JANUARY 29, 2025
President Donald Trump addresses the 2025 Republican Issues Conference at the Trump National Doral Miami on January 27, 2025 in Doral, Florida. Joe Raedle/Getty Images
A new lawsuit alleges President Donald Trump’s administration is collecting information on federal employees in violation of the law.
The class-action suit, filed on behalf of two anonymous federal employees in the U.S. District Court for the District of Columbia on Monday, alleges the Office of Personnel Management (OPM) set up an on-premise server to send out test emails to federal employees and store the information received without conducting a privacy assessment on the system.
It cites an anonymous Reddit post written by someone purporting to be an OPM employee that said the information is being directed to Amanda Scales, who recently became chief of staff at OPM. Scales worked at Elon Musk’s artificial intelligence company xAI until recently.
Newsweek has contacted OPM, the White House and a lawyer for the plaintiffs for comment via emails sent outside regular business hours.
Why It Matters
The lawsuit says the actions violate the E-Government Act of 2002, which requires federal government agencies to conduct Privacy Impact Assessments before creating databases that store personally identifiable information.
Scales’ job at OPM, managing the federal workforce, comes after Musk, her former employer, was tapped by Trump to lead the Department on Government Efficiency (DOGE), a nongovernmental task force aimed at reducing federal spending and making the federal government more efficient.
On his first day in office Trump officially integrated DOGE into the federal government, though it remains unclear whether Musk will formally join the government. On January 20 Trump also issued a memo directing OPM and DOGE to submit “a plan to reduce the size of the Federal Government’s workforce through efficiency improvements and attrition.”
What To Know
The lawsuit claims an email was sent from HR@opm.gov on January 24 saying it was a test of “a new distribution and response list,” asking recipients to reply “yes.”
The day before, OPM said in a statement that it was “testing a new capability allowing it to send important communications to ALL civilian federal employees from a single email address.” Some leaders of agencies had told their employees that the emails that address could be trusted, the lawsuit said.
On January 26, the plaintiffs received another email from HR@opm.gov that said it was the second test of the distribution and response list to “confirm that an email can be sent and replied to by all government employees” and recipients were told to reply “yes,” even if they hadn’t replied to the first email.
The lawsuit goes on to cite an anonymous Reddit post from someone who claimed to be a current employee at OPM.
The post alleged that a new on-site server was installed at their office recently and that was where the test emails were coming from.
It alleges that Melvin Brown II, who was replaced as OPM’s chief information officer last week, “was pushed aside just one week into his tenure because he refused to set up email lists to send out direct communications to all career civil servants. Such communications are normally left up to each agency.
“Instead, an on-prem (on-site) email server was set up. Someone literally walked into our building and plugged in an email server into our network to make it appear that the emails were coming from OPM. It’s been the one sending those various ‘test’ messages you’ve all seen.”
The post added: “We think they’re building a massive email list of all federal employees to generate mass [reduction in force] notices down the road.”
The post also alleges that employees have been instructed to share lists of those responding to the test emails with Scales. “But Amanda is not actually an OPM employee, she works for Elon Musk,” the post said.
The lawsuit alleges that the server and systems linked to it “are retaining information about every employee of the U.S. Executive Branch” and that it is “not sending these or other emails securely due to the rapid deployment.”
It adds: “Secure communications take time and coordination to plan and implement. Standard email is not encrypted, and it is common practice among hackers—including hackers affiliated with hostile foreign services—to begin attempting to access a new U.S. Government device as soon as they learn of its deployment.”
The lawsuit alleges that OPM has not conducted a Privacy Impact Assessment “for this unknown email server or any system which collects or maintains Personally Identifiable Information (‘PII’) obtained from its use.” It also says that OPM has not ensured a review of a PIA by a chief information officer or equivalent official and that it has also not published an assessment or made it available for public review.
“OPM’s failure to take these steps constitutes agency action unlawfully withheld or unreasonably delayed in violation of 5 U.S.C. § 706(1),” the lawsuit says.
“Plaintiffs are being materially harmed by this inaction because they are being denied information about how these systems—which will be rich in PII about every employee of the U.S. Executive Branch—are being designed and used.”
What People Are Saying
Kel McClanahan, the executive director of National Security Counselors who filed the lawsuit, said in a statement to CNN: “Plugging in a new email server for the sole purpose of sending messages directly to every federal employee is an invitation to be hacked, and every employee out there needs to know how much of their data is at risk.”
McClanahan said the system should be shut down “until OPM treats this data with the security it warrants.”
Trump’s executive order establishing the Department of Government Efficiency last week said agency heads “shall take all necessary steps, in coordination with the [US Doge Service] Administrator and to the maximum extent consistent with law, to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems.”
What’s Next
The lawsuit asks the court to issue an injunction to stop OPM from using the email server and linked systems until privacy assessments are conducted.
Courtesy/Source: Newsweek