Data Brokers and Threats to Government Employees

On Sept. 23, Politico reported on a newly published paper in which researchers bought geolocation data on officials at the U.S. Securities and Exchange Commission (SEC) and tracked them as they traveled to and from SEC buildings and to the offices of companies under investigation. It was a shocking demonstration of what happens when companies can freely harvest Americans’ geolocation data and sell it for their chosen price.

The incident speaks to a larger problem stemming from the unregulated data broker industry: threats to government employees. It holds lessons not just for Congress and for state legislators working on the problem, but also for the federal agencies and constituent workforces impacted by the data broker industry and its collection, aggregation, packaging, inference, and sale of data. In short, politicians should understand how they, their staff, and public servants are threatened by the sale of personal data—and constituent groups should realize that talk of data broker “controls” or “best practices” is designed by companies to distract from the underlying problems and the comprehensive privacy and security solutions.

Geolocation data is particularly dangerous because it allows the holder to find out where a person is physically located, enables the holder to derive or infer additional sensitive information, and is virtually impossible to “anonymize” or “deidentify” at the device level while preserving any degree of analytical utility (also known as, what companies want). For example, data brokers and geolocation data purchasers can use individuals’ geolocation data to infer their religion based on visits to churches, mosques, or synagogues; their sexual orientation based on visit to gay bars or event venues; their health conditions based on visits to drug addiction treatment centers, specialty cancer or HIV clinics, or reproductive health facilities; and even information about children, finances, immigration status, and military service. The recent paper covered in Politico highlights another risk area: tracking of government employees and inference of additional, sensitive information about them and their employers, including information about confidential agency activities.

Most imminently, data brokerage threatens federal employees’ physical safety and security. These risks originate from all kinds of data sale activities, from the digitization, aggregation, and sale of public records to the nonpublic sourcing and sale of phone geolocation pings.

The collection and sale of this data has real and, in some cases, deadly implications. In 2020, for example, a misogynistic lawyer and self-described “men’s rights” activist acquired information online about New Jersey federal Judge Esther Salas, went to her home, and, in a horrific act of violence, shot her husband and killed her 20-year-old son Daniel. In another context, the New York Times used geolocation datasets it acquired to track law enforcement officers as they bring their kids to school, demonstrating the risks of having this data, while criminals have already reportedly purchased data on police officers from data broker websites and used it to send them death threats. What’s more, individuals are increasingly targeting and doxing—leaking personal information for purposes of harassment, intimidation, and even violence—election workers around the country in the lead-up to the November presidential election. The same goes for domestic violent extremists increasingly doxing other prominent, publicly known individuals.

This data is easy to acquire through people search data brokers that sell people’s home address and other information online for as little as $5 or $10 (if that). And even data brokers that do not sell this information themselves often support lobbying to keep the digitization, aggregation, linkage, and sale of public records legal, thus enabling the practice to continue. All of this and more puts federal, state, and local government employees, their workspaces, and their families at physical risk.

The threat space extends far beyond this (noncomprehensive) list of examples and the recently published study focused on the SEC. Brokered geolocation data is widely available on the entire U.S. population as well as buildings and sites ranging from retail establishments to football stadiums, health clinics, religious centers, police stations, military bases, and other government facilities. For example, geolocation data broker X-Mode, according to the U.S. Federal Trade Commission’s (FTC’s) 2024 order, collected 10 billion location data points from around the world every day, including tracking millions of people in the United States. The breadth and depth of this data collection and sale means it necessarily encompasses employees at other regulators such as the FTC, the California Privacy Protection Agency, the Texas Office of the Attorney General, and the New York Department of Financial Services; people working at other agencies such as the U.S. departments of Justice, Commerce, and Treasury and a variety of state and local entities; and individuals serving in the U.S. military and the U.S. intelligence community.

It would be trivial for malicious actors, whether foreign or domestic, to acquire geolocation data to track government employees at any of these organizations—to hunt people down and harm them, discover information about confidential or even classified government activities, and otherwise interfere with agency missions. For example, a 2022 report for the Office of the Director of National Intelligence declassified in 2023 called attention to the fact that commercial data can pose counterintelligence risks. Further, industry reports have examined the ways in which the Chinese military and defense base are leveraging open-source information collection on the United States and other countries for their own security purposes, making it even more likely Beijing regularly exploits commercial data in the same vein. These are both privacy harms and U.S. national security threats.

For any politician, policymaker, or public servant worried about this problem, it may be tempting to suggest solutions that focus on protecting federal, state, or local government employees or buildings. And for individual executive agencies themselves, it is important to do what they can—whether setting up a program in response to Executive Order 14117 to attempt to curtail foreign adversaries’ purchase of certain personal data on U.S. persons, or developing agency employee security protocols for specific groups of individuals to attempt to minimize their risk. But building narrow(er) lists of people or buildings on which data sales are “off limits” not only ignores the way this impacts all Americans, it also doesn’t solve the problems at hand. Even if, say, public records sales on certain politicians were limited, malicious individuals could still purchase information on those politicians’ staff, their families, or their close acquaintances to discern where they live, pick their kids up from school, or eat or drink after work. Even if companies were prohibited from collecting and selling geolocation data on U.S. government buildings, the prohibition would fail to cover everywhere else those people go, everyone else they meet with, and everything else they do. Malicious actors might be even more interested in travel beyond government buildings, whether a federal or state regulator investigating a company, a national security official traveling to a sensitive meeting, or any government employee engaged in private activity such as religious worship or medical treatment.

The true solutions here are legislative, which is why states around the country should look to implement their own comprehensive regulations on data brokerage that restrict many forms of collection and sale in the first place (including weighing bans on device geolocation data sale completely). Policymakers and pundits should also be aware of how data brokers are attempting to frame these problems in light of heightened, bipartisan concerns about the risks. Many data brokers—particularly some of the largest data brokers in the country—are pushing to shape the public data broker conversation toward “controls,” “best practices,” and what is “reasonable” for data brokers to do to protect data they are collecting and selling. But these tactics deliberately shift the focus of this conversation away from the highly invasive collection and sale of this data in the first place, presuppose that the initial collection is not itself problematic, and avoid the fact that data brokers are to this day lobbying to keep all this conduct legal. (Just look at the intense fight over the DELETE Act in California, where brokers fought to block consumers from having any rights whatsoever to be able to request that a limited group of third-party data brokers delete a limited set of their personal data and stop selling it without their consent.)

This data broker industry line portrays the industry as riddled with good actors and plagued by bad press associated with the activities of a few “bad actors,” which are supposedly the only ones that should be regulated. It avoids these deeper conversations about harm and the fact that the only way to, for instance, protect government employees as well as people targeted by stalkers and abusers, children and teenagers, elderly Americans, and veterans and military service members is through comprehensive legislation and regulation. If the recent story about individuals tracking SEC officials is any indication, inaction will only permit surveillance of and threats to government workers and the country to persist.

– Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council. Published courtesy of Lawfare.