a full decade. The Privacy Act demands more. Indeed, this is particularly unsettling in light of the federal government’s long and sordid record of data breaches, including at OPM,^[73] DHS,^[74] CBP,^[75] ICE,^[76] and SSA.^[77] The Notice not only fails to account for these hazards but identifies no mechanisms to detect, prevent, or hold account for illegitimate access, breach, or use of SAVE information.

IV. DHS’s lack of Computer Matching Agreements applicable to the overhauled SAVE system violates the Privacy Act.

The Notice does not identify or solicit public comment on any Computer Matching Agreements between DHS and the relevant agencies that would authorize DHS to carry out the proposed consolidation of information. Absent such agreements, DHS’s establishment of a new matching program using SSA data and driver’s license information violates the computer matching restrictions of the Privacy Act.^[78]

Under the Privacy Act, a Computer Matching Agreement is required when matching datasets to determine federal benefit eligibility.^[79] Matching agreements must include detailed data elements and meet strict requirements designed to ensure public transparency and participation, congressional and agency oversight, and rigorous legal compliance.^[80] Like SORNs, an agency must provide advance notice to the public and Congress and opportunity for public comment whenever it establishes or significantly changes a matching program.^[81]

The Notice describes new bulk matching of state, SSA, and DHS records for federal benefits determinations, among other purposes. Specifically the Notice revises record source categories to add “Master Files of Social Security Number Holders, Social Security Number Applications . . . and state or other national agencies that issue or maintain driver’s license information.”^[82] The bulk consolidation and matching of federal and state-held personal data to verify citizenship of U.S. citizens by birth “for all registered benefits and licenses by registered SAVE user agencies” undoubtedly constitutes a new or revised “matching program” under the Privacy Act.^[83] By definition, a “matching program” includes any “computerized comparison of two or more automated systems of records or a system of records with non-Federal records for the purpose of . . . establishing or verifying the eligibility of . . . beneficiaries of . . . cash or in-kind assistance or payments under [a] Federal benefit program [.]”^[84] And DHS claims that, as of November 3, the overhauled SAVE system has already “allowed federal agencies to submit over 110 million queries to help verify eligibility for federally funded benefits.”^[85] Yet DHS has not specified or otherwise disclosed any Computer Matching Agreements that relate to the overhauled SAVE system in its Notice. By failing to disclose this information, DHS has deprived the undersigned organizations and the public of critical information to which they are entitled by law, as well as the opportunity to provide public comment on this sweeping new inter-governmental data matching.

The only publicly disclosed DHS Computer Matching Agreement with SSA is related to SSA accessing DHS data to identify noncitizens that leave voluntarily or have been removed “to determine suspension of payments, nonpayments of benefits, and/or recovery of overpayments[.]”^[86] But this agreement does not address accessing the overhauled SAVE system from either agency for its expanded use in verifying citizenship or immigration status for public benefits.

Given the scale and sensitivity of the overhauled SAVE system, it is incumbent on DHS to disclose any and all relevant Computer Matching Agreements. If DHS has not completed an applicable Computer Matching Agreement with SSA or any other relevant agencies from which the overhauled SAVE system draws records, DHS must immediately deactivate and unwind such data transfer mechanisms until it has completed, publicly noticed, and published a Matching Agreement in accordance with the Privacy Act and OMB Circular A-108.

Conclusion

For the above reasons, DHS should promptly withdraw its Notice, revert the radical changes it has made to the SAVE system over the past seven months, abandon any related modifications still under consideration, restore SAVE to its previous purpose and functionality, and take the steps necessary to ensure that user agencies delete all personal records wrongfully disclosed by the overhauled system. If you require any additional information about DHS’s Privacy Act and related statutory obligations, please contact John Davisson, EPIC Director of Litigation, at [email protected].

