Verizon is pledging to stop sales through intermediaries of data that pinpoints the location of mobile phones to outside companies, the Associated Press has learned.
It is the first major U.S. wireless carrier to step back from a business practice that has drawn criticism for endangering privacy. The data has allowed outsiders to track wireless devices without their owners' knowledge or consent.
Verizon, the nation's largest mobile carrier measured by subscribers, said that about 75 companies have obtained its customer data from two little-known California-based brokers that it supplies directly — LocationSmart and Zumigo.
The company made its disclosure in a letter to Sen. Ron Wyden, an Oregon Democrat who has been probing the phone location-tracking market. Last month, Wyden revealed abuses in the lucrative but loosely regulated field involving Securus Technologies and its affiliate 3C Interactive. Verizon says their contract was approved only for the location tracking of outside mobile phones called by prison inmates.
After a thorough review of its program, Verizon notified LocationSmart and Zumigo, both privately held, that it intends to "terminate their ability to access and use our customers' location data as soon as possible," wrote Verizon's chief privacy officer, Karen Zacharia.
Though Verizon is ending sales to brokers, Verizon stopped short of ending the practice completely. Zacharia said the company would be careful not to disrupt "beneficial services" such as fraud prevention and would "work with these aggregators to ensure a smooth transition for these beneficial services to alternative arrangements so as to minimize the harm to customers and end users."
In the interim, Verizon will not authorize any new uses of the location data, she said.
Location data from Verizon and other carriers makes it possible to identify the whereabouts of nearly any phone in the U.S. within seconds.
Popular commercial uses for so-called geolocation tracking include emergency roadside assistance; keeping tabs on packages, vehicles and employees; bank fraud prevention and targeted marketing offers.
The cutoff won't affect users' ability to share locations directly with apps and other services. Rather, it deals with the practice of selling data to third parties with which users have no direct connection.
Wyden wrote all four major U.S. wireless carriers on May 8 after learning that a former sheriff in Missouri had been accused of using Securus data for unauthorized surveillance of a judge, a sheriff and state highway patrol officers.
Days later, a Carnegie Mellon University security researcher discovered a security flaw in LocationSmart's website that could have allowed any reasonably sophisticated hacker to secretly track almost any phone in the U.S. or Canada.
Wyden asked the carriers to identify which third parties have been acquiring carrier location data and to provide details such as any third-party sharing of location data without customer consent. His office shared the companies' responses with The Associated Press.
None of the four carriers named any third parties, with two exceptions. One was Securus, which all four carriers have since cut off. The other was 3CInteractive, the reseller that supplied Securus. Only Verizon has pledged to end the sale of location data from its 116 million wireless subscribers through so-called "geolocation aggregators.
"Verizon did the responsible thing and promptly announced it was cutting these companies off," Wyden said in a statement. "In contrast, AT&T, T-Mobile, and Sprint seem content to keep selling their customers' private information to these shady middle men, Americans' privacy be damned."
Wyden has complained that people's physical security could be endangered if the information falls in the wrong hands.
"The big concern was that this was probably the tip of the iceberg," said Laura Moy, deputy director of the Georgetown Center on Privacy and Technology. She said Verizon's move "indicates that it cannot actually police this process, that it doesn't have the ability."
Nor can the other carriers, she said.
None of the carriers immediately responded to AP requests for comment Tuesday morning.
AT&T and T-Mobile , No. 2 and 3 in customers, said in letters to Wyden they only allow authorized third parties to access customer location data if the affected customers have given consent or if it is required by law — for instance, a court order. Verizon said the same.
Sprint said account holders must "generally be notified" if the data is to be used so they can decide whether they consent. T-Mobile has offered to buy Sprint for $26.5 billion.
The carriers left most of Wyden's questions unanswered — such as how many of their customers had been affected by location sharing they never agreed to.
Gigi Sohn, a former top advisor at the Federal Communications Commission in the Obama administration, said Verizon has lately proven itself a "shining example" on privacy.
"I think they understand that bad privacy practices are bad for business," she said.
But a Verizon pullout from the aggregator arrangement won't crater the market for this data, Sohn said.
AT&T, Sprint and T-Mobile, for one, jointly have nearly 200 million wireless customers who marketers want to reach.
Moy said Verizon may have been motivated by an FCC fine for an earlier episode in which the company surreptitiously tracked its wireless customers' online travels with a "supercookie" for at least 22 months beginning in December 2012.
The company subsequently signed a consent order with the FCC promising to restrict that tracking to customers who affirmatively agreed to it. It was fined $1.4 million.
The case also spurred FCC rules that would have required carriers to obtain consent for selling their customers' wireless location data. But the GOP-led Congress quashed those rules last year.—FRANK BAJAK, AP
Associated Press Technology Writers Matt O'Brien in San Francisco and Mae Anderson in New York contributed to this report.