The 26-State Pattern: DOJ’s "Confidential" MOU and the Expansion of Eligibility Checks
How a “confidential” MOU makes SAVE a de facto national eligibility gate.
Part IV of the Warrantless Surveillance Series. Read Part III here. Part V is dropping here.
If you care about voting rights, privacy, or due process—share this with one local election official.
TL;DR
Full reference list and primary documents are in the paid subscriber Evidence Vault.
DOJ is asking states for full, unredacted statewide voter rolls—including driver’s license numbers and SSN4s—under a “confidential” MOU.
The agreement imposes a 45 day compliance clock: if DOJ flags “anomalies,” states are pressured to “clean the rolls” fast.
This isn’t just “election integrity.” It’s building a national verification pipeline—a system that can link identity + eligibility at scale.
False flags are predictable when databases lag (naturalization updates, NUMIDENT timing, name mismatches): deadlines turn errors into purges.
Iowa wasn’t an outlier—it reads like a pilot run for a scalable national permission layer.
If you are naturalized, have changed your name, or have ever had a mismatch in SSA records, verify your voter registration status now—and document any “unable to verify” notices.
Table of Contents
The Offer: A “Confidential” Deal With a Deadline
The Network: The States in the Verification Grid
The Contract Engine: What the MOU Actually Demands
The Scale: From Lookup Tool to Infrastructure. Update (Feb. 20, 2026): An interactive exhibit mapping the contract and funding architecture has been added below.
The Skeleton Key: Bulk Upload + SSN4
The Data Trap: NUMIDENT Lag and Manufactured “Anomalies”
The Switchboard: The Machine Behind the Screen
Permanence Without Consent: The Records Don’t Roll Back
What This Builds: A Permission Layer for Civic Life
On a damp February morning, Lorenzo Gutierrez Lugo steered his black Dodge pickup south toward Brownsville, Texas. A Mexican-American trucker hauling clothing and furniture for a small transport company, he expected a routine drive—until a local cruiser pulled him over for 50 in a 45.
The real reason wasn’t on the roadside. Records show federal systems had already flagged his route as “suspicious.” Agents searched his truck, found only cash payments from customers, and arrested him anyway—accusing him of money laundering. They found no contraband. Charges were later dropped. His employer spent $20,000 on legal fees to clear his name.
That is what happens when sensitive personal data fuels a federal machine: a “flag” becomes a fact. And it’s the same kind of data the Justice Department is now seeking from state voter registration lists.
The same federal agencies that monitored Lugo’s license plate are demanding unredacted voter rolls from dozens of states. A confidential memorandum of understanding (MOU) spells out how states must hand over full voter lists—including driver’s-license and partial Social Security numbers—and “clean” the lists within 45 days. Although the Justice Department labeled the MOU confidential, a federal judge ordered the hearing transcript discussing it released to the public; the agreement is now part of public court exhibits accessible on PACER. This contrast between claimed secrecy and public availability underscores the high stakes at the outset.
DOJ’s stated rationale:
DOJ argues it has a statutory role enforcing NVRA/HAVA list-maintenance compliance and needs access to statewide records to test accuracy.
They say the MOU is meant to protect data during transfer/use and to standardize security procedures.
DOJ frames the timeline as operational urgency—time-bound compliance and responsiveness to anomalies.
DOJ frames the effort as election‑integrity enforcement and warns non‑compliant states they will be taken to court.
The counterargument from states/critics:
States argue the request goes beyond what’s necessary and risks exposing sensitive identifiers (DL numbers, SSN4).
Critics warn “anomalies” can reflect database latency or matching errors—deadlines can turn false positives into removals.
“Confidential” terms reduce transparency and public oversight for a system that touches voting rights.
Critics warn that the demanded identifiers aren’t “just voter rolls.” They are join-keys that can be linked across systems—sometimes all the way back to state ID records, including the photo on your driver’s license.
Both claims can be true at once: list maintenance is real—and a system designed for auditing can still function as a scalable eligibility gate if the data is centralized, time-pressured, and automated.
The States’ Offer
The clock starts the moment a state signs DOJ’s confidential SAVE MOU: 45 days and counting. That is how long election officials have to “resolve” every anomaly a federal database flags—names that don’t match, codes it doesn’t like, voters the system doesn’t recognize.
Miss the deadline and the state is out of compliance; meet it, and someone is struck from the rolls.
The first test of the MOU’s ultimatum came on Dec. 1, 2025. At 11:34 a.m., DOJ trial attorney Eric Neff sent Colorado officials a “confidential” contract with a 24‑hour deadline.
Neff did not ask for a meeting; he attached the draft MOU and demanded a reply by end of business the next day. The email offered a binary choice to avoid a federal lawsuit: surrender the state's unredacted voter roll and agree to "clean" the list within "forty-five (45) days" of any federal notice.
Neff promised the agreement would “cure all potential concerns,” then warned he doubted it would satisfy the state’s “various concerns” and asked for a quick decision: accept the MOU or prepare for litigation.
