Location data loophole leaves White House, CIA off US protection list
Synopsis
Key Takeaways
Democratic lawmakers have warned that US Justice Department rules meant to block the sale of sensitive mobile phone location data to foreign adversaries contain critical gaps — leaving the White House, CIA headquarters, Congress, the Supreme Court, and nuclear weapons laboratories outside any protected zone. The alarm was raised in a sharply worded letter dated 22 May addressed to Director of National Intelligence Tulsi Gabbard and Acting Attorney General Todd Blanche.
What the Lawmakers Found
The letter, signed by Senator Ron Wyden, Senator Martin Heinrich, and Representative Sara Jacobs, warns that commercially available location data — when processed through artificial intelligence tools — can expose the identities and movements of federal employees in ways that individual datasets alone would not reveal. The lawmakers said the sale of such data to foreign governments 'poses a serious threat to US national security' and 'can reveal sensitive information that can be exploited for espionage purposes.'
Their concern centres on a list of 736 sensitive US government-related locations identified under rules finalised in January 2025, where even data from a single device cannot legally be sold to foreign adversaries. Despite its breadth, the list omits some of the most consequential national security sites in the country.
Which Sites Were Left Unprotected
According to the lawmakers, the protected list excludes the headquarters of the CIA, the National Reconnaissance Office, and the National Geospatial-Intelligence Agency. Continuity-of-government facilities and federal laboratories involved in designing nuclear weapons were also reportedly left off. Notably, the White House, Congress, and the Supreme Court are absent from the restrictions — even as the Vice President's residence at the Naval Observatory and Fort McNair, where several senior administration officials reportedly reside, are covered.
Background: Biden's 2024 Executive Order
The current framework traces back to a 2024 executive order issued by then-President Joe Biden, which directed the Justice Department to regulate the sale of sensitive personal data to countries identified as national security threats — specifically China, Russia, Iran, North Korea, Cuba, and Venezuela. The rules were finalised in January 2025, but the lawmakers argue the resulting list is structurally incomplete and inconsistently applied.
The letter also cited warnings embedded in Biden's executive order that AI systems could combine multiple datasets to identify US officials and government personnel whose connections to federal agencies 'would be otherwise obscured in a single dataset' — a direct reference to the kind of AI-enabled deanonymisation that adversaries such as China and Iran are believed to be pursuing.
What the Lawmakers Are Demanding
Wyden, Heinrich, and Jacobs urged the Justice Department and the Director of National Intelligence to replace the 'incomplete list' with a broad protection zone covering the entire National Capital Region around Washington. They also criticised the department for limiting restrictions to only six countries, arguing that nations with weak privacy laws or those known to conduct surveillance against Americans should be included — since data brokers could otherwise resell location information to hostile governments through intermediaries.
'Given the serious national security threat posed by the ongoing sale of data to foreign adversaries from sensitive US government facilities, we urge DOJ and the DNI to promptly act to address these problems,' the lawmakers wrote.
The Broader Context
Concerns over data brokers and AI-enabled surveillance have grown sharply in Washington amid rising tensions with China and increased scrutiny of foreign cyber and intelligence operations targeting the United States. Lawmakers from both parties have repeatedly flagged that commercially available location data can expose military personnel, intelligence officers, and government officials to tracking, blackmail, and espionage. This latest letter underscores that the regulatory response, while significant, has not yet caught up with the threat landscape.