by Anna Maria Barry-Jester and Brett Murphy

ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they’re published.

It was the week President Donald Trump had signed a sweeping executive order shutting off the funding for foreign aid programs. Inside the U.S. Agency for International Development, his political appointees gathered shell-shocked senior staffers for private meetings to discuss the storied agency’s new reality.

Those staffers immediately raised objections. USAID’s programs were funded by Congress, and there were rules to follow before halting the payments, they said. Instead of reassuring them, the agency’s then-chief of staff, Matt Hopson, told staff that the White House did not plan on restarting most of the aid projects, according to two officials familiar with his comments.

Then Hopson added a stark coda: Trump could not have a higher tolerance for legal risk, the officials recalled. They understood the message to mean that the administration was willing to bend or even break laws to get what it wanted, and then take the fight to court. (Hopson, who resigned shortly after, did not respond to numerous phone calls and written messages requesting comment, and he turned away a reporter who came to his door.)

No president in history has unilaterally shuttered an agency formally enshrined in law — let alone deputized his wealthiest donor, Elon Musk, to carry out that task in his name with little oversight or accountability.

While USAID was first created by President John F. Kennedy in a 1961 executive order, Congress passed a law in 1998 to make it an “independent establishment” like others in the cabinet. Multiple administrations, Democratic and Republican alike, built USAID into an institution that has helped save millions of lives around the world, promoted U.S. interests in remote corners of the globe and employed thousands of Americans.

Now Trump and Musk have nearly destroyed it in three weeks. “It’s very hard not to see what’s going on as a constitutional crisis,” said Peter Shane, a law professor and one of the country’s leading scholars on the Constitution. “It’s very scary and tragic.”

Several experts consulted by ProPublica said the new administration may have broken the law almost immediately.

Around Jan. 31, Jason Gray, the acting administrator of USAID, passed along orders to the agency’s IT department to hand the entire digital network to Musk’s engineers, Luke Farritor and Gavin Kliger, among others. (Farritor, Kliger and Gray did not respond to requests for comment.)

Do you work in the federal government? Have information about humanitarian aid? Reach out via Signal to reporters Brett Murphy at 508-523-5195 and Anna Maria Barry-Jester at 408-504-8131.

From there, the engineers from Musk’s Department of Government Efficiency quickly gained access to USAID’s financial system. On top of that, they became “super administrators” and had access to thousands of employees’ personal information, including their desktop files and emails, two USAID officials told ProPublica. The material also included information gathered during security clearance background checks, ranging from Social Security numbers and credit histories to home addresses.

“They had complete access to everything you could think of,” one official said. “The keys to the kingdom.”

By providing that access, USAID may have violated the Privacy Act of 1974, three experts on the law told ProPublica, regardless if the engineers were government employees at the time. The law requires consent from individuals before the government gives their private information to anyone.

“It is a catastrophic privacy and information security violation for a band of some government and some nongovernment personnel to barge into an agency and take over systems that contain personal information,” said John Davisson, director of litigation at Electronic Privacy Information Center and one of the country’s foremost authorities on the Privacy Act. Breaking the law can carry civil penalties and a minimum $1,000 fine for each violation if the victim can prove they were harmed, or much more if there were damages like loss of income.

With a series of executive orders, Trump established DOGE as a technology unit to improve IT and human resources functions at government agencies. He ordered his cabinet to give “full and prompt access to all unclassified agency records, software systems, and IT systems.” There are exemptions to the Privacy Act if those accessing the personal files have proper authorization, which includes special training and other rules for each set of records, and if they are conducting routine USAID business. But the three experts ProPublica consulted said that doesn’t appear to be the case here.

Davisson and others said that the law, which Congress passed with overwhelming support from both parties in the wake of Watergate, is meant to prevent presidents and others in high office from abusing their access to records for political ends. “The Privacy Act stands at the fountainhead of all this,” he........

© ProPublica