>Why do they have geolocation data in first place? For what and how do they use it?
Having set up a Coinbase account (although I haven't actually used it...yet), they required me to provide documentation about who I am, where I live and prove it with a government issued ID (in my case, a driver's license). As such, any transactions I process through my Coinbase account can be tied (and presumably information about them provided to law "enforcement") are tied to the identity details I provided when creating such an account.
I always use TOR when connecting to Coinbase, so their IP logs don't have any Geo-location information about me.
That said, once I actually purchase some crypto and use it to purchase stuff (cannabis) that's actually legal in my state, but transportation across state lines is illegal.
As such, if the recipient of crypto (even if -- and I will -- I move Coinbase purchased crypto to my own private wallet) is investigated/arrested and the wallet used to accept my crypto, the purchase side of that transaction can absolutely be traced back to me, from the "drug dealer's" wallet, to my private wallet and back to Coinbase.
Presumably that can be foiled through "mixers," but I'm not sure if that could obfuscate a single transaction as I describe -- perhaps someone more knowledgeable could comment on that.
That's (IIUC) how the blockchain is supposed to work -- all transactions are public. Assuming that some government entity wanted to prosecute the customers of the above hypothetical "drug dealer," obtaining court orders for Coinbase crypto accounts wouldn't be hard at all -- as the argument would be that there were illegal transactions and we need to identity of those involved in such a transaction.
IIRC, there was an article[0] (this isn't the one I read, but has the relevant info) a while back about HSI finding purveyors of CSAM[1], and those who paid them with crypto were traced through the public blockchain -- and arrested/charged.
Presumably, there are limits to how much manpower would be applied to a few packages of "Dope Rope"[2] or an ounce of "OG Kush"[3], but if you purchase crypto from a legal entity, they can (and under the right circumstances, will) be compelled to provide information about you when presented with a warrant/court order.
The upshot is that unless there's some way to obfuscate blockchain transactions (Mixers? See above), there's nothing to stop government entities from forcing legal exchanges from giving up their customers' PII, which they already have -- no special tools required.
