The Data Broker Loophole Is Bigger Than Washington Wants to Admit

Three Democratic lawmakers warned Thursday that federal rules meant to stop foreign adversaries from buying sensitive location data have major gaps, including the omission of the White House, Congress and CIA headquarters from a list of protected sites. The AP reported that the Biden-era rules, in effect since April 2025, restrict certain data sales to China, Russia, Iran, North Korea, Cuba and Venezuela and bar the sale of even single-device location data tied to designated sensitive sites. Sens. Ron Wyden and Martin Heinrich and Rep. Sara Jacobs urged the Trump administration to create a broader protection zone around Washington, D.C., rather than rely on a building-by-building list. Their warning highlights how data brokers, advertising markets and government surveillance incentives have blurred together: commercially available phone-location data can expose personnel patterns, sensitive facilities and operational habits without a traditional warrant or spy operation.

The data broker story is usually sold as a privacy story. That is too small. It is a sovereignty story. It is about whether a country can defend its own institutions after it allowed a market to grow around tracking everyone inside them.

The federal government spent almost a year writing rules to stop adversarial governments from buying commercial data tied to sensitive sites. Then lawmakers looked at the protected list and found obvious omissions: the White House, Congress, CIA headquarters and other core facilities were not included. That is not a minor clerical problem. It is a sign of a deeper failure. The system is trying to regulate one leak at a time after building an economy where the leak is the business model.

If a foreign intelligence service can buy location data, it does not need to recruit a source to learn patterns. It can map commutes, routines, meetings, relationships and habits. It can infer who works where, who visits whom, when a building gets unusual traffic, and which personnel may be vulnerable. The AP report notes that even fitness-app and consumer-location data can reveal sensitive activity. That is what happens when the surveillance layer becomes commercial first and national-security sensitive second.

Washington likes to present this as a problem of bad foreign actors. China, Russia, Iran and the rest are the named threat. They are real threats. But the uncomfortable truth is that the data exists because American institutions tolerated and benefited from the market that produces it. Advertising, app analytics, brokers, contractors and public agencies all found uses for this machinery. Now officials are shocked that adversaries might buy what domestic actors have been buying, selling and laundering for years.

That is the part citizens should pay attention to. The same location trail that can expose a CIA employee can expose a union organizer, a protester, a journalist, a patient visiting a clinic, or a whistleblower meeting a source. Once the market exists, protection becomes political. Some buildings get a special zone. Some people get carveouts. Everyone else is told to read the terms of service.

The proposed fix — protect the whole Washington region rather than a list of individual sites — is reasonable as far as it goes. But it also reveals the class structure of privacy. When the risk lands on national-security elites, the government suddenly understands that granular location data is dangerous. When the risk lands on ordinary people, the same data is often treated as innovation, personalization or law-enforcement efficiency.

A serious country would stop pretending that commercial surveillance is harmless until a foreign government buys it. It would ask why such precise tracking can be packaged and sold in the first place. It would separate genuine security needs from a private market that monetizes behavioral exhaust and then acts surprised when hostile actors shop there.

The loophole is not just that a few buildings were left off a list. The loophole is the belief that a free society can outsource the tracking of its population to data brokers and then patch the national-security consequences afterward. That is not sovereignty. That is dependency with better branding.