Respectfully submitted,

Electronic Privacy Information Center (EPIC)

American Immigration Council

Association of Public Data Users

Center for Democracy & Technology

Defending Rights & Dissent

Demand Progress Education Fund

Free Speech for People

Freedom from Religion Foundation

Government Information Watch

Japanese American Citizen League

National Hispanic Media Coalition

National Women’s Law Center

Project on Government Oversight

Restore the Fourth

Secure Elections Network

Surveillance Technology Oversight Project (STOP)

---

[1] 90 Fed. Reg. 48948, 48948 (Oct. 31, 2025) (“2025 SAVE SORN”).

[2] 5 U.S.C. § 552a(e)(11).

[3] Id. at (e)(4)(D).

[4] Off. of Mgmt. & Budget Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, at 7 (2016), https://perma.cc/N9QK-SDLE (“OMB Circular No. A-108”).

[5] Privacy Act Notice of Modified System of Records, DHS, 85 Fed. Reg. 31798 (May 27, 2020).

[6] Press Release, DHS, USCIS, DOGE Overhaul Systematic Alien Verification for Entitlements Database, DHS, (April 22, 2025), https://perma.cc/Y8A5-YX3M.

[7] Press Release, USCIS Deploys Common Sense Tools to Verify Voters, USCIS (May 22, 2025), https://perma.cc/HBZ5-RW2E.

[8] Id.

[9] Voter Registration and Voter list Maintenance Fact Sheet, USCIS (last updated Aug. 27, 2025), https://perma.cc/PP4H-T7CK.

[10] See Jude Joffe-Block & Miles Parks, 33 Million Voters Have Been Run Through a Trump Administration Citizenship Check, NPR (Sep. 11, 2025), https://perma.cc/QWL3-DCVR.

[11] See Press Release, Texas Completes Citizenship Verifications in Save Database, TX Sec. of State (Oct. 20, 2025), https://www.sos.state.tx.us/about/newsreleases/2025/102025.shtml; Wesley Muller, Louisiana Election Investigation Finds 79 Noncitizens Have Voted Since 1980s, Louisiana Illuminator (Sep. 4, 2025), https://lailluminator.com/2025/09/04/louisiana-election-investigation-finds-79-noncitizens-have-voted-since-1980s/.

[12] 5 U.S.C. § 552a(r).

[13] See e.g., Letter from Senators Alex Padilla, Ranking Member of the Senate Rules and Admin Comm., Gary Peters, Ranking Member of the Senate Homeland Sec. and Gov’t Aff. Comm., and Jeff Merkley, to Kristi Noem, Sec., DHS (July 15, 2025), https://perma.cc/3KD2-FCNQ.

[14] See Miles Parks, Despite grand claims, a new report shows noncitizen voting hasn’t materialized, NPR (July 30, 2025), https://www.npr.org/2025/07/30/nx-s1-5462836/noncitizen-voting-trump-ceir-review; Stuart A. Thompson, No, noncitizens are not voting in droves, NY Times (Oct. 28, 2024), https://www.nytimes.com/2024/10/28/technology/noncitizen-voting-election.html.

[15] DHS, Privacy Impact Assessment for the Systematic Alien Verification for Entitlements “SAVE” Program, at 8 (Oct. 31, 2025), https://perma.cc/Q3AX-KQS7 (“2025 SAVE PIA”).

[16] 2025 SAVE SORN at 48948.

[17] Id. at 48949.

[18] See 5 U.S.C. §§ 552a(a)(7), (b)(3).

[19] Britt v. Naval Investigative Serv., 886 F.2d 544, 548–49 (3d Cir. 1989).

[20] Id. at 549.

[21] Id. at 549–50 (citing Mazaleski v. Treusdell, 562 F.2d 701, 713 n. 31 (D.C.Cir. 1977)) (other citation omitted).

[22] DHS, Privacy Impact Assessment for the Systematic Alien Verification for Entitlements “SAVE” Program, at 2 (June 30, 2020), https://perma.cc/HU2M-NTL8 (“2020 SAVE PIA”).

[23] Id. at 3.

[24] Jasleen Singh & Spencer Reynolds, Homeland Security’s “SAVE” Program Exacerbates Risks to Voters, The Brennan Center (July 21, 2025), https://www.brennancenter.org/our-work/research-reports/homeland-securitys-save-program-exacerbates-risks-voters.

