Just been looking into this and from the little info I can find, it looks like your phone number would be classed as personal information and so covered by the data protection act.
That page suggests you can only complain if you've been personally affected.
Although I've been on O2 in the past, I don't have any evidence that the problem occurred during that time. I'm on Orange now, which appears to be unaffected.
It's a pain, because I'd been thinking about switching back to O2 to get Visual Voicemail, which no other UK provider appears to be able to support.
I am in the process of doing this now, also my contract expires this month with them and I will be moving to another provider - do we know it if only affects 02?
Here's a statement from the Information Commissioner's Office:
"When people visit a website via their mobile phone they would not expect their number to be made available to that website.
"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
Firstly I don't work for O2 but I work in the mobile industry. O2 should only be passing your number to trusted sites (and to get on that list is pretty hard).
We have reported it to them via various internal contacts we have. Hopefully they will fix this soon!
No site served over unencrypted HTTP can be considered trusted. So there's no circumstance under which they should insert this header, since they can't modify HTTPS requests.
Can you tell us more about the kind of people who count as a trusted site, how you get on this list, and if this is made public/opt-outable anywhere? (Thanks for reporting!)
Yes, where I am it's often used to direct-to-bill services such as purchasing ringtones. The user clicks on 'purchase ringtone / song etc' and doesn't have to enter any payment information. The partner site has access to the number that they have to bill to. Since this is not controlled for or re-checked, there have been incidents of billing fraud (just set the header yourself with someone else's number).
The same thing could be acheived using a one-way hashed version of the mobile number, which removes the personal information and still allows the carrier to identify the handset customer.
There's no good reason to include the actual mobile number in the headers, internal or not.
Glad this is being brought to attention finally (as it seems it's been discovered before), but this is just yet another case of a UK mobile operator losing my trust.
O2: Send number in plain-text to every website visited. [1]
Orange: Increase fixed contract price by RPI through use of dodgy contract clause. [2]
Three: Place a non-payment flag on my credit report for no apparent reason. When I realise years later, they remove it and don't even apologise.
I'm running out of operators which haven't negatively impacted me, and to be honest, I think some of the blame must land with OFCOM.
Let's not forget Vodafone, who released an update for Android at about the same time 2.2 was arriving. Only it wasn't 2.2, it was a whole load of Vodafone-branded cruft for 2.1 that couldn't be removed.
The only way to reliably work around operators messing around with what you access (inserting their own client side code and such) and potentially inserting stuff into the headers like this too is to use a VPN for all Internet traffic that isn't otherwise tamper proof (i.e. HTTPS with a properly signed cert).
I use OpenVPN when I have my netbook tethered to my phone (or when I use any other "untrusted" wireless network for that matter) and route all traffic through my home fibre (I'm with an ISP that I know doesn't mess with my traffic).
There are problems with that though:
* installing OpenVPN on Android is a faf (I've still not got around to it on my device) [see http://vpnblog.info/android-openvpn-strongvpn.html and similar] - most users are not going to want to mess around like that
* there is no garantee that it will even work (or work efficiently enough) on all networks, or they could classify all encrypted traffic in the same lump as encrypted P2P connections and shape/block accordingly
* any VPN adds overheads (at least a set of headers per packet, and keep-alive packets when the connection is otherwise inactive), so if you don't have a cheap data plan that could be a consideration
A lot of mobile network operators wash this information about or have it hashed into some other form (which means it can still be used as a unique identifier)
In his webpage he also says "They downgrade all images and insert a javascript link into the HTML of each page."
The image downgrading has been know about for ages, the JS I have not heard about before. I have asked for more info on Twitter but will investigate myself if I can find time today.
If an image is loaded from a third-party site then presumably that request's header also includes the phone number. Can anyone confirm? That would mean that it's not just the website you're visiting that's getting your phone number, but advertisers too.
The link insertion reminds me of an ISP in another country that was rewriting HTML before sending it. If we want to get very technical, if this happened in the US, couldn't an ISP be dinged for creating a "derived work" of a copyrighted page without permission?
I think that is opening up a can of worms I would rather not see opened. Technically caching could be seen as copyright infringement.
Quite a few ISP's run transparent proxies for caching and technically every time you visit a website you are creating a copy of it on your local drive. If I disable javascript or run other scripts (like via grease-monkey) I am also technically creating "derived work".
The write-up is more charitable when it comes to the possible reason why this may be happening. The specific quote: " Our suspicion is that the feature is used by internal O2 websites to identify the user trying to make changes to the account, but that one or more of O2's proxy servers have been misconfigured."
x-up-calling-line-id (and similar headers from other gateway vendors) are typically not meant to be sent in the clear beyond internal sites. Perhaps a certain set/class of URL ACLs were (mis)configured during a maintenance window that caused this to happen.
Similar to how websites leave cookies, carriers have always had the ability to send certain identifying information to external sites. Usually, such identifying information is munged in some way that doesn't make it possible to determine the mobile number of the subscriber.
