Pervasive government surveillance might be virtually expected by this point, but in theory, there’s a robust legal system to deal with cops surveilling citizens. Law enforcement agencies are supposed to get a warrant and serve that to cellphone companies, who then provide the data.

But according to a New York Times report, a company that primarily deals with prison phone systems has leveraged a data-sharing service offered by phone carriers to allow cops to track any cellphone number, with no legal checks in place to stop it being abused.

According to the report, a former sheriff of Mississippi County, Missouri, used a service called Securus to surveil targets’ cell phones, including a judge and other police officers. Securus used a data system that cell phone companies typically offer to marketers who want to micro-target consumers based on data, including their location. But in this case, Securus tapped into the system and offers its subscribers virtually uncontrolled access to nationwide location tracking.

The NYT claims that Securus, primarily known for its prison phone services, offers location tracking to its law enforcement and prison clients as an additional service. The company cited examples like helping a drug rehab center find a patient who left as a reason for having the system. However, it doesn’t vet requests to ensure that a warrant or other legal instrument has been issued for the tracking; instead, it makes the user tick a box saying that their tracking is all above-board.

“Securus is neither a judge nor a district attorney, and the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel,” a Securus spokesman said in a statement to the NYT. “Securus offers services only to law enforcement and corrections facilities, and not all officials at a given location have access to the system,” the spokesman told the newspaper. Senator Ron Wyden has already sent letters to the FCC and telecoms companies requesting details about the program, according to Motherboard. “I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government,” the letter to AT&T reads.