In a small victory for your privacy, the nation’s four largest telecom companies announced Tuesday that they will stop providing customer location information to companies that aggregate data on their customers.
The move comes just over a month after Sen. Ron Wyden of Oregon raised the issue in a letter to Federal Communications Commission chairman Ajit Pai.
Wyden’s May 8 letter also called on wireless carriers to investigate the issue after his own investigation revealed questionable data handling practices by a company called Securus Technologies. The Texas-based company helps prisons monitor inmate phone calls, and Wyden said the company’s technology allowed it to easily track any cell phone. A web portal allowed correctional officers to enter any US phone number and obtain real-time location data on consumers.
In a letter that Wyden released Tuesday, Verizon (VZ) said it found that Securus did “misuse” data gleaned from LocationSmart, one of two data aggregators with which it worked. Verizon said it will terminate its agreements with the two firms, LocationSmart and Zumigo, “as soon as possible.”
Verizon’s decision to choke off data aggregators was applauded by Wyden, who issued a statement: “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off.”
LocationSmart pushed back against Wyden’s characterization, insisting in a statement that it “does not buy or sell location information, nor does it permit the sharing of location information about any mobile device without a user’s consent. LocationSmart provides data only at the instant it is requested by a service like roadside assistance and user consent has been obtained. The company does not warehouse or track a mobile user’s historic identity and location information.”
The company said it disabled Securus’ access to location data in the wake of Wyden’s report, and that “use of location information for investigative purposes was not an approved use case in our agreement with LocationSmart.”
Aggregators typically work with third-party companies on things like verifying a user’s identity or directing roadside assistance providers. But Karen Zacharia, Verizon’s chief privacy officer, said in the letter that Securus “impermissibly permitted law enforcement agencies to request location information” for investigative purposes.
Within hours of Verizon’s announcement, AT&T (T), Sprint (S) and T-Mobile (TMUS) made similar promises to safeguard customers’ location data. In a tweet, T-Mobile CEO John Legere told Wyden he “personally evaluated” the issue, pledging not to sell customer location to “shady middlemen.” Sprint said that it is “beginning the process of terminating its current contracts with data aggregators to whom we provide location data,” noting that it suspended data sharing with LocationSmart at the end of May.
“We are taking this further step to ensure that any instances of unauthorized location data sharing for purposes not approved by Sprint can be identified and prevented if location data is shared inappropriately by a participating company,” a Sprint spokesperson said.
In a statement to CNNMoney, an AT&T spokesperson said, “Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.” CNN is a unit of AT&T.
Privacy advocates called the carriers’ decision a small victory, but called for further safeguards on consumer data.
“It’s positive that the carriers have taken steps to halt the sharing of customers’ location information with third party data brokers. But, the Securus revelations shined a powerful light on a major privacy gap that must still be addressed,” Neema Singh Guliani, legislative counsel with the American Civil Liberties Union Washington Legislative Office, said in a statement to CNNMoney.
“The government and companies need to investigate the systemic failures that led to the improper access, provide customers with information regarding how and to whom their information has been shared, and ensure that customer data is not improperly shared with other entities.”