Highlighting the privacy dangers of having user location data sold and resold, just one week after the abuse of Securus data emerged, a security researcher found that he was able to access the location of any mobile phone user through a one-line code hack on a "demo" website run by LocationSmart simply by entering their mobile number. The partnerships can power services like bank fraud prevention, emergency roadside assistance and marketing deals, which depend on knowing a customer's whereabouts.
The move to cut off access comes after an investigation by Senator Ron Wyden, an Oregon Democrat, into the commercial relationships between Verizon; a pair of obscure data vendors known as LocationSmart and Zumigo; and those companies' own corporate customers.
The background: In May, The New York Times reported that Securus Technologies, a prison call-monitoring company, offered a service that law-enforcement officials could use to track people's locations via their cellphones, without having a court order.
Major wireless carriers are allowed to sell real-time location data to third-parties, which is often used for targeted advertising from advertisers.
T-Mobile CEO John Legere took to Twitter to say that he has "personally evaluated this issue" and determined that the Un-carrier will no longer be selling "customer location data to shady middlemen".
It is the first major USA wireless carrier to step back from a business practice that has drawn criticism for endangering privacy.
But shortly after Verizon's announcement AT&T announced it would similarly stop third-party location data sales in a bid to prevent a deeper inquiry or tougher privacy guidelines.
After a thorough review of its program, Verizon notified LocationSmart and Zumigo, both privately held, that it intends to "terminate their ability to access and use our customers' location data as soon as possible", Zacharia wrote. How this will be done isn't entirely clear; in the company's letter to Wyden, Verizon said it'll create "alternative arrangements" to minimize the privacy risks.
Last month, Wyden revealed abuses in the lucrative but loosely regulated field.
Law enforcement officers are ostensibly required to have a good reason for requesting real-time location data of cellular customers.
For years wireless cell carriers have sold off consumer location data to everyone from urban planners to marketers without much in the way of oversight.
Moy said Verizon may have been motivated by a $1.4 million FCC fine for an earlier episode in which the company quietly tracked its wireless customers' online travels with a "supercookie" for at least 22 months beginning in December 2012.
In other words, Verizon was simply selling the data, failing to properly audit its use, and companies have been freely trading in user location data as a result.
Privacy advocates called the carriers' decision a small victory, but called for further safeguards on consumer data.
"Verizon deserves credit for taking quick action to protect its customers' privacy and security", Wyden said in a news release. He said Zumigo does not let its customers resell the location data and hopes to renegotiate with the carriers. "Chairman Pai's total abandonment of his responsibility to protect Americans' security shows that he can't be trusted to oversee an investigation into the shady companies that he used to represent", Wyden said.
"We're trying to do with right thing for our customers", he said.
Wyden had begun probing the largely unaccountable rabbit hole that is location data sharing.