

UK network o2 send your number to every site you visit - wgx
http://lew.io/headers.php

======
JonnieCache
Here's a statement from the Information Commissioner's Office:

 _"When people visit a website via their mobile phone they would not expect
their number to be made available to that website. "We will now speak to O2 to
remind them of their data breach notification obligations, and to better
understand what has happened, before we decide how to proceed."_

<http://news.sky.com/home/technology/article/16156276>

O2 are in trouble.

~~~
justincormack
Odd they said something different to the Guardian
[http://www.guardian.co.uk/technology/2012/jan/25/02-mobile-p...](http://www.guardian.co.uk/technology/2012/jan/25/02-mobile-
phone-users-privacy-breach-website)

"The Information Commissioner's Office said it is considering whether to
investigate further, although a spokesman said there was no immediate breach
of the Data Protection Act. A mobile phone number on its own is not classed as
"personally identifying information" (PII), because it does not identify an
individual on its own; but the spokesman said the office would consider
whether other personal data was being processed at the same time."

I just googled my phone number and found all my other details though, better
fix that.

~~~
jiggy2011
Even if it doesn't technically violate the DPA there must be something this
violates?

I wonder if this was in the T&C when I signed the contract?

------
Torn
I'm filing a Data Protection complaint now. I'd encourage other UK HNers to do
the same: <http://www.ico.gov.uk/complaints/data_protection.aspx>

~~~
alexchamberlain
Can you post what you send and then we can all forward it?

~~~
Torn
Adjust as needed, here's roughly what I put:

-------------------------

SECTION 4:

Name: Telefonica O2 UK
Address: 260 Bath Road
Postcode: SL1 4DX
Phone: 0800 089 0202
email: peter.erksine@o2.com
website: <http://www.o2.co.uk>

SECTION 6:

When users of their network visit a site O2 inject the mobile phone number of
the user into the request. This is then available to the website host, which
raises obvious data protection issues. O2 does this by modifying the HTTP
request and inserting the number in the 'x-up-calling-line-id' HTTP header.

Alarmingly, it does this to all unencrypted site visits (i.e. 'http' not
'https'), and these end-sites can trivially harvest the mobile numbers of
visitors and link these to content visited.

This can be verified by visiting <http://lew.io/headers.php> on an O2 mobile
device. The site serves as a tool to show the visitor the HTTP headers
received by the server when the user requests that particular page.

SECTION 10:

Online utility that will show you the headers sent in your page request:
<http://lew.io/headers.php>

Discussion on technical forum 'hacker news':
<http://news.ycombinator.org/item?id=3508857>

Official O2 Twitter responding to (and misunderstanding/misrepresenting) the
problem: <https://twitter.com/#!/O2/status/161872584634408960>

-------------------------

COVERING LETTER WITH EMAIL TO casework@ico.gsi.gov.uk:

To whom it may concern,

Please find attached my complaint against O2 under the Data Protection Act.

When users of their network visit a site, O2 inject the mobile phone number of
the user into the request. This is then available to the website host, which
raises obvious data protection issues.

Regards,

~~~
nandemo
The tweet:

> _"Hi Lewis. The mobile number in the HTML is linked to how the site
> determines that your browsing from a mobile device #O2Guru"_

Wow.

~~~
rmc
Their Twitter account ( <https://twitter.com/#!/O2> ) has a burst of new
activity. Looks like this has been passed up from Tier 1 support.

------
cornet
Firstly I don't work for O2 but I work in the mobile industry. O2 should only
be passing your number to trusted sites (and to get on that list is pretty
hard).

We have reported it to them via various internal contacts we have. Hopefully
they will fix this soon!

~~~
naz
No site served over unencrypted HTTP can be considered trusted. So there's no
circumstance under which they should insert this header, since they can't
modify HTTPS requests.

~~~
otoburb
Consider the circumstance where a carrier portal sits on subnets owned by the
carrier. In this case, unencrypted HTTP requests to the portal originating
from the carrier's proxy are usually considered trusted.

In such a circumstance, carriers may consider this "trusted".

~~~
naz
That's true. I imagine they'll be considering some third-party sites trusted
too.

~~~
mdpye
I believe that in cases where the third party site lies outside the carrier
infrastructure and the header is plain text (some carriers encrypt the value),
a carrier<->site operator VPN is required.

People shouldn't really be surprised that ALL mobile web traffic is heavily
proxied (and transformed, by default). You probably wouldn't want to
experience a direct net connection as flaky as mobile ones actually are.

------
kgutteridge
A lot of mobile network operators wash this information about or have it
hashed into some other form (which means it can still be used as a unique
identifier)

Some popular headers to check

X-UP-CALLING-LINE-I

X_NOKIA_MSISDN

X_H3G_MSISDN

MSISDN

X_MSISDN

X_NETWORK_INFO

X-WAP-MSISDN

X-UP-SUBNO

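Torn's complaint above names the header the O2 proxy used (x-up-calling-line-id) and kgutteridge's list adds the names other gateways use. The following is an added example, not code from lew.io or from anyone in this thread: a small scanner a site operator can run over an incoming request's headers to see whether a carrier has attached a subscriber number. It normalises names the way WSGI/CGI servers mangle them (HTTP_X_UP_CALLING_LINE_ID), matches the names listed in the thread, and as a catch-all flags any other X- header whose value is just a phone-number-shaped string. The sample request, the X-ACME-SUBSCRIBER header and the 07700 900xxx number (Ofcom's reserved drama range) are constructed for the example.

```python
"""Added example (not from the page or from O2): scan a request's headers for
the carrier-injected MSISDN headers named in the thread."""
import re
from typing import Dict, List, Tuple

# Header names listed in the thread, plus the one the O2 proxy used. Names are
# normalised (lower-case, '_' -> '-', 'http_' prefix dropped) before comparison
# because CGI/WSGI servers expose headers as HTTP_X_UP_CALLING_LINE_ID.
KNOWN_MSISDN_HEADERS = {
    "x-up-calling-line-id",
    "x-nokia-msisdn",
    "x-h3g-msisdn",
    "msisdn",
    "x-msisdn",
    "x-network-info",
    "x-wap-msisdn",
    "x-up-subno",
}

# Loose MSISDN shape: optional '+' then 7 to 15 digits (E.164 length bounds).
MSISDN_RE = re.compile(r"^\+?\d{7,15}$")


def normalise(name: str) -> str:
    """Map 'HTTP_X_UP_CALLING_LINE_ID', 'X_MSISDN' and 'x-msisdn' to one form."""
    n = name.strip().lower()
    if n.startswith("http_"):          # CGI/WSGI environ prefix
        n = n[len("http_"):]
    return n.replace("_", "-")


def find_msisdn_headers(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (original_name, value, reason) for every suspicious header.

    reason is 'known-name' when the normalised name is on the list above, or
    'numeric-value' when some other X- header carries a bare phone-number-shaped
    value (a cheap heuristic for carrier headers the list does not cover).
    """
    hits = []
    for name, value in headers.items():
        norm = normalise(name)
        if norm in KNOWN_MSISDN_HEADERS:
            hits.append((name, value, "known-name"))
        elif norm.startswith("x-") and MSISDN_RE.match(value.strip()):
            hits.append((name, value, "numeric-value"))
    return hits


# Constructed sample: roughly what a WSGI app sees behind a carrier proxy.
# 447700900123 is a fictional number from Ofcom's reserved 07700 900xxx range;
# X-ACME-SUBSCRIBER is a hypothetical header invented for the example.
SAMPLE_ENVIRON = {
    "HTTP_HOST": "lew.io",
    "HTTP_USER_AGENT": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)",
    "HTTP_X_UP_CALLING_LINE_ID": "447700900123",
    "HTTP_X_WAP_PROFILE": "http://wap.samsungmobile.com/uaprof/GT-I9100.xml",
    "HTTP_X_FORWARDED_FOR": "10.0.0.1",
    "HTTP_X_ACME_SUBSCRIBER": "447700900456",
}

if __name__ == "__main__":
    for name, value, reason in find_msisdn_headers(SAMPLE_ENVIRON):
        print(f"{reason:14s} {name} = {value}")
```

The x-wap-profile header is deliberately left alone: it identifies the handset model, not the subscriber, which is the distinction several commenters on Three draw below. Run this over a live request (for example by dumping `request.environ` or `request.headers` in whatever framework you use) rather than the constructed sample to see what your own carrier adds.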
~~~
perspective
I'm on 3 w/Samsung Galaxy SII & Cyanogenmod and it's not sending any phone-
specific headers.

~~~
biafra
It is not the phone that sends these headers. It is the internet gateway or
proxy at the carrier that inserts it.

------
dazbradbury
Glad this is being brought to attention finally (as it seems it's been
discovered before), but this is just yet another case of a UK mobile operator
losing my trust.

O2: Send number in plain-text to every website visited. [1]

Orange: Increase fixed contract price by RPI through use of dodgy contract
clause. [2]

Three: Place a non-payment flag on my credit report for no apparent reason.
When I realise years later, they remove it and don't even apologise.

I'm running out of operators which haven't negatively impacted me, and to be
honest, I think some of the blame must land with OFCOM.

[1] - <http://news.sky.com/home/technology/article/16156276>

[2] - <http://en.wikipedia.org/wiki/Orange_%28UK%29#Controversy>

~~~
alexmuller
Let's not forget Vodafone, who released an update for Android at about the
same time 2.2 was arriving. Only it wasn't 2.2, it was a whole load of
Vodafone-branded cruft for 2.1 that couldn't be removed.

[http://www.itpro.co.uk/625774/vodafone-no-froyo-android-
upda...](http://www.itpro.co.uk/625774/vodafone-no-froyo-android-update-
angers-customers)

------
edandersen
You should be able to bypass the proxy that inserts the HTTP headers with the
following APN on O2:

    
    
      apn: mobile.o2.co.uk
      username: bypass
      password: password
    

Worked in 2008 when I tried it
([http://www.edandersen.com/2008/07/13/iphone-o2-fix-the-
image...](http://www.edandersen.com/2008/07/13/iphone-o2-fix-the-image-
compression/)) as they used to screw with images on the App Store. I don't
have access to O2 anymore, can someone try this and see if it still works?

Edit: It still includes your phone number, thanks msmithstubbs.

~~~
msmithstubbs
Just tried it. The phone number header is still being included.

~~~
iamichi
Same for me.

------
edlea
I've built a simple Twilio script that shows how easy it is to exploit this
here: <http://edlea.net/>

Visitors on an O2 phone will receive an SMS on their first visit. An MD5 hash
of their MSISDN is kept in memory to prevent multiple SMS being sent.

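edlea's script keeps an MD5 of the MSISDN so each visitor is only texted once, and kgutteridge notes above that a hashed number "can still be used as a unique identifier". The block below is an added example, not the Twilio script from edlea.net, and it shows the stronger point: an unkeyed hash of a phone number is not anonymisation at all, because the number space is small enough to enumerate. The victim number is a fictional one from Ofcom's reserved 07700 900xxx range, and the demo assumes the attacker already knows the 07700 9 block so it only brute-forces the last five digits; the full UK mobile space is about 10**9 candidates, minutes of MD5 work in native code. A keyed HMAC with a server-side secret does the same de-duplication job without being invertible offline.

```python
"""Added example, not the page's Twilio script: an unkeyed MD5 of an MSISDN
de-duplicates SMS sends but gives the number itself no protection."""
import hashlib
import hmac
import itertools
from typing import Optional, Tuple

# Fictional number from the Ofcom-reserved 07700 900xxx drama range, in the
# international form (no '+') that the injected header carried.
VICTIM = "447700900987"


def md5_hex(msisdn: str) -> str:
    """The 'anonymised' token a script like edlea's keeps in memory."""
    return hashlib.md5(msisdn.encode()).hexdigest()


def recover_msisdn(target_hex: str, prefix: str,
                   suffix_len: int) -> Tuple[Optional[str], int]:
    """Invert md5_hex by enumerating prefix + every suffix_len-digit suffix.

    Returns (number or None, hashes computed). UK mobiles are 44 7xxx xxxxxx,
    so the whole space is 10**9 candidates: minutes in native code, far less
    on a GPU. This demo assumes the attacker knows the 07700 9 block and only
    enumerates the last five digits (100,000 candidates).
    """
    attempts = 0
    for digits in itertools.product("0123456789", repeat=suffix_len):
        attempts += 1
        candidate = prefix + "".join(digits)
        if md5_hex(candidate) == target_hex:
            return candidate, attempts
    return None, attempts


def keyed_id(msisdn: str, key: bytes) -> str:
    """A de-duplication token that cannot be enumerated offline without the
    key. It still identifies the subscriber to whoever holds the key, so it
    remains a persistent identifier and should be discarded once the SMS has
    gone out."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    token = md5_hex(VICTIM)
    number, n = recover_msisdn(token, "4477009", 5)
    print(f"md5 {token[:12]}... -> {number} after {n} hashes")
    print("keyed token:", keyed_id(VICTIM, b"server-side-secret")[:16], "...")
```

The same argument applies to otoburb's point further down about carriers "munging" the number before sending it to external sites: unless the munging is keyed, a site that also collects phone numbers on a form (or that can enumerate 10**9 hashes) can link the munged identifier back to the subscriber.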
------
jarofgreen
Confirmed on a Google Nexus.

In his webpage he also says "They downgrade all images and insert a javascript
link into the HTML of each page."

The image downgrading has been known about for ages, the JS I have not heard
about before. I have asked for more info on Twitter but will investigate
myself if I can find time today.

~~~
jarofgreen
<https://twitter.com/#!/O2/status/161872584634408960> says "@lewispeckover Hi
Lewis. The mobile number in the HTML is linked to how the site determines that
your browsing from a mobile device #O2Guru"

As Lewis replies, "@O2 User-agent header ID's the device. Passing mobile
number to third party sites is not ok! Seems like a data protection act breach
to me?"

Being charitable, that could be clueless support rather than official policy
response but hopefully the storm coming their way will get an official
response soon.

~~~
alexchamberlain
From the oracle (Wikipedia), Data must not be disclosed to other parties
without the consent of the individual whom it is about, unless there is
legislation or other overriding legitimate reason to share the information
(for example, the prevention or detection of crime). It is an offence for
Other Parties to obtain this personal data without authorisation.

It is in fact illegal for the website to obtain this information... Lew,
you're going down... Only joking.

------
peterclary
If an image is loaded from a third-party site then presumably that request's
header also includes the phone number. Can anyone confirm? That would mean
that it's not just the website you're visiting that's getting your phone
number, but advertisers too.

Here comes the SMS spam...

~~~
MattBearman
Since using O2 I've been getting more SMS spam than ever. I often wondered how
they were getting my number (I'm pretty careful). Maybe this is how...

------
JCB_K
I'm on Giffgaff, which is a daughter company of O2, same problem. Started a
support thread on the website, let's see what they say.

~~~
gerrit
On giffgaff too, any chance you could link to that thread?

~~~
SandB0x
[http://community.giffgaff.com/t5/Help-Ask-the-community-
got-...](http://community.giffgaff.com/t5/Help-Ask-the-community-got-
stuck/o2-sending-mobile-number-in-http-headers-of-mobile-internet-
page/td-p/2852253)

and

[http://community.giffgaff.com/t5/Contribute-Innovation-
Promo...](http://community.giffgaff.com/t5/Contribute-Innovation-
Promotion/Phone-number-being-sent-in-header-to-websites/m-p/2851947)

and

[http://community.giffgaff.com/t5/Contribute-Innovation-
Promo...](http://community.giffgaff.com/t5/Contribute-Innovation-
Promotion/Massive-Giffgaff-Privacy-Breach/td-p/2852711)

------
michaelfeathers
The link insertion reminds me of an ISP in another country that was rewriting
HTML before sending it. If we want to get very technical, if this happened in
the US, couldn't an ISP be dinged for creating a "derived work" of a
copyrighted page without permission?

~~~
ignoreme
I think that is opening up a can of worms I would rather not see opened.
Technically caching could be seen as copyright infringement.

Quite a few ISP's run transparent proxies for caching and technically every
time you visit a website you are creating a copy of it on your local drive. If
I disable javascript or run other scripts (like via grease-monkey) I am also
technically creating "derived work".

~~~
DanBC
English law has exemptions for caching.

------
wgx
Additional write-up on another site here:
[http://www.thinkbroadband.com/news/4990-o2-shares-your-
mobil...](http://www.thinkbroadband.com/news/4990-o2-shares-your-mobile-phone-
number-with-every-website-you-visit.html)

~~~
otoburb
The write-up is more charitable when it comes to the possible reason why this
may be happening. The specific quote: " Our suspicion is that the feature is
used by internal O2 websites to identify the user trying to make changes to
the account, but that one or more of O2's proxy servers have been
misconfigured."

x-up-calling-line-id (and similar headers from other gateway vendors) are
typically not meant to be sent in the clear beyond internal sites. Perhaps a
certain set/class of URL ACLs were (mis)configured during a maintenance window
that caused this to happen.

Similar to how websites leave cookies, carriers have always had the ability to
send certain identifying information to external sites. Usually, such
identifying information is munged in some way that doesn't make it possible to
determine the mobile number of the subscriber.

The funny thing is that people are often surprisingly willing to provide their
phone number on more and more sites, which then makes it trivial for such
services to link the anonymized identifier with the actual mobile number.

Regarding the customer support folks, it's highly unlikely that they know
anything about HTTP headers, since they are typically level 1 support. This
type of query/complaint would be filtered up to level 2 or 3 usually quite
quickly once enough customers start calling in, or if somebody happens to be
reading certain media outlets (e.g. HN).

~~~
jarofgreen
Some tweets claim it isn't happening for them any more so maybe this was a
mistake being fixed?

However, assuming it's an honest mistake being fixed, this still SHOULD NOT
HAPPEN in the first place. Companies dealing with personal data need to be
more careful when the ramifications of "honest mistakes" can be so serious.
It's right that people are making a fuss about this and pressuring O2 to fix
this.

> The funny thing is that people are often surprisingly willing to provide
> their phone number on more and more sites, which then makes it trivial for
> such services to link the anonymized identifier with the actual mobile
> number.

Sure, but that still doesn't excuse this.

------
MrKurtHaeusler
Just tested on o2 Germany, and no such header was inserted. It would probably
be illegal here anyway.

~~~
jarofgreen
I would sodding hope it's illegal in the UK too! Although as IANAL I can't think
of which law exactly would cover it. Anyone know? I'm envious, you Germans
have great privacy laws.

~~~
rmc
_you Germans have great privacy laws._

A lot of these laws are from EU Directives, which the UK would have
implemented as well. Brussels isn't all bad! :P

~~~
jarofgreen
You mean " _should_ have implemented". It's left to member countries to make
the laws to match the directives, and if the EU thinks the law doesn't match
the directive it's a very long legal process to sort it out.

The example in the UK I can think about is the detention in prison without
trial for terrorism case. When the European court said "Ah, no." they scrapped
it. And instead brought in house arrest without trial. Cue another long legal
process.

But yes, I agree the EU has some great bits :-)

(Again, IANAL, and I worry I'm confusing the EU, European Commission and
European court here ...)

------
richardburton
As bad as this may seem, SMS spoofing is way, way worse.

[http://www.bbc.co.uk/blogs/watchdog/2010/04/mobile_spoofing....](http://www.bbc.co.uk/blogs/watchdog/2010/04/mobile_spoofing.html)

Nothing has been done about it.

~~~
samarudge
When using Skype messaging to a mobile number, you can enter your real mobile
number as the 'from' address (In Skype settings). To do this Skype first sends
you a confirmation message to the number you want to send from. I'm going to
assume the confirmation message is Skype being curious, and that the same
technology could be used without confirmation. Or is this an agreement with
the mobile operators?

~~~
richardburton
That is right: <http://news.ycombinator.com/item?id=3509228>

------
danbee
The header is no longer being inserted for me. I think O2 must have fixed the
problem.

~~~
mseebach
It's also gone for me.

------
Leynos
Using Opera Mini seems to disable this "feature". Of course, doing so means
all of my web traffic goes via Oslo. And of course, any apps using an http API
are presumably affected too. I'm rather disappointed to hear about this.

~~~
mhw
> Of course, doing so means all of my web traffic goes via Oslo.

Which probably means that your phone number is going to Oslo instead. At least
it's not being proxied onwards from there.

~~~
pmjordan
Opera Mini uses its own protocol to talk to the proxy. HTTP is quite chatty,
so there's a lot of mileage in reducing the headers by simply omitting a lot
of unneeded information and compressing the rest.

------
gpapilion
Sadly I can say this is true for at least two US carriers.

One had obfuscated the number by padding it in a unique identifier header, and
the other would send it along in some cases (i can't remember if it was on a
partner by partner basis).

Also, almost every HTTP request on a mobile phone still passes through an HTTP
proxy generally, so avoiding Opera won't do any good. That is what the APN
does.

What typically will get you off the carriers proxies is to use wi-fi, despite
what the author says. They tend to get out of the loop if you're using someone
else's network.

------
mattyohe
Well, their twitter guy just woke up: <https://twitter.com/#!/o2>

~~~
jarofgreen
9.21am in the UK, the office just opened. This will be a fun day for the poor
workers on level-1 support :-)

------
rix0r
I'm using Vodafone and I'm seeing an "X-VF-ACR" header in my headers that
contains a very long base64-encoded string.

Anyone any idea what it is?

(Edit: Looks like a big bunch of binary)

------
jiggy2011
Wow, just tried this and my number is right there in plain text within the
HTTP header.

I would never have signed the contract if I was aware that this would be
happening.

Does anybody know if this is a new development or been happening forever?

Hopefully they fix this pronto, if not I'm not quite sure what to do since I'm
really not comfortable using the service if this is happening and it's
something I'm already signed up to pay for monthly for the next year at least!

~~~
Torn
> I'm not quite sure what to do

File a Data Protection complaint, see below:
<http://news.ycombinator.org/item?id=3509096>

------
jsvaughan
I'm on o2 business / htc desire / cyanogen and my phone number is in the
header. wtf.

------
jgrahamc
It's not just O2 in the UK. This happens all over the place. See this talk
done in 2010: <http://mulliner.org/security/httpheaderprivacy.php>

It mentions: Orange (UK), Rogers (Canada), H3G (Italy), Vodafone/BILDmobil
(Germany), Pelephone (Israel), and on and on...

~~~
swombat
Three (UK) don't do it, and it's worth also noting that @O2 has been in
overdrive about trying to contain the twitter outrage. Good to see a large
corp paying attention for once.

~~~
jgrahamc
Have you examined all the Three headers to ensure that they are not sending a
hashed version of the phone number?

~~~
adhipg
Three's headers contain my phone make and model as a wap profile header -
nothing personal apart from that.

~~~
perspective
Just tested this on SGSII and can confirm the same.

------
ukgent2
UK South, iPhone 4S. Headers in plain sight.

Called o2 support, stating I believe this is a breach of contract and wish to
cancel my contract. The guy on the phone was not really sure how to handle
this. Has anyone had any luck forcing o2 to cancel their contract based on
this information? I kinda like Orange, no headers, and orange wednesdays

------
doismellburning
So apparently this has been going on for some time - see this paper from
October 2010:
[http://www.mulliner.org/collin/academic/publications/mobile_...](http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf)

------
wgx
Tried it on my iPhone using o2's network and my number was indeed inserted
into the headers.

~~~
chitabox
Confirmed with Samsung S2. Additionally, x-wap-profile provides phone model
(GT-I9100).

Additionally, confirmed on HTC HD2 on Tesco Mobile - Custom ROM (ICS 4.03),
thinks it's a Nexus HD2. Stock browser displays phone number, Dolphin Mini also
displays number!

------
ploureiro
I don't find my number. Galaxy Nexus with a contract on O2 (uk) using HSDPA
connection.

1.2.3.50/ups/ shows just "This is a personalization server index page created
by Bytemobile" but the rest of the page is blank. Nothing to setup...

~~~
justincormack
I do on mine. What apn have you got set? Mine is mobile.o2.co.uk username
o2web. Maybe some apns are different?

------
dvd03
To stop your o2 iPhone exposing your number through http headers, go to
Settings > General -> Network -> Cellular Data Network, and change both APN to
mobile.o2.co.uk and username to o2web (leaving password as is).

------
DrJokepu
Apart from the obvious data protection issues, perhaps an even more
interesting and frightening aspect of the issue is that that phone number is
probably there for a reason. It's entirely possible that some O2 or O2 partner
sites use that header field to associate a visitor with an O2 customer.

It would be interesting to see if that could be abused somehow, e.g. fake a
phone number header to see if it's possible to "prank your friends" who use O2
or do something ever more malicious. (I'm not advocating anything like that,
it's illegal and immoral and bad, I'm just curious if that would really work.)

~~~
fpp
This is done inside the TelCom core - you have no control over that on the
device.

That's also why headers from normal (non-mobile) endpoints including WiFi are
considered unreliable for such information.

All that might soon change with the use of IP6 addresses.

------
jarofgreen
Unrelated story from yesterday but slightly funny in its timing:

"Head of PR for O2 Nicola Green has been promoted to director of comms and
reputation for O2's parent company Telefónica UK."
[http://www.prweek.com/news/1113672/Head-PR-O2-Nicola-
Green-b...](http://www.prweek.com/news/1113672/Head-PR-O2-Nicola-Green-
becomes-TelefOnica-UKs-director-comms/?DCMP=ILC-SEARCH)

Wonder if this means they have no head of PR in place at the moment? Ouch.

------
birger
Isn't this information used as an extra security layer when using your mobile
phone for payments or bank transactions? Here in The Netherlands when I want
to use my mobile phone to log in to my bank account and do transactions, I
first need to confirm my phone number and a special code. I can imagine that
then they need the phone number in the header to verify it is my phone.

And how is this information different from an IP address that they also have
with each request?

~~~
alexchamberlain
Headers are too easily spoofed to carry security information without a
signature.

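alexchamberlain's point above, that a header cannot carry security information without a signature, and DrJokepu's question further up about faking the header, come down to the same thing: any client can put `X-MSISDN: 447700900111` in its own request, so a partner site doing age verification or billing off the bare header is trusting whoever sent the packet. The block below is an added example of a hypothetical signing scheme, not O2's or any carrier's actual mechanism; the header names X-MSISDN-TS and X-MSISDN-SIG, the shared key and the timestamp are all assumptions. The carrier side signs the number together with the destination host and a timestamp, and the partner side only accepts the number when the HMAC checks out, so a client-supplied header, a tampered number, a signature replayed against a different partner and a stale signature are all rejected.

```python
"""Added example (hypothetical scheme, not O2's): a partner site must not trust
a bare X-MSISDN header, because any client can send one. The gateway would
have to sign it and the site verify the signature before using the number."""
import hashlib
import hmac
import time
from typing import Dict, Optional

MAX_AGE_S = 300  # reject signatures older than five minutes (assumed window)


def _message(msisdn: str, host: str, ts: int) -> bytes:
    # Binding the host stops a signature captured by one partner being
    # replayed to another; the timestamp bounds how long it stays valid.
    return f"{msisdn}|{host}|{ts}".encode()


def sign_msisdn(msisdn: str, host: str, ts: int, key: bytes) -> Dict[str, str]:
    """Carrier side: the headers the gateway would add for a trusted partner."""
    sig = hmac.new(key, _message(msisdn, host, ts), hashlib.sha256).hexdigest()
    return {"X-MSISDN": msisdn, "X-MSISDN-TS": str(ts), "X-MSISDN-SIG": sig}


def verified_msisdn(headers: Dict[str, str], host: str, key: bytes,
                    now: Optional[int] = None) -> Optional[str]:
    """Partner side: return the MSISDN only if the signature checks out,
    otherwise None. Missing, malformed, stale, tampered or client-supplied
    headers all fall through to None."""
    now = int(time.time()) if now is None else now
    try:
        msisdn = headers["X-MSISDN"]
        ts = int(headers["X-MSISDN-TS"])
        sig = headers["X-MSISDN-SIG"]
    except (KeyError, ValueError):
        return None
    if abs(now - ts) > MAX_AGE_S:
        return None
    expected = hmac.new(key, _message(msisdn, host, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return msisdn


if __name__ == "__main__":
    KEY = b"shared-secret-between-carrier-and-partner"   # assumed
    T = 1327500000                                        # constructed timestamp
    good = sign_msisdn("447700900987", "partner.example", T, KEY)
    print("signed, right host :", verified_msisdn(good, "partner.example", KEY, now=T + 10))
    print("client-supplied    :", verified_msisdn({"X-MSISDN": "447700900111"}, "partner.example", KEY, now=T))
    print("tampered number    :", verified_msisdn(dict(good, **{"X-MSISDN": "447700900111"}), "partner.example", KEY, now=T))
    print("replayed elsewhere :", verified_msisdn(good, "other.example", KEY, now=T))
    print("stale signature    :", verified_msisdn(good, "partner.example", KEY, now=T + 3600))
```

Even with a valid signature the value only proves that the carrier's gateway asserted the number for this host at that time; the unsigned header the thread is about proves nothing, and a site that reads it for anything beyond logging is accepting whatever the client or any intermediate proxy chose to put there.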
~~~
mooism2
It's like security through obscurity: on its own it's inadequate, but as an
extra layer it can be helpful.

~~~
alexchamberlain
How is this helpful? We have proved it's inconsistent... Do you check IP
addresses for security too?

~~~
mooism2
I can imagine a bank fraud detection system being more suspicious of unusually
large transactions if they originate from an unusual phone number or ip
address, yes.

------
jarofgreen
I just checked again and it's not there any more. Anyone else seen the same
pattern of seeing it in the past but not now? Hopefully that means fixes are
being rolled out.

------
rheeseyb
This doesn't appear to be happening with the Samsung Galaxy Nexus

*edit scratch that it is happening now. Both attempts were on 3G only. Seems it doesn't always happen.

------
mike-cardwell
Mobile networks seem to do all sorts of horrendous shit to people's Internet
connections. I found out this morning that T-Mobile UK's transparent web proxy
breaks web sockets. They also break some websites by minifying javascript
badly.

This is exactly why my phone has a VPN to my Linode server and routes out all
Internet traffic over it. Mobile phone companies don't provide a clean
Internet connection.

~~~
fpp
What they do is traffic shaping / policy management / caching to reduce the
amount of traffic delivered to the device via the mobile network.

The issues here are part of the overall network neutrality theme besides
privacy & user experience issues.

Key technologies used are DPI (deep packet inspection) and PCRF (policy &
charging rule function) within their IMS and even on the edge of their
networks (mostly caching plus location capture etc). There are whole
application ecosystems around these providing specialized solutions depending
on the infrastructure (provider) used by the TelCom.

Leaders of the pack providing such technology are Sandvine, Ericsson, NSN,
Cisco, Procera, Allot & Arbor Networks. CDN providers like Akamai or Level3
are tmk also active here.

Beyond the above there are pure HW players that e.g. provide TCP/ IP
processing equipment which allows real-time inspections of 10/100Gbps streams
together with development stacks - typical development providers include
Continuous Computing (they have some nice posters to familiarize you with
normal TelCom infrastructure) and smaller ones like Cavium Networks.

Besides all of the above commercial tools there is the so-called Lawful-
Inspection where who-god-knows is peeking into the telcom traffic with special
installations (now also in almost all western countries) so that even the
Telcos don't know where the data is going to.

To get an overview what is happening in that industry segment have a look at
<http://broabandtrafficmanagement.blogspot.com/> - be aware that the TelComs
are using a special lingo and acronym soup!

------
sambenson
Someone hit the damage control button @O2: <https://twitter.com/#!/O2>

------
wr1472
My colleague just tried it with Tesco Mobile which runs on O2 on his Galaxy S2
and his number was in the header.

~~~
JosephRedfern
I concur - this is also happening on an iPhone 4 on Tesco.

------
bjnortier_hn
They have a twitter bot that responds to everyone who tweets about the issue -
"we are investigating these reports and will provide more information as soon
as we can.'

Their twitter account is a disaster zone: <https://twitter.com/#!/o2>

------
c_mac
I must say I am encouraged to see that some media coverage and, what seems to
be an influx of emails to 02 by worried customers has managed to prompt a
response from the company. Sadly, the concerns of who these nameless "trusted
partners" are will no doubt have some people concerned.

------
1880
A similar thing happened in 2010 with Orange Spain:
[http://certificateerror.blogspot.com/2010/08/orange-spain-
di...](http://certificateerror.blogspot.com/2010/08/orange-spain-disclosing-
user-phone.html?m=1)

It looks like it was fixed immediately.

------
mseebach
This does not happen on giffgaff, a MVNO owned by and operating on O2s
network.

~~~
philjones88
Actually it does for me. Perhaps its the handset that determines this issue? I
have a O2 PAYG HTC HD7 WP7.5 device that I use with GiffGaff and the page
clearly lists the header and my phone number.

~~~
mseebach
Perhaps I should turn off wifi. Facepalm. Yes, it happens on Giffgaff too.

------
Pr1sm
Apparently now fixed: [http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-
and-web-...](http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-
browsing.html)

------
mpunaskar
As per statement from O2 - They share data with their "trusted partners" for
age verification purpose.

Does that mean they share my birth date with their "trusted" partners?

~~~
kgutteridge
Due to the code of practice in the UK the mobile network operators do share
"over 18 yes/no" with some sites

You can read more

[http://www.aimelink.org/docs/UK_MNO_Age_Verification_Procedu...](http://www.aimelink.org/docs/UK_MNO_Age_Verification_Procedures.pdf)

------
iamichi
I had the header at 9.30 this morning. I just refreshed the page and my number
has gone, so either they've fixed it or I'm using a different proxy that
doesn't have the issue.

------
MattBearman
I got the header inserted on my iPhone 3Gs, not happy about this.

------
shocks
Orange UK here - nothing in my headers. Clean as a whistle.

------
vibrazy
This might be useful <http://mobiforge.com/developing/blog/useful-x-headers>

------
Dexec
Just tested on o2 Ireland (iPhone 4S), no header inserted.

------
J_Darnley
Now that is how a web page should look! It uses my preferred font at the
preferred size and fills the entire width of the page with text.
Congratulations!

------
neave
Here's a demo I made to better illustrate the issue:
<http://neave.com/temp/phone-headers/>

------
ffffruit
T-Mobile UK, no phone number in HTTP headers.

------
webmonkeyuk
Tested using a HTC HD2 (Windoze Mobile) device in Opera and IE. No IP or
location information sent in the headers.

------
bravolima
I'm not seeing the header - HTC Desire.

~~~
samwilliams
I am not seeing it on the HTC Sensation either.

This article seems to agree with us too: [http://www.slashgear.com/o2-sharing-
phone-numbers-for-mobile...](http://www.slashgear.com/o2-sharing-phone-
numbers-for-mobile-surfers-but-not-everyone-25210620/)

I wonder what the (de)selection criteria are then?

------
atomicdog
My number didn't show up in the header but I think my data might be going
through Blackberry, not o2.

------
declan_traynor
Confirmed on iPhone. Have received generic O2 response after mentioning this
thread on twitter...

------
jiggy2011
This _seems_ to be fixed for me now, anybody else still getting issues?

------
alexchamberlain
Not inserted on Dell Streak.

------
yankcrime
O2 / iPhone here. My number doesn't appear in the HTTP headers sent.

------
VMG
slightly OT: there was a page that displays your full http request but I
forgot the name. It was on the HN front page not too long ago. (I'm curious to
see what my phone/provider sends)

------
hm2k
It doesn't seem to send it if you're going over wifi.

------
netmute
Just tested this on O2 Germany. They don't do it.

------
alexchamberlain
I think we should write to the ICO about this.

------
urbanjunkie
O2 have responded

[http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-
web-...](http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-
browsing.html)

Selected highlights:

Q: How long has this been happening?

A: In between the 10th of January and 1400 Wednesday 25th of January, in
addition to the usual trusted partners, there has been the potential for
disclosure of customers’ mobile phone numbers to further website owners.

Q: Has it been fixed?

A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.

[edited to add]

I find this a bit weaselly:

Q: Which websites do you normally share my mobile number with?

A: Only where absolutely required by trusted partners who work with us on age
verification, premium content billing, such as for downloads, and O2's own
services, have access to these mobile numbers.

~~~
eps
When you browse from an O2 mobile, we add the user's mobile number to this
technical information, but only with certain trusted partners. _This is
standard industry practice._

~~~
urbanjunkie
It's more alarming that this is 'standard industry practice', implying all the
UK mobile telcos are doing this.

------
urbanjunkie
Tested an iPhone 4S on Three (UK)'s mobile network - no phone number passed in
the HTTP headers.

------
burnsie_la
Good to see the power of social networking used for good
<https://twitter.com/#!/search/%40o2>

------
mbrit
Here's a proof-of-concept to get the user's location too:
<http://mbrit.com/o2numberandlocation.aspx>.

(Albeit they need to give permission to access the HTML5 location APIs.)

~~~
davej
What's wrong with this? This is a browser feature which requires permission
from the user. Am I missing something?

