
DOJ Wants Sensitive Voter Data But Can’t Be Bothered to Protect It 

March 12, 2026 | Kabbas Azhar, Equal Justice Works Fellow, & Abigail Kunkler, EPIC Law Fellow

Midterms loom. Congress’s failure to rein in a runaway Executive has not endeared it to voters. “Shock and awe” tactics do not make for good governance and may cost dearly at the polls. But the White House and its Congressional allies have a plan: control who votes.

Seemingly unconstrained by democratic will, the rule of law, or the Constitution, President Trump is making calls to “nationalize the voting.” Meanwhile, his allies are attempting to force the SAVE Act through Congress. The initial bill would have barred millions of Americans from voting due to onerous requirements like requiring a passport or birth certificate at the polls every time someone votes. And the SAVE Act has since been amended to require that States regularly submit their voter rolls to the Department of Homeland Security.  

Voter registration lists are a key part of the Administration’s attempt to suppress voting. Over the past year, the Department of Justice has doggedly pursued voter rolls from 47 states and the District of Columbia—personal data that the DOJ has no legal authority to demand. Last December, the nation finally got a peek behind the curtain into DOJ’s crusade. After the DOJ came knocking at Colorado’s door (and Colorado politely told the agency to kick rocks), the state released the Memorandum of Understanding (MOU) that the DOJ sent with its demand for voter data. Given this Administration’s catastrophic track record of protecting sensitive information, EPIC took a look. After comparing the data security safeguards laid out in the MOU to the data security controls required under federal law, we found that the DOJ is woefully unprepared to receive or protect voter registration list (VRL) data.

DOJ’s strong-arm tactics to obtain VRLs 

The amended SAVE Act mirrors a concerted legal effort by the Trump administration over the last year to build a nationwide voter registration list. To make that list, the DOJ has demanded access to unrestricted voter registration lists from 48 states and the District of Columbia. Most have refused the administration’s demands. Of those that refused, the DOJ has sued over two dozen jurisdictions, demanding they produce unredacted voter registration lists (VRLs) that include intensely private personal information such as driver’s license numbers and Social Security numbers. The DOJ has sought these VRLs despite legal objections raised by state officials seeking to protect voters’ sensitive personal information. Offers by states to share publicly available and/or redacted versions of the VRLs have been soundly rejected by the DOJ. The Trump administration wants all the data that it can get. And there is a tremendous amount of data at stake. 

To highlight one example, the DOJ’s request to California sought “a litany of sensitive, personally identifying information such as social security numbers linked to voters’ names, voters’ addresses, voters’ phone numbers, methods of voter registration, voter participation history, political party registration, driver’s license numbers, language preference for ballots, ID numbers if no driver’s license, emails, and current voter registration status … neatly packaged in one tranche of data, organized by the name of the voter.” [1] The DOJ’s suit against California has been dismissed, but the DOJ has appealed that ruling. Similar suits against Michigan and Oregon have also been dismissed and subsequently appealed.

State officials are right to be concerned. The DOJ’s assurances of protecting voter data ring hollow. When asked what would prevent voters’ data from being shared, the DOJ cited to Section 304 of the Civil Rights Act. The section prohibits disclosure of records obtained by DOJ unless otherwise ordered by a court in the United States. But the prohibition has exceptions for disclosure to “Congress and any committee thereof, government agencies, and in the presentation of any case or proceeding before any court or grand jury.” [2]

In fall 2025, the other shoe dropped: the Trump administration confirmed it was sharing these voter lists with DHS. Former DOJ attorneys further confirmed that DOJ intends for DOGE to go through the voter registration data and compare it to what DHS and the Social Security Administration have. Other Federal employees have been clear that the Trump administration wants “a central, federal database of voter information.” Such a move by the Executive branch is blatantly unconstitutional. Article I, Section 4 of the Constitution [3] explicitly gives the power to regulate federal elections to both States and Congress, not the Executive branch.

But the Trump administration is adamant it wants to create such a database. To what end? That question was partly answered when Colorado publicly released a Memorandum of Understanding that the DOJ sought to have Colorado sign. Colorado refused. The MOU itself attempted (poorly, as we detail below) to allay some privacy and security concerns regarding the sharing of unredacted VRLs. [4] But part of the MOU explicitly required Colorado to “remov[e] ineligible voters” when given notice by the DOJ of “any issues, insufficiencies, inadequacies, deficiencies, anomalies, or concerns…” The Trump administration wants to remove voters that it finds inconvenient. But it does not have that power. Under the Help America Vote Act of 2002, the federal government cannot remove anyone from a VRL; only States have that authority. [5]

The DOJ’s purported rationale for collecting VRLs is a guise for the unlawful creation of a federal voter database. But even if such a system were authorized by law, the DOJ’s implementation is a data security disaster waiting to happen. We at EPIC evaluated the adequacy of the security protections in place in the Colorado MOU by applying baseline controls and security requirements set out by FISMA for federal information systems. The security protections are anything but adequate.  

The data security standards DOJ must follow 

Even though DOJ has no legitimate claim to VRLs, several states have handed them over. Now, DOJ has to abide by the data security framework set by federal law. The key statute governing federal data security is the Federal Information Security Modernization Act (FISMA).  

