Verizon says it will stop selling customers’ phone location information to companies that have exposed such data and ultimately passed it on to low-level law enforcement. Verizon’s data was included in products which allowed jail wardens and other officials to geolocate nearly any phone in the United States with minimal legal oversight.
The news signals what may be something of a shift in the telco industry, with a tightening of data that has been traded and exploited largely without customers’ direct knowledge.
“We are initiating a process to terminate our existing agreements for the location aggregator program,” a letter, dated June 15 and released by Senator Ron Wyden’s office on June 19, reads.
In May, Wyden and The New York Times exposed the practice of telcos selling customers’ location data. Specifically, they focused on Securus, a firm allowing prison staff to check where an inmate was calling to. But that system was open to abuse: one case documented by The New York Times showed a former sheriff in Mississippi County, Missouri, had used the service to monitor judges and other law enforcement officials. The system did not necessarily require a court order; only some form of document showing that users believed they had legal authority to monitor the device.
And as Motherboard reported, a hacker obtained user information from Securus’s own servers, further highlighting the carelessness of companies entrusted with such sensitive data.
“In the case of Securus Technologies, as soon as we determined that Securus was accessing location information for unauthorized purposes, we immediately blocked Securus’s access to customer location information through our vendor LocationSmart,” the letter from Verizon reads.
LocationSmart is the company that provided geolocation data to Securus. Shortly after the Times piece, security journalist Brian Krebs as well as ZDNet reported that LocationSmart’s website had a serious vulnerability, where anyone could look up the real-time location of nearly any phone in the United States, for free, without any authorization.
“Use of location information for investigative purposes was not an approved use case in our agreement with LocationSmart,” Verizon’s letter adds. Verizon said it was also ending arrangements with another location buyer called Zumigo.
Verizon’s letter to Wyden also spells out some other use cases of phone data, including financial institutions looking up a customer’s location when they apply for a new credit card to help confirm their identity, and vehicle rental companies doing it to “provide better assistance to customers who experience problems on the road.”
Verizon spokesperson Rich Young told Motherboard in a statement that “when these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company. We stand-by [sic] that commitment to our customers.”
Responses from AT&T, Sprint, and T-Mobile that Wyden’s office also published indicate that those telcos have not yet ended their business relationships with LocationSmart.
Wyden said in a statement that Verizon “deserves credit for taking quick action to protect its customers’ privacy and security.”
“After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off,” Wyden said. “In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”
UPDATE: After Verizon's announcement, AT&T also pledged to stop selling customers' information.
A Securus spokesperson sent the following statement:
"Securus Technologies takes privacy and security extremely seriously and we are supportive of efforts to ensure individual data is protected. Under our contract with a third party that accesses location data from LocationSmart, Securus is authorized to provide law enforcement and correctional officials the approximate location of a mobile telephone, based on either consent by the called party or lawful process such as a search warrant or affidavit. Securus adheres to the terms of our contract and requires customers to acquire all legal approvals needed to access an individual’s location. This information has been successfully used to locate missing children and adults suffering from dementia, as well preventing a planned escape attempt before it could be carried out. We believe that ending the ability of law enforcement to use these critical tools will hurt public safety and put Americans at risk."