[25] See Using the Systematic Alien Verification for Entitlements (SAVE) Program for Voter Eligibility Verification, American Immigration Council (Aug. 2, 2012), https://www.americanimmigrationcouncil.org/fact-sheet/using-systematic-alien-verification-entitlements-save-program-voter-eligibility/.

[26] U.S. Comm’n on C.R., An Assessment of Minority Voting Rights Access in the United States, at 148 (2018), https://www.usccr.gov/files/pubs/2018/Minority_Voting_Access_2018.pdf.

[27] 2025 SAVE SORN at 48950, 2025 SAVE PIA at 4.

[28] SSA, Privacy Act of 1974; System of Records; Correction, 90 Fed. Reg. 10025, 10026 (Feb. 20, 2025); Frequently Asked Questions: Numerical Identification (NUMIDENT) Files, Appendix, National Archives (last updated July 27, 2022), https://aad.archives.gov/aad/content/aad_docs/rg047_num_faq_2022July.pdf.

[29] SSA Off. of the Inspector Gen., Cong. Resp. Rep. No. A-08-06-26100, Accuracy of the Social

Security Administration’s Numident File 13 (Dec. 18, 2006), https://perma.cc/5G2J-FF4V (“Accuracy of SSA Numident File”).

[30] Policy for U.S. Citizenship, SSA(Feb. 23, 2024), https://perma.cc/PJL4-MVCP.  

[31] Letter from SSA Off. of Gen. Counsel to Fair Elections Ctr. 2 (July 13, 2023), https://fairelectionscenter.org/wp-content/uploads/2025/07/SSA-Touhy-Decision-letter.July-13-2023-signed.pdf (“Letter from SSA to FEC”).

[32] Accuracy of SSA Numident File at 13.

[33] Letter from SSA to FEC at 2.

[34] Judd Legum, EXCLUSIVE: Secret policy shift could overwhelm Social Security offices with millions of people, Popular Information (Mar. 20, 2025), https://popular.info/p/exclusive-secret-policy-shift-could.

[35] Amy L. Peck & Otieno B. Ombok, SSA Pauses Automatic Issuance of SSNs for Certain Immigration Applicants, Jackson Lewis (June 11, 2025), https://www.globalimmigrationblog.com/2025/06/ssa-pauses-automatic-issuance-of-ssns-for-certain-immigration-applicants/.

[36] Michael Sainato, Millions of legal immigrants’ lives upended after social security freeze, The Guardian (June 3, 2025), https://www.theguardian.com/us-news/2025/jun/03/social-security-program-quietly-frozen-musk-immigrant-claims.

[37] See id.; r/USCIS, Are SSN cards no longer being sent to immigrants?, Reddit (Oct. 31, 2025), https://www.reddit.com/r/USCIS/comments/1okww61/are_ssn_cards_no_longer_being_sent_to_immigrants/; r/USCIS, Automatic processing of SSNs for H-4 EAD application?, Reddit (Sept. 17, 2025), https://www.reddit.com/r/USCIS/comments/1njc2y9/automatic_processing_of_ssns_for_h4_ead/.

[38] SSA, Enumeration Beyond Entry (Feb. 10, 2025), https://perma.cc/G649-QW8W.

[39] Letter from Gerald E. Connolly, Ranking Member, H. Comm. on Oversight and Gov’t Reform, to Leland Dudek, Acting Comm’r for Soc. Sec. Admin., at 2–3 (Apr. 16, 2025), https://perma.cc/4RYF-Q6E8.

[40] Press Release, USCIS Enhances Voter Verification Systems, USCIS (Nov. 3, 2025), https://www.uscis.gov/newsroom/news-releases/uscis-enhances-voter-verification-systems.

[41] 2025 SAVE PIA at 19–20.

[42] Voter Registration and Voter List Maintenance Fact Sheet, USCIS (Aug. 27, 2025), https://www.uscis.gov/save/current-user-agencies/guidance/voter-registration-and-voter-list-maintenance-fact-sheet.

