O2 mobile data networks reveal your phone number to all visited websites
January 25, 2012 1:01 AM

It appears that the O2, Tesco Mobile, and GiffGaff mobile data networks (they are the same, just rebranded) reveal your mobile number (cell phone #) to every website you visit using their mobile data network.

You can see what you reveal on this link. I haven't tested any other mobile data networks as I (and my kids) don't have any others, but maybe you can and reveal who else is doing it. This was discovered by @lewispeckover and confirmed here.

Any other networks doing the same?
posted by priorpark17
Orange seem OK. This is pretty dismal security from o2. Hope they get it fixed quick.
posted by seanyboy at 1:24 AM on January 25, 2012


Thankfully the only places I visit via 3g are Mefi and Google Maps, and I block ads in the hosts file.

I'll shoot a complaint to O2 all the same. And turn on the proxy in Opera Mobile.
posted by ArmyOfKittens at 1:29 AM on January 25, 2012


Their Twitter account is doing some quality copy & paste work to attempt to placate all the angry tweets. Seems both stupid and entirely unnecessary - why on earth would any site need your mobile number, never mind every site? Is this just a lazy way to confirm it's a mobile?
posted by Happy Dave at 1:32 AM on January 25, 2012


Disgraceful, but not surprising.
posted by gallagho at 1:34 AM on January 25, 2012


I've confirmed I'm affected and am rather unimpressed. As much as anything, it shows a sloppy approach to privacy & security which makes you wonder what else is leaking.

The proxy server issues Lewis mentions are also frustrating, they modify pages and in many cases break them. For example, last time I checked, O2's proxies completely broke jQuery when it was loaded from the same domain as the page. They save a bit of bandwidth by combining scripts & reducing image quality, but it means the user isn't getting a proper unfiltered web experience (and web developers get puzzling bug reports).
posted by malevolent at 1:34 AM on January 25, 2012


Is there a UK mobile provider that doesn't filter the web?
posted by pharm at 1:47 AM on January 25, 2012


I'm on GiffGaff, and just confirmed that my number is being passed along.

In all honesty, I'm finding it difficult to be outraged. It's probably some debug information that was left in by accident.

By the way, GiffGaff are brilliant. Cheap as chips, and great service.
posted by veedubya at 1:58 AM on January 25, 2012 [1 favorite]


At some stage we will get a reply saying something about "security is our top priority" and "please accept a complimentary download of Angry Birds". Then later they will be fined £900,000 by some acronym (OFCAM, TOEFL or something) and nobody will ever know where the fine went, but you can be sure you will see nothing of it.
posted by priorpark17 at 1:59 AM on January 25, 2012 [5 favorites]


Wow, that's quite shocking. Surprised no one noticed it before.
posted by iotic at 2:05 AM on January 25, 2012


Also: this discovery may herald a slew of text spam for people on those networks.
posted by iotic at 2:06 AM on January 25, 2012


Nicola Green. Her promotion to director of comms and reputation for O2's parent company Telefónica UK was announced yesterday. Tough start to a new job.
posted by priorpark17 at 2:20 AM on January 25, 2012


I know someone who works there, and has been running around London with a 4G dongle "testing connectivity" with much smugness. He's going to take a while to live this one down.
posted by Leon at 2:32 AM on January 25, 2012


I'm not sure you could call GiffGaff and Tesco Mobile rebranded versions of O₂, more that they're resellers of O₂ services.

I'm interested to see what O₂'s doing about it, because it seems they're stalling answering their complainers on Twitter, and not everyone who looks is finding that header present.
posted by ambrosen at 2:49 AM on January 25, 2012


Well, at least O2 Germany doesn't seem to forward my cellphone number (but maybe they fixed it already?)
posted by SAnderka at 2:57 AM on January 25, 2012 [1 favorite]


ambrosen: "I'm not sure you could call GiffGaff and Tesco Mobile rebranded versions of O₂, more that they're resellers of O₂ services."

Giffgaff and Tesco Mobile are technically known as MVNOs (Mobile Virtual Network Operators) - they basically use all of O2's infrastructure (masts, switching, backhaul) but handle connections, billing and customer service themselves.
posted by Happy Dave at 2:58 AM on January 25, 2012


Interesting that under the UK Data Protection Act a mobile number isn't considered PII (personally identifying information). I always thought PII was usually considered to include any unique way of contacting an individual.
posted by fightorflight at 3:00 AM on January 25, 2012


Still think they require consent to pass it to third parties ... I was wondering why I started to receive spam texts recently, as I never give my number up to any crap like that. I guess now I have the answer.

Watching porn on the tube does have its downside after all.
posted by fistynuts at 3:24 AM on January 25, 2012


It turns out the problem was identified in an academic paper last year, and is widespread. Not just O2, and not just the UK. [Via Twitter's @wilstephens and @copyrightgirl.]
posted by rory at 3:39 AM on January 25, 2012


still think they require consent to pass it to third parties ...

Nah, all the operators pass the msisdn outside of themselves. You just have to be a "partner" and pay $$$.

In this case, someone probably just managed to get a wildcard into a rule somewhere.
posted by Leon at 3:47 AM on January 25, 2012


It is truly absurd that my address is covered under the DPA but not my mobile phone number.
posted by Virtblue at 3:49 AM on January 25, 2012


Just checked; Vodafone UK isn't passing over my mobile number. Will check Three tonight. Vodafone does filter, but you can ask for it to be turned off. Three doesn't appear to, at least on their data-only plans.
posted by ArkhanJG at 4:13 AM on January 25, 2012


1. Using your information

1.1 You must let us know if you change your name, address, telephone number or bank details.

Think they've rather shanked themselves with their own definition.

5. Sharing your information

5.1 We may pass your information to other members of the Group. We will never pass your information to anyone else, except where we have your permission, where we are required or permitted to do so by law, to other companies who provide a service to us and any successors in title to our business. Your information will never be released to companies outside the Group for their marketing purposes.

posted by fistynuts at 4:19 AM on January 25, 2012


O2 Ireland doesn't do it. I'm actually surprised by that.
posted by piearray at 4:29 AM on January 25, 2012


@lgladdy has knocked up a quick page to report whether you're proxied, whether any JS/CSS is modified, and whether your number is sent:

I'm all green on Orange UK
posted by Z303 at 4:32 AM on January 25, 2012
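The three checks such a test page would run on each request, as an added example in Python (this is not @lgladdy's page or any code from the thread). Only x-up-calling-line-id is named on this page; the other header names, the proxy host name and the sample number are assumptions constructed for the example.

```python
"""Added example: server-side checks a test page can run on each request to
report whether the request came through an operator proxy, whether a served
script reached the client unmodified, and whether a phone number was attached.
Not the page linked in the thread; header names other than
x-up-calling-line-id are assumptions, not taken from the page."""
import hashlib
from typing import Dict, List, Tuple

# x-up-calling-line-id is the header named in this thread. The remaining
# names are assumptions (other names operator proxies have used for the MSISDN).
MSISDN_HEADERS = ("x-up-calling-line-id", "x-msisdn", "x-nokia-msisdn", "x-wap-msisdn")

# Headers that an intermediate proxy normally adds when it relays a request.
PROXY_HEADERS = ("via", "x-forwarded-for")


def _digits(value: str) -> str:
    return "".join(ch for ch in value if ch.isdigit())


def mask_number(value: str) -> str:
    """Keep enough of a number to recognise it on a report page without echoing
    the whole thing back into logs or page content."""
    d = _digits(value)
    if len(d) <= 7:
        return "*" * len(d)
    return d[:4] + "*" * (len(d) - 7) + d[-3:]


def find_leaked_numbers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, masked number) for every MSISDN-bearing header.
    Only values with an E.164-plausible digit count (10 to 15) are reported,
    so a placeholder such as '0' does not count as a leak."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    for name in MSISDN_HEADERS:
        digits = _digits(lowered.get(name, ""))
        if 10 <= len(digits) <= 15:
            found.append((name, mask_number(digits)))
    return found


def is_proxied(headers: Dict[str, str]) -> bool:
    lowered = {k.lower() for k in headers}
    return any(name in lowered for name in PROXY_HEADERS)


def content_modified(served: bytes, received: bytes) -> bool:
    """Compare what the origin served with what the client actually got. In a
    live page the client fetches the script, hashes it and posts the hash back;
    here both sides are constructed inline."""
    return hashlib.sha256(served).digest() != hashlib.sha256(received).digest()


def inspect_request(headers: Dict[str, str], served_script: bytes, received_script: bytes) -> dict:
    return {
        "proxied": is_proxied(headers),
        "leaked_numbers": find_leaked_numbers(headers),
        "script_modified": content_modified(served_script, received_script),
    }


# Constructed sample: a request relayed by an operator proxy that attached the
# subscriber's number (447700900123 is in the UK range reserved for fiction,
# so it belongs to nobody) and minified the script on the way.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb)",
    "Via": "1.1 wap-proxy.example.test",
    "x-up-calling-line-id": "447700900123",
}
SERVED_SCRIPT = b"function ready() {\n  return 'unmodified';\n}\n"
RECEIVED_SCRIPT = b"function ready(){return 'unmodified'}"

if __name__ == "__main__":
    print(inspect_request(SAMPLE_HEADERS, SERVED_SCRIPT, RECEIVED_SCRIPT))
```

The number is masked before it is reported because a page whose purpose is to show that a number leaks should not itself log or echo the full number. The digit-count filter matters in practice: some proxies send the header with an empty or dummy value, which is not the same finding as a real MSISDN.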


I appear to be OK here on AT&T in the US.
posted by Songdog at 4:46 AM on January 25, 2012


I'm amazingly surprised AT&T isn't mucking with my iThing web experience. I used a Tesco PAYG for my iThing when I visited the UK last year, and now the spam text messages I got make more sense.
posted by subbes at 4:56 AM on January 25, 2012


867-5309
posted by blue_beetle at 5:10 AM on January 25, 2012


07901-PHIS-HME
posted by MuffinMan at 5:15 AM on January 25, 2012 [1 favorite]


In all honesty, I'm finding it difficult to be outraged. It's probably some debug information that was left in by accident.

And you can be sure that if by some oversight millions of customers failed to pay their bill, they'd be just as lenient.
posted by DU at 5:27 AM on January 25, 2012 [2 favorites]


I can't comment on the O2 situation (for several reasons) but...

A few years ago I worked for a web services company that provided services for a UK mobile phone operator. As a result of having one or more of our services on their portal, we got people's mobile phone numbers in the headers of every single HTTP request. It was common enough that we even used to check for a collection of msisdn headers as a part of our attempt to check if a browser was a (then) smart phone or a dumb web browser.

One of the reasons to do it was that there was a time when you used different reverse billing APIs for different networks, and the only way to tell what network someone was on was to look up their 'area' code against the lists of blocks owned by different operators. That died when they started letting you transfer phone numbers between operators.

I can't comment on if this was a stupid accidental debug command, but it wasn't very long ago that one or more operators in the UK were definitely doing it intentionally.
posted by sodium lights the horizon at 5:37 AM on January 25, 2012 [1 favorite]


Weird, just checked and O2 doesn't send my number.
posted by ersatz at 5:52 AM on January 25, 2012


Yeah O2 do seem to have fixed it. Glad they did so so quickly.
posted by edd at 6:03 AM on January 25, 2012


Fixed here too.
posted by Happy Dave at 6:06 AM on January 25, 2012


A few years ago I worked for a web services company that provided services for a UK mobile phone operator. As a result of having one or more of our services on their portal, we got people's mobile phone numbers in the headers of every single HTTP request. It was common enough that we even used to check for a collection of msisdn headers as a part of our attempt to check if a browser was a (then) smart phone or a dumb web browser.

I was an engineer for a partner company with a mobile phone operator and can confirm much the same. (Hey, we might even have worked together!)
posted by secretdark at 6:22 AM on January 25, 2012


Three doesn't seem to send the number.
posted by EndsOfInvention at 6:34 AM on January 25, 2012


Yeah, I'm on Tesco mobile and they're not currently sending my number. Cool.
posted by badmoonrising at 7:37 AM on January 25, 2012


T-Mobile is fine.
posted by Foosnark at 7:37 AM on January 25, 2012


O2 have a blog post up now, explaining what happened
posted by Z303 at 8:01 AM on January 25, 2012


Apparently it was fixed one and a half hours ago :)
posted by Cogentesque at 8:48 AM on January 25, 2012


It doesn't explain what happened ("Technical changes"). But I'm hopeful that public pressure is going to squeeze a list of trusted partners out of O2, which can be used as a stick to beat the other providers with.
posted by Leon at 8:49 AM on January 25, 2012


Yes, I should have put that in quotes.
posted by Z303 at 9:07 AM on January 25, 2012


From O2's Q&A thing:
We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased [...]
So, if you happen to know someone's O2 number, does that mean you can visit certain "trusted partner" sites with a corresponding x-up-calling-line-id header and get stuff charged to their account?

That would be... interesting.
posted by apatharch at 9:14 AM on January 25, 2012 [2 favorites]


apatharch: the content would be delivered to their phone. I assume there would be other safeguards in place... eg checking the originating IP.
posted by Leon at 10:04 AM on January 25, 2012
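The spoofing concern raised above, and the originating-IP safeguard suggested in reply, as an added example in Python. This is not O2's or any partner's code; the proxy address range, the use of x-up-calling-line-id for billing, and the sample requests are assumptions constructed for the example.

```python
"""Added example (not O2's or any partner's code): how a premium-content
billing endpoint that receives the subscriber number in a request header
should, and should not, decide whom to charge. The proxy address range and
the header name's use for billing are assumptions made for the example."""
import ipaddress
from typing import Dict, Optional

MSISDN_HEADER = "x-up-calling-line-id"

# Assumption: the operator publishes the addresses of the proxies that attach
# the header. TEST-NET-2 stands in for that list so the example runs offline.
OPERATOR_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def msisdn_trusting_header(headers: Dict[str, str]) -> Optional[str]:
    """Vulnerable: whoever can send a request chooses the number. Anyone who
    knows a victim's number can make this endpoint bill that number."""
    return _header(headers, MSISDN_HEADER)


def msisdn_from_operator(remote_addr: str, headers: Dict[str, str]) -> Optional[str]:
    """Hardened: accept the header only when the TCP peer is one of the
    operator's proxies. A header arriving from anywhere else is discarded,
    because nothing upstream of this server vouched for it."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in OPERATOR_PROXY_NETS):
        return None
    value = _header(headers, MSISDN_HEADER)
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits if 10 <= len(digits) <= 15 else None


def bill_premium_content(remote_addr: str, headers: Dict[str, str], price_pence: int) -> dict:
    """Charge the subscriber identified by the operator proxy. Raises
    PermissionError when the request carries no operator-vouched number."""
    msisdn = msisdn_from_operator(remote_addr, headers)
    if msisdn is None:
        raise PermissionError("no operator-attributed subscriber on this request")
    # A real implementation would call the operator's billing API here.
    return {"msisdn": msisdn, "charged_pence": price_pence}


# Constructed requests. 447700900123 is in the UK number range reserved for
# fiction; 203.0.113.7 (TEST-NET-3) stands in for an arbitrary internet host.
SPOOFED = ("203.0.113.7", {"X-Up-Calling-Line-Id": "447700900123"})
GENUINE = ("198.51.100.10", {"X-Up-Calling-Line-Id": "447700900123"})

if __name__ == "__main__":
    print("vulnerable, spoofed:", msisdn_trusting_header(SPOOFED[1]))
    print("hardened, spoofed:", msisdn_from_operator(*SPOOFED))
    print("hardened, genuine:", bill_premium_content(*GENUINE, 150))
```

The source-address check only holds if the operator's proxy also strips any x-up-calling-line-id a handset sends before attaching its own; otherwise a subscriber on the operator's network could still set the header and reach the endpoint from a permitted address. Partners that cannot get a proxy address list from the operator should treat the header as untrusted input and require a separate confirmation step before charging.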


Is there a UK mobile provider that doesn't filter the web?

When I saw a Jacob Appelbaum keynote last week, one point he made was that *all* the UK vendors filter, to the extent that tools like Tor have been blocked in the past.
posted by rodgerd at 10:15 AM on January 25, 2012


fined £900,000 by some acronym, (OFCAM, TOEFL or something)

sorry, got thoroughly derailed by the giggles at the thought of the Test Of English as a Foreign Language (TOEFL) fining a British mobile operator - vat? your call centers have an accent?
posted by infini at 12:49 PM on January 25, 2012 [2 favorites]


Wouldn't that be the job of OFEFL?
posted by ArkhanJG at 2:47 PM on January 25, 2012

