DHS Filed Zero Privacy Reviews in 2026

Introduction

The law is short and old. Before a federal agency builds or buys any system that collects data on you, it has to file a Privacy Impact Assessment, a public document that says what's being collected, who can see it, and whether anyone flagged a risk. DHS filed 24 of them in 2024. In 2025, eight. In 2026, zero, the same year DHS signed a $1 billion contract putting Palantir software inside CBP, ICE, FEMA, and CISA.

The surveillance gear isn't the interesting part. What happened to the people whose job was to check it is.

How You Take the Brakes Off

Over roughly fifteen months, every mechanism that was supposed to review DHS surveillance got removed, defunded, or threatened, and the timing lines up with the buildout almost exactly.

Start with the privacy reviews themselves. Roman Jankowski became DHS Chief Privacy Officer on January 20, 2025, inauguration day, and one of his first acts was to delegate the office's review authority downward. By December, the Privacy Office issued what an internal email called a "major change": all future Privacy Threshold Analyses, the screening documents that decide whether a full assessment is even needed, would carry a disclaimer marking them "pre-decisional, deliberative, and For Official Use Only." Translation: not subject to FOIA. A few weeks later, deputy FOIA chief Catrina Pavlik-Keenan put it more bluntly in a February 20 email obtained by WIRED: "PTAs are NOT supposed to be released at all."

That order had a trigger. A CBP FOIA officer had legally released a Privacy Threshold Analysis for Mobile Fortify, a facial recognition app, and the document showed the app captures faces and fingerprints without consent and stores the images for up to 15 years, including for U.S. citizens and lawful permanent residents who were never arrested. Instead of reexamining the app, DHS reclassified the paperwork so the next disclosure couldn't happen and moved out the officers who'd objected. WIRED reported that CBP's top privacy officer, one of its two privacy branch chiefs, and its FOIA director were all reassigned. A former FEMA attorney, Ginger Quintero-McCall, told WIRED the new policy "is illegal," because nothing in the FOIA statute lets an agency categorically withhold a whole category of privacy documents.

So that's the front door closed: no PIAs filed, the screening documents marked secret, and the career staff who pushed back moved out. Now look at the watchdog.

What Happened to the Watchdog

DHS Inspector General Joseph Cuffari is a Trump appointee who's held the job for almost six years, which matters for what comes next, because none of this reads as a partisan grudge. On February 4, 2026, a week after Senators Warner and Kaine asked him to, Cuffari opened an audit titled "DHS' Security of Biometric Data and Personally Identifiable Information." He confirmed it in writing and offered to brief the senators on his findings.

Ten days later, DHS entered a partial shutdown, and Cuffari's office had to suspend roughly 85% of its audits. When the dust settled, his access didn't come back the way it left. In a March 2 letter to Congress, Cuffari documented obstruction across at least 10 investigations. ICE had revoked his office's access to the Enforcement Integrated Database, a system his auditors had used for 10 years. DHS pulled his access to the database tracking who holds classified-information clearances. TSA refused him the Secure Flight system. Secretary Kristi Noem asked the IG to hand over a list of all pending matters, including criminal investigations, "so that she may consider whether any audits, inspections, or investigations should be terminated."

When Cuffari moved to tell Congress about all this, DHS General Counsel James Percival warned him that doing so would amount to "bad faith and bordering on a material misrepresentation." The Inspector General Act exists precisely to protect IGs who report obstruction to Congress. Percival's letter dressed a threat in legal language and called it a compliance concern. Republican Senator Thom Tillis flagged the letter on the Senate floor; Democratic Senator Gary Peters opened an investigation. The biometric audit is still listed as active, with no public report.

