Verizon and AT&T said Tuesday that they would sharply limit arrangements that give marketers and other businesses access to cellphone customers’ location data, after disclosures that the information was used to track people without their consent.
Verizon announced its change in a letter to Senator Ron Wyden, an Oregon Democrat, who has been investigating location privacy issues. He had asked Verizon, AT&T, Sprint and T-Mobile to audit their relationships with companies that buy and sell access to consumer location data, known as location aggregators.
“As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program,” Verizon’s chief privacy officer, Karen Zacharia, wrote in the letter. Some data sharing, such as for fraud prevention and call routing, will continue, she wrote.
An AT&T spokesman, Michael Balmoris, said the company would end work with the data companies “as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.”
A Sprint spokeswoman said the company had suspended services with one location aggregator, LocationSmart, and was reviewing its relationship with another. T-Mobile, the nation’s third-largest wireless company, behind Verizon and AT&T and ahead of Sprint, did not immediately respond to a request for comment.
Last month, The New York Times reported that Securus Technologies, a company that provides phone services to prisons and allows them to monitor inmate calls, had a separate service that let government officials track the location of almost any cellphone in the country within seconds, using the location aggregation system. In one case, a former sheriff in Missouri was charged with tracking people’s cellphones, including those of other officers, without court orders.
Location aggregators generally sell access to cellphone carriers’ data for advertising, fraud prevention and other business purposes. They say their clients must get consumer consent before getting access to a person’s location.
The cellphone carriers said that they relied on contracts and audits of companies to ensure that consumers had given consent for the data collected, but that those safeguards had failed to catch Securus’s activity. Securus said it required its customers to upload a legal document, such as a warrant or affidavit, before finding a phone’s location, but it also said it did not check the validity of those documents.
The gathering of location data, and the lapses in the system protecting it, have raised concerns about privacy as more people carry phones that can easily relay such information. It also presented a security problem. Researchers found that LocationSmart, the location aggregator Securus used, had flaws on its website that allowed widespread access to people’s location information.
A LocationSmart spokesman, Paul Sherer, said the company was working with the wireless carriers and did not “anticipate adverse impact to current services in the near future.” He said LocationSmart had disabled Securus’s ability to get location data.
In an email, a Securus representative, Mark Southland, maintained that the company had followed its contract, which was with a marketing company that worked with LocationSmart.
“We believe that ending the ability of law enforcement to use these critical tools will hurt public safety and put Americans at risk,” he said.