AT&T for example fed Wyden the same line [PDF] that "despite AT&T's requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers' location information".
"Chairman Pai's total abandonment of his responsibility to protect Americans' security shows that he can't be trusted to oversee an investigation into the shady companies that he used to represent", Wyden said in a statement Tuesday. "In contrast, AT&T, T-Mobile, and Sprint seem content to continue to sell their customers' private information to these shady middle men, Americans' privacy be damned". But Securus Technologies Inc., which provides phone services to correctional facilities, was acquiring the data from phone companies and offering it via a web portal, he said.
Verizon also indicated it would not authorize any new uses of location data, but added it would work to maintain "beneficial services" from location data, such as fraud protection.
"When these issues were brought to our attention, we took immediate steps to stop it. Customer privacy and security remain a top priority for our customers and our company", Verizon spokesman Rich Young said in a statement.
On Tuesday, T-Mobile CEO John Legere said on Twitter that it too had ended partnerships with data aggregators. Both companies buy real-time access to this data from cell carriers, but a lack of oversight resulted in access to this data being routinely abused. Aggregators could then share location data with their own customers. It will come as no surprise to learn that the data was being misused across a number of brokers, and security researcher Brian Krebs even found that one data firm was enabling anyone to find location data on any cell number, for free.
Location data sales aren't going away completely, though.
None of the four carriers responded to questions from the AP on whether they plan to sell location data directly instead of relying on the two California companies and, if so, how.
AT&T, in a letter to Wyden, said they only allow authorized third parties to access the data when customers have given consent or when forced to via a court order.
The other carriers did not immediately respond Tuesday to emailed requests for comment.
The FCC announced an investigation into the LocationSmart leak last month, in the wake of reports about the LocationSmart data leak. "Nonetheless, we are reviewing these issues carefully to ensure the proper handling of all AT&T customer information".
Verizon is the first US wireless carrier to announce plans to break ties with these data brokers.
ZDNet previously asked how each carrier obtains consent from their customers, but none offered concrete answers.
Verizon disclosed its move in a letter to Oregon Sen.
Privacy advocates called the carriers' decision a small victory, but called for further safeguards on consumer data. And, of course, there is no guarantee that Verizon and AT&T won't set up a new program once the dust has settled and start selling user location data all over again.
Days later, a Carnegie Mellon University security researcher discovered a security flaw in LocationSmart's website that could have allowed any reasonably sophisticated hacker to secretly track nearly any phone in the USA or Canada.
The Federal Communications Commission is investigating the website flaw.