It was revealed today that O2 has been voluntarily sharing its customers’ phone numbers with every website they visit. This is a serious privacy breach and has worried many of O2’s millions of mobile customers.
When you visit a website, your computer sends a small amount of information to the site to explain what browser you’re using and a few technical details about your computer. It’s very bland data and is useful so websites know whether you need the desktop or mobile version of their site, along with other technical tweaks. This information your computer sends at the top of its communication with an HTTP (aka “web”) server is known as the “HTTP Header”.
Computers can also add in extra bits of optional information if they think it might be useful or for bespoke arrangements with websites. What O2 are doing is getting a copy of the HTTP Header from your phone as it goes through their mobile internet servers on the way to the website you wish to view, and inserting an extra bit of information which includes your mobile phone number.
This was revealed today when Twitter user @lewispeckover set up a website which would display all of the HTTP Header information it receives when you access the site. O2 users can visit this site on their phones (with wifi turned off) and see their phone number staring back at them.
Try it yourself:
Every site visited on an O2 phone will receive this information and many of them will store this data for long periods of time. I was outraged at this complete disregard for private data by O2 and immediately voiced my concern on Twitter. I had the privilege of being the first person O2 finally responded to, with this message:
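A minimal version of the header-echo check described above, written here as an added example (it is not @lewispeckover’s site or anything from O2): it parses a raw request, flags any header value that contains a UK mobile number, and masks the number so a site that logs headers does not retain it. The request text and the phone number are constructed; the header name is one well-known carrier-injected header, used as an illustrative assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request, shaped like an O2 phone's traffic after the carrier
# proxy has added its extra header. The number is a fictional (Ofcom-reserved) one.
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)\r\n"
    "Accept: text/html\r\n"
    "x-up-calling-line-id: 447700900123\r\n"   # assumed carrier-injected header
    "Connection: keep-alive\r\n"
    "\r\n"
)

# A UK mobile number in international (447...) or national (07...) form.
UK_MOBILE = re.compile(r"(?<!\d)(?:44|0)7\d{9}(?!\d)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into a dict of lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]          # everything before the blank line
    lines = head.split("\r\n")[1:]               # drop the request line
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_leaked_numbers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, number) pairs for every header carrying a UK mobile number."""
    hits: List[Tuple[str, str]] = []
    for name, value in headers.items():
        for match in UK_MOBILE.finditer(value):
            hits.append((name, match.group(0)))
    return hits


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers with any phone number masked before it reaches a log."""
    return {name: UK_MOBILE.sub("[REDACTED]", value) for name, value in headers.items()}


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_REQUEST)
    print(find_leaked_numbers(parsed))   # [('x-up-calling-line-id', '447700900123')]
    print(redact_headers(parsed)["x-up-calling-line-id"])   # [REDACTED]
```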
O2 in the UK @O2
@standupmaths Hi, we’re investigating this at the moment and will update everyone as soon as we can. Keep an eye on this feed for updates
They have since been sending messages to countless people claiming that they are checking with their internal teams about what is going on. I feel sorry for whoever was in charge of their Twitter account this morning as it fast became a PR disaster. Beyond that, a lot of customers claim to be reporting O2 to the Information Commissioner’s Office, claiming this behaviour is a data protection breach.
Not only do O2 need to fix this problem quickly, they need to explain why they actively chose to share their customers’ personal contact details in the first place. It seems likely that their system to insert phone numbers into HTTP Headers was not supposed to do so for every website visited and this is a technical error. But that raises the grave question of what exactly it was supposed to be doing had it been working correctly.
What has happened is the same as the Post Office writing to every shop you visit, or person you talk to, and sending them your home address. The audacity of O2’s behaviour cannot be allowed to be overlooked just because what they did is shrouded in opaque computer-server language.
I’m very much looking forward to how they try to explain what happened to the general public.
Alternative blog-post title: “O2, Where’s Your Header At‽”
UPDATE02: Apparently some Tesco Mobile users are also seeing their numbers listed in their HTTP Headers. The problem doesn’t seem to affect BlackBerry phones on O2. We know how possessive BlackBerry are over their servers.
UPDATE04: If you have an O2 phone, you can avoid them messing with your header by changing your “Cellular Data” (or equivalent setting for mobile data) username to “bypass” from whatever it currently is. It worked a treat for me, however it also turns off server-end image compression and so may slow your connection and increase your data use. Idea from here.