Is OPM More Interested in Surveillance than Privacy? Our Lawsuit Is Trying to Answer That 

For Sunshine Week, we’re celebrating open government practices that promote transparency and accountability—key features in a democracy. Earlier this week, we posted about how important open government laws like the Freedom of Information Act (FOIA) are to maintaining an open government. FOIA operates as a bridge between insight and accountability. We need that now more than ever. For 30 years, FOIA has been one of EPIC’s most valuable tools for holding government accountable to the people. In this post, we will look at EPIC’s latest FOIA lawsuit against the Office of Personnel Management (OPM) to understand why EPIC filed this case and how the information we seek will lead to meaningful accountability.  

The Office of Personnel Management is the federal government’s human resources agency and personnel manager. OPM is responsible for evaluating, adopting, and administering workforce policies, programs, and benefits. All told, the agency holds information on millions of people. Historically, this apolitical agency operated in the background. That is, until now. The once-obscure agency has been thrust into the spotlight as Elon Musk, the “Department of Government Efficiency” (DOGE), and the Executive Branch have forced their way into the agency and its information systems. Chilling reports have come out that suggest that the government’s new priority is surveillance at any cost, including the privacy and security of millions of people. To investigate, EPIC submitted two FOIA requests to OPM. The agency ignored our requests, so we sued.  

FOIA Request 1: Exposing OPM’s Attempts to Amass Information on Workers 

We filed our first request after an anonymous OPM employee revealed that OPM’s Chief Information Officer (CIO), career civil servant Melvin Brown, had been unceremoniously removed from his role after just one week. Brown’s replacement was “yes-man” Charles Ezell, formerly a low-level branch chief. According to this employee, Ezell’s office immediately began sending out memos to other federal agencies seeking information on agency employees. Agencies were instructed to send employee information to someone who did not have the proper security clearances to handle personal information. In response, EPIC sought the email records of Acting Director Ezell and former CIO Brown.  

Federal employees speculate that the Administration and Acting Director Ezell sent his memoranda to federal agencies and installed a Government-Wide Email Server (GWES) to weed out employees identified as posing “a threat to their agenda.” If true, this level of employee surveillance is a direct attack on the checks and balances that maintain our democracy. The federal workforce is overwhelmingly made up of career civil servants who are not affiliated with any political party. They process social security payments, coordinate medical appointments for veterans, maintain safe water sources, deliver the mail to keep us connected, and much, much more. These workers take an oath to serve the American public and uphold the Constitution. For this reason, the federal workforce is a critical check on the power of the Executive Branch. EPIC requested the email records of Director Ezell and former CIO Brown to investigate the content and extent of the Administration’s attack on the federal workforce and, by extension, the people they serve. 

FOIA Request 2: Investigating how OPM Protects Information and from Whom 

Shortly after, EPIC submitted a second FOIA request to OPM. This time, we sought records from the Office of the Chief Information Officer. This office receives requests for access to databases maintained by OPM. Numerous reports surfaced that access to OPM information was given to individuals who had not received proper security clearance or followed the appropriate security procedures. EPIC requested records of all requests received by that office seeking access to OPM databases and IT systems.  

This second request also sought information about OPM’s operation of the GWES. The GWES gained notoriety after Elon Musk and DOGE covertly installed the system and used it to simultaneously email all federal employees. Before a new email system can be installed, an agency must comply with the information security risk management practices laid out in the Federal Information Security Management Act. EPIC sought documentation that OPM complied with this process, including the required security assessment report for the GWES and the authorization to operate it. 

Being the federal government’s HR department, OPM information systems contain the information of American workers past, present, and future. As of November 2024, the federal workforce numbered about 3 million Americans. Millions of federal employee dependents and retirees rely on OPM programs for life-sustaining benefits. Countless more individuals have applied for federal positions. All of these people have personal information at risk.  

The OPM records may tell us something about how DOGE and the Administration might handle data security at other federal agencies. When it comes to the federal government’s privacy and data security practices, all of us have something at stake. We deserve assurance that agencies will act according to the law rather than whimsy. The database access request records and the security assessment report and authorization to operate the GWES will inform how EPIC, legislators, and individuals can act to best protect American’s information. 

Looking Ahead  

OPM has been largely unresponsive to EPIC’s FOIA requests. It has missed deadlines, ignored emails, disconnected phone calls, and fired its FOIA staff. But EPIC will not stop pursuing these records. If allegations about the government’s accumulation of federal workers’ information and disregard of basic, mandatory security practices prove true, it will also confirm that the government’s interest is surveillance at the expense of personal and national security. As the federal government attempts to hoard the sensitive information of countless people and suppress information to shield itself from accountability, EPIC and others are fighting to drag that information into the light.