⚧️📝 DOGE Social Security and Census Bureau transgender data privacy vulnerability
"Full access" to Numident national database containing trans first name changes

Resources

• Benjamin Cerf Harris (2015) study on Census.gov: Likely Transgender Individuals in U.S. Federal Administrative Records and the 2010 Census (Internet Archive of Census.gov on 2024-12-25)
• Summary of issue: files.genderideology.org/numident/1 - 2025-03-15_numident.pdf
• Rolling Stone: Why DOGE Having Your Social Security Data Is Dangerous (2025-03-21)

  • Two SSA insiders warn the potential for misuse of this data is virtually endless: The agency data could be used by hostile foreign governments to locate defectors and political dissidents inside the United States; officials in DOGE and the Trump administration itself could theoretically use the data to threaten elected officials and journalists, among other political foes, or create databases of transgender Americans and citizens who were born in other countries. [...]

    Some of those perceived enemies could include transgender Americans, according to Zinnia Jones, a transgender activist and researcher. Jones warned that the SSA data could be used to "identify nearly all likely transgender people in the US with 99 percent confidence." Jones cited a 2015 U.S. Census Bureau study that utilized the same SSA data accessed by DOGE to estimate the number of transgender Americans.

    "For all we know, they may already know about the possibility of doing this and it's part of why they insisted so forcefully on full access" to the data, Jones tells Rolling Stone. In her deposition, Flick noted that Bobba requested and was eventually given access to the SSA's full dataset, "including source code."

    A former federal employee speaking on the condition of anonymity out of fear of retribution agreed with Jones' assessment, telling Rolling Stone that the Trump administration could use the SSA data -- as well as agency hiring paperwork and passport applications -- to identify and purge transgender employees from the government.

    The Trump administration is already leading an aggressive crackdown on trans life in America. Musk has been outspoken on transgender issues for years following his daughter's transition, which he blames on the "woke mind virus." His thoughts on transgender people appear to have helped drive his shift to the hard right.

• Popular Information: How the Social Security Administration is dodging a federal court order (2025-03-26)

  • Popular Information obtained an internal memorandum from Acting SSA Commissioner Leland Dudek announcing Scott Coulter, a DOGE operative previously assigned to NASA and the SSA, as the SSA's new CIO. [...]

    

    As required by the TRO, the SSA submitted a status report on Monday, certifying that "SSA has taken all necessary steps to implement the Court’s Order" and "revoked all SSA DOGE Team members’ access to SSA systems of records." The status report did note that "SSA may continue work on" projects that "SSA DOGE Team members previously led or worked on" but "without the SSA DOGE Team members’ involvement." The status report also added the caveat that "Acting Commissioner, [then-CIO Michael] Russo, and other SSA employees may continue to access SSA records for other official SSA duties."

    The next day, the agency replaced Russo with Coulter, who was previously a member of the SSA DOGE Team. It is unlikely that the timing was accidental. By naming Coulter SSA's CIO, the administration appears to be attempting to transform Coulter from a member of the DOGE Team to a regular SSA employee.

    What does this mean? Despite the court order, someone who, until Tuesday, was identified as a member of the DOGE Team can continue to access sensitive personal information at SSA. And Coulter can use that sensitive information to continue the same projects that were previously led by DOGE. Those projects may even be done by the same people, who presumably could be hired onto SSA's staff by the agency's new CIO.

• Reuters: Judge stops Musk's team from 'unbridled access' to Social Security private data (2025-03-20)

  • One of the systems DOGE accessed is called Numident, or Numerical Identification, known inside the agency as the "crown jewels," three former and current SSA staffers told Reuters. Numident contains personal information of everyone who has applied for or been given a social security number.

• Memorandum opinion in AFSCME, AFL-CIO v. Social Security Administration, 1:25-cv-00596, (D. Maryland, Mar. 20, 2025), ECF No. 49 (PDF)

  • According to Flick, Acting Commissioner King requested additional details from Russo on “why this level of access was necessary for the work [of] Mr. Bobba . . . .” Id. ¶ 44. But, she did not receive an answer. Id. Instead, on February 16, 2025, Commissioner King “received an email from the White House noting that the President had named Mr. Dudek as the Acting Commissioner,” although Flick understood that Dudek was on administrative leave. ... Flick claims that, upon her departure, Dudek gave Bobba and “the DOGE team access to at least the EDW database, and possibly other databases.” Id. ¶ 47. [...]