[43] U.S. Gov’t Accountability Off., Rep. No. GAO-17-204, Immigration Status Verification for Benefits: Actions Needed to Improve Effectiveness and Oversight at 4 (Mar. 23, 2017), https://www.gao.gov/assets/gao-17-204.pdf.

[44] USCIS, SAVE User Reference Guide Ch. 9.2 (July 16, 2025), https://perma.cc/DE8W-9US6.

[45] U.S. Gov’t Accountability Off., Rep. No. GAO-17-204, Immigration Status Verification for Benefits: Actions Needed to Improve Effectiveness and Oversight at 17–18 (Mar. 2017),

https://www.gao.gov/assets/gao-17-204.pdf.

[46] See, e.g., USCIS, Voter Verification Agency Sample MOA Draft (June 9, 2025),

https://perma.cc/7X59-4DF4; MOA between the DHS, USCIS, and the Va. St. Board of Elections (Mar. 20, 2014), https://www.courtlistener.com/docket/69234255/26/3/virginia-coalition-for-immigrant-rights-v-beals/; Texas Secretary of State Communications Concerning Voters Searched in SAVE, American Oversight (June 18, 2025), https://americanoversight.org/featureddocument/texas-secretary-of-state-communications-concerning-voters-searched-in-save/.

[47] 2025 SAVE PIA at 19–20.

[48]  Notice to Registered Voter for Proof of Citizenship (USCIS Verification), Tex. Sec’y of St. (Oct. 2025), https://perma.cc/Q5XA-CW3R.

[49] Press Release, Texas Completes Citizenship Verifications in the SAVE Database, Tex. Sec’y of St. Jane Nelson (Oct. 20, 2025), https://www.sos.state.tx.us/about/newsreleases/2025/102025.shtml; List of Potential Non-Citizens, Tex. Sec’y of St. Jane Nelson, https://www.sos.state.tx.us/about/newsreleases/2025/potential-non-citizens.pdf.

[50] Natalia Contreras, Texas counties look into ‘potential noncitizens’ on voter rolls. Here’s what they’re finding., Votebeat Texas (Oct. 31, 2025), https://www.votebeat.org/texas/2025/10/31/county-election-officials-investigate-potential-noncitizens-flagged-save-database/.

[51] Colin Vedros, La. Secretary of State finds 390 registered illegally to vote in the state, KALB (Sept. 4, 2025), https://www.kalb.com/2025/09/04/la-secretary-state-finds-390-registered-illegally-vote-state/.

[52] Va. Dept. of Elections, Annual List Maintenance Report: September 1, 2024 – August 31, 2025, at 19, https://www.elections.virginia.gov/media/formswarehouse/maintenance-reports/2025-Annual-List-Maintenance-Report.pdf.

[53] 2025 SAVE SORN at 48949.

[54] 5 U.S.C. § 552a(b)(1); See also, Overview of the Privacy Act: 2020 Edition, DOJ Off. of Privacy and C.L. (Dec. 15, 2022), https://perma.cc/997Q-XQEQ.

[55] OMB, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28948, 28954 (Jul. 1, 1975), https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf.

[56] Operations and Support Components, DHS (Mar. 5, 2025), https://www.dhs.gov/operational-and-support-components.

[57] OMB, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 28948, 28954 (Jul. 1, 1975), https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf.

[58] 2025 SAVE SORN at 48951; 2025 SAVE PIA at 6.

[59] See Executive Order 14159: Protecting the American People Against Invasion, 90 Fed. Reg. 8443, 8443 (Jan. 20, 2025) and Executive Order 14248: Preserving and Protecting the Integrity of American Elections, 90 Fed. Reg. 14005, 14005 (Mar. 25, 2025).

[60] 5 U.S.C. § 552a(e)(1).

[61] Id.

[62] See Pub. L. 100-503, § 9 (Oct. 18, 1988). Section 9(1) states that “[n]othing in the amendments made by this Act shall be construed to authorize… the establishment or maintenance…of a national data bank that combines, merges, or links information on individuals maintained in systems of records by other Federal agencies.”