But the attachment doesn’t cure concerns. It codifies them.
Section XII.F goes further: it labels the entire agreement—and even preliminary communications—“confidential.” This wasn’t written for public debate.
The cost of that secrecy is surrender.
Under the MOU, states must hand over their entire statewide voter database, including driver’s‑license numbers and the last four digits of Social Security numbers (SSN4).
The federal government runs that file through its own verification engine called SAVE. If DOJ flags “issues… anomalies… or concerns,” Section VIII gives states just 45 days to remove “ineligible” voters.
Attorney General Pam Bondi framed list maintenance as essential to “free and fair elections,” warning that states that fail to provide accurate statewide voter lists “will see this Department of Justice in court.”
Critics don’t dispute the goal of accurate rolls. The fight is over the mechanism: bulk identifiers, a compressed deadline, and a system states can’t fully audit.
Forty-five days is an administrative cycle; for a voter correcting federal records, it’s a trap. The MOU turns the presumption of eligibility into a countdown to erasure.
This isn’t election "integrity"—it’s a federal permission layer built by contract, enforced by litigation, and executed by systems states can’t audit.
The Colorado MOU shows the mechanism in plain text: secrecy, mass data transfer, and a timed “clean” mandate enforced on DOJ’s terms.
This is not just about who gets a ballot. The same identity spine that can mark you as an “anomaly” in the voter file is wired, through Routine Use 50, into Treasury’s Do Not Pay system. The same system that can stop you at the polling place can also freeze a tax refund, block a Social Security payment, or hold up disaster relief. In this design, election integrity, eligibility for work, and access to money all hang from the same kill switch.
Colorado said no. Iowa said yes.
Colorado balked at DOJ’s terms. Iowa embraced Executive Order 15, reclassifying professional licenses as “public benefits” so they could be conditioned on federal clearance. That compliance didn’t just solve an immigration scandal—it proved the model. Once Iowa showed it could wire E‑Verify and SAVE into licensing and hiring decisions, DOJ packaged the same approach into the “confidential” MOU now sitting on desks in 26 other states.
Iowa as Proof of Concept
Iowa is not an outlier. It is the prototype.
As Part III showed, what happened here wasn’t a freak event—or a uniquely reckless governor—or a state that “went too far.” It was something quieter and more dangerous: administrative alignment. Iowa moved early into a system that was already designed, funded, and waiting.
That’s why this story does not stay in Iowa. The same tools, the same data fields, the same vendor stack, and the same federal interfaces now showing up here are already being adopted—quietly, unevenly, and often without public debate—in other states. Not because voters demanded it or because illegal voting is widespread, but because it fits—legally and operationally—into an expanding federal permission system for civic life. That architecture is built on SAVE.
For decades, SAVE — the Systematic Alien Verification for Entitlements — was sold as a narrow eligibility checker. A bounded system for a specific purpose: verifying immigration or citizenship status only when an agency had to make a benefits decision.
As detailed in Part III, Congress authorized this system in 1986 strictly to gate welfare access for non-citizens—never envisioning it would evolve into a permission layer for the American electorate. Transactional. Targeted. Politically containable. That’s the public story.
What exists now is different in kind, not just degree. Today, SAVE functions as something far more consequential: a digital eligibility backbone—an API-based permission layer that other systems can call to decide who gets cleared, who gets flagged, and who gets denied. When a “verifier” becomes infrastructure, it stops being a tool. It becomes a gate.
Verifiers don’t govern. Permission layers do
A verifier is supposed to answer a narrow question at a single moment: Does this record match what we need right now? If it’s wrong, the error is localized.
When did a benefits verifier become something that can gate a license, a job, or a ballot—and who authorized that expansion?
This is not semantics. It’s the danger. A database is passive; it waits for a question. A permissions layer is active; it sits between you and everything that matters.
Once SAVE is wired in as a dependency, the question is no longer “is this record correct?” but “did the system clear you?” Everything else becomes an implementation detail.
What a permission layer can decide:
Renew or suspend driver’s licenses.
Provide or deny benefits and services.
Grant or deny professional licenses (nursing, teaching, medicine — treated as benefits rather than earned credentials).
Determine eligibility for voter registration and continued enrollment.
Trigger downstream “integrity” checks that can delay or block routine transactions.
The public rarely sees why these decisions are made. There is no visible rationale — just a drop‑down menu, a status code, a “could not verify.”
In a democracy, eligibility is a policy choice; in an administrative state, it becomes a software dependency. Once policy is recoded as a dependency, the machine stops asking permission. That quiet, technical shift is what changes everything.
Iowa Matters Because it’s Compatible — Not Because it’s Extreme.
This is where Iowa becomes instructive. Not because it is uniquely anything, but because it proved the model can be operationalized quickly when a state is willing to align its systems, fields, and timelines to federal demands.
Iowa didn’t invent the machine. Iowa showed the machine can run. Once it runs in one state, the next steps are simple: replicate, scale, and enforce.