    As Russo avers: “In the case of DOGE team data access, data access to the DOGE team was first approved by SSA’s Acting Commissioner [Dudek].” ECF 36-1 (“Russo Decl.”), ¶ 6. And, he concedes that on February 12, 2025 and February 20, 2025, access to personally identifiable information was granted with respect to SSA’s MBR, SSR, Numident, and Treasury Payment Files. Id. ¶ 7. Thus, the access concerned virtually all data and records systems maintained by SSA, despite a longstanding policy and practice at SSA of guarding the confidentiality and privacy of PII, except as needed. [...]

    As noted, defendants claim that the members of the DOGE Team are employees of the SSA and that the plaintiffs’ records were not disseminated outside SSA. But, based on the current record, it does not seem that this is true for all employees identified by defendants. Employees 1 and 9, for example, do not have finalized detail agreements, nor are their respective background investigations complete. Yet, both were granted access to PII in the SSA data systems. And, the background investigation for Employee 9 has not been completed. Yet, this employee also has the same access.

    During the hearing, the Court asked counsel for the government if the “detail agreement[s] were effectuated before the access was provided.” ECF 45 at 20. Counsel sidestepped the question, answering: “All of the detail arrangements are complete.” Counsel did not say they were complete before access was provided, however. Id. The Court rephrased, asking if the agreements were complete when “the disclosures were first made or access provided.” Id. Counsel for the government responded that he “believe[d]” that was the case but would need to follow up. Id. Thus, it is unclear whether all members of the DOGE Team were SSA employees at the time access was granted. [...]

    Plaintiffs’ members do not know if their information has been viewed or documented by any of these employees, nor how many times it has been viewed or will continue to be viewed in the coming hours, days, weeks, or months. But, plaintiffs know their sensitive, personally identifiable information is accessible to the DOGE Team on a daily basis, with no proper justification. [...]

    To facilitate the expedition, SSA provided members of the SSA DOGE Team with unbridled access to the personal and private data of millions of Americans, including but not limited to Social Security numbers, medical records, mental health records, hospitalization records, drivers’ license numbers, bank and credit card information, tax information, income history, work history, birth and marriage certificates, and home and work addresses. [...]

    In my view, plaintiffs are likely to succeed on their claim that such action is arbitrary and capricious, and in violation of the Privacy Act and the APA. Plaintiffs have also demonstrated that their members will suffer irreparable harm in the absence of a TRO, the equities tip in their favor, and the TRO serves the public interest.

"Likely Transgender Individuals" study produced by Census Bureau of U.S. Department of Commerce

Background

• Benjamin Cerf Harris, U.S. Census Bureau, U.S. Department of Commerce, 2015-05-04: Likely Transgender Individuals in U.S. Federal Administrative Records and the 2010 Census (archive)

  • This paper identifies likely transgender individuals in a large, confidential, national data source and then links those individuals to their 2010 Census records. Specifically, I analyze the Social Security Administration (SSA) Numerical Identification System (the "Numident"), which contains information on first and middle names, sex-coding, and date of birth for every holder of a Social Security Number (SSN). I identify all adult SSN holders who permanently change their first names--or their middle names, in cases of gender-neutral first names--from traditionally male to traditionally female names (or vice versa). Because the Numident includes information on sex-coding, I also identify those who permanently change their sex-coding in the same direction as their name change. From October 2002 through the summer of 2013, the SSA required evidence of genital sexual reassignment surgery (SRS) for a person to change the sex-coding on his or her records. Therefore, while looking at name changes alone corresponds to a person's presentation of gender in society, looking at coincident changes in names and sex-coding during certain periods in the SSA's history corresponds to a definition of transgenderism that depends on surgical intervention.

    Using these two main identification strategies, I explore the following research questions: First, how many adult SSN holders have changed the personal information on their accounts in ways that are consistent with a gender transition, and to what extent have the rates of transgender-consistent changes grown or decreased since the creation of the SSA in 1936? Second, among those who were alive on April 1 2010--the 2010 Census day--how many change their names only, and how many change both their names and their sex-coding? Of those who change both their name and their sex-coding, do they typically change their name first and their sex-coding later, or do they typically change both their name and their sex-coding simultaneously? Finally, by linking to the 2010 Census, I am able to answer questions about basic demographic characteristics and residential patterns.

