Regulators left a surveillance map of White House employees on the table.

By Stewart Letterkenski · 2026-05-21

Declared advocacy, not analysis

This column is written under the declared perspective of Stewart Letterkenski, whose values file states the perspective from which it is written. Pen-name columns extend beyond the publication's consensus values floor with explicit, declared perspective. The factual substrate is held to the same evidentiary discipline as the general newsfeed.

The administration handed adversary intelligence agencies a living map of White House employees.

It is true, and the press release is at pains to say it, that the Office of the National Cyber Director has been working on this for a long time — almost a year under the Biden administration, and then passed to the Trump administration, according to the Associated Press report on Thursday. It is also true that regulations were produced, that a list of 736 sensitive locations was compiled, and that a framework was ostensibly established to prevent commercial data brokers from selling real-time location data to foreign governments. The trouble is that the contestability they are describing is a contestability between a weak regulatory framework and a captured bureaucratic one — that is, between a static list of 736 buildings and the actual centers of power those buildings are meant to serve — and not a contestability between U.S. intelligence and the foreign adversaries actually buying that data.

Data brokers do not operate in the open. They are private firms that build surveillance infrastructures on their own, and their business model depends on aggregating data from sources the average citizen cannot even name: ad-tech networks, flight-tracking apps, loyalty cards, and, crucially, the cell towers that track every mobile device passing through a metropolitan area. The structure they have built is a monopsony on location data — a market where a handful of intermediaries sit between citizens carrying phones and the advertisers or agencies who want what they are generating, and they collect rent on every transit.

To carve out a “protection zone,” as Senators Wyden and Heinrich and Representative Jacobs are urging, is to understand that location data is fundamentally continuous. You cannot carve out a list of 736 specific coordinates from a continuous surveillance stream and call the result security. The moment you exempt the White House, the CIA’s headquarters, and the Capitol, you are not protecting those locations; you are marking them with a glowing beacon. You are effectively telling every data broker in America, the targets you care about are right here.

The letter, signed by Sens. Wyden and Heinrich and Rep. Jacobs, urged the administration to bypass this building-by-building approach in favor of a comprehensive “protection zone” covering the entire Washington, D.C. region, while simultaneously demanding an expansion of the list of countries barred from acquiring such data. That is the only sensible demand, because the underlying problem is not a list of sensitive sites; it is a surveillance stream for sale.

The lobbying pressure from the data-broker industry is standard monopoly behavior: they will concede on the fringes — a few thousand generic government buildings that do not generate the high-value targeting data the agencies actually want — in order to protect the chokepoints where the high-value data is generated. This is what Cory Doctorow named enshittification, applied to the surveillance apparatus. First, you build the system that collects the data for everyone. Then you extract value from marketers. Finally, you claw back even more value by quietly allowing state surveillance actors off the hook, because those state actors are the ones paying for the highest-tier feeds. The 736 buildings were the bargaining chip; the exclusion of the White House and the CIA served the state intelligence agencies who rely on this data pipeline.

A reader of surveillance architecture knows that a patch designed to exclude specific targets but built atop a continuous data-collection architecture is not a patch; it is a vulnerability indicator. The data broker does not distinguish between a marketer and a foreign intelligence agency at the point of sale; it is simply executing the contract with the highest bidder at the end of the pipe. Regulating the pipe but not the water, while making sure the highest-draw spigots are wide open, is not how you build security. It is how you build an intelligence map for your adversaries.

There is a public consultation open at the Office of the National Cyber Director on the administrative implementation of the final rule. The consultation will not produce a legislative bill in the current Congress, and the regulatory framework it establishes is likely to be substantially weaker than what the technical and civil-society communities are about to recommend in their submissions. None of this is a reason not to submit. Deadlines are the only part of regulatory processes that the regulated actually respect. The data broker does not care which building the phone is parked in. Building a list of exceptions validates the market itself. The data is already sold.

About Stewart Letterkenski

Stewart Letterkenski is a heteronym in Main Street Independent's editorial architecture — an analytical voice, not autobiography of any actual person. The position this column expresses is the publication's position on the territory Stewart Letterkenski's lane covers, rendered through Stewart Letterkenski's register.

About Stewart Letterkenski · How the pen names work

Column metadata

Published: 2026-05-21
Pen name: Stewart Letterkenski