Until 2019, Verizon “ran a ‘location-based services’ program that sold access to certain kinds of wireless customer location data,” the ruling said. “As part of that program, Verizon contracted with ‘location information aggregators,’ which collected customer data and resold it to third-party location-based services providers. Verizon had arrangements with two aggregators, LocationSmart and Zumigo, which in turn contracted with 63 third-party entities.”
Instead of providing notice to customers and obtaining or verifying customer consent itself, Verizon “largely delegated those functions via contract,” the court said. This system and its shortcomings were revealed in 2018 when “the New York Times published an article reporting security breaches involving Verizon’s (and other major carriers’) location-based services program,” the court said.
Securus Technologies, a provider of communications services to correctional facilities, “was misusing the program to enable law enforcement officers to access location data without customers’ knowledge or consent, so long as the officers uploaded a warrant or some other legal authorization,” the ruling said. A Missouri sheriff “was able to access customer data with no legal process at all” because Securus did not review the documents that law enforcement uploaded.