All four major cellular carriers in the U.S. today pledged to stop selling real-time location data of its cellular phone users to a collection of third-party data brokers, delivering a blow to what a U.S. Senator dubbed “shady middlemen.”
Verizon was the first cellular carrier to take action in response to an investigation instigated by Oregon Senator Ron Wyden that looked into how cellular companies sell customers’ real-time location data to data brokers. Wyden made the request following security incidents that his office helped bring to light.
That security incidents involved a pair of companies, including LocationSmart, a California data broker that claims to have a “direct connection” into cell carrier networks, and Securus Technologies, a Texas-based “prison technology” company that works with LocationSmart.
Securus develops a product called “Cell Defender” that prevents contraband cell phones from connecting to the cellular network. However, its technology can also be used to track people’s phones within seconds, according to a story in the New York Times.
Wyden documented how law enforcement officers were able to track the real-time location of users without proper documentation. Subsequent investigation demonstrated that anybody could potentially have accessed the same data.
Law enforcement officers are ostensibly required to have a good reason for requesting real-time location data of cellular customers. But according to Wyden, prison officers in Missouri were able to gain access by uploading an “official document” to a Web portal. Securus officials admitted to Wyden that the company did not review the requests or require supporting documents from a judge or other legal authority. The prison officer is now facing charges of unlawful surveillance in Missouri.
In May, Wyden asked the FCC to investigate the “abusive and potentially unlawful practices” of cell phone companies selling access to customers’ real-time location. Following Wyden’s letter, security researcher Brian Krebs revealed that LocationSmart was leaking the real-time data “to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization.”
Verizon was the first mobile carrier to announce an end to Wyden praised Verizon’s move in a note published today. AT&T quickly followed suit, while Sprint and T-Mobile made their announcements later in the day.
“Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off.”
Verizon said it would stop providing data to LocationSmart and Zumigo, which bills itself as ” the only provider of mobile identity and location services across the globe.” Verizon also said it would not enter into any more data-sharing contracts with third parties.