That is what the “Confidential MOU” represents—and why the lawsuits matter. They are not isolated fights. They are the mechanism for building a national system out of fifty separate election administrations. Put differently: Iowa is not the exception that proves the rule; it is the proof of concept that becomes the rule once Washington decides to stamp it onto every state.
From Iowa to National Standard
This isn’t how a democracy is openly rewritten. It’s how an administration is quietly re-architected.
What looked like a discrete state‑level decision in Iowa was actually the first visible node in a coordinated federal campaign to convert the SAVE database from a passive immigration tool into a proactive national voter‑clearance engine. The evidence for that coordination is no longer theoretical; it is written in court transcripts, federal press releases, and the text of confidential contracts state officials never expected the public to see.
The Network: Twenty-six States and the “Confidential” Pact
The scope of this network is now a matter of record because DOJ was forced to name names in federal court. On December 4, 2025, during a hearing in United States v. Weber, DOJ Trial Attorney Eric Neff identified the states that had accepted the federal terms.
The Confidential Pact: South Carolina, Nebraska, Montana, Mississippi, Missouri, Alabama, Texas, Virginia, Utah, Tennessee, and South Dakota.
The Voluntary Compliers: Wyoming, Kansas, Indiana, and Arkansas.
The Settlement States: Iowa, Florida, Indiana and Ohio.
Add legacy SAVE‑heavy states such as Arizona and Georgia, and the total matches USCIS’s November figure: twenty‑six states now integrated into a federal verification grid.
Subscribe for Free:
This investigation is independently funded.
Paid subscriptions support continued research, FOIA requests, primary-source verification, and the next phase of reporting in the Warrantless Surveillance Series. For readers who want to support this work, we’re offering 30% off paid subscriptions through January 31st here.
This is what federalization looks like in practice: integration by paperwork, expansion by litigation. More than half the country has effectively nationalized its voter‑verification process, bypassing state legislatures to link local rolls directly to a federal enforcement engine.
The Mechanism: A “Confidential” Contract
The instrument of this realignment is not a law passed by Congress; it is a private contract. The “Confidential Memorandum of Understanding” offered to states like Colorado lays out the terms.
Section XII.F declares the MOU and all related communications “confidential,” shielding the transfer of power from public scrutiny. Section VIII imposes a “clean” mandate: once DOJ reports “anomalies,” the state “will clean its VRL/Data by removing ineligible voters” within forty‑five (45) days.
This clause federalizes voter-list maintenance. When algorithms in Washington flag a voter in Iowa or Texas, local officials are contractually bound to act. The state is no longer the arbiter of eligibility; it is the executioner on a federal clock.
The Ultimatum: Compliance or Litigation
The Colorado ultimatum shows the contract’s posture: comply fast or litigate. What matters next is what the contract does once the file is ingested.
The message to the states was binary: voluntarily feed the federal machine, or be ordered to do so by a judge.
That escalation matters because systems at this scale do not get built to answer a few clerks’ questions. They get built to run constantly, at population scale. To understand what that means, you have to stop thinking in terms of “checks” and start thinking in terms of throughput. What happens when a benefits‑era tool is rebuilt to process entire voter rolls on deadline?
The answer shows up in the only place systems cannot hide: volume.
The Result: Industrial Scale Verification
For years, SAVE was a low‑volume system for specific benefit applications. In all of 2024, it processed about 25 million queries. By October 2025, after “optimization” for bulk voter checks, that number had exploded to 205 million.
Update (February 20, 2026): Part IV documents the scale of the verification system.
What it did not examine in detail is the funding architecture that makes that scale possible.
The interactive exhibit below maps the contract stack and funding pathways behind the architecture described here.
Figure 2 shows the scale; now we need the mechanism that makes that scale possible. A system doesn’t jump from “case-by-case verification” to large-scale throughput because states suddenly got curious—it jumps when the inputs and matching rules are redesigned for volume.
That’s what bulk upload and the SSN4 quietly accomplish: they collapse the distance between a targeted benefits check and a population-wide identity sweep. Once you can feed whole lists into SAVE and anchor matches on partial SSNs (instead of only immigration-specific identifiers), the universe of “checkable” people explodes—citizens included—because you’ve effectively handed the engine a universal key.
The moment you do that, the system’s weakest link becomes the thing that matters most: the upstream identity record it treats as authoritative. That’s where the trap snaps shut—because at scale, the machine isn’t verifying you; it’s verifying the version of you stored in SSA’s NUMIDENT, a static snapshot that was never built to govern eligibility across voting, licensing, and benefits in real time.
Iowa showed that a state could reclassify driver’s licenses as “public benefits” to bypass privacy laws. The federal government then took that logic, codified it in a confidential MOU, and rolled it out across half the union. The result is a national permission layer that treats the franchise as something to be renewed, not a right to be exercised.
That raises the next question: what kind of system can jump by millions of checks, and what did it have to become to do that?
