/ Technology

Is O2 sharing your phone number with the sites you visit?

30
Profile photo of Patrick Steen Patrick Steen Conversation Editor
Comments 30

Like to do a little bit of web browsing on your mobile? Well, you could be giving out more information than you think. In fact, if you’re with O2, this provider could be sharing your phone number with the sites you visit.

You may not know it, but when you visit a website from your mobile, you’re sharing information about your phone in the HTTP header of your web browser. This includes what browser you’re using and what phone you own. This helps websites display content in the best way on your mobile.

However, what if your network provider was sharing more than that? What if it was handing out your phone number?

Your phone number is…

Well, on Twitter, Lewis Peckover (@lewispeckover) discovered that O2 is doing just that, albeit unwittingly. While you’re happily browsing your favourite sites (Which? Convo being one I hope) you could be unwittingly handing over your phone number. Well, that is, O2 is unwittingly giving out your number.

Most sites don’t record this type of information, and even if they do it’s unlikely that reputable sites are taking advantage of this phone number leak.

However, now that we know this information is being thrown about, malicious websites might not be so discerning. If you use your phone for a lot of browsing, you could receive spam texts galore and – even worse – scams.

You can see whether you’re affected by going to Lewis Peckover’s website from your phone. We’ve tested this in the office on phones using O2’s network, and even on GiffGaff which runs on the O2 network, and they both gave out the phone number.

When we did the same on Virgin, Vodafone, T-Mobile/Orange and 3 phones, a number was not recorded.

Is your provider giving out your number?

We’ll be very interested to see whether your phone is sharing your phone number too, so please try it out on Lewis’ website and tell us in the comments, along with the network provider you use. Dr Rob Reid, Which? scientific policy advisor, comments on the leak:

‘Phone numbers are personal data and as such O2 could be in breach of the Data Protection Act. As a result the Information Commissioner’s Office (ICO) should investigate how this has happened and if it feels O2 has breached the Act, the ICO should take enforcement action.

‘O2 needs to take action to resolve this immediately, inform all of those affected and advise them on the steps they should take to protect themselves.’

We’re in touch with O2, which has said on Twitter that it is looking into the problem, so we’ll share any statement with you as soon as we get it. Hopefully they’ll close this loophole soon – otherwise people might start switching mobile provider.

[UPDATE 12.10pm 25/01/12] – We contacted the Information Commissioner’s Office (ICO) about this, which makes sure companies adhere to data privacy laws in the UK, and it sent us this statement:

‘Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.

‘We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.’

[UPDATE 3.45PM 25/01/12] – O2 has confirmed that it has fixed the problem, releasing the following statement along with an online Q&A:

‘Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

‘We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

‘We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.’

Comments
30
Simon Parkyn says:
25 January 2012

I’ve just checked my phone on Lewis Peckover’s website above and yes my number was displayed in the headers. I’m on giffgaff and I’m quite annoyed!

0
 |     Reply    Report
Share   
Hide replies ∧
Patrick Steen says:
25 January 2012

Yes, it seems O2’s subsids GiffGaff and Tesco Mobile are affected. GiffGaff has told us on Twitter that they are also investigating.

0
 |     Reply    Report
Share   
Rob says:
25 January 2012

Same here Simon – GiffGaff runs on the O2 network, so it is clearly added at some point in the chain when they both converge. I have been heretofore very pleased with both O2 and GiffGaff, so I’m quite disappointed to see such a blatant disregard for my privacy.

0
 |     Reply    Report
Share   
craig_t says:
25 January 2012

Hi folks,

I’m Craig from the giffgaff community team. As Patrick has said, we’ve been made aware of this and wanted to update you with some news from our side.

The privacy and security of our customers and community are really, really important to us – our utmost concern in fact. As a result, we’re looking into this as a top priority. Initial impressions are that this appears to be an O2 network issue, but of course we’ll need to confirm this.

If you’d like to keep a track of this on our side of things, we’ll be updating and discussing on our community this thread fgaff.com/t5/Service-Updates-Notice-board/Mobile-Number-Information-Issue-25-01-11/m-p/2854061/highlight/false#M25550) – and be back with news there as soon as we have info.

Many thanks,

Craig

0
 |     Reply    Report
Share   
Kelpie says:
25 January 2012

Just checked on O2 and no number appears on either iPhone or iPad.

