Wyden's investigation found that one of Verizon's indirect corporate customers, a prison phone company called Securus, had used Verizon's customer location data in a system that effectively let correctional officers spy on millions of Americans. In a letter to the Federal Communications Commission last month highlighting the probe, Wyden said prison officials using Securus's surveillance system could obtain real-time location data on Americans with little more than a "pinky promise" of propriety, leading to "activities wholly unrelated" to prison management.
To gain access to the data, prison officers simply visited an online portal and uploaded an "official document" showing they had permission to access the information. But, Wyden told the FCC, senior Securus officials admitted that the company did not review the requests for information or require that supporting documents reflect the decision of a judge or other legal authority.
Securus didn't immediately respond to a request for comment. Paul Sherer, a spokesman for LocationSmart, said the company does not buy or sell location information and only provides it “at the instant it is requested.”
“LocationSmart has maintained close communications with the wireless carriers about recent incidents,” LocationSmart said in a statement. “We are working with each of them to ensure that industry best practices and carrier guidelines are met and service is not interrupted for any of our customers as the carriers implement changes to their respective programs for use of location data.”
In the wake of questions from Wyden's staff, Verizon filed a letter Tuesday saying that it is suspending its data-sharing agreement with LocationSmart and Zumigo until further notice. It will also refrain from signing new data-sharing contracts with third parties.
"Our review of our location aggregator program has led to a number of internal questions about how best to protect our customers’ location data," Verizon wrote to Wyden. "We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices."
The decision brings telecom companies further into the debate over data privacy, which has intensified in recent months amid heightened scrutiny of data practices at Facebook, as well as the rise of a new European data protection law. Meanwhile, AT&T last week closed a landmark merger involving Time Warner, one that AT&T said will help turn it into a major player in customer data mining.
"Verizon did the responsible thing," Wyden said Tuesday in a statement. "In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”
AT&T then said in a statement Tuesday that it also will be ending its relationship with location data aggregators "as soon as practical" while ensuring that location-based services that depend on data sharing, such as emergency roadside assistance, can continue to function. Sprint said in a statement that it cut ties with LocationSmart on May 25, and has begun cutting ties with the data brokers who received its customers' location data.
T-Mobile chief executive John Legere tweeted: “I’ve personally evaluated this issue & have pledged that @tmobile will not sell customer location data to shady middlemen.”
Under its program, known internally as Location Data Integration, Verizon shared rough location data on its customers — information the customers had previously agreed to share — to LocationSmart, which in turn provided the information to Securus. Typically, Verizon said, the data sharing helps car rental companies provide roadside assistance and allows financial services companies combat fraud.
Verizon's letter said that in addition to obtaining its own customers' consent before collecting the data, the company also looks at the third-party customers of its data vendors to be sure they have not violated consumer privacy or protection rules.
When Verizon learned of the Securus issue, it took "immediate steps" to stop the misuse of data, the company said in a statement Tuesday.
Verizon's decision does not mean that the company will suspend all uses of customer data. Verizon will continue to use customer data more generally for advertising purposes, said Rich Young, a company spokesman, but only after its customers opt into data sharing. In 2017, Verizon completed a deal to buy Yahoo for its digital audience, content and advertising opportunities. In 2015, it purchased AOL for its video advertising technology.
New privacy regulations from the FCC enacted in 2016 would have imposed greater restrictions on Internet providers and their handling of customer data. Those regulations were repealed early last year with a congressional resolution. Since then, the broadband industry has benefited from a wave of federal deregulation, including a decision by the FCC to repeal its net neutrality rules.