The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.
Regarding the customer support folks, it's highly unlikely that they know anything about HTTP headers, since they are typically level 1 support. This type of query/complaint would be filtered up to level 2 or 3 usually quite quickly once enough customers start calling in, or if somebody happens to be reading certain media outlets (e.g. HN).
Using Opera Mini seems to disable this "feature". Of course, doing so means all of my web traffic goes via Oslo. And of course, any apps using an http API are presumably affected too. I'm rather disappointed to hear about this.
That article is actually hilarious in how bad it is.
Lines like this one:
"The message was so convincing that the iPhone Anita was using believed it was genuine and listed it directly underneath the real message from that bank."
Show a complete misunderstanding of how SMS works. SMS is like email in that who it comes from is simply a type of header, which when sending from a mobile phone isn't editable - when a message arrives your phone can't verify where it actually came from. In particular given banks don't send from an official number, they send from a text name.
When using Skype messaging to a mobile number, you can enter your real mobile number as the 'from' address (In Skype settings). To do this Skype first sends you a confirmation message to the number you want to send from. I'm going to assume the confirmation message is Skype being curious, and that the same technology could be used without confirmation. Or is this an agreement with the mobile operators?
I disagree. SMS spoofing is a serious problem but not such a gigantic privacy issue as sending my phone number to every website I visit.
If it were merely some string that uniquely identifies me across different domains no matter how many times I reset my browse, it'd already be a privacy disaster. But making it my actual phone number? That's... just.. horrible.
Sadly I can say this is true for at least two US carriers.
One had obfuscated the number by padding it in a unique identifier header, and the other would send it along in some cases (i can't remember if it was on a partner by partner basis).
Also, almost every HTTP request on a mobile phone still passes through a HTTP Proxy. Generally, so avoiding opera, won't do any good. That is what the APN does.
What typically will get you off the carriers proxies is to use wi-fi, despite what the author says. They tend to get out of the loop if you're using someone else's network.
Wow, just tried this and my number is right there in plain text within the HTTP header.
I would never have signed the contract if I was aware that this would be happening.
Does anybody know if this is a new development or been happening forever?
Hopefully they fix this pronto, if not I'm not quite sure what to do since I'm really not comfortable using the service if this is happening and it's something I'm already signed up to pay for monthly for the next year at least!
It's quite unlikely that this has been going on forever. More likely that this was a gaffe or misconfiguration during some sort of operational maintenance.
[+] [-] Torn|14 years ago|reply
[+] [-] alexchamberlain|14 years ago|reply
[+] [-] iamichi|14 years ago|reply
[+] [-] bjnortier_hn|14 years ago|reply
[+] [-] davedevelopment|14 years ago|reply
[+] [-] peterclary|14 years ago|reply
Although I've been on O2 in the past, I don't have any evidence that the problem occurred during that time. I'm on Orange now, which appears to be unaffected.
It's a pain, because I'd been thinking about switching back to O2 to get Visual Voicemail, which no other UK provider appears to be able to support.
[+] [-] warehouse|14 years ago|reply
[+] [-] jiggy2011|14 years ago|reply
[+] [-] warehouse|14 years ago|reply
[deleted]
[+] [-] JonnieCache|14 years ago|reply
"When people visit a website via their mobile phone they would not expect their number to be made available to that website. "We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
http://news.sky.com/home/technology/article/16156276
O2 are in trouble.
[+] [-] cornet|14 years ago|reply
We have reported it to them via various internal contacts we have. Hopefully they will fix this soon!
[+] [-] naz|14 years ago|reply
[+] [-] jarofgreen|14 years ago|reply
[+] [-] sahirh|14 years ago|reply
[+] [-] glenjamin|14 years ago|reply
There's no good reason to include the actual mobile number in the headers, internal or not.
[+] [-] dazbradbury|14 years ago|reply
O2: Send number in plain-text to every website visited. [1]
Orange: Increase fixed contract price by RPI through use of dodgy contract clause. [2]
Three: Place a non-payment flag on my credit report for no apparent reason. When I realise years later, they remove it and don't even apologise.
I'm running out of operators which haven't negatively impacted me, and to be honest, I think some of the blame must land with OFCOM.
[1] - http://news.sky.com/home/technology/article/16156276
[2] - http://en.wikipedia.org/wiki/Orange_%28UK%29#Controversy
[+] [-] alexmuller|14 years ago|reply
http://www.itpro.co.uk/625774/vodafone-no-froyo-android-upda...
[+] [-] edandersen|14 years ago|reply
Edit: It still includes your phone number, thanks msmithstubbs.
[+] [-] dspillett|14 years ago|reply
I use OpenVPN when I have my netbook tethered to my phone (or when I use any other "untrusted" wireless network for that matter) and route all traffic through my home fibre (I'm with an ISP that I know doesn't mess with my traffic).