0
 |     Reply    Report
Share   
Ben says:
25 January 2012

It appears to be only effecting users who are using the wap.o2.co.uk APN to access the internet. Changing these details to mobile.o2.co.uk and the username to o2web rather than o2wap will stop addition of the extra headers.

The iPhone 4S and the Galaxy Nexus both seem to default to these APNs which is why some users haven’t been seeing the issue.

It also seems that a number of o2 services only require phone number for security as detailed on http://blog.networksaremadeofstring.co.uk/2012/01/25/potential-social-engineering-avenues-resulting-from-the-o2-header-issues/ which could lead may scams against phone owners who don’t know about this leak.

0
 |     Reply    Report
Share   
Hide replies ∧
Steve says:
25 January 2012

It appears to be more complicated than that.

My phone number is being passed to websites and my iPhone 4 APN is set to use idata.o2.co.uk

0
 |     Reply    Report
Share   
mister squirrel says:
25 January 2012

For once I am glad to say thank god I’m using BlackBerry as the O2 number giving out doesn’t affect BlackBerry users (I don’t say “thank god I’m using a BlackBerry” that often)

0
 |     Reply    Report
Share   
Patrick Steen says:
25 January 2012

Hi everyone, it looks like O2 has closed this loophole, though we’ll let you know as soon as O2 confirms it’s fixed.

0
 |     Reply    Report
Share   
Hide replies ∧
wavechange says:
25 January 2012

Hope so. That’s a quick win if it works.

0
 |     Reply    Report
Share   
Ben says:
25 January 2012

Does closing this loophole also including fixing their services that only require your phone number to work?

I wonder if other providers in-house services work the same way as well…

0
 |     Reply    Report
Share   
Patrick Steen says:
25 January 2012

We contacted the ICO again about whether a phone number is considered personally identifiable information and thus would be in breach of the Data Protection Act. It told us:

‘In terms of this alleged breach, O2 seem to have mistakenly exposed people’s phone numbers. As they are legally required under the Data Protection Act to keep people’s details secure (of which people’s phone numbers are a component of customer information), then this could breach Data Protection and PECR rules.

‘As for whether a phone number in itself constitutes personal data – this depends on the circumstances, and we can’t say in this case until we have looked into it.

‘If a phone number was written on its own on a post it note with no other details and then discarded in the street then this may not be strictly personal data. However, if a phone number is coupled with other information – for instance IP addresses – then this may constitute it. In any case, the essential issue here is whether O2 has kept its customer information secure. In short, it’s not as simple as a yes or no answer and depends on the individual circumstances.’

0
 |     Reply    Report
Share   
Hide replies ∧
loones says:
25 January 2012

That is very interesting, because by definition your IP address is part of the request sent to any site you are accessing, strengthening the ICO case.

Also, this information is also sent to any sites who’s content is embeded in a page you are viewing. If you go to a page that has an advert in it which comes from another site, the advert provider gets the same information.

0
 |     Reply    Report
Share   
Alan Henness says:
26 January 2012

As far as I’m aware, for O2 at least, the IP address is not allocated to each individual phone, but is a generic one assigned to all or part of O2’s network. If this is right (and I may be wrong), then – to use Patrick’s Post-it note analogy – it would be your phone number on it with O2’s address. So having the IP address as well may not bring it within the ICO’s definition of personal data.

0
 |     Reply    Report
Share   
Scott A J Reynolds says:
25 January 2012

This is very bad for Telefonica Uk, Who run on O2 mobile network in the Uk, & Run such networks as, O2, Tesco Mobile PAYG & Monthly, GiffGaff.Co.Uk PAYG Online only.

How does one know if there mobile numbers been recorded using the above website?.

0
 |     Reply    Report
Share   
Patrick Steen says:
25 January 2012

O2 has confirmed that it has fixed the problem – I’ve added its statement as an update above.

0
 |     Reply    Report
Share   
sloany says:
25 January 2012

loones, Think you’ll find the IP address with be the IP Address of the server the handset is connected to as far as I know IP addresses are not used on the GPRS network, the routing from the server to the mobile is carried out by the networks servers. So it may not be as clear cut as you think.

source = http://en.wikipedia.org/wiki/GPRS_Core_Network

0
 |     Reply    Report
Share   
Bhoy Fett says:
26 January 2012

With this supposed breach of certain rules/regulations/guidelines, is there sufficient grounds to terminate your contract without penalty?

