Verizon, Other Carriers, Pledge to End Sale of Location Data

After revelations that several wireless carriers have been selling customer location information to third-party aggregators, leading to public outrage and rebukes from lawmakers, Verizon, T-Mobile, and AT&T all say they will stop that practice in the near future.

But don’t take those announcements to mean that the carriers won’t be collecting location information anymore; they certainly will be. These decisions only affect the carriers’ relationships with a couple of location data aggregators, LocationSmart and Zumigo, which provide information to a company called Securus, which in turn provides data to law enforcement agencies for use in a prison phone system program. However, some law enforcement agencies were using the process established with Securus to get location information for investigations, as well, apparently without the knowledge of the wireless carriers.

News reports about this program earlier this year prompted an investigation by Sen. Ron Wyden (D-Ore.), who requested information from Verizon, AT&T, Sprint, and T-Mobile about what kind of location data they sell to third parties and who those buyers are. In its response to Wyden, released this week, Verizon said that it would be ending its relationships with LocationSmart and Zumigo as soon as possible. Verizon said it did a review of the program it has with the aggregators to see why the unauthorized use of location data wasn’t identified during regular audits, and found that there were no clear red flags.

Still, Verizon said that program will now end.

“We have decided to end our current location aggregation agreements with LocationSmart and Zumigo. Verizon has notified these location aggregators that it intends to terminate their ability to access and use our customers’ location data as soon as possible,” Verizon Chief Privacy Officer Karen Zacharia wrote in the letter to Wyden.

“In the interim, Verizon will not authorize any new uses of location information by either LocationSmart or Zumigo or the sharing of location information with any new customers of these existing aggregators.”

Soon after Wyden released the Verizon letter, AT&T officials announced the company would end its data aggregation sales program, and T-Mobile did likewise.

“I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen,” T-Mobile CEO John Legere said on Twitter.

Wyden, a constant voice on consumer privacy, encryption issues, and cybersecurity policy, said Verizon’s move was a good start.

“Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off.”

The collection, storage, and sale of customer location data has become a highly controversial topic in an era when people can be tracked not only across the web but down to the meter in their daily lives, as well. Although mobile apps are supposed to ask for affirmative consent in order to access a user’s location, it’s not always clear what the apps or the carriers are doing with that data once they have it. As with the vast network of large data brokers, most consumers also were likely unaware that location data aggregators even exist, let alone that they are purchasing information from the carriers.

The FCC opened an investigation into this situation last month.