    I find that since the SSA's inception in 1936, as many as 135,367 individuals changed their name or sex-coding in ways that are consistent with a gender transition. While transgender-consistent claims registered with the SSA are evident in the agency's earliest years, the frequency of such claims increased dramatically during the SSA's history. This growth primarily mirrored growth in all other types of claims, reflecting both a growing population as well as an increased use of the SSN as a universal identifier. Of those 135.4 thousand likely transgender individuals, 89,667 were alive during the 2010 Census. Most had changed their name from one gender to another, but 21,833 had also changed their sex-coding.

    [...]

    3.1 SSA administrative records

    The data used in this paper are administrative records from the SSA, provided to the Census Bureau under Titles 5, 13, and 42 of the U.S. Code. The SSA Numident is an administrative database containing the name, date of birth, and a sex-coding for every SSN holder. Furthermore, the Numident contains a record for every claim that changes the information associated with a given SSN. The Census Bureau acquires the Numident through a data sharing agreement with SSA, and uses the data to facilitate record linkage and statistical operations. In addition, the SSA sends quarterly updates to inform the Census of the creation of new SSNs as well as changes and corrections of information associated with existing SSNs. Thus, the Numident contains a record of every claim for the population of SSN holders as of the most recent update. This study evaluates all the Numident records from 1936 to the end of 2010. These administrative records, alone, are sufficient to answer the first three research questions about the historic trends in likely-gender transitions, the number of likely transgender SSN holders as of the 2010 Census, and the paths people take with regard to timing of name and sex-coding changes.

    [...]

    3.1.2 Determining the gender of a name

    Using the 347.8 million stable records, I construct name-sex crosswalk tables showing, for every name, the proportion whose sex-coding is "M" and the proportion that is "F". Since the gender of names changes over time, I generate these crosswalks by birth-decade (Barry III and Harper, 1993; Lieberson et al., 2000; Rossi, 1965).8 8Some records list the first name as a single letter (e.g., J DOE). Other names are so rare that they appear fewer than 5 times in a decade. These names are not included in the crosswalks. I then link the crosswalk, by name and birth decade, onto the 25.0 million records with non-stable first names, first by the original first name and then by the new first name. I can identify name changes that are consistent with gender transitions by comparing the likelihood that the original first name is male to the likelihood the new first name is male.

    [...]

    3.1.3 Determining which name changes are likely transgender

    I have no prior notion of what likelihood threshold is sufficient to confidently classify a name as likely male or likely female, so I present results for three progressively demanding sets of thresholds: 10 and 90 percent, 5 and 95 percent, and 1 and 99 percent. That is, for the first set, a name is categorized as likely male (female) if 90 percent or greater (10 percent or lower) of all stable records with that name had a sex-coding that was "M" ("F"). I call this the 90 percent confidence threshold. I similarly define the 95 percent confidence threshold and the 99 percent confidence threshold. Note that name combinations that meet the 99 percent threshold also meet the 90 and 95 percent thresholds, so these are not mutually exclusive categories.

    [...]

    This paper presents a novel method for identifying likely transgender individuals in federal administrative files and learning about some of their basic characteristics. When transgender individuals file a claim to legally change their first names, their sex-coding, or both with the SSA, a record of that transaction is created. By sorting through hundreds of millions of claim records from 1936 to 2010, I am able to identify individuals who changed their names from strongly feminine to strongly masculine names (or vice versa) and also changed their sex-coding in the same direction. I am able to identify 135,367 individuals who are likely to be transgender. Of these, 89,667 were alive during the 2010 Census. Probability record linkage techniques allow the persons in the SSA Numident to be linked to their responses to questions on race, Hispanic origin, age, sex, and residential location in the Census.

    This approach surely misses certain transgender individuals--those whose name changes are not as sharply gendered, those who change their names via common law (and not with the SSA), those who do not change their names at all, and those who do not have an SSN--so my data are open to some of the same critiques as in previous studies.

• Social Security Administration, 2025-01-31: Emergency Message EM-25014: Updated Instructions for Requests to Change Sex Field Data on the NUMIDENT (Internet Archive)

  • An individual's sex data is male (M) or female (F). In accordance with the recent Presidential Actions under Executive Order, Defending Women from Gender Ideology Extremism and Restoring Biological Truth to The Federal Government, sex field data changes on the NUMIDENT (e.g., M to F or F to M) must not be accepted or processed.

