Verizon and AT&T have promised to stop selling their mobile customers' location information to third-party data brokers following a security problem that leaked the real-time location of US cell phone users.

Sen. Ron Wyden (D-Ore.) recently urged all four major carriers to stop the practice, and today he published responses he received from Verizon, AT&T, T-Mobile USA, and Sprint.

Wyden's statement praised Verizon for "taking quick action to protect its customers' privacy and security," but he criticized the other carriers for not making the same promise.

"After my investigation and follow-up reports revealed that middlemen are selling Americans' location to the highest bidder without their consent or making it available on insecure Web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off," Wyden said. "In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers' private information to these shady middle men, Americans' privacy be damned."

AT&T changed its stance shortly after Wyden's statement. "Our top priority is to protect our customers' information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance," AT&T said in a statement to Ars.

Sen. Wyden recognized AT&T's change on Twitter and called on T-Mobile and Sprint to follow suit.

Sprint told Ars that it has "nothing additional to share." We also asked T-Mobile for a response to Wyden's statement and will update this story if the carrier answers. T-Mobile told Wyden that it will continue the data aggregation program but that it has "appropriate controls" in place.

(UPDATE: Sprint announced that it is changing their data sharing practices about two hours after this story published. "Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data," Sprint told Ars. "This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services." Sprint said that it previously "suspended all data sharing" with LocationSmart, a data broker involved in the controversy. Sprint said that it stopped providing data to LocationSmart on May 25.)

Privacy invasion

It was revealed last month that prison phone company Securus offers a service enabling law enforcement officers to locate most American cell phones within seconds. Securus' service relies on data from LocationSmart. It was also reported that a LocationSmart bug could have allowed anyone to surreptitiously track the real-time whereabouts of cell phone users.

"To access this private data, correctional officers simply visit Securus' Web portal, enter any US wireless phone number, and then upload a document purporting to be an official document giving permission to obtain real-time location data," Wyden wrote in a letter to carriers on May 8. "Senior officials from Securus have confirmed to my office that it never checks the legitimacy of those uploaded documents to determine whether they are, in fact, court orders and has dismissed suggestions that it is obligated to do so."

All four carriers told Wyden that they suspended access to Securus. But T-Mobile hasn't promised to cut ties with data aggregators that Securus obtained data from. (T-Mobile and Sprint are attempting to merge but are still separate companies.)

(UPDATE: T-Mobile CEO John Legere wrote on Twitter that his company "will not sell customer location data to shady middlemen." But Legere's statement is vague and he did not specify whether T-Mobile will stop sharing data with LocationSmart or other aggregators. As detailed later in this article, T-Mobile's letter to Wyden on June 15 said that the company will continue sharing data with these aggregators. Since that letter, "our office has not received any updated response from T-Mobile about its policy with respect to location aggregators or other data brokers," a Wyden spokesperson told Ars.)

(FURTHER UPDATE: Several hours after Legere's tweet, T-Mobile provided this statement to Wyden's office: "We ended all transmission of customer data to Securus and will wind down our location aggregator agreements." Wyden's office passed T-Mobile's statement along to Ars.)

The Federal Communications Commission is investigating the matter, and Wyden called on FCC Chairman Ajit Pai to recuse himself because he represented Securus as an attorney in 2012.

"Chairman Pai's total abandonment of his responsibility to protect Americans' security shows that he can't be trusted to oversee an investigation into the shady companies that he used to represent," Wyden said. "If your location information falls into the wrong hands, you—or your children—can be vulnerable to predators, thieves, and a whole host of people who would use that knowledge to malicious ends."

We contacted Pai's office for a response and will update this story if we get a reply.

The Obama-era FCC voted to impose privacy rules that would have required carriers to get consumers' consent before selling or sharing personal data, including location information. But Congress last year voted to prevent implementation of those rules, with Pai's support. Pai also took action to halt implementation of data security requirements that were part of the Obama-era FCC's privacy rulemaking.

Verizon ending contracts with two aggregators

Verizon's response to Wyden said that it "contracts with two aggregators, LocationSmart and Zumigo, in our location aggregator program." The data sharing is supposed to be used for legitimate business purposes, such as a truck rental company "us[ing] the location data to provide better assistance to customers renting trucks who experience problems on the road," Verizon said. Credit card companies may also use the data to "approximate a user's proximity to their home address when applying for a credit card online to help conﬁrm their identity and reduce fraud."

But "it appears that Securus and/or its affiliate 3C Interactive impermissibly permitted law enforcement agencies to request location information through LocationSmart for investigative purposes," Verizon told Wyden. "Use of location information for investigative purposes was not an approved use case in our agreement with LocationSmart."

The location aggregators receive "the customer's approximate latitude and longitude, as well as the error radius and other error information for location queries," letting them locate a customer to within 1,000 meters, Verizon said. Verizon's deal with the aggregators requires the aggregators to get customers' permission to access location information.

Verizon told Wyden that it has suspended Securus and 3C Interactive's access to Verizon customer location information. Secondly, Verizon "decided to end our current location aggregation arrangements with LocationSmart and Zumigo. Verizon has notified these location aggregators that it intends to terminate their ability to access and use our customers' location data as soon as possible."

The shutoff is not happening immediately because it "must be completed in careful steps so as not to disrupt beneficial services being provided using customer-location data," Verizon said.

"In the interim, Verizon will not authorize any new uses of location information by either LocationSmart or Zumigo or the sharing of location information with any new customers of these existing aggregators," Verizon said.

AT&T, T-Mobile, and Sprint

AT&T told Wyden that it "never authorized the use of its customer data for the Securus Web portal" that provided location data to law enforcement. AT&T did approve the sharing of location information with prison officials through Securus' prison telecommunications service, however.

Under this approved use, "When a wireless customer receives a call from an inmate, the customer hears an IVR [Interactive Voice Response] message requesting affirmative consent to share phone-location information for investigative purposes," AT&T said.

But Securus provided further, unapproved services to law enforcement officials and did not seek consumers' consent for this unapproved use of their location data, AT&T wrote:

We now understand that, despite AT&T's requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers' location information for its On-Demand Service. Instead, Securus evidently relied upon law enforcement's representation that it had appropriate legal authority to obtain customer location data, such as a warrant, court order, or other authorizing document as a proxy for customer consent.

"We are actively investigating the extent to which Securus may have obtained unauthorized access to AT&T customer location data, and we are pressing Securus to provide greater cooperation than they have to this point," AT&T also wrote. "Our top priority is to protect our customers' information, and, to that end, we have suspended all access by Securus to AT&T customer location data."

Sprint noted that it began an investigation after receiving Sen. Wyden's letter. "We suspended the provision of location data to Securus, and our investigation continues," Sprint wrote to Wyden.

T-Mobile told Wyden that it sells data to two aggregators, LocationSmart and Zumigo. T-Mobile shares cell tower location information for customers' phone numbers in response to requests made via these aggregators.

"[R]ecords of customer consent must be provided to the location aggregator (including the time the consent was provided) before the location aggregator provides the service provider with the requested location," T-Mobile wrote.

Securus' program for law enforcement "was never approved by T-Mobile and we quickly shut down any transmission of our customers' location data to Securus," T-Mobile wrote. But T-Mobile told Wyden that it will continue to work with data aggregators in general.

"We have also reviewed the program more broadly, and, while we believe the program has appropriate controls already in place, we are working with our location aggregators and will be taking additional steps to help ensure that an incident like this one does not happen in the future," T-Mobile wrote.