Like to do a little bit of web browsing on your mobile? Well, you could be giving out more information than you think. In fact, if you’re with O2, this provider could be sharing your phone number with the sites you visit.
You may not know it, but when you visit a website from your mobile, your web browser shares information about your phone in the HTTP headers it sends with each request. This includes what browser you’re using and what phone you own. This helps websites display content in the best way on your mobile.
However, what if your network provider was sharing more than that? What if it was handing out your phone number?
Your phone number is…
Well, on Twitter, Lewis Peckover (@lewispeckover) discovered that O2 is doing just that, albeit unwittingly. While you’re happily browsing your favourite sites (Which? Convo being one I hope) you could be handing over your phone number without knowing it. Or rather, O2 is giving out your number for you.
Most sites don’t record this type of information, and even if they do it’s unlikely that reputable sites are taking advantage of this phone number leak.
However, now that we know this information is being thrown about, malicious websites might not be so discerning. If you use your phone for a lot of browsing, you could receive spam texts galore and – even worse – scams.
You can see whether you’re affected by going to Lewis Peckover’s website from your phone. We’ve tested this in the office on phones using O2’s network, and even on GiffGaff which runs on the O2 network, and they both gave out the phone number.
When we did the same on Virgin, Vodafone, T-Mobile/Orange and 3 phones, a number was not recorded.
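For anyone running a website, here is one way to spot a phone number arriving in request headers and mask it before it reaches a log. This is an added example, not code from the original article or from anyone named in it. The header name `X-Example-Subscriber-Number` is hypothetical, the sample request is constructed, and the number pattern assumes UK mobile formats.

```python
import re

# Assumption: a UK mobile number in national (07...) or international (447...)
# form, optionally with a leading "+". The article does not name the header or
# the format used, so headers are matched on their value, not their name.
MSISDN_RE = re.compile(r"^\+?(?:44|0)7\d{9}$")
SEPARATORS_RE = re.compile(r"[\s\-().]")
REDACTED = "[redacted-number]"


def looks_like_mobile_number(value: str) -> bool:
    """True if the whole header value is a phone number once separators are removed."""
    return bool(MSISDN_RE.match(SEPARATORS_RE.sub("", value)))


def find_number_headers(headers: dict) -> list:
    """Names of request headers whose value is a mobile number."""
    return sorted(name for name, value in headers.items()
                  if looks_like_mobile_number(value))


def scrub_headers(headers: dict) -> dict:
    """Copy of the headers that is safe to log: number-bearing values are masked."""
    return {name: REDACTED if looks_like_mobile_number(value) else value
            for name, value in headers.items()}


# Constructed sample request. The number is from the 07700 900xxx range that
# Ofcom reserves for drama use; "X-Example-Subscriber-Number" is a hypothetical
# header name standing in for whatever the network's proxy inserted.
SAMPLE_REQUEST = {
    "Host": "www.example.org",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.4; en-gb) Mobile Safari/533.1",
    "Accept": "text/html",
    "Content-Length": "0",
    "X-Example-Subscriber-Number": "447700900123",
}

if __name__ == "__main__":
    print("Headers carrying a number:", find_number_headers(SAMPLE_REQUEST))
    for name, value in scrub_headers(SAMPLE_REQUEST).items():
        print(f"{name}: {value}")
```

Matching on the value means the check still works when the network uses a header name the site has never seen before.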
Is your provider giving out your number?
We’ll be very interested to see whether your phone is sharing your phone number too, so please try it out on Lewis’ website and tell us in the comments, along with the network provider you use.
Dr Rob Reid, Which? scientific policy advisor, comments on the leak:
‘Phone numbers are personal data and as such O2 could be in breach of the Data Protection Act. As a result the Information Commissioner’s Office (ICO) should investigate how this has happened and if it feels O2 has breached the Act, the ICO should take enforcement action.
‘O2 needs to take action to resolve this immediately, inform all of those affected and advise them on the steps they should take to protect themselves.’
We’re in touch with O2, which has said on Twitter that it is looking into the problem, so we’ll share any statement with you as soon as we get it. Hopefully they’ll close this loophole soon – otherwise people might start switching mobile provider.
[UPDATE 12.10pm 25/01/12] – We contacted the Information Commissioner’s Office (ICO) about this, which makes sure companies adhere to data privacy laws in the UK, and it sent us this statement:
‘Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.
‘We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.’
[UPDATE 3.45PM 25/01/12] – O2 has confirmed that it has fixed the problem, releasing the following statement along with an online Q&A:
‘Security is of the utmost importance to us and we take the protection of our customers’ data extremely seriously.
‘We have seen the report published this morning suggesting the potential for disclosure of customers’ mobile phone numbers to website owners.
‘We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused.’