O2 has been caught out sending customers' mobile numbers to third-party websites, following an apparent configuration error.
UK mobile network and BT spin-off O2 has been left red-faced after a security researcher spotted it sharing users' mobile phone numbers with every website they visited.
Playing with code for monitoring the HTTP headers from various devices, O2 customer and security researcher Lewis Peckover spotted something odd: an x-up-calling-line-id header, which contained his entire mobile phone number in plain text.
Further research indicated that the header wasn't being added on the client side: any mobile device connected to O2's network, whether an Android tablet, an iOS device or a BlackBerry smartphone, would happily send its user's contact details to any website that knew to monitor for the header.
Rather, the header was being added by a device on O2's network that proxied the traffic on its way out to the website: disable the device's mobile data connection and use Wi-Fi instead, and the strange header disappears.
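The mobile-versus-Wi-Fi comparison described above, as an added example (not Peckover's monitoring code or anything from the article): two constructed request heads from the same handset are parsed, headers present only over the mobile path are reported, and any that are known to carry a subscriber identifier are logged with the number masked. The header name x-up-calling-line-id is from the report; x-msisdn is an assumed extra entry from other carrier header-injection research.

```python
import re
from typing import Dict, List, Tuple

# Header names reported to carry a subscriber identifier when a carrier proxy
# injects them. x-up-calling-line-id is the name from the O2 report; x-msisdn is
# an assumed addition from other header-injection research, not from this page.
IDENTIFIER_HEADERS = {"x-up-calling-line-id", "x-msisdn"}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 request head into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                               # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def mask_number(value: str) -> str:
    """Keep only the last three digits so our own logs never store the full number."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 3:
        return "***"
    return "*" * (len(digits) - 3) + digits[-3:]

def injected_headers(mobile_raw: str, wifi_raw: str) -> Dict[str, str]:
    """Headers seen when fetched over mobile data but absent over Wi-Fi."""
    mobile, wifi = parse_headers(mobile_raw), parse_headers(wifi_raw)
    return {k: v for k, v in mobile.items() if k not in wifi}

def identifier_findings(mobile_raw: str, wifi_raw: str) -> List[Tuple[str, str]]:
    """(header name, masked value) for injected headers that carry an identifier."""
    return [(k, mask_number(v)) for k, v in injected_headers(mobile_raw, wifi_raw).items()
            if k in IDENTIFIER_HEADERS]

# Constructed sample requests: same handset, once over mobile data, once over Wi-Fi.
MOBILE_REQ = """GET /whoami HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (Linux; Android 4.0)
x-up-calling-line-id: 447700900123
X-Forwarded-For: 10.1.2.3

"""
WIFI_REQ = """GET /whoami HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (Linux; Android 4.0)

"""

if __name__ == "__main__":
    for name, masked in identifier_findings(MOBILE_REQ, WIFI_REQ):
        print(f"carrier-injected identifier header: {name} = {masked}")
```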
The problem appears related to a similar issue spotted by researcher Collin Mulliner back in 2010 and presented at the Security in Telecommunications Conference (PDF), and affects O2 and network-sharing operators including GiffGaff and Tesco Mobile.
In a statement regarding the matter, O2 blamed 'technical changes we implemented as part of routine maintenance [which] had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.'
Although O2 claims that the flaw has now been fixed as of 1400 yesterday, there's a caveat: the company will still share your mobile number with 'selected trusted partners.'
Those partners, O2 explains, include sites that require age verification - including adult entertainment sites - and those who look to bill O2 customers for premium services such as content downloads or ring tones. In other words: if you're browsing porn on your O2 phone over a mobile connection, you should be aware that the site operator has your mobile number.
The Information Commissioner's Office (ICO) has indicated that it will be investigating the matter, while advising privacy activists that a mobile number in and of itself does not constitute 'personally identifiable information' under the Data Protection Act. O2 has promised to cooperate with ICO's investigation.
Are you disappointed in O2's decision to continue sharing customers' mobile numbers with 'trusted partners,' or more worried that ICO doesn't consider such information to be covered under the DPA? Share your thoughts over in the forums.
10 Comments
When I get phone calls from people/companies who I have not explicitly given my number to with permission to contact me, I always demand to speak to whoever is in charge and demand that I be removed from their database, after asking where they got the number from. I haven't yet taken legal steps against anyone, but am not against doing so when my contact details are given out willy nilly by some unauthorised ****. I value my privacy more than I value having a cheap phone contract :)
Of course, for this issue there is a work-round. If you want to (for example) download porn anonymously, just go request a new (free) SIM, and use that when accessing that sort of site :)
Thanks
Dan - O2 Social Media Team
Haha, skimreading fail! What a bunch of knobbers. Totally unneeded.
Cheers. That answered my question/s.
I use giffgaff, which in turn uses O2. Their proxy servers do have issues (pages stop midway when loading); also all the phones get NAT IPs, whereas you get a real one on Orange and I think T-Mobile (not really checked).
I like this bit: "This is standard industry practice." Is it? Can anyone confirm or deny this, as I was under the impression that O2 was the only one doing it...