RON WYDEN COMMITTEES:

OREGON COMMITTEE ON FINANCE
COMMITTEE ON BUDGET

RANKING MEMBER OF COMMITTEE ON COMMITTEE ON ENERGY 8: NATURAL RESOURCES
FINANCE tK tat?g En gtE SELECT COMMITTEE ON INTELLIGENCE

WASHINGTON, DC 205 1 0_3703 JOINT COMMITTEE ON TAXATION
221 DIRKSEN SENATE OFFICE BUILDING

WASHINGTON. DC 20510

(202) 224?5244 May 8, 20l8

Randall L. Stephenson

President and Chief Executive Of?cer
Inc.

208 South Akard Street

Dallas, TX 75202

Dear Mr. Stephenson:

I am writing to insist that take proactive steps to prevent the unrestricted disclosure and
potential abuse of private customer data, including real-time location information, by at least one
other company to the government.

I recently learned that Securus Technologies, a major provider of correctional?facility telephone
services, purchases real-time location information from major wireless carriers and provides that
information, via a self-service web portal, to the government for nothing more than the legal
equivalent of a pinky promise. Securus con?rmed to my of?ce that its web portal enables
surveillance of customers of every major US. wireless carrier. This practice skirts wireless
carrier?s legal obligation to be the sole conduit by which the government may conduct
surveillance of Americans? phone records, and needlessly exposes millions of Americans to
potential abuse and unchecked surveillance by the government.

Wireless carriers are prohibited from sharing certain customer information, including location
data, unless the carrier either has the customer?s consent or sharing is otherwise required by law.
When responding to law enforcement requests, wireless carriers must take af?rmative steps to
verify that a request is supported by appropriate legal authority. Further, wireless providers must
ensure surveillance of communications and call records using their facilities can only be
conducted with the direct and speci?c oversight of the provider.

The fact that Securus provides this service at all suggests that does not suf?ciently
control access to your customers? private information. Securus informed my of?ce that it
purchases real-time location information on customers?through a third party location
aggregator that has a commercial relationship with the major wireless carriers?and routinely
shares that information with its government clients. Correctional of?cers simply visit Securus?
web portal, enter any US. phone number, and then upload a document purporting to be an
?of?cial document giving permission? to obtain real-time location data. Senior of?cials from
Securus have con?rmed to my of?ce that it never checks the legitimacy of those uploaded
documents to determine whether they are in fact court orders and has dismissed suggestions that
it is obligated to do so.

911 NE 11TH AVENUE 405 EAST 8TH AVE SAC ANNEX BUILDING U.S. COURTHOUSE THE JAMISON BUILDING 707 13TH ST SE

SUITE 630 SUITE 2020 105 FIR ST 310 WEST 6TH ST 131 NW HAWTHORNE AVE SUITE 285 i

PORTLAND, OR 97232 EUGENE, OR 97401 SUITE 201 ROOM 118 SUITE 107 SALEM OR 97301

(503) 326?7525 (541) 431?0229 LA GRANDE, OR 97850 MEDFORD, OR 97501 BEND, OR 97701 (503) 589?4555
(541) 962?7691 (541) 858?5122 (541) 330?9142


PRINTED ON RECYCLED PAPER

Even if Securus carefully vetted each request from its law enforcement clients, it still should not
be able to provide customers? private information directly to law enforcement without
active oversight and direction. The law requires that your company be the sole conduit
for law enforcement surveillance of your customers? communications and call records. I have
written to the Federal Communications Commission asking that it investigate inability
or unwillingness to suf?ciently safeguard your customers? private information. Further, I have
asked the Commission to investigate whether companies involved in the commercial disclosure
of customer location data suf?ciently verify that targeted individuals have actually consented to
that disclosure. A copy of my letter to the Commission is enclosed.

With good reason, your customers expect to take seriously its commitment to protect
customers? private data. must deliver on that expectation. As such, I ask that you take the
following common-sense steps to ensure that your customers? personal information is not
abused:

undertake a comprehensive audit of each third party with which you share
customers? personal information and
0 determine how the third party uses that information,
0 ensure your customers in fact consented to that disclosure and use, and
notify customers whose location information you disclosed without their consent.

0 Immediately terminate your data-sharing relationships with all third parties that have
misrepresented customer consent or abused their access to sensitive customer data.

0 Provide a web portal for your customer so that, upon request, each customer can view a
list of the third parties with which you share or have previously shared that customer?s
private information. Americans should be able to obtain this information from wireless
carriers, just as they can obtain from the consumer credit agencies a list of the private
parties who have accessed their credit reports.

In addition, please provide me with full responses to the following questions no later than June
15, 201 8:

1. Please identify the third parties with which your company shares or has shared customer
information, including location data, at any time during the past ?ve years. For each third
party with which you share information directly, please also include a list of the ultimate
end users of that information, as well as all intermediaries.

2. For each of the third parties identi?ed in response to question one, please detail the types
of customer information provided to them and the number of customers whose
information was shared. For each of these, please detail whether the third party provided
proof of customer consent, and if so, how the third party demonstrated that they had
obtained customer consent.

3. Please describe in full your process, if any, for determining that each third party
identi?ed in response to question one has obtained appropriate customer consent before
your company shared that customer?s information with them. Speci?cally, please
describe what criteria and processes your company uses to review claims and evidence
that a third party has obtained consent.

4. Please describe any incidents known to your company or uncovered during your
responses to the above in which a third party with which your company shared customer
data misrepresented that they had customer consent.

If you have any questions about this request, please contact Chris Soghoian in my of?ce.

Sincerely,

Ron Wyden
United States Senator