WTF O2‽ You’re sending my phone number to ALL THE SITES!

It was revealed today that O2 has been voluntarily sharing its customers’ phone numbers with every website they visit. This is a serious privacy breach and has worried many of O2’s millions of mobile customers.

When you visit a website, your computer sends a small amount of information to the site to explain what browser you’re using and a few technical details about your computer. It’s very bland data and is useful so websites know if you need the desktop or mobile versions of their site and other technical tweaks. This information your computer sends at the top of its communication with a HTTP (aka “web”) server is known as the “HTTP Header”.

Computers can also add in extra bits of optional information if they think it might be useful or for bespoke arrangements with websites. What O2 are doing is getting a copy of the HTTP Header from your phone as it goes through their mobile internet servers on the way to the website you wish to view, and inserting an extra bit of information which includes your mobile phone number.

This was revealed today when Twitter user @lewispeckover set up a website which displays all of the HTTP Header information it receives when you access the site. O2 users can visit this site on their phones (with wifi turned off) and see their phone number staring back at them.

Try it yourself:
http://lew.io/headers.php

Here’s what I see:
My HTTP Header from O2

Every site visited on an O2 phone will receive this information and many of them will store this data for long periods of time. I was outraged at this complete disregard for private data by O2 and immediately voiced my concern on Twitter. I had the privilege of being the first person O2 finally responded to, with this message:

O2 in the UK @O2
@standupmaths Hi, we’re investigating this at the moment and will update everyone as soon as we can. Keep an eye on this feed for updates
http://twitter.com/#!/O2/status/162094696552865793

They have since been sending messages to countless people claiming that they are checking with their internal teams about what is going on. I feel sorry for whoever was in charge of their Twitter account this morning as it fast became a PR disaster. Beyond that, a lot of customers claim to be reporting O2 to the Information Commissioner’s Office, claiming this behaviour is a data protection breach.

Not only do O2 need to fix this problem quickly, they need to explain why they actively chose to share their customers’ personal contact details in the first place. It seems likely that their system to insert phone numbers into HTTP Headers was not supposed to do so for every website visited and this is a technical error. But that raises the grave question of what exactly it was supposed to be doing had it been working correctly.

What has happened is the same as the Post Office writing to every shop you visit, or person you talk to, and sending them your home address. The audacity of O2’s behaviour cannot be allowed to be overlooked just because what they did is shrouded in opaque computer-server language.

I’m very much looking forward to how they try to explain what happened to the general public.

Alternative blog-post title: “O2, Where’s Your Header At‽”

UPDATE01: It seems the “x-up-calling-line-id” line in a HTTP Header is nothing new. It was listed as a place to store the “End users phone number” over three years ago.
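As an added illustration (not code from this post or from lew.io), here is a small Python version of what a header-echo page like headers.php sees: it parses a raw request head, picks out the “x-up-calling-line-id” header named in UPDATE01, and masks its value so a site that receives the header can write its access log without retaining the number. The sample request and the phone number in it are constructed test values.

```python
import re

# Header the post identifies as carrying the end user's phone number.
SUBSCRIBER_ID_HEADERS = {"x-up-calling-line-id"}


def parse_request_head(raw: str) -> dict:
    """Parse 'Name: value' lines of a raw HTTP request head into a dict.

    Header names are case-insensitive, so they are lower-cased. The request
    line ("GET / HTTP/1.1") is skipped and parsing stops at the blank line.
    """
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the request line, not a header
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore it
        headers[name.strip().lower()] = value.strip()
    return headers


def find_subscriber_headers(headers: dict) -> dict:
    """Return only the headers that expose the subscriber's phone number."""
    return {k: v for k, v in headers.items() if k in SUBSCRIBER_ID_HEADERS}


def mask_number(value: str) -> str:
    """Keep the last two digits and star out the rest of the number."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 2, 0) + digits[-2:]


def safe_to_log(headers: dict) -> dict:
    """Copy of the headers with subscriber identifiers masked for logging."""
    return {k: (mask_number(v) if k in SUBSCRIBER_ID_HEADERS else v)
            for k, v in headers.items()}


# Constructed sample request head; the number is a made-up test value.
SAMPLE_HEAD = (
    "GET /headers.php HTTP/1.1\r\n"
    "Host: lew.io\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)\r\n"
    "X-Up-Calling-Line-ID: 447700900123\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_request_head(SAMPLE_HEAD)
    print("leaked:", find_subscriber_headers(hdrs))
    print("log-safe:", safe_to_log(hdrs))
```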

UPDATE02: Apparently some Tesco Mobile users are also seeing their numbers listed in their HTTP Headers. The problem doesn’t seem to impact BlackBerry phones on O2. We know how possessive BlackBerry are over their servers.

UPDATE03: Which? Conversation got in touch with the Information Commissioner’s Office and have a comment from them in their article.

UPDATE04: If you have an O2 phone, you can avoid them messing with your header by changing your “Cellular Data” (or equivalent setting for mobile data) username to “bypass” from whatever it currently is. It worked a treat for me, however it also turns off server-end image compression and so may slow your connection and increase your data use. Idea from here.

About Matt Parker

I do mathematics and stand-up. Sometimes simultaneously.

3 Responses to WTF O2‽ You’re sending my phone number to ALL THE SITES!

  1. Kirsty says:

    In all likelihood it is not an error on O2’s part. When using a data connection and browsing to a website that is deemed “age-restricted” O2 show their age-verification page instead of the content. You are then required, I believe, to call them with credit card details to verify you’re over 18. In order to catch this access and go through the age-restriction process, I think they have intentionally sent through the mobile number. I don’t know of any other UK networks that do the same.

  2. James says:

    It’s worse if you’ve ever looked at a spam or phishing email with images on your mobile (or even a forum which allows external images). Your phone number (and IP address) is being handed out to the kind of people you’d not tell your name.

    To use your metaphor, your phone number isn’t just being given to people you deal with directly, but the one holding the signpost in the town centre or busking, or collecting money – or just standing in the shadows in an alley waiting for someone who looks like a good target.

    Nice one O2

  3. Adam says:

    I’m still waiting to find out from Vodafone whether they’re sending my phone number with internet headers. They’ve issued a hideously ambiguous statement that says they don’t, but then strongly implies that they do send it to “approved partners”.

    I’ve been badgering them to clarify this on FB & Twitter, but they can only say they don’t know any more and are trying to find out. How hard can it be?