From Alien File to National Registry
For decades, SAVE sat in the background of the bureaucracy, a narrow tool to verify the status of non‑citizens applying for specific public benefits like Medicaid or housing. It was a lookup service, not a grid.
In 2020, only immigrants and some naturalized citizens were eligible for SAVE benefits verification. To be checked, the system required an immigration ID.
In 2025, that changed. Through a series of technical overhauls and legal maneuvers, DHS turned SAVE from a “pull” system—one person at a time—into a “push” system capable of ingesting entire state populations.
From Immigration A-Number to SSN4
The critical technical shift came on November 3, 2025, when USCIS rolled out two new capabilities: Bulk Upload and SSN4 matching. Previously, SAVE required an immigration identifier such as an Alien Registration Number (A‑Number), which naturally limited queries to non‑citizens with immigration files.
The new architecture removes that limiter. States can now verify individuals using only a name, date of birth, and the SSN4. By switching the key identifier from an “A-Number” (which only immigrants have) to a SSN (which nearly every resident has), the federal government quietly converted an immigration database into a National Registry capable of scanning the electorate.
This is the system Iowa and twenty‑five other states have plugged into: one that uses stale data to generate erroneous flags, then uses confidential contracts to mandate purges based on those errors. Once a system like that exists, everyone who connects to it inherits the same logic: deny fast, correct slowly.
Ingestion, Not Inspection
The clearest proof that this system is built for permanent mechanical control, not human oversight, is in DOJ’s own filings. When states offered the traditional remedy—letting federal lawyers inspect rolls in person—DOJ refused.
In California, Secretary of State Shirley Weber invited officials to review a redacted voter database in her Sacramento office. DOJ rejected the offer and, in its motion to compel, demanded that the state “submit electronically” an unredacted file via the Justice Enterprise File Sharing (JEFS) system, including each voter’s driver’s license number and SSN4.
The distinction is critical. Those are not investigative leads; they are join‑keys—the unique identifiers needed to plug state records into the Person Centric Entity Resolution (PCER) engine. DOJ was not trying to see the list. It was trying to possess it.
The clock does not allow time for complex, human-led adjudication of citizenship, which is notoriously difficult to prove on a deadline. It forces the state to rely on the federal “flag.”
When Verification Becomes a Gate
Voter verification is the accelerant because it introduces two features benefits programs don’t always require: bulk processing and institutional urgency.
When those two features meet a federal permission layer, the result is predictable: more queries, more false positives, and less accountability.
The system doesn’t know who you are. It only knows whether you clear.
This repurposing changes the nature of the system because it transforms SAVE from a transactional lookup service into a mass ingestion pipeline. There is a fundamental difference between a tool that is occasionally consulted by a human clerk and a system that is queried in bulk by a state server.
The Skeleton Key: The SSN4 Shift
The most critical architectural change was not the volume of the queries, but the keys used to run them.
Under the 2020 rules, a state official literally couldn’t run SAVE on a typical U.S.‑born voter. The system required an immigration identifier—an A‑Number, I‑94, or similar—just to open the case. In May 2025, USCIS rewired the tool to accept searches by Social Security number specifically so agencies without immigration IDs could query the database anyway.
Then on November 3, 2025, USCIS loosened the Social Security enhancement further. The agency announced that states could now verify voters using only a name, date of birth, and the last four digits of a Social Security number (SSN4).
This technical shift had a profound structural consequence. While only non-citizens possess A-Numbers, nearly every American resident possesses a Social Security number. By switching the input key to the SSN, DHS technically unlocked the database to the general population.
The Static Snapshot Failure
The danger of this new architecture lies in the specific data it consumes. To perform these SSN-based checks, the overhauled SAVE system bypasses live immigration files and queries the Social Security Administration’s NUMIDENT file—a database the SSA itself has warned is not a definitive record of citizenship.
NUMIDENT is a "static snapshot." It records a person’s status at the time they applied for a Social Security card. It does not automatically update. If a lawful permanent resident becomes a naturalized citizen years later but does not update their Social Security record—a step not legally required for voting—SAVE will still flag them as a non-citizen.
The SSA’s Office of the Inspector General has estimated that 3.3 million U.S. citizens are misclassified as non-citizens in this database due to this "naturalization lag".
The Purge Clock
Under the "Confidential Memorandum of Understanding" sent to states like Colorado, this known data latency is weaponized.
Section VIII of the MOU does not merely provide data; it imposes a deadline. The agreement mandates that upon receiving notice of "anomalies" from the DOJ (generated by these static SSA records), the state "will clean its VRL/Data by removing ineligible voters" within "forty-five (45) days."
In the world of database administration, 45 days is a blink of an eye. In the legal world, it is a suffocating window. By the time a voter receives a notice in the mail, the clock has already burned down. The MOU ensures that the system’s default setting is deletion.
The Financial Kill Switch
This fulfills the surveillance logic we first saw in Part I: the shift from punishing crimes to policing “patterns.”
