Prison phone company Securus was allowing law-enforcement agencies to track Americans' phones without reviewing the requests. Securus purchased location information which had been sold by the data broker LocationSmart. Following that revelation, KrebsOnSecurity reported that major location aggregator LocationSmart offered access to track any American's mobile phone via an insecure website.
The FCC announced an investigation into the LocationSmart leak last month, in the wake of reports about the LocationSmart data leak.
Verizon first announced it was cutting these companies off. AT&T said it was also cutting off access to third-parties, while Sprint said later Tuesday that the company is "beginning the process of terminating its current contracts with data aggregators to whom we provide location data." Hours later, T-Mobile chief executive John Legere tweeted his company's commitment to "not sell customer location data to shady middlemen."
The phone giants say it's "common" to share data, such as when motorists are stranded or as part of workforce and fleet tracking, but said that customer data should have more tightly controlled.
The carriers partnered with LocationSmart, which claimed it had "direct connections" to the cell giants' cache of location data. Aggregators could then share location data with their own customers.
But the carriers found that one of LocationSmart's customers, 3Cinteractive, shared location data with another company, Securus, a prison technology company, which used the data in violation of the carriers' policies.
Aggregators must obtain consent from the customer before their location data can be used, such as by sending a one-time text message or allowing a user to hit a button in an app.
LocationSmart denied that it buys and sells location data. The company said that it disabled Securus' access on May 10.