By Drew FitzGerald and Sarah Krouse

Verizon Communications Inc., AT&T Inc. and Sprint Corp. pledged to stop selling the locations of individual customers to two middlemen amid accusations that one of the firms mishandled the information.

The carriers said they will wind down data-sharing agreements with LocationSmart and Zumigo Inc., which buy access to the real-time locations of users from major U.S. carriers and allow other businesses to tap into it. The data are used for everything from marketing nearby shops to preventing credit-card fraud.

Ending the partnerships will take several weeks to a few months, a Verizon spokesman said Tuesday.

"We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers' location data," Verizon privacy chief Karen Zacharia wrote in a June 15 letter to Sen. Ron Wyden (D., Ore.), who wrote all four national wireless operators last month asking them about their privacy practices.

The inquiry followed revelations that one of the companies with access to LocationSmart's system, a prison phone provider, created a website that let law-enforcement agencies find the location of any cellphone user without obtaining a court order.

In a statement, AT&T said it "will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance."

Sprint "suspended all services with LocationSmart" last month and "is beginning the process of terminating its current contracts with data aggregators to whom we provide location data." A spokeswoman said that effort "will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services."

The U.S. phone carriers are the latest corporate giants promising to improve their privacy standards after embarrassing revelations about their handling of customer data. Facebook Inc. continues to face questions from government authorities in several countries after the social network revealed that data firm Cambridge Analytica obtained data on as many as 87 million of its users without the company's permission.

LocationSmart and Zumigo have contracts with the four U.S. wireless companies that allow them to pull cellphone users' locations in real time and share them with other businesses. For example, the carriers say truck-rental firms use the data to better assist customers on the road and banks use the data to determine proximity to a caller's home to help confirm their identity.

All four carriers said their agreements with the data aggregators required them to get users' consent to use their location information. Some users consent to sharing their cellphone-location information when they do business with financial institutions or other companies from which they are buying services. Those firms often include that request for permission in lengthy terms and conditions policies.

It is unclear whether consumers will notice a change after the partnerships end. It wouldn't affect location data that customers agree to share with applications such as Uber Technologies Inc. and Google Maps through their cellphone's operating system. Software on Apple Inc.'s iPhones and Google's Android smartphones help those mobile apps identify users' locations. Wireless carriers also sell anonymized location data to marketers.

Chirag Bakshi, Zumigo's founder and chief executive, said Verizon told his company it has until November to agree on a solution that more tightly controls customer data. Mr. Bakshi said the San Jose, Calif., company handles fewer than 100,000 location requests a day, mostly on behalf of financial institutions seeking to root out fraud and of shipping companies tracking truck movements.

"We're very careful in who we select as customers and we only do this for companies who are very well known," Mr. Bakshi said in an interview. "This is to protect consumers."

More than 100 companies ranging from truck fleet operators to online lotteries draw on location data that ultimately flows from LocationSmart, Mario Proietti, the company's chief executive, said in a May interview.

He said LocationSmart logs each location request made through its system. "All our location is on request," except for developers testing the system, he said. "There's not tracking going on."

The wireless providers took action after the New York Times reported that a prison telephone company called Securus Technologies had expanded a service designed to monitor inmate calls with a website that let sheriffs and corrections officers find any cellphone user's location without a court order.

The carriers said that service was unauthorized and had accessed the information through another third-party, 3cinteractive Corp., that in turn obtained the data from LocationSmart. Representatives from 3cinteractive didn't respond to requests to comment.

Securus spokesman Mark Southland said in a statement that the company adheres to its contract, adding that cutting off law-enforcement access to location tools "will hurt public safety and put Americans at risk."

Sen. Wyden first questioned carriers' location-sharing practices in a May 8 letter that accused Securus of skirting requirements for law-enforcement records requests. Verizon said in its June 15 response that Securus or its partner 3cinteractive "impermissibly permitted law enforcement agencies to request location information through LocationSmart for investigative purposes," adding that was "not an approved use case in our agreement with LocationSmart."

All four carriers said in separate letters to Sen. Wyden that they curtailed Securus's access to customer-location data. T-Mobile US Inc. stopped short of cutting off

LocationSmart, though its chief executive said on Twitter the company "will not sell customer location data to shady middlemen."

A LocationSmart spokesman on Tuesday said the Carlsbad, Calif., company isn't a data broker that buys and sells customer records. "LocationSmart is an 'aggregator' only in the sense that it provides an interface that enables service providers to request location information from wireless carriers," he said.

Wireless companies typically share their customers' locations with emergency responders in specific situations. The operators say other uses are subject to customers' explicit consent. Wireless carriers also share anonymized location data with marketers. They often require that users explicitly opt out of those programs.

Securus wasn't the only company accused of mishandling location information. A Carnegie Mellon University researcher in May found similar data potentially exposed via LocationSmart's website.

Robert Xiao, the researcher who discovered the flaw on LocationSmart's website, said wireless companies often say they only share customer information with their consent. This incident "calls that assumption into question," he said.

Write to Drew FitzGerald at andrew.fitzgerald@wsj.com and Sarah Krouse at sarah.krouse@wsj.com

(END) Dow Jones Newswires

June 19, 2018 19:54 ET (23:54 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.
Verizon Communications (NYSE:VZ)
Historical Stock Chart
From Mar 2024 to Apr 2024 Click Here for more Verizon Communications Charts.
Verizon Communications (NYSE:VZ)
Historical Stock Chart
From Apr 2023 to Apr 2024 Click Here for more Verizon Communications Charts.