Data brokers sell the daily coordinates of the White House to Beijing. The federal rule meant to stop this, which took effect in April 2025 after nearly a year of interagency review, bars companies from selling location data gathered at sensitive sites to six named adversarial countries: China, Russia, Iran, North Korea, Cuba, and Venezuela. The list of protected sites is seven hundred and thirty-six coordinates long. It does not include the Executive Residence. It does not include the CIA headquarters in Langley. It does not include the United States Capitol.
It is true, in the narrow sense in which lawyers always are, that the rule represents progress. It is also true that Senator Ron Wyden, Senator Martin Heinrich, and Representative Sara Jacobs—all Democrats—identified genuine and embarrassing gaps in the list, using mapping work the Congressional Research Service performed for Wyden’s office. The trouble is that those gaps are not a bug. They are the shape of the whole regulatory approach, and the approach cannot be fixed by adding coordinates to a list.
The mechanics of the transaction are exactly what you would expect from an industry that has never met a dataset it refused to monetize. Mobile devices broadcast their GPS coordinates to the nearest cell tower, and the carrier logs the handshake. The advertising software development kits embedded in everyday apps collect the same coordinate, bundle it with a device identifier, and send it upstream to a location aggregator. The aggregator cleans the data, anonymizes it enough to bypass casual scrutiny, and sells it in bulk to anyone willing to pay. A foreign intelligence service queries the API, filtering for the bounding box of Langley, Virginia, and receives the daily movements of every person who works at the agency. The ad-tech stack does not distinguish between a retailer looking for foot-traffic patterns and an intelligence service looking for ingress-and-egress schedules. Surveillance is not a separate product; it is an add-on to the advertising API.
The federal rule says the broker cannot sell that file to China. It does not say the broker cannot collect the data. It does not say the app cannot transmit the data. It does not say the user cannot be tracked. It says the transaction at the end of the chain is illegal, provided the broker exceeds a thousand devices. This is a compliance patch on a fundamentally extractive architecture. The entire incentive structure of the data broker is to sell everything to everyone, and the only constraint is the threat of enforcement or a hard threshold—neither of which is architecturally present here.
Cory Doctorow’s enshittification framework applies directly to the data-broker supply chain. The platform becomes good to the user by offering a free service that relies on constant location telemetry. It becomes good to the business customer by offering hyper-targeted advertising based on that telemetry. Then it claws all the value back, degrading the user’s privacy and the advertiser’s targeting efficiency by selling the unrefined behavioral data to secondary markets—including law-enforcement data portals and, as the current rules acknowledge, state intelligence services. Doctorow has been identifying the underlying move for a decade under the frame of the “felony contempt of business model”: the criminalization of the user’s attempt to control their own device, while the platform extracts location data as a public good and resells it to the highest bidder. The federal rule is an attempt to block the final stage of value extraction while leaving the first two fully intact. It assumes the broker will respect the geopolitical boundary. The broker respects the volume of the data. If the broker can sell the movements of nine hundred and ninety-nine phones in the District to an adversarial government just under the threshold, the regulatory architecture produces a perverse incentive to bundle the sales smaller.
The deeper problem is not that the list is incomplete. The deeper problem is that the list exists at all, because it concedes that the commercial surveillance apparatus that produced the data is legitimate and merely needs its worst excesses walled off for a few thousand government employees. The data-broker industry harvests location data from the ad-tracking SDKs embedded in apps, from the cellular carriers that sell real-time position to aggregators, and from the Wi‑Fi beacons that map every shopper’s path through a mall. It collects, retains, and resells the movements of hundreds of millions of people without meaningful consent. The Biden-era rules carve out a narrow set of government buildings from an ocean of surveillance that is otherwise allowed to continue, unchecked, against the entire population. They do not ban the collection. They do not require deletion. They do not apply to any location that is not on the list, and they apply only to sales directed at a handful of adversarial countries. If a data broker in Virginia wants to sell the location history of every congressional staffer to a Canadian marketing firm, the rules are silent.
The United States has not enacted a consumer privacy law since the Video Privacy Protection Act of 1988—a statute written to govern video‑rental stores that no longer exist. The data‑broker industry has built a shadow financial system on the unrestricted sale of personal information in the decades since, and the government’s response has been to geofence a few buildings and declare the job done.
The Democrats’ proposal to create a “protection zone” covering the entire Washington, D.C., metropolitan area is an understandable reflex, but it is also a confession of failure. That does not mean the zone is pointless—a temporary cordon could interrupt the most brazen sales—but it concedes the game. If the only way to protect the nation’s most sensitive personnel from commercial surveillance is to wall off a single metropolitan region, then the regulatory framework has already collapsed. The rest of the country—military installations in Texas, defense contractors in California, field offices of the FBI in every major city, and the homes of every intelligence analyst who commutes from the Virginia suburbs—is left unprotected, because the logic of the protection zone is that protection is an exception granted to a few, not a right belonging to all.
Antitrust enforcement is shifting toward treating the concentration of consumer data as a monopolistic barrier that forecloses competition and harms consumer welfare. The U.S. federal government treats the same data exclusively as a national-security liability. The two frames measure the same architecture from different angles, and they arrive at the same conclusion: a concentrated data market is an unaccountable surveillance market. The same firms that sell targeted advertising to regional retailers sell demographic and movement data to the Department of Justice, and the rule that stops them from selling it to Beijing does not stop them from selling it to anyone else. The data broker is a monopsony holder of behavioral intelligence, and the government is attempting to negotiate with a market structure it has no intention of restructuring.
The solution is not a better list. The solution is to turn off the supply. A federal privacy law with a private right of action—something advocates have been demanding for years—would require data brokers to obtain explicit, opt-in consent before collecting or selling location information, and would give every person the ability to sue when that consent is violated. It would not need to know the GPS coordinates of the White House, because it would not permit the White House’s location to be bought and sold in the first place. Until that law exists, the regulation is a map. The data broker owns the territory. Every geofence the government draws is a line the brokers are already crossing. There is a portal, and it works structurally, and the work is to be done.