Location data loophole leaves White House, CIA off US protection list

Share:
Audio Loading voice…
Location data loophole leaves White House, CIA off US protection list

Synopsis

A bipartisan data-protection rule meant to shield sensitive US government sites from foreign surveillance has a glaring blind spot: the White House, CIA headquarters, Congress, the Supreme Court, and nuclear weapons labs are all off the protected list. Three Democratic lawmakers are now demanding a fix — and their letter exposes how AI tools can stitch together commercially available location data to unmask federal employees that a single dataset would never identify.

Key Takeaways

Senators Ron Wyden and Martin Heinrich and Representative Sara Jacobs wrote to DNI Tulsi Gabbard and Acting AG Todd Blanche on 22 May flagging critical gaps in location data rules.
The Justice Department's list of 736 protected sites , finalised in January 2025 , excludes the White House , CIA headquarters , Congress , the Supreme Court , and nuclear weapons laboratories.
Lawmakers warn that AI tools can combine multiple datasets to identify federal employees whose government ties 'would be otherwise obscured in a single dataset.' The current rules restrict data sales to only six countries — China, Russia, Iran, North Korea, Cuba, and Venezuela — which the lawmakers say is too narrow.
The three lawmakers are urging a broad protection zone covering the entire National Capital Region rather than a fixed list of individual sites.

Democratic lawmakers have warned that US Justice Department rules meant to block the sale of sensitive mobile phone location data to foreign adversaries contain critical gaps — leaving the White House, CIA headquarters, Congress, the Supreme Court, and nuclear weapons laboratories outside any protected zone. The alarm was raised in a sharply worded letter dated 22 May addressed to Director of National Intelligence Tulsi Gabbard and Acting Attorney General Todd Blanche.

What the Lawmakers Found

The letter, signed by Senator Ron Wyden, Senator Martin Heinrich, and Representative Sara Jacobs, warns that commercially available location data — when processed through artificial intelligence tools — can expose the identities and movements of federal employees in ways that individual datasets alone would not reveal. The lawmakers said the sale of such data to foreign governments 'poses a serious threat to US national security' and 'can reveal sensitive information that can be exploited for espionage purposes.'

Their concern centres on a list of 736 sensitive US government-related locations identified under rules finalised in January 2025, where even data from a single device cannot legally be sold to foreign adversaries. Despite its breadth, the list omits some of the most consequential national security sites in the country.

Which Sites Were Left Unprotected

According to the lawmakers, the protected list excludes the headquarters of the CIA, the National Reconnaissance Office, and the National Geospatial-Intelligence Agency. Continuity-of-government facilities and federal laboratories involved in designing nuclear weapons were also reportedly left off. Notably, the White House, Congress, and the Supreme Court are absent from the restrictions — even as the Vice President's residence at the Naval Observatory and Fort McNair, where several senior administration officials reportedly reside, are covered.

Background: Biden's 2024 Executive Order

The current framework traces back to a 2024 executive order issued by then-President Joe Biden, which directed the Justice Department to regulate the sale of sensitive personal data to countries identified as national security threats — specifically China, Russia, Iran, North Korea, Cuba, and Venezuela. The rules were finalised in January 2025, but the lawmakers argue the resulting list is structurally incomplete and inconsistently applied.

The letter also cited warnings embedded in Biden's executive order that AI systems could combine multiple datasets to identify US officials and government personnel whose connections to federal agencies 'would be otherwise obscured in a single dataset' — a direct reference to the kind of AI-enabled deanonymisation that adversaries such as China and Iran are believed to be pursuing.

What the Lawmakers Are Demanding

Wyden, Heinrich, and Jacobs urged the Justice Department and the Director of National Intelligence to replace the 'incomplete list' with a broad protection zone covering the entire National Capital Region around Washington. They also criticised the department for limiting restrictions to only six countries, arguing that nations with weak privacy laws or those known to conduct surveillance against Americans should be included — since data brokers could otherwise resell location information to hostile governments through intermediaries.

'Given the serious national security threat posed by the ongoing sale of data to foreign adversaries from sensitive US government facilities, we urge DOJ and the DNI to promptly act to address these problems,' the lawmakers wrote.

The Broader Context

Concerns over data brokers and AI-enabled surveillance have grown sharply in Washington amid rising tensions with China and increased scrutiny of foreign cyber and intelligence operations targeting the United States. Lawmakers from both parties have repeatedly flagged that commercially available location data can expose military personnel, intelligence officers, and government officials to tracking, blackmail, and espionage. This latest letter underscores that the regulatory response, while significant, has not yet caught up with the threat landscape.

Point of View

But omitting the White House, CIA, and nuclear labs from a national security data-protection regime is not a technical oversight — it is a structural failure. The deeper problem is that a list-based approach is inherently brittle: adversaries do not need data from a protected building if they can triangulate the movements of its occupants from nearby unprotected zones. The lawmakers are right to push for a regional protection model, but the more urgent question is why the Justice Department drew the perimeter this narrowly in the first place — and whether the six-country restriction reflects genuine threat assessment or political convenience. With AI-enabled deanonymisation now a documented capability of state adversaries, the gap between the rule's intent and its actual coverage is a vulnerability that cannot wait for the next executive order.
NationPress
6 Jul 2026

Frequently Asked Questions

What is the location data protection gap near the White House?
US Justice Department rules finalised in January 2025 ban the sale of mobile phone location data from 736 sensitive government sites to foreign adversaries, but the list omits the White House, CIA headquarters, Congress, the Supreme Court, and nuclear weapons laboratories. Three Democratic lawmakers have written to the Director of National Intelligence and Acting Attorney General demanding the gap be closed.
Why is location data considered a national security threat?
Location data sold by commercial data brokers can, when processed through AI tools, reveal the identities and movement patterns of government employees even if their names are not attached to the data. According to the lawmakers' letter, AI systems can combine multiple datasets to identify US officials whose connections to federal agencies 'would be otherwise obscured in a single dataset,' enabling foreign adversaries to conduct espionage or blackmail.
Which countries are currently restricted from buying this data?
Under the January 2025 rules, data sales are restricted with respect to six countries: China, Russia, Iran, North Korea, Cuba, and Venezuela. Lawmakers argue the list is too narrow and should include any nation conducting surveillance against Americans or with weak privacy laws that could allow data to be resold to hostile governments.
What are the lawmakers asking the Justice Department to do?
Senators Ron Wyden and Martin Heinrich and Representative Sara Jacobs are urging the Justice Department and the Director of National Intelligence to replace the current site-specific list with a broad protection zone covering the entire National Capital Region around Washington, and to expand the country restrictions beyond the current six.
How did this data protection framework come about?
The framework originates from a 2024 executive order issued by then-President Joe Biden, which directed the Justice Department to regulate the sale of sensitive personal data to countries identified as national security threats. The resulting rules were finalised in January 2025, but critics argue the implementation fell short of the order's stated intent.
Nation Press
The Trail

Connected Dots

Tracing the thread behind this story — newest first.

8 Dots
  1. Latest 1 week ago
  2. 3 weeks ago
  3. 3 weeks ago
  4. 1 month ago
  5. 1 month ago
  6. 1 month ago
  7. 1 month ago
  8. 1 month ago
Google Prefer NP
On Google