Buried in SSA’s revised System of Records Notice is “Routine Use 50,” which authorizes sharing NUMIDENT data with Treasury’s Do Not Pay system. If the voter‑verification algorithm flags you as “unverified,” that anomaly does not stay in an elections database. It can propagate to Treasury, where the same flag can trigger Do Not Pay screening and additional review—delaying payments until the record is resolved.
This creates a structural trap. The federal system uses outdated data to generate a flag (the "anomaly"). The MOU then legally binds the state to act on that flag within a strict window. The burden of proof shifts instantly to the voter, who must now prove they are a citizen to a system that has already decided they are not.
The Leviathan — Not a Program, but a Dependency Stack
Public attention often fixates on "ImmigrationOS," the controversial analytics platform built by Palantir. But focusing on the dashboard misses the engine — a multi-billion-dollar "dependency stack" built to outlast any single administration.
The Engine: IBM and Your Digital Twin
While Palantir’s ImmigrationOS grabs headlines, the system that actually moves identity decisions is older, larger, and quieter. In May 2024, USCIS awarded IBM a $279 million “FALCON” task order to modernize the verification backbone—building and operating the Verification Information System (VIS), the transaction engine behind E-Verify and SAVE.
This isn't a file about you. In the eyes of the state, this file is you. If the flesh-and-blood voter says one thing, and the Golden Record says another, the machine is programmed to believe the record.
This is where “verification” stops being a lookup and becomes an identity model. Later in this report, I’ll show how that modernization enables a person-centric profile—your digital twin—to persist across systems long after the original query is over.
The Memory: HART and Peraton
If IBM provides the logic, Peraton provides the memory. Following its acquisition of Northrop Grumman’s IT division, Peraton manages the Homeland Advanced Recognition Technology (HART) system—the massive biometric database replacing the legacy IDENT system.
This matters because once a “verification” system has memory, it stops being a lookup tool. It becomes a national gate for anyone it can measure.
What does “Everywhere” Actually Mean?
When federal officials say this system will be deployed “nationwide,” they do not just mean it will be in every state. They mean it will be in every transaction.
The architecture of the Leviathan is designed to collapse the distance between a “voter check,” a “traffic stop,” and a “financial penalty.”
The Physical Enclosure
“Everywhere” also means the physical observation of movement is no longer local.
If you drive: Your movement is captured by ALPRs and fed into state fusion centers like the Texas FCIC, where it is legally reclassified as "intellectual property" to hide it from public records requests.
If you park: Your location is logged by private data aggregators like Verisk/ISO, which markets a "multi-billion-scan vehicle-location database" to insurance carriers to track where vehicles are garaged.
If you cross state lines: Your data is shared via Nlets, the same interstate law enforcement backbone we exposed in Part II. The same pipe that funnels your license plate scans to a fusion center is now being configured to route your driver’s license photo to the DHS.
The system doesn’t need to arrest you to control you. It simply needs to deny your transaction. In this architecture, eligibility is not a right you hold; it is a status code the system assigns.
SAVE isn’t where the data lives. SAVE is where the decision happens. And decisions are governance. Even when they’re disguised as “verification.”
The Transformation Is Measurable — In Volume, Ambition, and Intent
The shift from a passive benefits check to a proactive mass‑surveillance grid is not speculation; it is quantified in federal records.
In 2020, SAVE’s role in elections was buried as one of many “lawful purposes.” By 2025, “voter registration and voter list maintenance” appears in the opening justification: it is now a primary design target of the overhaul, not a hypothetical side case.
Under Section VIII of that confidential deal, the state does not just share data; it surrenders authority. The process is not a dialogue; it is a loop:
Ingest: The state uploads the voter roll to the federal system.
Match: The DOJ runs the data against federal databases (SSA Numident/DHS SAVE).
Purge: Upon receiving notice of “anomalies,” the state “will clean its VRL/Data by removing ineligible voters” within “forty-five (45) days”.
As earlier mentioned, this is ingestion, not inspection. The demanded fields are join-keys.
The MOU mandates that upon receiving notice of “anomalies” from the DOJ, the state “will clean its VRL/Data by removing ineligible voters” within “forty-five (45) days”.
This effectively federalizes the administration of state elections. Local discretion collapses into a federal clock.
Because 205 million queries is not a “benefits tool.” That is national in scale.
That is the scale of something designed to be called constantly by other systems—until “verification” becomes so routine it stops looking like politics and starts looking like administration.
The Demand for Full Ingestion
The Department of Justice is no longer asking states to participate; it is suing them for total submission — demanding the electronic transfer of entire unredacted voter files.
When USCIS officials state, "We encourage all federal, state, and local agencies to use the SAVE program," they are describing a default. They are describing a future where "verification" becomes the connective tissue between every agency—so normalized that it no longer looks like surveillance, but simply looks like modern governance.
This is not red vs. blue; it is administrative alignment—the quiet construction of a national permission layer.
