Lawmakers have issued a stark warning that new U.S. data protection regulations fail to safeguard some of the nation's most sensitive locations, including the White House, Congress, and the CIA headquarters. The rules, crafted over nearly a year by the Biden administration, were designed to prevent U.S. adversaries from purchasing commercially available cell phone location data from federal government sites.
Gaps in the Regulations
Despite listing 736 sensitive locations, the regulations omitted several critical sites. In a letter sent Thursday to Trump administration officials, three congressional Democrats highlighted these oversights. The letter was signed by Senators Ron Wyden of Oregon and Martin Heinrich of New Mexico, along with Representative Sara Jacobs of California.
“The sale of Americans’ location data by data brokers poses a serious threat to U.S. national security, particularly when data about U.S. government employees is sold to foreign governments,” the lawmakers wrote. “Such data can reveal sensitive information that can be exploited for espionage purposes.”
Call for Expanded Protections
The lawmakers urged the administration to address the gaps and create a “protection zone” covering the entire Washington, D.C. region, rather than selecting individual buildings. They also called for expanding the list of countries barred from acquiring such data. The Justice Department declined to comment, and the Office of the Director of National Intelligence did not respond to a request for comment.
Data brokers have long sold location information for advertising, consumer analysis, and investment purposes. Governments increasingly use these datasets for law enforcement and intelligence gathering. Foreign spy agencies can exploit such data to map the movements and activities of U.S. personnel.
Risks of Commercial Data
Commercially available location data has previously been used to identify sensitive U.S. facilities. In one notable incident, a fitness app revealed the location of a French aircraft carrier in the Mediterranean when a crew member logged a running route on the ship’s deck.
The rules, effective April 2025, aim to curb data sales to China, Russia, Iran, North Korea, Cuba, and Venezuela. They broadly prohibit selling location data from over 1,000 American devices to these countries. However, to prevent circumvention through small data sets, the rules specifically forbid selling data from a single device at designated U.S. government sites.
Analysis of GPS Coordinates
The regulations identify protected locations only by GPS coordinates. Wyden’s staff, with assistance from the Congressional Research Service, analyzed these coordinates to determine which facilities were included and which were omitted, according to a spokesman for the senator.