FISMA requires DOJ to provide information security protections for both the information it collects and the databases that information is housed in. [6] The protections that are required vary based on the security categorization of the collected information: low, moderate, or high. Following the process set up by the National Institute of Standards and Technology (NIST), an agency designates a security categorization by assessing the risk level of the collected information and the magnitude of harm that could be inflicted if that information were compromised. [7] Based on the security categorization, the agency must implement a set of baseline security requirements (also dictated by NIST). [8] In addition to establishing the minimum requirements an agency must follow, NIST also suggests additional security protections that agencies should consider implementing.

What security categorization applies to the voter data that DOJ is gunning for? At a minimum, DOJ has to implement a moderate level of security controls because the voter rolls contain sensitive personal information like Social Security numbers and driver’s license numbers. But in our full analysis, EPIC determined that a moderate level is not enough under the law. Voter rolls include sensitive and identifying information for hundreds of millions of people, the maintenance of which poses a high risk of misuse and carries a high burden of confidentiality.

Nearly 200 million people were registered to vote as of 2024. DOJ seeks sensitive information on each and every one of them. At a minimum, DOJ seeks a voter’s full name, date of birth, residential address, and state driver’s license number or partial Social Security Number. But DOJ has its sights set on more. In California, for example, DOJ sought (and failed) to get its hands on voters’ participation histories and political party registrations. All of this information was collected to facilitate our fundamental right to vote—a right so foundational that the Supreme Court calls it a right “preservative of all rights.” And as we discussed, the likelihood that such information is abused to suppress voting rights and intimidate lawful voters is scarily high.  

In light of all of this, DOJ must apply the high security categorization to voter registration information. This would include implementing controls for determining who may access VRL data and under what conditions; how information systems containing VRL data will be protected and how access to those systems will be audited; and what procedures are in place should those systems be breached.  

To date, DOJ has received VRLs from at least ten states containing the sensitive information of over 37 million registered voters. We have to ask: how is DOJ protecting them? 

DOJ Does Not Do Nearly Enough to Protect Voter Information  

In our full analysis, we compared the NIST and FISMA standards to the data safeguards described by DOJ in the MOU sent to Colorado. Our analysis concludes that DOJ’s security controls for VRLs are woefully inadequate.  

The MOU does not impose any particular controls for accessing or disclosing VRL data. It does not contain a plan for authenticating users, guaranteeing that access to VRL data is limited to those with an actual need, reviewing user privileges, or in any other way impose meaningful review and accountability. Nor does the MOU shed light on how DOJ will identify or address cybersecurity incidents. 

In fact, the MOU is indefensibly vague about core security controls that would be required to protect the tremendous amounts of sensitive PII that DOJ is demanding. Instead of the particularized security controls FISMA requires, the MOU is littered with ambiguous security promises and empty recitations. It promises that VRL data is protected “in accordance with applicable Department security regulations for systems of records,” and that systems storing VRL data “will comply with all security requirements applicable to Justice Department systems,” including those promulgated by NIST. In effect, these statements give states nothing to go off of to evaluate DOJ’s security. DOJ does not name what the “applicable” security requirements are (or would be) or how DOJ plans to comply with them.  

Further, the MOU puts pressure on states to move as quickly as possible—a principle that is incompatible with data security and that casts serious doubt on DOJ’s ability and willingness to protect the VRL data it vacuums up. Section IV of the MOU, for example, asks that states sign it within a week and states that no part of the MOU (including its security controls) should delay transferring VRL data. States have the legal obligation to make sure that DOJ has appropriate security controls in place before disclosing voter rolls. If they like, states may require better controls than what is proposed. The MOU leaves no room for negotiation.  

This is the full picture: DOJ’s data security plan appears virtually nonexistent. The MOU consists of vague gestures and empty assurances. When these are compared against the MOU’s otherwise “move fast” mentality and the Trump Administration’s abysmal track record of upholding its cybersecurity obligations, DOJ’s promises are inherently untrustworthy.  

  1. Order Granting Defendant’s Motion to Dismiss and Intervenor’s Motion to Dismiss at 5, United States v. Shirley Weber, No. 2:25-cv-09149 (C.D. Cal. Jan. 16, 2026), ECF No. 128.
  2. 5 U.S.C. § 20704.
  3. “The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such Regulations, except as to the Places of chusing Senators.” U.S. CONST. art. 1, § 4, cl. 1.
  4. “On December 1, 2025, attorney Eric Neff followed up by email to Secretary Griswold requesting Colorado’s Statewide Voter Registration list (“SVRL”) (the December 1 Email). The December 1 Email also stated that:
    The United States is prepared at this early stage to enter into an MOU with the State of Colorado regarding the sharing of the nonpublic, unredacted voter registration list. I have attached that MOU, which we believe cures all potential concerns a state might rightfully raise regarding its citizens’ private data and identifying information.”
    Compl. at ¶ 24, United States v. Griswold, No. 1:25-cv-03967 (D. Col. Dec. 11, 2025), ECF No. 1 (emphasis added).
  5. 52 U.S.C. § 21083(a)(2).
  6. 5 U.S.C. §§ 3554(a)(1)(A)(i)-(ii).
  7. 5 U.S.C. § 3554(a)(1)(A).
  8. 5 U.S.C. § 3554(a)(1)(B)(i); 40 U.S.C. § 11331(b)(2)(A)(i).