In practice, SAVE is no longer “a database.” It functions more like a federal verification gateway — an eligibility switchboard other systems call, quietly, at scale. That matters because the system scales larger through interfaces, contracts, and “optimization” work that rarely comes with a press conference.
And when the verification engine itself is being modernized — from distributed lookups to cached identity profiles and probabilistic match scoring — the question stops being what SAVE was designed to do.
This isn’t oversight—DOJ wants the electronic file because license numbers and SSN4s are the join‑keys the PCER engine needs.
The question becomes: what does this system become once it’s built to verify everyone, everywhere, all the time?
The Statutory Shell Game
The transformation of the American voter from a citizen into a “record” required more than just new software; it required a new legal theory. To build a national verification grid without passing a National ID law, the executive branch had to repurpose existing statutes that were designed to do the exact opposite of what they are being used for today.
Weaponizing the Civil Rights Act
To build this system, the DOJ had to weaponize a law designed to stop Jim Crow. In its lawsuits against California and Colorado, the government cites Title III of the Civil Rights Act of 1960—a statute passed to preserve records so federal prosecutors could prove registrars were suppressing Black voters.
Congress passed this law for a specific, historical purpose: to preserve election records in the Deep South so federal prosecutors could prove that registrars were systematically discriminating against Black voters. It was a tool for enfranchisement—a way to catch officials who were throwing away the registration forms of minority citizens.
Today, the DOJ is inverting that purpose — using the same statute to demand unredacted voter rolls that feed a computerized purge engine. They are using a civil rights law to build a surveillance list.
In its lawsuits against California and Colorado, the government explicitly cites Title III not to investigate discrimination, but to enforce “list maintenance”—a bureaucratic euphemism for purging voters. By invoking a civil rights statute to demand “unredacted” voter files, the DOJ is using a law meant to protect voters from the state as a tool to expose voters to the federal government.
“List Maintenance” As Data Capture
The government’s legal filings reveal that “compliance” is the pretext for data acquisition.
In United States v. Weber, the DOJ argues that it cannot verify whether California is properly “removing ineligible voters” unless the state turns over the “driver’s license number” and “last four digits of the social security number” for every registered voter.
This is the statutory shell game:
The Hook: The DOJ claims it is enforcing the National Voter Registration Act (NVRA) and Help America Vote Act (HAVA).
The Trap: HAVA requires states to maintain accurate lists but contains no provision forcing states to surrender those lists to the Feds.
The Switch: The DOJ uses the Civil Rights Act to demand the data, arguing that “list maintenance” is a federal right that requires federal oversight.
As the NAACP and League of Women Voters noted in their motion to intervene in the California case, this legal theory transforms the Attorney General from a guardian of voting rights into a “national voter registration administrator,” centralizing power in Washington that the Constitution explicitly delegated to the states.
The “Backdoor” ID Requirement
This legal maneuvering creates a functional National ID system without Congress ever voting for one.
The Fair Elections Center warns that by wiring the SAVE database (an immigration tool) into the voter registration process, the government has imposed a “backdoor documentary proof of citizenship” requirement.
Under this regime, a voter does not need to show a passport at the polls to be flagged; they simply need to have an “anomaly” in a federal file they cannot see. If a naturalized citizen’s Social Security record hasn’t updated to reflect their citizenship—a common “naturalization lag” acknowledged by the SSA—the SAVE system will flag them as a non-citizen. The state, bound by the DOJ’s “list maintenance” mandate, is then pressured to purge them.
The statute meant to stop registrars from purging eligible voters is now being used to feed a system that automates their removal.
To see how that became possible, you have to stop looking at the statute and start looking at the input tray.
The Technical Tell: Bulk Processing
Now that SSN-based queries removed the limiter; entire voter rolls are checkable.
This technical update fundamentally altered the system’s logic.
Before: The system answered the question, "Is this specific applicant eligible?"
Now: The system answers the question, "Who in this population is ineligible?"
The impact of this switch was immediate and explosive. When a system jumps into the hundreds of million transactions in a single year, it is no longer performing the same function. It has graduated from an administrative tool to a mass screening system.
The Scope Jump: SSA Integration Changes the Universe of Targets
If Bulk Upload provided the scale, the integration with the Social Security Administration (SSA) provided the targets.
Historically, SAVE required an Alien Registration Number (A-Number) to run a query. This acted as a structural safety valve: the system could generally only be used on individuals who had already interacted with the immigration system. U.S.-born citizens do not have A-Numbers; therefore, they were largely invisible to the database.
On November 3, 2025, USCIS removed that safety valve. The agency announced that states could now verify voters using only a name, date of birth, and the SSN4 alone.
That many people do not end up in the crosshairs by accident. To see how they got there, you have to stop looking at individual records and start looking at the machinery that is sorting them.
The Machine Behind the Screen (VIS, PCER, HART, ImmigrationOS)
To understand what the twenty-six states plugged into, you have to look past the acronyms. Public attention often fixates on "SAVE" or "ImmigrationOS" because they appear in headlines. But focusing on the dashboard misses the engine.
