The U.S. Federal Communications Commission said on Friday it was referring reports that a website flaw could have allowed the location of mobile phone customers to be tracked to its enforcement bureau to investigate.
A security researcher said earlier this week that data from LocationSmart, a California-based tech firm, could have been used to track AT&T, Verizon Communications, Sprint, and T-Mobile US mobile consumers within a few hundred yards of their location and without their consent.
Senator Ron Wyden, an Oregon Democrat, on Friday had urged the FCC to investigate, saying on Twitter that a "hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child's cell phone to know when they were alone."
He later praised the FCC decision to investigate, as first reported by Reuters.
"I urge the FCC expand the scope of this investigation, and to more broadly probe the practice of third parties buying real-time location data on Americans, Wyden said.
Robert Xiao, a researcher at Carnegie Mellon University, said a flaw in a demo tool from LocationSmart could have been used to track anyone.
LocationSmart spokeswoman Brenda Schafer said on Friday the vulnerability "has been resolved and the demo has been disabled."
Prior to Xiao's efforts, which included locating up to two dozen users, Schafer said the company believes no one else exploited the vulnerability.
The company is committed to "continuous improvement of its information privacy and security measures," she said.
Last week, the New York Times reported that the former sheriff of Mississippi County, Missouri, used Securus Technologies to track mobile phones — including those of other police officers — without court orders, citing charges filed against him.
Several published reports said Securus is getting its data through an intermediary of LocationSmart.
Verizon spokesman Rich Young said Friday the company has "taken steps to ensure that Securus can no longer access location information about Verizon Wireless customers." He added the company has "initiated a review of this entire issue."
AT&T spokesman Mike Balmoris said the company does not "permit sharing of location information without customer consent or a demand from law enforcement. If we learn that a vendor does not adhere to our policy we will take appropriate action."
Sprint said it is conducting an internal review of the issue. T-Mobile US did not immediately comment.
Securus said later on Friday that access to location-based services "data has been disabled for the time being," out of an abundance of caution and in light of ongoing discussions with partners.
The company also said it has "no direct business relationship with LocationSmart," adding it is ready to work with law enforcement and vendors to reinstate the service as soon as possible.
Last week Wyden said that Securus, a major provider of correctional facility telephone services, was purchasing real-time location information from carriers and providing information "via a self-service web portal for nothing more than the legal equivalent of a pinky promise."
Wyden wrote all four of the U.S. major mobile carriers, saying the practice "exposes millions of Americans to potential abuse and unchecked surveillance by the government."