Lawmakers warn data protection rules don’t protect key sites, including White House and CIA

WASHINGTON (AP) — The Biden administration spent almost a year crafting regulations to block U.S. adversaries from buying commercial data gathered from cell phones at the federal government’s most sensitive locations.

The resulting rules, however, have a few gaps. Left off the list of 736 sensitive locations were the White House, Congress and the CIA’s headquarters, among others, according to a warning issued Thursday by three congressional Democrats.

“The sale of Americans’ location data by data brokers poses a serious threat to U.S. national security, particularly when data about U.S. government employees is sold to foreign governments,” the lawmakers wrote in a letter to Trump administration officials. “Such data can reveal sensitive information that can be exploited for espionage purposes.”

The letter, which was signed by Sens. Ron Wyden of Oregon and Martin Heinrich of New Mexico, and Rep. Sara Jacobs of California, urged the Trump administration to address the oversights and create a “protection zone” that encompasses the entire Washington, D.C. region rather than choosing individual buildings. They also urged the Department to expand the list of countries of concern that were barred from acquiring data on Americans.

A spokesman for the Justice Department declined to comment. The office of the Director of National Intelligence did not respond to a request for comment.

Data brokers have long sold such information to help companies better target advertising, analyze consumer habits and assess investment opportunities. Governments have increasingly turned to these datasets to enforce laws and gather intelligence. Foreign spy agencies, for example, can use such data to map the patterns and activities of U.S. government personnel.

Such commercially available data has been used to identify sensitive U.S. facilities. In other instances, fitness apps have caused problems during military operations or at sensitive facilities, most recently when a French aircraft carrier deployed in the Mediterranean reportedly gave away its location when a crew member logged a running route on the ship’s deck.

The rules, which went into effect in April 2025, seek to curb the sale of such data to China, Russia, Iran, North Korea, Cuba and Venezuela. They broadly ban selling the location data on more than 1,000 American devices to those countries. But concerned that foreign governments might circumvent those restrictions by buying up small data sets, the rules singled out certain designated sites linked to the U.S. government where even the sale of information about a single device was forbidden.

The rule only identified those locations by GPS coordinates. Wyden’s staff, assisted by the Congressional Research Service, analyzed the GPS coordinates to identify which U.S. government facilities or places were included and which ones had been left out, according to a spokesman for the senator.