• Chris Geidner at Law Dork, 2025-02-01: Exclusive: Social Security "immediately" stopped making sex identification changes on Friday

  • In Friday's SSA emergency message, field offices are told, "Effective with the publication of this EM, explain to individuals requesting a change to the sex field on their NUMIDENT, that we cannot change or process their request."

• Wired, 2025-03-13: Inside Elon Musk's 'Digital Coup' (archive)

  • DOGE had installed a handpicked chief information officer at the SSA--the former CTO of a payments company headed by Jared Isaacman, a billionaire who once commanded two trips to space using SpaceX rockets and is Trump's current nominee to lead NASA. That new CIO, Michael Russo, had asked to bring on Akash Bobba, the former Palantir intern who had been working out of OPM, as an engineer.

    But there were "challenges" with Bobba's background check, Tiffany Flick, the acting chief of staff to the acting administrator, later stated in a sworn affidavit given in a suit against the SSA. Bobba wasn't brought on immediately. By February 10, seven days after he was requested to be onboarded, phone calls and emails started to come in--from Russo, Steve Davis, and others--making clear that Bobba was to be given access to SSA systems and data by the end of the day. As Russo and Davis "grew increasingly impatient" that evening, Flick recalled, Bobba was sworn in over the phone at 9 pm.

    Initially, Flick and officials from the CIO's office determined that Bobba would be given anonymized, read-only access to records in the Numerical Identification System, which contains information on everyone who has ever applied for a Social Security number. On February 15, Bobba reported that there were issues with the dataset he'd been provided. Russo demanded that Bobba be given full access to "everything, including source code," Flick recalled. This included the SSA's Enterprise Data Warehouse, which contains the "names of spouses and dependents, work history, financial and banking information, immigration or citizenship status, and marital status," according to Flick's affidavit.

    Later that day, the chief information officer for the whole federal government--a political appointee working out of the Office of Management and Budget--issued an opinion to Russo granting Bobba the access. Flick retired. In her affidavit, she expressed serious concerns about the potential for SSA records to be "inadvertently transferred to bad actors" and about "incredibly complex web of systems" being "broken by inadvertent user error."

• Wired, 2025-03-13: These Are the 10 DOGE Operatives Inside the Social Security Administration (archive)

  • According to the SSA court filing and accompanying sworn statements, seven of them have read-only access to several datasets including the Master Beneficiary Record, which contains detailed information about individuals and their benefits. Those same DOGE representatives also have read-only access to Numident, a database containing information about everyone who's ever applied for a Social Security number, as well as data referred to as "Treasury Payment Files Showing SSA Payments from SSOARS." (The Social Security Online Accounting and Reporting System is a set of systems containing "information on the SSA's financial position and operations," according to the SSA.)

    These records contain a great deal of personally identifying and financial information; in filings the government says DOGE accessing them is necessary to "detect fraud."

    While it's been unclear even to well-placed insiders what specifically DOGE is doing inside the Social Security Administration, Musk has repeatedly voiced his desire to "eliminate" large parts of the system in the US, recently claiming that the fact that there are more Social Security numbers than there are US citizens--a well-known quirk of the SSA system--"might be the biggest fraud in history."

    Sources have told WIRED that one of the tasks the DOGE cohort will be assigned is how people identify themselves to access their benefit payments. Experts with decades of experience at the agency are now worried that DOGE operatives working across multiple agencies increases the risk of SSA data being shared outside of the agency or that their inexperience will lead to them breaking systems entirely.

Updates

2025-03-20:

• Mother Jones: Tesla's in Trouble. Elon Blames... Trans People? (2025-03-20)
• Reuters: Judge stops Musk's team from 'unbridled access' to Social Security private data (2025-03-20)
• Washington Post: White House scrambles after JFK files expose Social Security numbers (2025-03-20)
• Bloomberg: Social Security Says DOGE Ruling Could Force Agency to Shut Down (2025-03-20)
• Temporary restraining order in AFSCME, AFL-CIO v. Social Security Administration, 1:25-cv-00596, (D. Maryland, Mar. 20, 2025), ECF No. 48 (PDF)
• Memorandum opinion in AFSCME, AFL-CIO v. Social Security Administration, 1:25-cv-00596, (D. Maryland, Mar. 20, 2025), ECF No. 49 (PDF)

Flick also provided details concerning Bobba’s access to SSA systems and data. Based on Flick’s conversations with experts in the CIO’s office, she “determined” that Mr. Bobba would have “anonymized and read-only Numident data using a standard ‘sandbox’ approach,” so that he would not have access to other data. Id. ¶ 26. She explained that this approach was consistent with the way that SSA handles “any request to review SSA’s records for potential fraud, waste, and abuse by oversight agencies . . . or auditors. . . .” Id.