SAVE is merely the customer-service window. The actual machine is a multi-billion-dollar dependency stack built by private defense contractors to outlast any single administration.
From Verification to Identity Construction
In 2020, DHS’s own privacy documentation limited SAVE to immigrants, non‑immigrants, and certain naturalized citizens. U.S.‑born citizens sat outside the system’s official scope. By October 2025, that limiter was gone: the updated PIA explicitly authorizes SAVE to ingest and retain Social Security numbers for U.S.‑born citizens when agencies submit them for voter‑roll checks.
While Palantir’s $30 million contract for "ImmigrationOS" drew headlines, it functions largely as a user interface. The real scale of the system lies in the plumbing beneath it.
In May 2024, USCIS awarded IBM a $279 million task order known as FALCON to modernize the verification backbone. IBM is building and operating the Verification Information System (VIS), the central transaction engine that powers both E-Verify and SAVE.
Crucially, this modernization creates a new architectural component called the Person Centric Entity Resolution (PCER) microservice.
In the older model, verification was a momentary pull: the system checked a record, returned a result, and moved on.
Under PCER, the logic shifts toward cache and resolve—consolidating identifiers from multiple sources into a persistent identity profile. Inside the system, that profile is called a Golden Record. In plain language, it is your digital twin.
That shift matters because the system no longer just verifies who you are at a moment in time. It constructs an authoritative version of you—and, by design, that version can persist beyond the original purpose of the query. Once that digital twin exists, the system doesn’t ask whether the record is right. It asks whether it clears.
This is the point where “verification” stops being a check and becomes a model.
The Memory: HART and Relationship Mapping
If VIS provides the logic, HART provides the memory.
Managed by Peraton (following its acquisition of Northrop Grumman’s IT division), the Homeland Advanced Recognition Technology (HART) system is the massive biometric database replacing the legacy IDENT system.
HART is not just a digital fingerprint repository. It is a cloud-native platform hosted on AWS GovCloud designed to fuse "multimodal" biometrics: face, iris, and fingerprint data.
The DHS technical specifications confirm that HART is designed to store and map "Relationship Patterns". By linking biographic data, encounter locations, and third-party data, the system builds a social graph of individuals—moving the question from “Who is this?” toward “How is this person connected?”
That shift is the tell. Once a system can model relationships, it stops being a records tool and becomes an operational instrument. And operational instruments don’t live in spreadsheets—they live behind dashboards, where complex pipelines get turned into simple choices: flag / route / detain / remove.
The Dashboard: ImmigrationOS
Sitting on top of this stack is ImmigrationOS, the platform built by Palantir Technologies under a $30 million contract awarded in April 2025.
ImmigrationOS is not the database; it is the lens. It creates a digital twin of the immigration lifecycle, fusing data from the IRS, SSA, and local police to track individuals through the deportation pipeline. It is designed to provide "near real-time visibility" into targets, utilizing the data lakes filled by the systems below it.
Seen from above, the full structure looks like this:
Once you see the stack, the marketing language about “simple verification” reads differently. This is not a lookup; it is a rules engine with a memory, built to be called again and again by other systems that depend on its decisions.
The last question is who controls that engine—because once verification becomes national, whoever owns the stack effectively owns the rules of citizenship.
The Privatization of Sovereignty
The most dangerous feature of this stack is not its power, but its ownership. The core logic of American identity verification is now wrapped in the intellectual property rights of private vendors.
Peraton holds the biometric keys.
IBM manages the verification logic.
NEC Corporation provides the "black box" facial recognition algorithms.
Amazon (AWS) hosts the data.
You cannot FOIA an algorithm owned by Peraton. You cannot vote out the board of IBM. The "Intellectual Property" laws—like those passed in Texas—protect their trade secrets, which happen to be your movements and biometrics.
The government has outsourced the machinery of the Fourth Amendment to companies that view your identity as a renewable contract.
Permanence Without Consent
The architecture of this system was not debated in Congress. It was not authorized by a specific ballot initiative. It was assembled through a series of administrative agreements and vendor contracts designed to survive political turnover.
Here’s the tell: the pipes were connected before the public was even told the pipes existed.
The durability of the Leviathan relies on three specific mechanisms: retroactive legalization, contractual lock-in, and the inversion of the burden of proof.
Retroactive Legalization: The SORN Maneuver
The most telling detail in the construction of this network is the timeline of its authorization. The federal government built the data pipelines first and asked for legal permission second.
The Act: On May 15, 2025, DHS, USCIS, and the Social Security Administration (SSA) signed a "Letter Agreement" to begin bulk-matching voter rolls against the SSA Numident file.
The Cover: The agencies did not publish the legally required System of Records Notice (SORN) describing this new surveillance capability until October 31, 2025—five months after the data sharing began.
By the time the public was invited to comment on the system, millions of records had already been processed. The "comment period" was a formality for a system that was already operational. This is known as "policy laundering": implementing a capability in secret, then codified it as a "routine use" once it is too entrenched to remove.
