
O2 statement on the mobile number issue - SandB0x
http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-browsing.html
======
mhw
So, a configuration snafu by the sound of it. But it's also drawn attention to
the fact that they share customers' phone numbers with 'selected trusted
partners' which will probably come as a surprise to many. If their audit
mechanisms and processes are so lax that sharing phone numbers with the whole
internet wasn't recognised, how well managed can we expect the 'trusted
partners' white list to be?

~~~
Torn
> "A: The only information websites had access to is your mobile number, which
> could not have been linked to any other identifying information we have
> about customers."

The problem here is not that it was only the mobile number, rather that these
sites are able to link your mobile number to the content that you have viewed.
There's a scenario here in which sites that had collected this information
could publish (or otherwise leak, i.e. through hacking) lists of mobile
numbers to URLs visited.

In an age of lax privacy protections and data-sharing it's not hard to obtain
people's mobile numbers. What would happen when a potential employer googles
your mobile phone number and finds the crawled data?

Steps we now need to take:

1) Some kind of request to get the full list (Subject Access Request under
DPA, as pointed out below?)

2) If there is no opt-out process, lodge a Data Protection complaint to the
ICO

~~~
alexmuller
> A Freedom of Information request to get the full list,

Although (as far as I know) the FOI Act only applies to public bodies
(government and organisations like universities). So O2 wouldn't need to
comply with a request under that act. Not sure if the ICO could force them to
disclose that info, but I doubt it.

[http://en.wikipedia.org/wiki/Freedom_of_Information_Act_2000...](http://en.wikipedia.org/wiki/Freedom_of_Information_Act_2000#Applicability)

~~~
bwarp
That is correct. You can issue a Subject Access Request under the Data
Protection Act to find out what information is held about an individual
(yourself) and who it has been shared with. You can only issue a SAR in
writing and there is a capped charge of £10 for the privilege.

------
jgroome
Firstly, hats off to O2 for going into crisis mode, responding to customer
complaints directly, and then resolving the issue and putting out a complete
statement on the same day the matter was brought up.

Secondly, however, this statement smells faintly of fluffy language and PR
speak:

> When you browse from an O2 mobile, we add the user's mobile number to this
> technical information, but only with certain trusted partners. This is
> standard industry practice.

Is it really industry practice? Can anybody in this field confirm this? I can
see why it would be useful for billing as they mention, but is this really an
effective way to do age verification?

> in addition to the usual trusted partners, there has been the potential for
> disclosure of customers’ mobile phone numbers to further website owners.

Woah, there's nothing "potential" about it - this was right there in the HTTP
headers. Saying "there has been the potential..." implies the website owner
would have had to do some hacking to get hold of this information, which is
not the case, right?

~~~
mooism2
I presume most websites that weren't expecting to find an O2 number in the
HTTP headers won't have looked for it, won't have logged it, etc.

If I send a secret to you in the post, and you put the envelope in the
recycling unopened, have I disclosed a secret to you?

~~~
civild
It's quite straightforward to dump the entire header in a web log or database,
and I'm sure some sites do.

They might have put the envelope in the recycling, but they never have it
emptied and someone just told them it contains a £20 note.

~~~
mooism2
It's quite straightforward to dump the entire header in a database, but most
sites don't. None of my sites do. Apache, lighttpd, thttpd, etc don't (maybe
they do with an appropriate plug-in).

People seemed to be reacting as if every website an O2 customer visited was
going to add their phone number to their files, and that's not the case.

------
weavejester
One of the principles of the Data Protection Act here in the UK is:

 _Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible with
that purpose or those purposes._

In my view, mobile phone companies have my phone number so they can connect my
calls. Providing age verification with "trusted partners" would seem to be a
step beyond that specified purpose.

The act also says:

 _Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed._

If you just want to verify age, or verify the customer uses O2, then providing
their entire phone number seems excessive to me. Even if they want to bill the
user, a UUID could be used that's unconnected to the user's phone number.

Even if O2 were just sharing the data with "trusted partners", it doesn't look
like they were acting legally.

~~~
Confusion
The 'excessive' angle seems hopeless to argue: that just leads to endless
debates about what is 'excessive'.

Instead, I'd rather argue about whether this piece of personal data is
'relevant'. It obviously isn't. As you say, they could easily replace it with
a UUID or, to use something permanent already at their disposal, your O2
customer-id (which might arguably also be personal information, but at least
not something anyone with wireshark can immediately use to get you on the
bloody phone).

It's an example of sheer laziness to send the telephone number itself instead
of doing a lookup and sending something less sensitive. I've dealt with a
similar situation with zipcode verification and you can bet I refused to send
the zipcode straight up or hashed (the number of zipcodes is rather limited).

------
jrockway
I don't understand how this "trusted partner" thing would work. It's HTTP and
phone numbers are not secret. Can I send an HTTP header with a "friend's"
phone number in it and have their account charged?

Sending your name in clear text is not a digital signature.

(There are so many good ways to authenticate users of a network that it makes
me sad to see "tack on a phone number" was even considered, much less
implemented, pushed to production, and accidentally turned on for the Entire
Internet. Doh.)

~~~
tommyd
If it's anything like the systems I've come across, there is a proxy server on
the mobile data network with a whitelist of either IPs or URL patterns that
will have the number added as an HTTP header ("header enrichment"), then the
endpoints (so the third party systems) must be configured to only accept this
header from the IP range of the proxies, so that should avoid spoofing if
correctly configured. I'd have thought this IP restriction requirement would
be part of the contract they'd have to sign to get the data.

------
sc00ter
It seems O2 may not be the only one up to this:

      Headers that can be used to identify the end user:

      Header name                   What it means
      x-drutt-portal-user-msisdn    The mobile phone number.
      x-h3g-msisdn                  The phone number.
      x-imsi                        The IMSI number. Identifies the end user.
      x-msisdn                      The end user's phone number.
      x-wsb-identity                End user's phone number.
      x-wte-msisdn                  Indicates that the value is a phone number. Does not look like that...
      x-nokia-imsi                  IMSI value.
      x-nokia-alias                 The end user's phone number, encrypted.
      x-nokia-msisdn                The user's phone number in plain text.
      x-up-calling-line-id          End user identifier.


Gleaned from: <http://mobiforge.mobi/developing/blog/useful-x-headers?dm_switcher=true>

Edit: fixed the formatting.
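
Added example (editor's code, not from this thread, O2, or mobiforge): a small header pass that recognises the enrichment headers listed above and redacts them before the request is logged. It also addresses the point made earlier in the thread that dumping the whole header block into a log or database is easy and some sites do it. The name-pattern and digit-length heuristics for headers not on the list, the sample request and the number and IMSI in it are constructed assumptions.

```python
"""Spot and redact subscriber-identifying headers before a request hits a log.

Added example, not code from the original thread or from any carrier. The
header names are the ones listed in the comment above; everything else (the
sample request, the number 447700900123, the IMSI) is constructed.
"""
import re
from typing import List, Tuple

# Header names from the list above, lower-cased (HTTP header names are
# case-insensitive, so compare in lower case).
IDENTITY_HEADERS = {
    "x-drutt-portal-user-msisdn", "x-h3g-msisdn", "x-imsi", "x-msisdn",
    "x-wsb-identity", "x-wte-msisdn", "x-nokia-imsi", "x-nokia-alias",
    "x-nokia-msisdn", "x-up-calling-line-id",
}
# Catch carrier headers not on the list that still say what they carry
# (assumption: enrichment headers tend to have "msisdn" or "imsi" in the name).
IDENTITY_NAME_RE = re.compile(r"^x-.*(msisdn|imsi)")
# A bare 10-15 digit value in an X- header looks like an E.164 number or IMSI.
IDENTITY_VALUE_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block (request line already removed) into (name, value)."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def is_identity_header(name: str, value: str) -> bool:
    """True when the header is known, or looks, to carry a subscriber identifier."""
    lname = name.lower()
    if lname in IDENTITY_HEADERS or IDENTITY_NAME_RE.match(lname):
        return True
    # Unknown X- header whose value is a bare phone-number-sized digit string.
    return lname.startswith("x-") and bool(IDENTITY_VALUE_RE.match(value))


def redact_for_logging(raw: str) -> Tuple[str, List[str]]:
    """Return (log-safe header block, names of the headers that were redacted).

    Other headers are kept verbatim, so the log still shows that the request
    arrived with enrichment headers without recording the number itself.
    """
    out, redacted = [], []
    for name, value in parse_headers(raw):
        if is_identity_header(name, value):
            redacted.append(name)
            value = "[redacted]"
        out.append(f"{name}: {value}")
    return "\n".join(out), redacted


# Constructed request headers, as a web server might receive them from a
# carrier proxy that is enriching every request (the O2 failure mode).
SAMPLE_REQUEST_HEADERS = """\
Host: example.test
User-Agent: Mozilla/5.0 (constructed)
Accept: text/html
X-Forwarded-For: 198.51.100.7
x-up-calling-line-id: 447700900123
X-MSISDN: +447700900123
x-imsi: 234100000000001
X-Carrier-Session: 1234567890123
"""

if __name__ == "__main__":
    safe, names = redact_for_logging(SAMPLE_REQUEST_HEADERS)
    print(safe)
    print("redacted:", names)
```

The digit-length rule is deliberately greedy: a 13-digit value in an unknown X- header (the constructed `X-Carrier-Session`) gets redacted too, on the basis that a false positive in a log costs nothing and a false negative is the scenario the thread is about. Run it at the point where access logs are written, not as an afterthought over logs that already exist.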

~~~
sc00ter
Detailed white-paper: "Privacy Leaks in Mobile Phone Internet Access"

<http://news.ycombinator.com/item?id=3510520>

------
kolektiv
Predictable, nothing too surprising. I think they're going to have a lot of
questions to answer around age verification though, seeing as they put in an
age verification program without customer request or warning over the last
year or so.

From this I'm assuming that the company they used for this (Bango I believe)
would have been sent my mobile number in the past if I ever tried to access
content they thought should have been verified. There has not previously been
any messaging from o2 around this. Disquieting indeed. I would not have agreed
to that transfer of information (nothing to hide, but it's MY information).

------
talkingquickly
It's a shame they've come so close to an open and honest response and then
detract from it with phrases such as "possible in certain circumstances
for other websites to see the mobile number." From what I understand it wasn't
really certain circumstances, it was in almost all circumstances that the data
was made available; whether the site knew it was available or chose to do
anything about it was another matter.

I wonder if this means that Age verification can be spoofed by changing that
header or if it's just one of several methods they use.

~~~
jodrellblank
Certain circumstances presumably meaning you use 3G, don't use a company VPN
or Proxy, are not abroad and roaming.

~~~
extension
In other words, the general circumstance. There is no reason to say "potential
in certain circumstances" other than deception.

~~~
jodrellblank
It's only the general circumstance because you are considering only this
circumstance. I know you mean "all websites not some", but this is a non-
technical public note for all O2 customers, to say "all circumstances" is
wrong and misleading.

O2 also sell data plans for iPads, do email/webmail services, sell home ADSL
connections, as well as provide cellphones. It would be bad if they left
people believing their phone number was sent out on their O2 broadband when
web browsing (are tethering users affected?), or perhaps it is only parts of
the country which are affected, maybe some infrastructure was acquired from
buyouts and phones connected to that weren't affected?

Covering their ass is a non-deceptive reason to say that - it's not all so
they shouldn't say it. Maybe "many".

------
executive
I work with major carriers in North America - This is not industry standard
practice here.

At most, we will send area code to partners (mostly for ad targeting) but this
is never exposed in wap headers.

If we are doing age verification, we send age range to partners.. likewise
never exposed in headers.

Never full phone number. If for some reason a partner needs access to this,
they would have a local database corresponding to scrambled wap signatures -
which ARE sent in headers.

~~~
otoburb
This is where the interpretation of the statement comes into play. It's
certainly commonplace throughout the wireless carrier industry to send the
mobile number to "trusted sites" within the carrier network (such as a
ringtone/download portal), or over a pre-arranged VPN tunnel.

And when I say "commonplace", I'm referring to multiple carriers around the
world, including North America.

However, the level of trust that a site qualifies for may necessitate a more
nuanced or out-of-band approach similar to what you've experienced, where a
3rd party partner may receive the scrambled identifier and request the mobile
number mapping for billing purposes.

There are lots of ways to skin a cat. My only point here is that there are
multiple carriers around the world that routinely use this method of sending
the mobile number in plaintext to sites they trust, typically over
communication channels that they trust (i.e. over network gear they either own
or have secured). I've seen this from both sides (working at and with
carriers).

But there are a heck of a lot more 3rd party partner sites that do _not_
usually receive full mobile numbers in the clear, so from that perspective,
there is a point to be said about this not being "industry practice".
Semantics.

------
philjackson
Why do they need to give out numbers to anyone, ever? How does a mobile number
help with age verification?

~~~
jrockway
It lets them charge your account without you knowing when, which is good for
them.

I also wonder what use "age verification" is on the Internet. There's no
shortage of "adult content" up on the torrent sites.

------
christoph
"but only with certain trusted partners."

Hmmm.... not sure I believe them on that part.

~~~
rmc
You don't have to believe them. Numerous people have found it clear that they
are not sharing it with only trusted parties, but were in fact sharing it with
everyone.

This is a factual inaccuracy in the statement from O2.

~~~
alexchamberlain
Erm... they admitted they were sharing it with everyone due to a bug, but now
they've fixed it...

------
biafra
"Q: Which websites do you normally share my mobile number with?

A: Only where absolutely required by trusted partners who work with us on age
verification, premium content billing, such as for downloads, and O2's own
services, have access to these mobile numbers."

But those trusted partners may share your mobile phone number with their
"trusted" partners. I know Ericsson IPX does this at least in Germany.

It usually works via several http redirects and is unnoticeable even to the
client application using the usual http client APIs.

You can prevent this by using a http proxy.

------
masenf
"2) to enable third party content partners to bill for premium content such as
downloads or ring tones that the customer has purchased"

Does anyone else get the feeling this could be exploited to make unauthorized
purchases which would be billed to <random_O2_customer>. I want to think
they have this covered, but with a config glitch leaking your phone number on
the net who knows what kind of security they have in place.

Does anyone know how this billing process works?

------
guyht
Surely this is hugely open to abuse. I could curl requests at an O2 partner's
site to purchase a ringtone and pass along any O2 number I like, setting the
aforementioned headers. Unless the partner site does some sort of extra
verification (I have seen no mention of this anywhere), then the O2 number I
use will run up a massive bill... Have I missed something?
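
Added example (editor's code, not code from O2, Bango or any partner site) covering the header-enrichment design described by tommyd above and the spoofing question just raised: the weak version that trusts the MSISDN header from anywhere, beside the hardened version that only honours it when the TCP peer is inside the carrier proxy ranges, and refuses a whitelist of 0.0.0.0/0 at startup. The header name is one from the list posted earlier in the thread; the proxy range, peer addresses and number are constructed.

```python
"""Accept a carrier-enriched MSISDN header only from the carrier's own proxies.

Added example; not code from O2, Bango or any partner. The header name is one
of those listed in the thread; the proxy range, the peer addresses and the
number are constructed. A real deployment takes the ranges from the carrier
contract and the peer address from the TCP socket.
"""
import ipaddress
from typing import Dict, Iterable, Optional

MSISDN_HEADER = "x-up-calling-line-id"


class EnrichmentConfigError(ValueError):
    """Raised for a trusted-proxy whitelist that should never be deployed."""


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def msisdn_naive(headers: Dict[str, str]) -> Optional[str]:
    """The weak version: trusts the header no matter who sent the request,
    so `curl -H 'x-up-calling-line-id: <victim>'` bills the victim."""
    return _header(headers, MSISDN_HEADER)


class MsisdnTrust:
    """The hardened version: the header is meaningful only when the TCP peer
    is one of the carrier's enrichment proxies."""

    def __init__(self, trusted_ranges: Iterable[str]):
        self.networks = []
        for cidr in trusted_ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            # Refuse a whitelist that covers the whole internet (0.0.0.0/0, ::/0):
            # that turns "trusted partners only" into "everyone".
            if net.prefixlen == 0:
                raise EnrichmentConfigError(f"trusted range {cidr} covers every address")
            self.networks.append(net)
        if not self.networks:
            raise EnrichmentConfigError("no trusted proxy ranges configured")

    def from_trusted_proxy(self, peer_ip: str) -> bool:
        ip = ipaddress.ip_address(peer_ip)
        return any(ip in net for net in self.networks)

    def msisdn_from_request(self, peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
        """Return the number only for requests from a trusted proxy, else None.

        peer_ip must be the real socket peer. X-Forwarded-For is just another
        client-controlled header and must not be used for this decision.
        """
        value = _header(headers, MSISDN_HEADER)
        if value is None or not self.from_trusted_proxy(peer_ip):
            return None
        digits = value.strip().lstrip("+")
        if not digits.isdigit() or not 10 <= len(digits) <= 15:
            return None  # malformed; do not bill on garbage
        return digits


def whitelist_accepted(cidrs: Iterable[str]) -> bool:
    """True if the configuration would be accepted at startup."""
    try:
        MsisdnTrust(cidrs)
        return True
    except EnrichmentConfigError:
        return False


# Constructed scenario: one carrier proxy range (TEST-NET-3) and the same
# spoofed header arriving from a proxy and from an arbitrary internet host.
CARRIER_PROXY_RANGES = ["203.0.113.0/24"]
SPOOFED = {"X-Up-Calling-Line-Id": "447700900123"}


def demo():
    trust = MsisdnTrust(CARRIER_PROXY_RANGES)
    via_proxy = trust.msisdn_from_request("203.0.113.10", SPOOFED)
    via_attacker = trust.msisdn_from_request("198.51.100.77", SPOOFED)
    return via_proxy, via_attacker, msisdn_naive(SPOOFED)


if __name__ == "__main__":
    print(demo())  # ('447700900123', None, '447700900123')
```

Two caveats a partner site should not skip. First, the source-IP check only says the request came through the carrier proxy; it still depends on that proxy overwriting any copy of the header the handset sent, otherwise a subscriber on the carrier's own network can inject a victim's number and it arrives from a trusted address. Second, as jrockway says above, a cleartext number is not a signature: for anything that bills, the carrier and partner should be using a channel (VPN, mutual TLS) or a signed token, with the IP whitelist as a second layer rather than the only one.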

------
jodrellblank
Those blog comments are pretty dismal; aside from the didn't read/don't
understand/just angry, the repeated calls for a total list of trusted partners
- is a blog comment really the right place to ask that? Does anyone expect O2
to answer those?

And how many people think such a list is going to be useful at all? It won't
be three companies you've heard of, it will be pages and pages of sites and
background services companies and test sites and so on.

Mr or Mrs "I want to make a considered decision, I might not trust them", are
you really going to make a considered decision if your number is passed to,
say, "TechElbonia UK Services, O2 portal processing for connections passing
through dept 17 routes, and URLs matching the following 10 line regex (..)"?

~~~
mjs
The list of trusted partners is interesting to see what happens if you spoof
mobile phone numbers. They've already said that it's involved in payment in
some way...

------
DougBTX
_A: The only information websites had access to is your mobile number, which
could not have been linked to any other identifying information we have about
customers._

But it _is_ used for age verification and billing...

~~~
gjulianm
I suppose that O2 gives their trusted partners a way to check age and make
billings through a private API or similar. Any other site which is not
affiliated with them wouldn't have access to that API so they can't get any
other information.

~~~
justincormack
But a hash of the number, or a random id would work for this too.

~~~
biafra
You are right. This is how it's done in countries or with carriers that require
this.
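
Added example (editor's code, not from any carrier) for the "hash or random id instead of the number" suggestion here and for Confusion's point earlier in the thread that a hash of a small identifier space (a zipcode, or for that matter a mobile number with a known prefix) is not a pseudonym: it shows an unkeyed hash being reversed by enumeration, and then a per-partner keyed pseudonym with the carrier-side lookup that partners would use for billing, in the style executive and otoburb describe. The partner names, keys and the number are constructed.

```python
"""Why "just hash the number" is not enough, and what a per-partner pseudonym
looks like. Added example; not code from O2 or any carrier. The partner keys,
partner names, postcode and number values are constructed.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256, the naive 'hashed identifier'."""
    return hashlib.sha256(value.encode()).hexdigest()


def reverse_by_enumeration(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the input to an unkeyed hash by hashing every candidate.

    Viable whenever the input space is small: 10**5 five-digit ZIP codes take
    a fraction of a second here; the roughly 10**9 possible UK mobile numbers
    (07xxx xxxxxx) are hours on a laptop and can be precomputed once.
    """
    for c in candidates:
        if plain_hash(c) == target_hex:
            return c
    return None


def zip_codes() -> Iterable[str]:
    return (f"{i:05d}" for i in range(100_000))


def partner_pseudonym(msisdn: str, partner_key: bytes) -> str:
    """HMAC-SHA256 under a key the carrier holds per partner.

    Stable for one partner (so they can bill or remember an age check), not
    computable or enumerable by anyone without that key, and different across
    partners so two partners cannot join their records on it.
    """
    return hmac.new(partner_key, msisdn.encode(), hashlib.sha256).hexdigest()


class CarrierDirectory:
    """Carrier-side mapping so a partner can ask 'who is pseudonym P' over a
    private API for billing, without the number crossing the public web."""

    def __init__(self, partner_keys: Dict[str, bytes]):
        self.keys = partner_keys
        self.index: Dict[str, Dict[str, str]] = {p: {} for p in partner_keys}

    def issue(self, partner: str, msisdn: str) -> str:
        """Value to put in the enrichment header for this partner."""
        p = partner_pseudonym(msisdn, self.keys[partner])
        self.index[partner][p] = msisdn
        return p

    def resolve(self, partner: str, pseudonym: str) -> Optional[str]:
        """Billing lookup; a pseudonym issued to one partner means nothing to another."""
        return self.index[partner].get(pseudonym)


# Constructed keys; in practice 32 random bytes per contract, generated by the
# carrier and never handed to the partner.
PARTNER_KEYS = {
    "billing": hashlib.sha256(b"constructed-key-billing").digest(),
    "age-check": hashlib.sha256(b"constructed-key-age-check").digest(),
}
MSISDN = "447700900123"  # constructed number


def demo() -> Dict[str, object]:
    carrier = CarrierDirectory(PARTNER_KEYS)
    p_bill = carrier.issue("billing", MSISDN)
    p_age = carrier.issue("age-check", MSISDN)
    return {
        "same_partner_stable": p_bill == carrier.issue("billing", MSISDN),
        "cross_partner_linkable": p_bill == p_age,
        "billing_resolves": carrier.resolve("billing", p_bill),
        "age_check_resolves_billing_id": carrier.resolve("age-check", p_bill),
        "zip_recovered": reverse_by_enumeration(plain_hash("90210"), zip_codes()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A stable per-partner pseudonym is still a tracking identifier for that partner; if the purpose is only age verification, a yes/no answer (or the age range executive mentions) is less data again and should be preferred over any identifier at all.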

------
iuguy
I use O2 with my iPad 2, and this really doesn't surprise me. The 'adult
payment' restriction on half of the Internet made me quickly find out that
VPNs offer a practical workaround.

I don't trust O2 as a bearer, so I use a VPN instead, which also comes in
handy for hotel room/café wireless hotspots.

------
richardburton
I am still stunned that they respond so swiftly to this but have not dealt
with SMS spoofing in years:

<http://news.ycombinator.com/item?id=3509228>

This is certainly bad, but SMS spoofing has the potential to do a lot more
damage. People trust SMS too much.

~~~
talkingquickly
This seems to be quite a simple fix; SMS spoofing's a much more complicated
problem I think because it requires co-operation across carriers.

There are also a lot of services which rely on "legitimate spoofing" e.g.
skype allowing you to send text messages from its service which appear to be
from your actual mobile number (so they can be replied to etc).

~~~
richardburton
Just because it is complicated does not mean it should not be dealt with.
Fast.

~~~
mooism2
It's complicated, so fast is the last thing you want --- unless you're happy
with a high risk of inadvertently introducing new loopholes.

~~~
richardburton
Currently they are doing nothing. So I stand corrected. Faster than 0mph.

~~~
mooism2
I agree it needs fixing, and that the phone companies should try to fix it.
Just not in haste.

------
rmoriz
maybe it just happened this way:

"Hello o2, this is your trusted partner acme!

Can you please add our ips to the MSISDN whitelist? It's 0.0.0.0/0

thanks"

