Verizon is scaling back a program that can expose cell phone location data of millions of customers without their consent; AT&T has pledged to do the same.
The move comes after prison IT firm Securus Technologies was found to be using the data to let police look up cell phone locations without a warrant. Last month, Sen. Ron Wyden of Oregon sent letters to all four major US wireless carriers, demanding answers about why the sensitive data was in the hands of a third party.
In response, Verizon is cracking down on partners that enabled the abuse by ending its data-sharing agreements with two companies, LocationSmart and Zumigo, which specialize in processing location data from US wireless carriers and letting corporate customers access it.
"Our review of our location aggregator program has led to a number of internal questions about how best to protect our customers' location data," Verizon told Wyden in a June 15 letter.
According to the letter, Securus was among 75 corporate customers with access to Verizon's customer data from either LocationSmart or Zumigo. The partnerships can power services like bank fraud prevention, emergency roadside assistance and marketing deals, which depend on knowing a customer's whereabouts. However, the location sharing was supposed to only take place with a customer's consent.
This wasn't happening in the case of Securus, which obtained the data from LocationSmart. After an investigation, Verizon pulled the plug on the prison technology company's access to its sensitive information.
Last Friday, AT&T and T-Mobile also told Wyden's office that they cut off location data access to Securus, but refrained from ending their data-sharing agreements with LocationSmart and Zumigo. Sprint's letter to Wyden doesn't explicitly mention any action against Securus or third-party companies.
"Verizon deserves credit for taking quick action to protect its customers' privacy and security," Wyden said in a statement on Tuesday. "In contrast, AT&T, T-Mobile, and Sprint seem content to continue to sell their customers' private information to these shady middle men, Americans' privacy be damned."
The harsh statement appears to have gotten AT&T's attention. On Tuesday, the carrier told PCMag it was winding down its partnerships with third-party data aggregator companies. However, AT&T and Verizon say the process will take time. Both carriers still want to power "beneficial" location-based services such as bank fraud prevention and call routing.
"Our top priority is to protect our customers' information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance," AT&T told PCMag in a statement.
T-Mobile, on the other hand, told Wyden that it has proper safeguards in place to prevent abuse. "To the extent that a company deviates from protocol, T-Mobile will take action, as it did with Securus," the carrier said in its letter to Wyden.
Sprint told PCMag the company is still investigating the matter, but suspended all services with LocationSmart on May 25.
On Tuesday, a LocationSmart spokesman responded to the scrutiny of its business, saying: "There has been a lot of wildly misleading information published about this situation," and provided a link to an FAQ about the company. However, so far LocationSmart hasn't responded to questions about why it was allowing Securus Technologies to use its data for warrant-less police searches.
Last month, LocationSmart was also found accidentally exposing the location data online. A company-made demo contained a software bug that let anyone search for real-time cell phone locations from millions of devices.