Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Feb 05, 2026 · 5 min read

DOGE Built a Mass Email System for Federal Workers—Without a Privacy Assessment

Elon Musk's Department of Government Efficiency helped OPM set up a new email server to blast messages to the entire federal workforce. They skipped the privacy impact assessment the law requires, then quietly filed one after getting sued.

A government office hallway with rows of computer monitors displaying email inboxes, with subtle digital surveillance symbols floating above in indigo tones

The Email That Started a Lawsuit

In early 2026, millions of federal employees received an unusual email from the Office of Personnel Management. Subject line: "Fork in the Road." The message, part of the Trump administration's reduction in force effort, offered a resignation deal to government workers across every agency.

But the email itself was not the problem. The system that sent it was. According to a class action lawsuit filed by federal employees, OPM stood up a new Government Wide Email System without first completing a privacy impact assessment, a requirement under the 2002 E-Government Act for any federal information system that collects, maintains, or disseminates personal information.

The lawsuit alleges that Elon Musk's Department of Government Efficiency (DOGE) team helped build and operate the system, gaining access to federal employee data while career civil servants were allegedly locked out of OPM's own computer systems.

What the System Collects

OPM's own privacy impact assessment, filed after the lawsuit, states that the Government Wide Email System maintains employee names, government email addresses, and voluntary responses to mass emails. The system operates on government computers within Microsoft mailboxes.

But the lawsuit raises broader concerns. DOGE personnel reportedly gained access to OPM systems containing far more sensitive data, including Social Security numbers, performance evaluations, and personnel records for millions of federal workers. The extent to which this data was accessible through or connected to the email system remains a central question in the litigation.

The OPM Inspector General has opened a separate investigation to assess risks associated with new and modified information systems at the agency, including the email server.

The Privacy Assessment That Appeared After the Lawsuit

The E-Government Act requires agencies to complete a privacy impact assessment before deploying systems that handle personal information. OPM initially argued no assessment was needed because the email system only handled internal communications, not public facing data.

Then, on the same day OPM filed its motion to dismiss the lawsuit, it submitted a newly drafted privacy impact assessment to the court. The timing raised immediate questions about whether the document was a genuine compliance effort or a litigation strategy.

OPM later quietly replaced that privacy assessment with a revised version that removed key language cited by plaintiffs in their court filings. The original assessment acknowledged certain data handling practices. The replacement softened or eliminated those acknowledgments.

Why Email System Privacy Matters

A mass email system that reaches every federal employee is not just a communication tool. It is an infrastructure that knows who works for the government, which agencies they belong to, and how they respond to official messages. When employees reply to a "Fork in the Road" resignation offer, that response data becomes part of the system.

Privacy impact assessments exist precisely because systems like this can be misused. They force agencies to document what data they collect, who has access, how long it is retained, and what safeguards exist. Skipping the assessment does not eliminate the risks. It just eliminates the documentation.

A federal judge has already ruled in a related case that Treasury, Education, and OPM cannot share personal information with DOGE, reinforcing that privacy protections apply even when the White House directs the data sharing.

The Broader Pattern

The OPM email server lawsuit is part of a broader trend of email systems being deployed without adequate privacy safeguards. Whether it is a government agency bypassing impact assessments or a healthcare provider embedding tracking pixels without auditing where patient data ends up, the pattern is the same: email infrastructure moves faster than privacy compliance.

Every email system, whether government or commercial, has the potential to collect behavioral data about recipients. When you open an email, read receipts and tracking pixels can report that activity back to the sender. Mass email systems can aggregate those signals across millions of recipients to build behavioral profiles.

Privacy assessments, consent requirements, and tracking pixel blockers all serve the same purpose: ensuring that email systems are used to communicate, not to surveil.