Contractual Lock-In: The Long Horizon
Even if a future administration wanted to dismantle this system, they would face a firewall of private contracts and binding settlements.
The settlement agreement announced by Iowa Attorney General Brenna Bird does not just authorize data sharing; it mandates it for 20 years. By entering into this agreement, Iowa, Florida, Ohio, and Indiana have legally bound future governors and legislatures to a federal data-sharing regimen that extends well into the 2040s.
For the other states signing the "Confidential MOU," the lock-in is technical rather than contractual. Under the Department of Homeland Security’s retention protocols, once a state feeds its voter rolls into the SAVE system, that data is retained for 10 years—meaning the federal government maintains the digital dossier long after any single election cycle has passed.
Whether by a 20-year contract or a 10-year retention policy, the result is the same: the data checks in, but it doesn't check out.
Furthermore, the physical infrastructure of the system is owned by private vendors. The $17.1 million contract between the Texas Department of Public Safety and Flock Safety includes a provision that data uploaded to the state LPR database must be retained for a minimum of three years. Because this data is legally designated as the "intellectual property" of the state intelligence center under recently enacted Texas SB 1499, it is insulated from standard public records requests and legislative oversight. The state cannot simply "delete" the data, because contractually, the data has become a permanent asset.
The Inversion of the Burden
The final mechanism of permanence is the shift in legal burden. In the traditional justice system, the state must prove you are ineligible. In the Leviathan, the algorithm presumes you are ineligible until you prove otherwise.
The "Confidential MOU" codifies this inversion. Under Section VIII, once the federal PCER engine flags a "data anomaly," the clock starts. The state must "clean its VRL/Data" within 45 days.
There is no pause button for the voter to hire a lawyer. There is no requirement for a judge to sign a removal order. The machine generates a flag, and the contract mandates an execution. If the citizen cannot navigate the bureaucracy of three different federal agencies (SSA, DHS, USCIS) to correct the Golden Record within that window, their rights are administratively deleted.
The system is designed to be fast, mechanical, and permanent. The appeals process is designed to be slow, manual, and rare.
That is not a glitch; it is a theory of governance. Once eligibility is delegated to a timed, opaque flag, the country is effectively ruled by whatever the red light on the dashboard says.
Republic of the Red Flag
We were raised to think the most dangerous government power comes from laws passed in public, debated by legislatures, and signed by governors.
In reality, the most dangerous power comes from systems built as “administration,” expanded as “modernization,” and then normalized as “best practice”— until the public wakes up one day and discovers the country is running on a permission layer they never consented to.
The 45 day "clean" mandates are not requests for accuracy; they are algorithmic purge orders.
A system that defines eligibility before it corrects errors is not neutral. It is decisive. And it is already running.
This is governance by database: a regime where eligibility is decided first, and error correction — if it happens at all — comes too late to matter.
The system does not know who you are.
And when the system decides you don't clear, there is no one left to call.
Want to see the contract for yourself?
A copy of the “Confidential Memorandum of Understanding” discussed in this piece—filed as a public court exhibit in United States v. Griswold—is available as a PDF in our interactive web exhibit. It is the same version entered into the federal docket.
Documentation note: Key terms and quotes come from filed federal exhibits and public records (PACER). A full reference list and primary-document vault are available to paid subscribers.
References & Primary Documents
Department of Homeland Security. (2025, October 31). Privacy Act of 1974; System of Records (DHS/USCIS-004 Systematic Alien Verification for Entitlements). Federal Register, 90(209), 48948–48953.
Department of Homeland Security. (2025, October 31). Privacy impact assessment for the Systematic Alien Verification for Entitlements (SAVE) program (DHS/USCIS/PIA-006(d)).
Department of Justice. (2025). Confidential memorandum of understanding regarding participation in the SAVE program for voter registration and voter list maintenance purposes. (Exhibit 2 in United States v. Griswold).
Neff, E. (2025, December 1). Voter registration list request follow up [Email to Andrew Kline, Colorado Deputy Secretary of State]. U.S. Department of Justice, Civil Rights Division.
Reynolds, K. (2025, October 8). Executive order number 15. State of Iowa Executive Department.
Social Security Administration. (2025, February 20). Privacy Act of 1974; System of Records (Master Files of Social Security Number (SSN) Holders and SSN Applications). Federal Register, 90(34), 10025–10029.
Social Security Administration, Office of the Inspector General. (2006). Congressional response report: Accuracy of the Social Security Administration’s Numident file (A-08-06-26100).
U.S. Citizenship and Immigration Services. (2025, November 3). USCIS enhances voter verification systems [Press release].
United States v. Griswold. (2025). Complaint (Case No. 1:25-cv-03967). U.S. District Court for the District of Colorado.
United States v. Weber. (2025). Transcript of proceedings (Motion Hearing, Dec. 4, 2025) (Case No. 2:25-cv-09149-DOC-ADS). U.S. District Court for the Central District of California.