If you own a cell phone, you've probably had an app ask for permission to access your location. Most of the time, you probably don't think twice about granting it — after all, how is your Lyft driver going to find you if the app doesn't know where you are?
But last month, a U.S. senator, Ron Wyden (D-OR), voiced his concern that Verizon, AT&T, Sprint, and T-Mobile were giving certain government officials a way to access your location illegally without you even knowing about it. Today, all four carriers announced plans to put a stop to the practice, according to a press release on Wyden's website.
While some companies request your location directly from your phone carrier, others use middlemen known as "location aggregators." These aggregators pay phone carriers for bulk access to users' locations. Carriers leave it up to the aggregator to ensure their clients have permission to access location information and that their requests abide by all laws.
On May 8, Wyden sent letters to Verizon, AT&T, Sprint, and T-Mobile asking about their relationships with Securus Technologies, a client of LocationSmart, a location aggregator in a data-sharing agreement with all four carriers.
Securus's primary business is providing and monitoring inmate phone calls, but it also offers a secondary service: providing law enforcement and corrections officials with the locations of people not incarcerated. All officials have to do is upload a legal document authorizing the location request, such as a warrant, and Securus lets them know the person's location.
Here's the problem with that: Securus never actually reviewed any of these documents.
The company wrote in a statement to the New York Times that "the responsibility of ensuring the legal adequacy of supporting documentation lies with our law enforcement customers and their counsel.” At least one person, Cory Hutcheson, former sheriff of Mississippi County, Missouri, allegedly used the service to locate people illegally, prompting Wyden to take action.
"This practice skirts wireless carrier's legal obligation to be the sole conduit by which the government may conduct surveillance of Americans' phone records, and needlessly exposes millions of Americans to potential abuse and unchecked surveillance by the governments," he wrote in his letter to AT&T.
Today, all four carriers, starting with Verizon, announced some form of severance from two location aggregators: LocationSmart and Zumigo.
“We conducted a comprehensive review of our location aggregator program,” Verizon CTO Karen Zacharia wrote in a response to Wyden. “As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program.”
In addition to sending letters to the carriers themselves, Wyden also wrote a letter to the Federal Communications Commission (FCC) asking it to look into the carriers' oversight.
The good news is that means the issue of location aggregators is at least on the agency's radar. The not-so-great news? FCC Chairman Ajit Pai represented Securus as its attorney in 2012, and has thus far ignored Wyden's request to recuse himself from the FCC's investigation.
Ultimately, this decision by Verizon and the other carriers is a positive step forward, but only time will tell if they'll actually face any consequences for playing fast and loose with users' privacy.