Sen. Ron Wyden (D., Ore.) has asked the FCC to probe the tracking of cellphone customers’ location information by law enforcement officials who access the data from Securus Technologies, Inc., which provides inmate calling services (ICS) to correctional facilities. The senator also wrote major wireless carriers to get information on their practices for selling customers’ location information to other parties.

“I recently learned that Securus Technologies, a major provider of correctional-facility telephone services, purchases real-time location information from major wireless carriers and provides the information, via a self-service web portal, for nothing more than the legal equivalent of a pinky promise,” Mr. Wyden wrote in a letter to FCC Chairman Ajit Pai. “This practice skirts wireless [carriers’] legal obligation to be the sole conduit by which the government conducts surveillance of Americans’ phone records, and needlessly exposes millions of Americans to potential abuse and surveillance by the government.”

The senator added that top Securus officials “confirmed to my office that Securus takes no steps to verify that uploaded documents in fact provide judicial authorization for real-time location surveillance, or conduct any review of surveillance requests. Securus claimed, incorrectly, that correctional facilities, not Securus, must ensure that correctional officers don’t misuse the web portal.”

“It is incredibly troubling that Securus provides location data to the government at all — let alone that it does so without a verified court order or other legal process,” Mr. Wyden wrote. “This clear abuse is only possible because wireless carriers sell their customers’ private information to companies claiming to have consumer consent without sufficiently verifying those claims.”

Mr. Wyden asked the FCC to “promptly investigate Securus, the wireless carriers’ failure to maintain exclusive control over law enforcement access to their customers’ location data, and also conduct a broad investigation into what demonstration of customer consent, if any, each wireless carrier requires from other companies before the carriers provide them with customer location information and other data.”

The senator also wrote major wireless carriers to ask them if they have any safeguards to prevent the sale of location information without the consent of customers, what companies they sell such data to, what type of information they sell, and what proof of customer consent parties provide. He also asked for details on incidents where carriers have found companies misusing customer information.

Mr. Wyden also asked carriers to undertake an audit of each third party that gets information from the carriers to determine how the party uses the information and ensure that customers have agreed to have that information disclosed. Carriers should “notify customers whose location information you disclosed without their consent,” Mr. Wyden said. Carriers also should terminate agreements with parties that have mishandled customer information and launch web portals so customers can see which parties their information is shared with, the senator added.

In the letter to the carriers, Mr. Wyden said Securus told his office “that it purchases real-time location information … through a third party location aggregator that has a commercial relationship with the major wireless carriers — and routinely shares that information with its government clients. Correctional officers simply visit Securus’ web portal, enter any U.S. phone number, and then upload a document purporting to be an ‘official document giving permission’ to obtain real-time location data.”

Securus did not respond to a request for comment today.

An FCC spokesman said the agency has received Mr. Wyden’s letter and is reviewing it.

In response to Mr. Wyden’s letter, Sprint Corp. said in a statement, “Protecting our customers’ privacy and security is a top priority, and we are transparent about our Privacy Policy. To be clear, we do not share or sell consumers’ sensitive information to third parties. We share personally identifiable geo-location information only with customer consent or in response to a lawful request such as a validated court order from law enforcement. We will answer the questions raised in Sen. Wyden’s letter directly through appropriate channels. However, it is important to note that Sprint’s relationship with Securus does not include data sharing, and is limited to supporting efforts to curb unlawful use of contraband cellphones in correctional facilities.”

AT&T, Inc., said, “We have a best practices approach to handling our customers’ data. We are aware of the letter and will provide a response.”

“We’re still trying to verify, but if this company is, in fact, doing this with our customers’ data, we will take steps to stop it,” said Verizon Communications, Inc.

T-Mobile US, Inc., said, “We take the privacy and security of our customers’ data very seriously. We received Senator Wyden’s letter and are thoroughly investigating the issues he raises. As always, if we were to find any misuse of our customers’ data, we would take appropriate action.” —Paul Kirby, paul.kirby@wolterskluwer.com