
Is O2 sharing your phone number with the sites you visit?

Like to do a little bit of web browsing on your mobile? Well, you could be giving out more information than you think. In fact, if you’re with O2, this provider could be sharing your phone number with the sites you visit.

You may not know it, but when you visit a website from your mobile, your browser sends information about your phone in the HTTP headers of each request. This includes what browser you’re using and what phone you own, which helps websites display content in the best way on your mobile.

However, what if your network provider was sharing more than that? What if it was handing out your phone number?

Your phone number is…

Well, on Twitter, Lewis Peckover (@lewispeckover) discovered that O2 is doing just that, albeit unwittingly. While you’re happily browsing your favourite sites (Which? Convo being one I hope) you could be unwittingly handing over your phone number. Well, that is, O2 is unwittingly giving out your number.

Most sites don’t record this type of information, and even if they do it’s unlikely that reputable sites are taking advantage of this phone number leak.

However, now that we know this information is being thrown about, malicious websites might not be so discerning. If you use your phone for a lot of browsing, you could receive spam texts galore and – even worse – scams.

You can see whether you’re affected by going to Lewis Peckover’s website from your phone. We’ve tested this in the office on phones using O2’s network, and even on GiffGaff which runs on the O2 network, and they both gave out the phone number.

When we did the same on Virgin, Vodafone, T-Mobile/Orange and 3 phones, a number was not recorded.
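For site operators, the same kind of check can be run on incoming requests so that a subscriber number added on the network path is noticed and kept out of logs. This is an added example, not Lewis Peckover’s code or anything from O2; the article does not name the header involved, so the check matches on the value, and the header name and number in the sample are constructed.

```python
import re

# UK mobile number: optional +, then 44 or a leading 0, then 7 and nine more digits.
UK_MOBILE = re.compile(r"^\+?(?:44|0)(7\d{9})$")


def find_number_headers(headers):
    """Return {header_name: normalised_number} for every request header
    whose whole value looks like a UK mobile number."""
    hits = {}
    for name, value in headers.items():
        compact = re.sub(r"[\s\-()]", "", value)  # tolerate "07700 900123" etc.
        match = UK_MOBILE.match(compact)
        if match:
            hits[name] = "+44" + match.group(1)
    return hits


def redact_for_logging(headers):
    """Return a copy of the headers that is safe to write to a log:
    any value identified as a phone number is masked."""
    leaked = find_number_headers(headers)
    return {n: ("[REDACTED-MSISDN]" if n in leaked else v)
            for n, v in headers.items()}


# Constructed samples: the same handset seen over two network paths.
# "X-Example-Subscriber" is a hypothetical header name; the number comes
# from the Ofcom range reserved for use in fiction.
WITH_EXTRA_HEADER = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.4)",
    "Accept": "text/html",
    "X-Example-Subscriber": "447700900123",
}
WITHOUT_EXTRA_HEADER = {k: v for k, v in WITH_EXTRA_HEADER.items()
                        if k != "X-Example-Subscriber"}

if __name__ == "__main__":
    for label, request in (("with extra header", WITH_EXTRA_HEADER),
                           ("without extra header", WITHOUT_EXTRA_HEADER)):
        print(label, "->", find_number_headers(request) or "no number in headers")
    print(redact_for_logging(WITH_EXTRA_HEADER))
```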

Is your provider giving out your number?

We’ll be very interested to see whether your phone is sharing your phone number too, so please try it out on Lewis’ website and tell us in the comments, along with the network provider you use.

Dr Rob Reid, Which? scientific policy advisor, comments on the leak:

‘Phone numbers are personal data and as such O2 could be in breach of the Data Protection Act. As a result the Information Commissioner’s Office (ICO) should investigate how this has happened and if it feels O2 has breached the Act, the ICO should take enforcement action.

‘O2 needs to take action to resolve this immediately, inform all of those affected and advise them on the steps they should take to protect themselves.’

We’re in touch with O2, which has said on Twitter that it is looking into the problem, so we’ll share any statement with you as soon as we get it. Hopefully they’ll close this loophole soon – otherwise people might start switching mobile provider.

[UPDATE 12.10pm 25/01/12] – We contacted the Information Commissioner’s Office (ICO) about this, which makes sure companies adhere to data privacy laws in the UK, and it sent us this statement:

‘Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.

‘We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.’

[UPDATE 3.45PM 25/01/12] – O2 has confirmed that it has fixed the problem, releasing the following statement along with an online Q&A:

‘Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.

‘We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.

‘We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.’

Comments
Guest
Simon Parkyn says:
25 January 2012

I’ve just checked my phone on Lewis Peckover’s website above and yes my number was displayed in the headers. I’m on giffgaff and I’m quite annoyed!

Guest

Yes, it seems O2’s subsidiaries GiffGaff and Tesco Mobile are affected. GiffGaff has told us on Twitter that they are also investigating.

Guest

Same here Simon – GiffGaff runs on the O2 network, so it is clearly added at some point in the chain when they both converge. I have been heretofore very pleased with both O2 and GiffGaff, so I’m quite disappointed to see such a blatant disregard for my privacy.

Guest

Hi folks,

I’m Craig from the giffgaff community team. As Patrick has said, we’ve been made aware of this and wanted to update you with some news from our side.

The privacy and security of our customers and community are really, really important to us – our utmost concern in fact. As a result, we’re looking into this as a top priority. Initial impressions are that this appears to be an O2 network issue, but of course we’ll need to confirm this.

If you’d like to keep a track of this on our side of things, we’ll be updating and discussing on our community this thread fgaff.com/t5/Service-Updates-Notice-board/Mobile-Number-Information-Issue-25-01-11/m-p/2854061/highlight/false#M25550) – and be back with news there as soon as we have info.

Many thanks,

Craig

Guest

Just checked on O2 and no number appears on either iPhone or iPad.

Guest

It appears to be only affecting users who are using the wap.o2.co.uk APN to access the internet. Changing these details to mobile.o2.co.uk and the username to o2web rather than o2wap will stop addition of the extra headers.

The iPhone 4S and the Galaxy Nexus both seem to default to these APNs which is why some users haven’t been seeing the issue.

It also seems that a number of o2 services only require phone number for security as detailed on http://blog.networksaremadeofstring.co.uk/2012/01/25/potential-social-engineering-avenues-resulting-from-the-o2-header-issues/ which could lead to many scams against phone owners who don’t know about this leak.

Guest
Steve says:
25 January 2012

It appears to be more complicated than that.

My phone number is being passed to websites and my iPhone 4 APN is set to use idata.o2.co.uk

Guest
mister squirrel says:
25 January 2012

For once I am glad to say thank god I’m using BlackBerry as the O2 number giving out doesn’t affect BlackBerry users (I don’t say “thank god I’m using a BlackBerry” that often)

Guest

Hi everyone, it looks like O2 has closed this loophole, though we’ll let you know as soon as O2 confirms it’s fixed.