WASHINGTON — Federal officials developed new regulations over nearly 12 months designed to prevent foreign enemies from purchasing commercial location information collected from mobile devices near the government’s most critical facilities.
But the final regulations contain significant omissions, according to a Thursday alert from three congressional Democrats. Notable facilities missing from the 736 protected locations include the White House, Congress, and CIA headquarters.
“The sale of Americans’ location data by data brokers poses a serious threat to U.S. national security, particularly when data about U.S. government employees is sold to foreign governments,” the lawmakers wrote in a letter to Trump administration officials. “Such data can reveal sensitive information that can be exploited for espionage purposes.”
The correspondence, bearing signatures from Sens. Ron Wyden of Oregon and Martin Heinrich of New Mexico, along with Rep. Sara Jacobs of California, called on the Trump administration to fix these omissions and establish a comprehensive “protection zone” covering the entire Washington, D.C. area instead of selecting specific buildings. The lawmakers also pushed for expanding the roster of restricted countries prohibited from obtaining Americans’ data.
Justice Department representatives declined to provide comment. Officials from the Director of National Intelligence’s office did not return requests for comment.
Commercial data brokers have historically sold this type of information to assist businesses with targeted marketing, consumer behavior analysis, and investment research. Government agencies have increasingly relied on these information sources for law enforcement and intelligence gathering. Foreign intelligence services can utilize such data to track movement patterns and activities of U.S. government workers.
This type of commercially accessible information has previously been employed to locate sensitive U.S. installations. Fitness tracking applications have also created security issues during military missions or at classified locations, including a recent incident when a French aircraft carrier operating in the Mediterranean allegedly revealed its position after a crew member recorded a jogging route on the vessel’s deck.
The regulations, effective April 2025, aim to restrict data sales to China, Russia, Iran, North Korea, Cuba and Venezuela. They generally prohibit selling location information from more than 1,000 American devices to these nations. However, recognizing that foreign governments could potentially bypass these limitations by purchasing smaller datasets, the rules specifically designated certain government-linked sites where even single-device data sales are prohibited.
The regulation identified these locations only through GPS coordinates. Staff members working for Wyden, with assistance from the Congressional Research Service, examined the GPS coordinates to determine which U.S. government facilities were covered and which were overlooked, according to a representative for the senator.
