Harsh words from Sen. Wyden apparently compelled rival carriers to act, as AT&T, Sprint, and T-Mobile later pledged to wind down partnerships with third-party data aggregators, too.
Verizon announced today it would scale back a program that can expose cell phone location data of millions of customers without their consent. After some back and forth and a little public shaming courtesy of a US senator, AT&T, Sprint, and T-Mobile pledged to do the same.
The move comes after prison IT firm Securus Technologies was found to be using location data to let police look up cell phone locations without a warrant. Last month, Sen. Ron Wyden of Oregon sent letters to all four major US wireless carriers, demanding answers about why this sensitive data was in the hands of a third party.
In response, Verizon is cracking down on partners that enabled the abuse by ending its data-sharing agreements with two companies, LocationSmart and Zumigo, which specialize in processing location data from US wireless carriers and letting corporate customers access it.
« Our review of our location aggregator program has led to a number of internal questions about how best to protect our customers’ location data, » Verizon told Wyden in a June 15 letter .
According to the letter, Securus was among 75 corporate customers with access to Verizon’s customer data from either LocationSmart or Zumigo. The partnerships can power services like bank fraud prevention, emergency roadside assistance and marketing deals, which depend on knowing a customer’s whereabouts. However, the location sharing was supposed to only take place with a customer’s consent.
This wasn’t happening in the case of Securus, which obtained the data from LocationSmart. After an investigation, Verizon pulled the plug on the prison technology company’s access to its sensitive information.
Last Friday, AT&T and T-Mobile also told Wyden’s office that they cut off location data access to Securus, but refrained from ending their data-sharing agreements with LocationSmart and Zumigo. Sprint’s letter to Wyden didn’t explicitly mention any action against Securus or third-party companies.
« Verizon deserves credit for taking quick action to protect its customers’ privacy and security, » Wyden said in a statement on Tuesday. « In contrast, AT&T, T-Mobile, and Sprint seem content to continue to sell their customers’ private information to these shady middle men, Americans’ privacy be damned. »
The harsh statement appears to have gotten the carriers’ attention. On Tuesday, AT&T and Sprint told PCMag that they too were winding down the partnerships with third-party data aggregator companies.
On Twitter, T-Mobile CEO’s also chimed in, and said the data-sharing was coming to an end. Originally, the company told Wyden it had proper safeguards in place to prevent any abuse. But the carrier has now changed its tune.
Sounds like word hasn’t gotten to you, @ronwyden. I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen. Your consumer advocacy is admirable & we remain committed to consumer privacy. https://t.co/UPx3Xjhwog
Nevertheless, the carriers say ending the data sharing will take time. The goal is to stop it without disrupting the « beneficial » location-based services such as bank fraud prevention and call routing. How this will be done isn’t entirely clear; in the company’s letter to Wyden, Verizon said it’ll create « alternative arrangements » to minimize the privacy risks.
AT&T told PCMag in a statement: « Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance. »
On Tuesday, a LocationSmart spokesman responded to the scrutiny of its business, saying: « There has been a lot of wildly misleading information published about this situation, » and provided a link to an FAQ about the company. However, so far LocationSmart hasn’t responded to questions about why it was allowing Securus Technologies to use its data for warrant-less police searches.
Last month, LocationSmart was also found accidentally exposing the location data online. A company-made demo contained a software bug that let anyone search for real-time cell phone locations from millions of devices.