A senator has strongly criticized three of the US' largest cell carriers that have not promised to stop selling their customers' real-time location data to third party companies.
Sen. Ron Wyden (D-OR) welcomed Verizon's move to end its agreements with data aggregators, including LocationSmart, which sold location data to a prison tech company that claimed to be able to track any cell phone in the US "within seconds."
But the senator rebuked AT&T, T-Mobile, and Sprint for continuing the practice.
"Verizon did the responsible thing and promptly announced it was cutting these companies off," said Wyden in a statement Tuesday, following an investigation by his office.
"In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers' private information to these shady middle men, Americans' privacy be damned," he said.
Following Wyden's statement, AT&T said it was also cutting off access to third-parties.
"We will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance," said a spokesperson.
Sprint said later Tuesday that the company is "beginning the process of terminating its current contracts with data aggregators to whom we provide location data."
"This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services," the company said, but did not provide a specific timeline.
Hours later, T-Mobile chief executive John Legere tweeted his company's commitment to "not sell customer location data to shady middlemen."
Letters from the four cell giants were published Tuesday after Wyden demanded last month to know why millions of Americans' real-time location data was being shared with so-called aggregators, which manage data requests for customer data across the carriers.
The phone giants say it's "common" to share data, such as when motorists are stranded or as part of workforce and fleet tracking, but said that customer data should have more tightly controlled.
The carriers partnered with LocationSmart, which claimed it had "direct connections" to the cell giants' cache of location data. Aggregators could then share location data with their own customers.
But the carriers found that one of LocationSmart's customers, 3Cinteractive, shared location data with another company, Securus, a prison technology company, which used the data in violation of the carriers' policies.
Aggregators must obtain consent from the customer before their location data can be used, such as by sending a one-time text message or allowing a user to hit a button in an app. But The New York Times found that police and correctional officers could track anyone's location without their consent, because Securus turned over the data without verifying that a warrant had been obtained.
The phone giants said they took "prompt steps to protect customer data and shut down" location data access to 3Cinteractive and Securus.
A spokesperson for 3Cinteractive did not respond to a request for comment.
LocationSmart said in a statement Tuesday that it was reviewing the letters from the carriers, and denied that it buys and sells location data. "The company does not warehouse or track a mobile user's historic identity and location information," said the company.
But the phone giants remained vague on exactly how the companies obtained customers' consent to provide data to LocationSmart in the first place.
ZDNet previously asked how each carrier obtains consent from their customers, but none offered concrete answers.
Customers, unable to opt out of the phone giants' privacy policies, may be locked in to sharing their location data with aggregators.
"I don't believe that there is anything consumers can do to opt-out of having their location data shared with third-parties like LocationSmart," said Stephanie Lacambra, staff attorney at the Electronic Frontier Foundation, in an email.
LocationSmart was later forced to pull part of its website offline after a vulnerability allowed a security researcher to obtain real-time location data without obtaining consent from the user.
Robert Xiao said that the company had "no security oversight" before the site served location data.
LocationSmart said that "did not result in any customer information being obtained without their permission" beyond the researcher's queries.
The Federal Communications Commission is investigating the website flaw.
Updated at 4pm ET: Added a statement from Sprint and 4:22pm ET with comment from T-Mobile's chief executive.