June 19 (UPI) -- Verizon and AT&T said Tuesday they will suspend sharing customer's data with third-party companies after an investigation found inappropriate use.
The probe launched by Sen. Ron Wyden, D-Ore., found correctional officers were potentially able to use Verizon's real-time location data and spy on customers through a prison phone company called Securus.
Wyden wrote a letter to the Federal Communications Commission last month outlining his concerns about Securus' "unrestricted access" to customer location data.
Wyden said Securus provides the location data through "a self-service web portal, to the government for nothing more than the legal equivalent of a pinky promise. This practice skirts wireless carrier's legal obligation to be the sole conduit by which the government conducts surveillance of Americans' phone."
Correctional officers can visit the portal by uploading a falsely "official document," without verification to "conduct activities wholly unrelated to correctional-facility telephone services," the letter said.
Wyden called for an immediate FCC investigation of Securus and for the "wireless carriers to investigate their own practices," and "obvious potential for abuse."
After the revelation, KrebsOnSecurity reported a major location aggregator, LocationSmart, offered access to track any American's AT&T, Sprint, T-Mobile or Verizon phone through an insecure website.
In response, Verizon released a letter Tuesday saying the company would end its location data-sharing contracts with two third parties, LocationSmart and Zumigo "as soon as possible," "so as not to disrupt beneficial services," including fraud prevention and call routing.
"In the meantime, Verizon will not authorize any new use of location information by LocationSmart and Zumigo," Verizon Chief Privacy Officer Karen Zacharia said.
AT&T responded that it never authorized the use of customer data for the Securus portal but would investigate any unauthorized access. The company also followed Verizon's lead and said it would end contracts with major location aggregators. T-Mobile and Sprint also provided responses to Wyden's letter, but declined to offer a similar pledge to stop selling customer location data to third parties.
"While @Verizon & @ATT have now pledged to stop selling customer location data to shady middlemen, @TMobile & @sprint seem content to keep selling customers' private information, Americans' privacy be damned," Wyden tweeted Tuesday.
The decision comes on the heels of scrutiny over data privacy issues after Facebook sold the user data of more than 87 million users to Cambridge Analytica, a British data firm.
The FCC launched its investigation into LocationSmart last month, but Wyden has called on FCC Chairman Ajit Pai to recuse himself.
"Chairman Pai's total abandonment of his responsibility to protect Americans' security shows that he can't be trusted to oversee an investigation into the shady companies that he used to represent," Wyden said.