[63] 5 U.S.C. § 552a(e)(5) (requiring DHS to “maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.”).

[64] Id. at § 552a(e)(6) (requiring DHS to “make reasonable efforts to assure that [records] are accurate, complete, timely, and relevant for agency purposes” before it disseminates records to non-federal entities, such as states.).

[65] Letter from SSA to FEC at 2.

[66] Mot. Hr’g Tr. at 61: 1-9, League of Women Voters v. Dep’t Homeland Sec., 1:25-cv-03501, (D.D.C. Oct. 30, 2025).

[67] 2025 SAVE SORN at 48948 (“Additionally, user agencies with appropriate legal authority may now view, within SAVE, other user agencies’ case data through a linking mechanism based on either benefit type granted (e.g., Medicare) or by state. This new account type will have reporting options to view case data.”).

[68] Id. at 48951.

[69] Id. at 48955.

[70] 5 U.S.C. § 552a(e)(10).

[71] 2025 SAVE SORN at 48954–55.

[72] Id.

[73] See Hon. Jason Chaffetz, et al., The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, U.S. House of Rep. Comm. Oversight & Gov’t Reform (Sept. 7, 2016), https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf.

[74] See, e.g., Megan Roos, Suspected Russian SolarWinds Hack Compromised Homeland Security Department, Newsweek (Dec. 14, 2020), https://www.newsweek.com/suspected-russian-solarwinds-hack-compromised-homeland-security-department-1554656. For many more examples of data breaches at DHS and its subcomponents, see Comments to Dep’t of Homeland Security on Collection of Biometric Data from Aliens Upon Entry to and Departure From the United States, EPIC at 9–11 (Dec. 21, 2020), https://epic.org/documents/collection-of-biometric-data-from-aliens-upon-entry-to-and-departure-from-the-united-states/. In fact, a September 2025 report from the DHS Office of the Inspector General found that an DHS high-value asset system containing sensitive information had inadequate cybersecurity and significant, exploitable weaknesses. See DHS OIG, Inadequate Cybersecurity Rendered DHS Headquarters High-Value System Vulnerable to Attack, OIG-25-43 (Sept. 23, 2025), https://www.oig.dhs.gov/sites/default/files/assets/2025-09/OIG-25-43-Sep25.pdf.

[75] See Joseph Cuffari, Review of CBP’s Major Cybersecurity Incident During a 2019 Biometric Pilot, Dep’t of Homeland Sec. Off. of Inspector Gen. (Sept. 21, 2020), https://www.oig.dhs.gov/sites/default/files/assets/2020-09/OIG-20-71-Sep20.pdf.

[76] See, e.g., Luke Barr, Names, Personal Information of 6,000 Noncitizens Posted on ICE Website ’Erroneously,’ ICE Says, ABC News (Dec. 1, 2022), https://abcnews.go.com/Politics/names-personal-information-6000-noncitizens-posted-ice-website/story?id=94308375.

[77] Geoff Brumfiel, Whistleblower Says Trump Officials Copied Millions of Social Security Numbers, NPR (Aug. 26, 2025), https://www.npr.org/2025/08/26/nx-s1-5517977/social-security-doge-privacy.

[78] See 5 U.S.C. § 552a(o).

[79] Id.

[80] See id. §§ 552a(o)(1)–(2).

[81] See id. §§ 552a(e)(12), (r). See also OMB Circular No. A-108, supra note 4, at 18–19.

[82] 2025 SAVE SORN at 48948.

[83] See id.

[84] 5 U.S.C. § 552a(o).

[85] USCIS Enhances Voter Verification Systems, USCIS (Nov. 3, 2025), https://www.uscis.gov/newsroom/news-releases/uscis-enhances-voter-verification-systems.

[86] Computer Matching Agreement Between the SSA and the DHS, SSA Match #1010 (Feb. 10, 2025), https://www.dhs.gov/sites/default/files/2025-02/25_0210_priv_dhs-ssa-cma-aggrement.pdf.