[...]

Flick asserts that Bobba’s work off-site did not align with the typical requirements of SSA’s standard telework agreements, which “state that employees need to work in a private location and should be careful to protect systems and data from unauthorized access.” Id. ¶ 42. Moreover, Flick states that she understood Bobba was not viewing data to which he was given access “in a secure environment because he was living and working at the Office of Personnel Management around other DOGE, White House, and/or OPM employees.” Id. ¶ 43. She believes that non-SSA may have had access to the SSA data. Id. ¶ 28.

As noted, on February 15, 2025, Bobba experienced technical issues with the anonymized Numident file. Id. ¶ 28. Rather than waiting for SSA to resolve the technical issues, Russo obtained “an opinion” from the federal Chief Information Officer, a Presidential appointee housed within the Office of Management and Budget, stating that “he could give Mr. Bobba access to all SSA data.” Id. ¶ 39. And, Russo and “other DOGE officials demanded that Mr. Bobba be given immediate, full access to SSA data in the Enterprise Data Warehouse (‘EDW’), which included Numident files, the Master Beneficiary Record (‘MBR’) files, and the Supplemental Security Record (‘SSR’) files.” Id. ¶ 30.

Moreover, Russo “repeatedly stated that Mr. Bobba needed access to ‘everything, including source code.’” Id. ¶ 36. When the Commissioner’s Office tried to determine why Bobba needed full access to the EDW, Russo was “evasive and never provided the kind of detail that SSA typically requires to justify this level of access.” Id. ¶ 38.

Flick was contacted by SSA staff, who indicated that Russo requested full access to the EDW for Bobba. Id. ¶ 40. She instructed the CIO’s office not to provide Bobba with such access until Russo spoke with Acting Commissioner King. Id. Flick explained: “[W]e needed to understand why this level of access was necessary to address the specific questions or issues they were looking at.” Id. Flick avers that SSA’s delay in providing Bobba with full access to SSA’s data systems “led to the escalation of tensions” over the weekend of February 15 and 16, 2025. Id. ¶ 42.

According to Flick, Acting Commissioner King requested additional details from Russo on “why this level of access was necessary for the work [of] Mr. Bobba . . . .” Id. ¶ 44. But, she did not receive an answer. Id. Instead, on February 16, 2025, Commissioner King “received an email from the White House noting that the President had named Mr. Dudek as the Acting Commissioner,” although Flick understood that Dudek was on administrative leave. Id. ¶ 45.

Shortly after Acting Commissioner King informed Flick that Dudek had been elevated to Acting Commissioner, Flick retired. Id. ¶ 46. Flick claims that, upon her departure, Dudek gave Bobba and “the DOGE team access to at least the EDW database, and possibly other databases.” Id. ¶ 47.

According to Flick, EDW contains “extensive information about anyone with a social security number, including names, names of spouses and dependents, work history, financial and banking information, immigration or citizenship status and marital status.” Id. ¶ 31. The Numident file “contains information necessary for assigning and maintaining social security numbers.” Id. ¶ 32. The MBR and SSR records “contain detailed information about anyone who applies for, or receives, Title II or Title XVI benefits.” Id. ¶ 33.1

Full access, according to Flick, means different levels of permission, depending on the data system. Full access to the EDW, for example, would provide “read” access to most of SSA’s data, which would permit a user to copy and paste, export, screenshot, or otherwise compile data for analysis, but does not permit a user to change data. Id. ¶ 34. Full access to other SSA systems may also include “write” access, which would permit a user to change the data in the system. Id. ¶ 35.

Notably, Flick avers that SSA “would not provide full access [to] all data systems even to [SSA’s] most skilled and highly trained experts.”

2025-03-21:

• Rolling Stone: Trump Admin Threatens to Stop Social Security If DOGE Can’t Have Data (2025-03-21)
• Rolling Stone: Why DOGE Having Your Social Security Data Is Dangerous (2025-03-21)
• Justin Glawe at American Doom: DOGE Social Security data access puts millions at risk (2025-03-21)