I recall many leaving O2 after call charges were restructured a few years ago and they could not penalise customers wishing to sever their contract early.

After this data breach, it does leave me considering how reliable my network operator is.

0
 |     Reply    Report
Share   
Hide replies ∧
Patrick Steen says:
27 January 2012

Hello Bhoy Fett, it’s a good question. I spoke to senior Which? solicitor Joanne Lezemore, who said that it depends on the individual situation:

‘Many firms actually state that they will share your information with others, unless you opt out of this (usually an opt out/opt in button). However, where you have opted out, then forwarding any of your personal data will be a breach of the Data Protection Act.

‘If you want to cancel a contract you have to show there has been a fundamental breach of contract i.e. a serious breach. Where there is a breach of the Data Protection Act, it could be argued this would be sufficient for customers to cancel their contract, regardless of how or why the breach occurred.’

I hope that’s of some use, but we are looking a bit closer at O2’s contract to see how clear it is that they share your data with trusted third parties.

0
 |     Reply    Report
Share   
Nikki Whiteman says:
26 January 2012

I’m really curious about the reason they need to share my phone number with trusted partners anyway. They say that it’s for checking that I’m over 18 – but this kind of identification can surely be done by sending a binary value (over 18? yes/no). Sending my entire number would seem irrelevant.

It also contradicts the initial part of their statement (which has now been edited to add more detail) where they said that your phone number wasn’t linked to any other identifying information about you. If that’s the case, how can it be used to tell that I’m over 18? or to provide me with ‘download and paid-for services’ for billing purposes? I don’t really understand, and would appreciate some more clarity on this.

I’m actually not with O2, but with giffgaff, and I think we’re affected in almost exactly the same way.

0
 |     Reply    Report
Share   
Hide replies ∧
tpoots says:
26 January 2012

Extremely good point about the binary value for the age control.

Also, for billing purposes, they could send a unique billing ID rather than your mobile number…a number which is meaningless to anybody outside O2.

0
 |     Reply    Report
Share   
Nikki Whiteman says:
26 January 2012

Yes – a unique ID would work well too.

0
 |     Reply    Report
Share   
daffieduck says:
26 January 2012

I would be very grateful if someone could provide the instructions on how to check if my telephone number has been compromised

0
 |     Reply    Report
Share   
Hide replies ∧
Patrick Steen says:
26 January 2012

Hello Daffie, the loophole appears to have been closed now. There are currently no reports that any phone numbers have been taken by a malicious website.

However, if you’d like check for yourself that your number is not being shared please type this URL into your smartphone’s web browser: http://lew.io/headers.php You’ll see your phone number highlighted in red towards the bottom of the page if it is. If not, you’ll see nothing. Thanks.

0
 |     Reply    Report
Share   
Baz Cleaver says:
30 January 2012

Can I claim compensation from O2 for divulging my personal details?
And if so, how much would they likely pay out?
I’m seriously not happy with this breach of security.
It’s disgusting.

0
 |     Reply    Report
Share   
Hide replies ∧
Patrick Steen says:
30 January 2012

Hello Baz, breaches of data protection are dealt with by the Information Commissioner’s Office, but it cannot award compensation. However, it has made a comment:

‘We’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network. We now have enough information to take this matter further, so there is no need for customers to complain to us.’

So the ICO will investigate and take action if it thinks it needs to. If you do want to claim compensation, you could bring a claim in the county court for breach of the Data Protection Act: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/claiming_compensation.pdf

Also, it’s worth noting that Which? called for the right to compensation for consumers in data breaches to be added to EU data protection laws. The good news is that this right has been added, but it could take as long as three years for the changes to be implemented. We’ve published a Conversation about this if you’re interested: https://conversation.which.co.uk/consumer-rights/eu-data-protection-rules-personal-data-european-commission/

0
 |     Reply    Report
Share   
Baz Cleaver says:
30 January 2012

Cheers Patrick! Thank you!
Your a good un!

0
 |     Reply    Report
Share   
KE says:
16 April 2012

Which Conversation-Comment-Is O2 Sharing Your Phone Number-16Apr2012


The more I look into this supposed mishap, the more suspicious I become. Indeed, the O2 official statement confirms that the only true accident was that the data were shared with every Website, rather than just a selected list of ‘partners,’ with whom Telefónica UK Limited (a.k.a. O2 UK) has commercial agreements. These partners are not defined or listed anywhere! O2 are likely building a loyalty scheme of partners who share personal data for marketing and product development with each other. If so, when did we join this scheme?

