> So if DOGE have security clearances (unclear if the have) then their audit is legal?

They're also responsible liable for keeping the data safe, which has already been broken at least once:

* https://news.ycombinator.com/item?id=43052432

Possibly violating:

> Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information— […]

* https://www.law.cornell.edu/uscode/text/18/798

Clearance does not allow indiscriminate access, it just means you are theoretically trustable. You still need a reason to access the data, usually negotiated with the data owners, who is legally responsible for protecting the data. DOGE has bypassed all of that to just hoover up whatever they can.

IANAL, but there are other laws governing what DOGE is doing that they are violating, such as transparency laws.