The Offices That Got Zeroed Out

The IG isn't the only check. DHS runs internal civil-rights and ombudsman offices whose job is to catch exactly the kind of harm an unreviewed surveillance system produces, and the FY2026 spending bill cuts them to the bone. The Office of Immigration Detention Ombudsman, with a $28.6 million budget and roughly 100 staff, gets zeroed out entirely. The Office for Civil Rights and Civil Liberties drops from $42.9 million to $10 million, its staff from more than 150 to around 20. The CIS Ombudsman's budget gets cut in half. At one point a single career official was holding three of these jobs at once. DHS justified the cuts by calling these offices "impediments to immigration enforcement efforts," which is an unusually honest description of what oversight does. A former CRCL employee said in a court filing the office "no longer has the capacity to conduct meaningful investigations."

Who Benefits

Two beneficiaries, and they're connected.

The first is DHS leadership, and what they get is cover. A Privacy Impact Assessment is a paper trail. File one, and there's a public record of what data a system collects, how long it's kept, who can access it, and whether a privacy officer concluded it poses a real risk. File none, and that record never exists. No assessment means no document to FOIA and no internal finding for a court or a congressional subpoena to reach. The whole apparatus the Goldman letter and the IG audit were trying to examine simply produces no reviewable paper. Remove the privacy officers, defund the civil-rights offices, and threaten the IG, and you've taken out the people who would have generated or demanded that paper from the inside.

The second beneficiary is Palantir, and what it gets is money plus structural lock-in. The $1 billion deal isn't a normal contract. It's a single-award Blanket Purchase Agreement, a ceiling that lets CBP, ICE, FEMA, TSA, the Secret Service, and CISA buy Palantir's Gotham and Foundry software through individual task orders that, as WIRED put it, "essentially skip the competitive bidding process." A Limited Sources Justification filed on SAM.gov in May confirms it was structured as a limited-competition vehicle on the theory that Palantir's capabilities are proprietary. Government contracts are roughly 55% of Palantir's revenue, and the company pulled in about $1 billion from government in fiscal 2025, nearly double the year before. Here's where the two beneficiaries meet: because the BPA is a framework contract rather than a specific system, no single PIA is triggered when it's signed. Each task-order deployment could require one. With zero filed in 2026, none have. Palantir's software goes live across the department, and there's no public document anywhere describing what any of it does with your data.

A Vacuum, Not a Backlog

The easy read is that this is bureaucratic decay: a shutdown, a staffing crunch, and a pile of paperwork falling behind. DHS would prefer that read. A spokesperson told WIRED that any claim the department made privacy assessments FOIA-exempt is "FALSE," which is hard to square with the internal email saying those assessments are "NOT supposed to be released at all" and with the officers removed for objecting.

What separates a backlog from a design is whether the failures point in the same direction, and these do. PIAs stop, and the screening documents get marked secret. The officers who object get reassigned. The IG gets locked out of ten investigations and told that reporting it is bad faith, and the civil-rights offices get defunded as "impediments." Every one of those moves reduces the amount of reviewable information about what DHS is collecting, and every one happened while DHS was spending more on surveillance than it ever had. A backlog slows the paperwork down; this took out the people who write it and the office that reads it.

The legal gap underneath all this is real and predates the current crew. The E-Government Act's PIA requirement carries no civil penalty for non-compliance. It's an accountability obligation, not an enforced one. Congress has left surveillance law largely untouched for 40 years; the Electronic Communications Privacy Act dates to 1986, before smartphones existed. The current DHS didn't invent the vacuum. It found a law with no teeth, a watchdog it could lock out, and oversight offices Congress was willing to defund, and it used all three.

The Bottom Line

Thirty members of Congress, led by Representative Dan Goldman and Senator Ron Wyden, sent DHS a seven-page letter on April 14 with eleven specific questions: whether the systems retain data on U.S. citizens, what legal authority governs the collection, whether any internal assessment exists at all. DHS never answered. The Goldman letter asked for documents that, per everything above, were never written in the first place.

If an agency can stop filing Privacy Impact Assessments, remove the staff who'd insist on it, block the Inspector General, and defund the civil-rights offices, and the only consequence is one congressional letter that gets ignored, then the requirement was only as durable as the people willing to enforce it. DHS spent 2026 finding out exactly how few of those people it needed to keep.