I have been digging into the terms and conditions in O2’s latest (2011) Pay-Monthly Contracts and its official Privacy Policy. The data sharing practices mentioned in these documents might make you shudder.

First, there is the basic contradiction regarding whether you opt-out or opt-in to sharing data with these non-specific partners and others. The Contracts outline an Opt-Out approach, i.e. as soon as the new contract applies (e.g. upgrade, purchase a new service plan or SIM, purchase an add-on [?], account migration [?]) your data can be immediately distributed; you must notify O2 (and wait) if you do NOT wish your details, including phone number, other personal identifying information, and usage data being shared for marketing and other purposes. The Privacy Policy outlines an Opt-In approach. Which is to be believed?

Second, O2 seems to be aggressively migrating accounts over to their latest in-house O2 billing system, i.e. if, like me, you had an account via a retailer such as Carphone Warehouse or Phones 4u, you may find that, without notice or consent (unlawful?), your account has been migrated directly onto O2. This may imply a different contract being forced upon you, as the retailer is no longer the billing company. I also discovered that a different phone plan had been forced upon me (fraud?); but a search of the net reveals that I am far from alone in seeing this ‘migration’ apparently used when O2 suddenly makes a service plan or feature obsolete, e.g. pay-upfront-for-life [PUFFL] or rollover minutes. A legal test is whether this results in “material detriment.” Well, changing contract terms, changing service plans, and, in my case, I now have no working SIM… seem to meet that definition. Worse, O2 has thus far refused to deal with my contractual or migration questions, insisting I continue to pay what had become a non-competitive rate (twice going price) for my ‘new’ monthly service (years since my initial 12-month ‘sentence’ was completed), de facto consenting to the new contract without discussion. In any case, the migration had failed and would not allow me to pay, so my SIM was barred. And that treatment is after more than a decade as a loyal O2 customer (a.k.a. ‘muppet’)!

Third, I have reviewed statements in the industry press, by various O2 executives, confirming their intentions to build a huge customer relationship management (CRM) database in the Czech Republic to exploit our data for marketing and other purposes.

Fourth, the O2 official explanation ( http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-browsing/ ) refers to “trusted partners who work with us on age verification…premium content…” But why should merely landing upon a site, which could be accidental, result in automatic disclosure of your phone number? I can see if you click on some upfront ‘age confirm’ panel or at the point of purchase (although other identifiers could and should be used), but not until those conscious decision points had been reached. Also, as of 02 January 2012, and despite many commenters (on the O2 official statement), O2 has refused to identify the list of ‘trusted partners’, let alone any other ‘partners’. We have a right to know with whom our personal data are being shared.

I am not buying the O2 official explanation. The comments on the O2 board suggest many customers remain sceptical. IMHO consumer watchdogs like Which? and the various regulators, Otelo (8 weeks of delay), Ofcom (toothless?), and the Information Commissioner, should continue to investigate.

Oh, and this O2 data sharing policy applies to all Telefónica Group subsidiaries (that’s worldwide, including regions without EU or strong data protection laws!) and ‘their’ partners. It also includes subsidiaries not obviously O2 or Telefónica, e.g. GiffGaff is a wholly-owned (with shared staff) O2 subsidiary not an independent MVNO as many of its customers (I nearly fell for it) still believe. Start shuddering!

0
 |     Reply    Report
Share   
Patrick Lee says:
4 July 2012

I use a phone paid for but never used by my partner. today, I received a spam text addressed directly to her using her name. I am with O2. as she has never used this phone or this number, I can only assume that her details came from O2. In dialogue they have denied that they have handed out the number and details associated with it and suggested that I complete a long and tedious online form so that they could pursue this despite knowing, the number, my name, my email address. Is O2 handing out information? what can I do about this?

0
 |     Reply    Report
Share   
Hide replies ∧
Patrick Steen says:
4 July 2012

Hello Patrick, we’re covering spam texts in this latest Conversation: https://conversation.which.co.uk/consumer-rights/nuisance-phone-calls-bbc-panorama-telephone-preference-service-ico/ You can report the text to the ICO, which is linked to from the Conversation.

0
 |     Reply    Report
Share   
 

Related discussions