There are plenty of guides available on how to protect your data, how to secure yourself online, and how to stop digital snoops from tracking you across the web and then profiting from that intrusion. (Sorry, “monetization”.) You should do these things. But if a cascading series of revelations this past week has taught us anything, it's that all of those steps amount to triage. The things you can control add up to very little next to the things you can’t.

It’s an obvious point, especially if you follow the privacy headlines. But a recent example of location-tracking gone wrong—in fairness, it rarely goes right—that unfolded over the last week or so underscores the severity of what you’re up against.

On May 10, a New York Times report detailed a service, called Securus, that allegedly allowed a former sheriff to track people’s location, practically in real time, without a court order. Securus technically requires legal documentation that authorizes use of its services. But US senator Ron Wyden (D–Oregon) says Securus told his office that the company “never checks the legitimacy of those uploaded documents” and that it does not feel obligated to do so. The requirement amounts to a rubber stamp, then, on letting people know where virtually anyone in the US is standing at any given moment.

On the heels of that report, ZDNet detailed how all four major US carriers sell location data to companies you’ve never heard of, without your explicit permission. In this specific case, Securus bought its access from a location aggregator called LocationSmart, which in turn bought it from the telecoms. All of these corporate relationships are arguably legal.

"We don’t really have federal laws that are focused on that backend sale of personal data," says Alan Butler, senior counsel at the Electronic Privacy Information Center. "A lot of this is just the Wild, Wild West, honestly. That’s why the companies do whatever they want."

'If they’re going to have this data and a claim to use it, then they absolutely have a responsibility to make sure it’s locked up tighter than Fort Knox.' Robert Xiao, Carnegie Mellon University

That alone would be cause enough for alarm. There’s no opt-out for any of this location sharing. It happens simply by dint of having a cell phone plan. In a very real sense, you’re powerless to prevent your location being used as chattel. Google knows where you are most of the time too, but at least it lets you turn off location tracking and delete your history. The company also ostensibly uses the information to help Google Maps, search, and other services that benefit consumers to some degree. The only value AT&T and Verizon create by selling location data to brokers lands on their bottom line.

Also, it gets worse.

By Wednesday, hackers breached Securus, passing some of the data on its servers—including usernames, email addresses, and hashed passwords—along to tech site Motherboard. On Thursday, security reporter Brian Krebs revealed that LocationSmart had a security meltdown of its own; while the company says it abides by privacy best practices, including a requirement that someone give consent before being tracked, Carnegie Mellon researcher Robert Xiao discovered that a bug on its website allowed anyone to locate around 200 million people in the US without their knowledge.

“LocationSmart is committed to continuous improvement of its information privacy and security measures and is incorporating what it has learned from this incident into that process,” the company said in a statement Friday. LocationSmart also says that the bug has been fixed, and that it had not been exploited prior to Xiao’s discovery. When asked how it could be sure that Xiao was the first to exploit the bug, LocationSmart told WIRED that it “reviewed its historical logs.”

Xiao urges some skepticism regarding that last claim. “I would be curious to know how they know that,” he says. “The attack flow looks fairly normal. If they looked at their server logs, it would be hard to distinguish what I was doing from normal use.”

Regardless, the absence of exploits wouldn’t excuse the sloppiness that created the bug in the first place. Xiao says it took only about 15 minutes of prodding to discover it, and that it stems from an unused feature that the company apparently never bothered to secure. It’s an unconscionable lapse, especially given the sensitive nature of LocationSmart’s business.