It gets worse. Telecoms are not required to keep track of who's requesting your geolocation data, why they're doing it, or what they're using it for. Unlike with wiretaps or orders that allow telecoms to share data about who you talked to (but not what you said), there are no laws requiring federal agencies to disclose this information.
Compared to a couple of thousand legal wiretaps that are approved each year by the courts, the number of requests for telecom data is in the tens of thousands -- and possibly much more, says Soghoian.
And it's not just telecoms. ISPs like Comcast and Cox and your favorite search engines and social networks receive thousands of requests for data from law enforcement -- also without the public's knowledge. Per Soghoian:
The reporting requirements for intercepts and pen registers only apply to the surveillance of live communications. However, communications or customer records that are in storage by third parties, such as email messages, photos or other files maintained in the cloud by services like Google, Microsoft, Yahoo Facebook and MySpace are routinely disclosed to law enforcement, and there is no legal requirement that statistics on these kinds of requests be compiled or published.
Ask Google, Yahoo, or Microsoft how many times the feds or the flatfoots come round asking for the goods, and they refuse to comment. AOL and Facebook are more forthcoming, though -- they get 1,000 requests (AOL) and 300 to 600 (Facebook) a month.
You don't have to be paranoid or a criminal to imagine the various ways this information can be abused. Telecoms could make huge profits by selling your location data to marketers. Divorce attorneys, insurance companies, and employers all would love to get their hands on information about where you've been. The only thing keeping this stuff from being shared or sold are the ever-mutable privacy policies of the companies that collect this data.
For the past five years I've asked companies that collect location-based data what protections I have against my data being shared with third parties. The answer I have always gotten: Companies that store this data must comply with legal orders (so if the cops want this info, they can have it); there are no laws that give me control over my location data or even let me find out who else has it; and private companies are free to abuse this data but would be fools to do so because they'd lose their customers' trust.
Personally, I don't buy that last argument. Yes, they'd be fools. But some would do it anyway and make as much money as they could until the FTC eventually got around to suing them, probably five years after the fact. That's no protection at all.
Sign up for CIO Asia eNewsletters.