AT&T says it will end its practice of selling real-time user location data to third-party brokers after its primary competitor Verizon agreed to do the same earlier today. “Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance,” reads a statement from an AT&T spokesperson given to The Verge.
Following pressure from lawmakers, specifically Sen. Ron Wyden (D-OR), Verizon said this morning that it would end the controversial, industry-wide practice. This is after Wyden revealed that the brokers who purchased the data were not verifying if its users had legal permission to track cellphone users through its service. It was then providing that data to other companies, notably Securus Technologies, a company that mainly monitors phone calls to prison inmates. Securus, it turns out, also sells real-time location data to law enforcement agencies without checking the validity of warrants. A former sheriff in Missouri has now been accused of using that data for unlawful surveillance of a judge and other police officers.
Effectively, because Verizon had little oversight into two California-based data brokers — LocationSmart and Zumigo — more than 75 companies had access to real-time user location data, and Verizon had little to no control over how those companies used that data. As the Associated Press put it, “Location data from Verizon and other carriers makes it possible to identify the whereabouts of nearly any phone in the US within seconds.” Even more dire was a free demo tool on LocationSmart’s website that, according to security reporter Brian Krebs last week, allowed any reasonably adept hacker to secretly track pretty much every phone in the entire US. The tool has since been shut down.
All four major carriers have cut off access to Securus, but only AT&T and Verizon have said they will stop sharing data with third-party brokers that facilitated the abuse in the first place. T-Mobile and Sprint, both of which have yet again entered into merger talks, were not immediately available for comment.