The Biden administration has taken significant steps to bolster U.S. national security by crafting regulations aimed at preventing adversaries from acquiring sensitive commercial data collected from cell phones. After almost a year of deliberation, the resulting rules are designed to restrict data sales to certain foreign governments, but notable gaps in coverage have raised concerns among members of Congress.
The newly established regulations, which are set to take effect in April 2025, specifically target data sales to countries identified as threats to national security, including China, Russia, Iran, North Korea, Cuba, and Venezuela. This ban encompasses the location data of over 1,000 American devices, aiming to prevent potentially harmful foreign surveillance. However, a warning from three congressional Democrats revealed that prominent U.S. locations, such as the White House, Congress, and the CIA headquarters, were not included in the designated list of sensitive sites, which consists of only 736 locations.
Senators Ron Wyden of Oregon and Martin Heinrich of New Mexico, along with Representative Sara Jacobs of California, expressed their concerns in a letter, emphasizing the risks associated with the sale of Americans' location data by brokers. They highlighted that the sale of such data to foreign governments poses a serious risk of espionage, as it could reveal sensitive information about U.S. government employees and their activities. The lawmakers have called for the inclusion of the entire Washington, D.C. area as a “protection zone,” instead of singling out specific buildings, and urged for a broader list of countries to be restricted from acquiring American data.
The Justice Department did not provide comments, and the Office of the Director of National Intelligence also did not respond to outreach regarding this issue. The scrutiny over these regulations signifies the increasing awareness of the potential threats that commercial data poses, particularly in the hands of foreign governments.
Data brokers, who have historically sold location information to better target advertising and analyze consumer habits, have become focal points for concerns over privacy and security. Governments have increasingly leveraged these datasets to enforce laws and gather intelligence. Foreign spy agencies can utilize such information to track patterns and activities of U.S. government personnel, thus highlighting the necessity for stringent regulations.
Alarmingly, commercially available data has the potential to expose sensitive U.S. facilities. Events like fitness apps inadvertently revealing military locations underline the dangers posed by unregulated data access. For instance, a recent incident involving a French aircraft carrier highlighted how a crew member’s logged running route could potentially disclose operational specifics.
The regulatory measures were strategically structured to mitigate the risk of foreign governments bypassing restrictions through small data purchases by explicitly prohibiting the sale of information tied to certain government sites. However, criticism arises from the fact that these regulations solely rely on GPS coordinates to identify the included locations, which resulted in several significant government buildings being overlooked. This oversight raises questions about the efficacy of the regulations in ensuring comprehensive national security.
Wyden's team, with assistance from the Congressional Research Service, analyzed the GPS designations to clarify which U.S. government facilities were omitted from the protective measures. The implications of these gaps have triggered urgent calls for policy revisions to enhance security protocols and limit data accessibility to unauthorized entities, reinforcing the narrative of safeguarding U.S. interests in an increasingly data-driven world.