There are problems with that though:
* installing OpenVPN on Android is a faf (I've still not got around to it on my device) [see http://vpnblog.info/android-openvpn-strongvpn.html and similar] - most users are not going to want to mess around like that
* there is no garantee that it will even work (or work efficiently enough) on all networks, or they could classify all encrypted traffic in the same lump as encrypted P2P connections and shape/block accordingly
* any VPN adds overheads (at least a set of headers per packet, and keep-alive packets when the connection is otherwise inactive), so if you don't have a cheap data plan that could be a consideration
[+] [-] kgutteridge|14 years ago|reply
Some popular headers to check
X-UP-CALLING-LINE-I
X_NOKIA_MSISDN
X_H3G_MSISDN
MSISDN
X_MSISDN
X_NETWORK_INFO
X-WAP-MSISDN
X-UP-SUBNO
[+] [-] edlea|14 years ago|reply
Vistors on an O2 phone will receive an SMS on their first visit. An MD5 hash of their MSISDN is kept in memory to prevent multiple SMS being sent.
[+] [-] jarofgreen|14 years ago|reply
In his webpage he also says "They downgrade all images and insert a javascript link into the HTML of each page."
The image downgrading has been know about for ages, the JS I have not heard about before. I have asked for more info on Twitter but will investigate myself if I can find time today.
[+] [-] peterclary|14 years ago|reply
Here comes the SMS spam...
[+] [-] MattBearman|14 years ago|reply
[+] [-] JCB_K|14 years ago|reply
[+] [-] gerrit|14 years ago|reply
[+] [-] chalgo|14 years ago|reply
[+] [-] michaelfeathers|14 years ago|reply
[+] [-] ignoreme|14 years ago|reply
Quite a few ISP's run transparent proxies for caching and technically every time you visit a website you are creating a copy of it on your local drive. If I disable javascript or run other scripts (like via grease-monkey) I am also technically creating "derived work".
[+] [-] wgx|14 years ago|reply
[+] [-] otoburb|14 years ago|reply
x-up-calling-line-id (and similar headers from other gateway vendors) are typically not meant to be sent in the clear beyond internal sites. Perhaps a certain set/class of URL ACLs were (mis)configured during a maintenance window that caused this to happen.
Similar to how websites leave cookies, carriers have always had the ability to send certain identifying information to external sites. Usually, such identifying information is munged in some way that doesn't make it possible to determine the mobile number of the subscriber.
The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.
Regarding the customer support folks, it's highly unlikely that they know anything about HTTP headers, since they are typically level 1 support. This type of query/complaint would be filtered up to level 2 or 3 usually quite quickly once enough customers start calling in, or if somebody happens to be reading certain media outlets (e.g. HN).
[+] [-] MrKurtHaeusler|14 years ago|reply
[+] [-] danbee|14 years ago|reply
[+] [-] Leynos|14 years ago|reply
[+] [-] mhw|14 years ago|reply
Which probably means that your phone number is going to Oslo instead. At least it's not being proxied onwards from there.
[+] [-] ntmartin|14 years ago|reply
[+] [-] mattyohe|14 years ago|reply
[+] [-] jarofgreen|14 years ago|reply
[+] [-] richardburton|14 years ago|reply
http://www.bbc.co.uk/blogs/watchdog/2010/04/mobile_spoofing....
Nothing has been done about it.
[+] [-] corin_|14 years ago|reply
Lines like this one:
"The message was so convincing that the iPhone Anita was using believed it was genuine and listed it directly underneath the real message from that bank."
Show a complete misunderstanding of how SMS works. SMS is like email in that who it comes from is simply a type of header, which when sending from a mobile phone isn't editable - when a message arrives your phone can't verify where it actually came from. In particular given banks don't send from an official number, they send from a text name.
[+] [-] samarudge|14 years ago|reply
[+] [-] michh|14 years ago|reply
If it were merely some string that uniquely identifies me across different domains no matter how many times I reset my browse, it'd already be a privacy disaster. But making it my actual phone number? That's... just.. horrible.
[+] [-] gpapilion|14 years ago|reply
One had obfuscated the number by padding it in a unique identifier header, and the other would send it along in some cases (i can't remember if it was on a partner by partner basis).
Also, almost every HTTP request on a mobile phone still passes through a HTTP Proxy. Generally, so avoiding opera, won't do any good. That is what the APN does.
What typically will get you off the carriers proxies is to use wi-fi, despite what the author says. They tend to get out of the loop if you're using someone else's network.
[+] [-] jiggy2011|14 years ago|reply
I would never have signed the contract if I was aware that this would be happening.
Does anybody know if this is a new development or been happening forever?
Hopefully they fix this pronto, if not I'm not quite sure what to do since I'm really not comfortable using the service if this is happening and it's something I'm already signed up to pay for monthly for the next year at least!
[+] [-] Torn|14 years ago|reply
File a Data Protection complaint, see below: http://news.ycombinator.org/item?id=3509096
[+] [-] otoburb|14 years ago|reply
[+] [-] jsvaughan|14 years ago|reply