Name: Telefonica O2 UK
Address: 260 Bath Road
Postcode: SL1 4DX
Phone: 0800 089 0202
When users of their network visit a site, O2 injects the user's mobile phone number into the request. This is then available to the website host, which raises obvious data protection issues. O2 does this by modifying the HTTP request and inserting the number in the 'x-up-calling-line-id' HTTP header.
Alarmingly, it does this to all unencrypted site visits (i.e. 'http', not 'https'), and these end sites can trivially harvest the mobile numbers of visitors and link them to the content visited.
This can be verified by visiting http://lew.io/headers.php on an O2 mobile device. The site serves as a tool to show the visitor the HTTP headers received by the server when the user requests that particular page.
Online utility that will show you the headers sent in your page request: http://lew.io/headers.php
Discussion on technical forum 'hacker news': http://news.ycombinator.org/item?id=3508857
Official O2 Twitter responding to (and misunderstanding/misrepresenting) the problem: https://twitter.com/#!/O2/status/161872584634408960
COVERING LETTER WITH EMAIL TO email@example.com:
To whom it may concern,
Please find attached my complaint against O2 under the Data Protection Act.
When users of their network visit a site, O2 injects the user's mobile phone number into the request. This is then available to the website host, which raises obvious data protection issues.
> "Hi Lewis. The mobile number in the HTML is linked to how the site determines that your browsing from a mobile device #O2Guru"
They seem to have taken down the header now though.
The ICO can also prosecute the company and officers in the criminal courts under some situations, including: "unlawfully obtaining, disclosing, or procuring the disclosure of personal data;" (I don't know whether this would count as unlawful disclosure or not).
Make sure you have filled in the correct complaint forms and provided your personal details. Sending an email with a link to the lew.io site or this HN thread is useless to them.
Although I've been on O2 in the past, I don't have any evidence that the problem occurred during that time. I'm on Orange now, which appears to be unaffected.
It's a pain, because I'd been thinking about switching back to O2 to get Visual Voicemail, which no other UK provider appears to be able to support.
"When people visit a website via their mobile phone they would not expect their number to be made available to that website.
"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
O2 are in trouble.
"The Information Commissioner's Office said it is considering whether to investigate further, although a spokesman said there was no immediate breach of the Data Protection Act. A mobile phone number on its own is not classed as "personally identifying information" (PII), because it does not identify an individual on its own; but the spokesman said the office would consider whether other personal data was being processed at the same time."
I just googled my phone number and found all my other details though; better fix that.
I wonder if this was in the T&C when I signed the contract?
The system works!
We have reported it to them via various internal contacts we have. Hopefully they will fix this soon!
In such a circumstance, carriers may consider this "trusted".
People shouldn't really be surprised that ALL mobile web traffic is heavily proxied (and transformed, by default). You probably wouldn't want to experience a direct net connection as flaky as mobile ones actually are.
In terms of being made public or opt-outable, I'm not aware of any carriers that do this. I guess it depends on which 3rd party sites have negotiated agreements and obtained appropriate opt-ins from you and/or the carrier in various Terms of Agreements. For example, banking sites probably get a free pass when it comes to your mobile number because you may have entered it in to the banking application for verification purposes (just an example).
For instance with your banking example, yes, I may have given my number and probably have if I'm a customer. But what if I'm just browsing a banks website thinking about opening an account? Should they have my number then? (but of course banks are unlikely to abuse this for spam or anything.)
But can you see how people would think this is a grey area with potential for abuse? So basically, we just have to trust our carriers not to sell us out with no way of checking up on them?
Sorry I wasn't clearer. I was referring to the use-case where you have an HTTPS connection open with the banking site, and the carrier has agreed to send your mobile number to the banking site only under these conditions (perhaps for security/tracing/auditing purposes).
>Should they have my number then? (but of course banks are unlikely to abuse this for spam or anything.)
I'm not a carrier, but I'm pretty sure that we're on same page here when I say that ideally no egress HTTP request destined beyond/outside of the carrier network should contain a plaintext mobile number.
> But can you see how people would think this is a grey area with potential for abuse?
Yes. This is the same grey area with the potential for abuse that every single company must deal with whenever we hand them our personal information (Google, Facebook, etc).
> So basically, we just have to trust our carriers not to sell us out with no way of checking up on them?
I'm not sure why you're implying that I hold this opinion. It seems we're in violent agreement here.
EDIT: In essence, we do trust carriers not to sell our data and "sell us out" too much. Given the amount of personal data and habits that telecom companies have on us, I'm surprised that they haven't sold our records, logs and patterns to marketing firms. For all we know, they might be doing that already. </tinhat>
I'm confused, how do they insert headers in to HTTPS?
> Yes. This is the same grey area with the potential for abuse that every single company must deal with whenever we hand them our personal information (Google, Facebook, etc).
Of course, and in all these cases having a way to check up on what is done would be good.
> I'm not sure why you're implying that I hold this opinion. It seems we're in violent agreement here.
I wasn't trying to imply anything about your opinions at all, sorry, bad grammar. I was strictly talking about my own opinions.
A few possible methods of inserting a mobile number into an HTTPS connection:
1) Instead of negotiating a TLS end-to-end tunnel with the banking site, have the device negotiate the tunnel with the proxy, and then the proxy initiates a second tunnel with the banking site. This require[d|s] a lot of finagling with the trusted certs on the device (usually burned in via firmware for older phones). I don't know anybody that does this today; I only list it here as a possibility.
2) Believe it or not, some older devices actually sent the mobile number as part of the HTTP headers originating from the device browser user-agent. For these devices, content sites using HTTPS connections were almost always guaranteed to receive the mobile number (the irony is rich). In these scenarios, carrier proxies would actually strip the mobile number or other identifying characteristics from the outbound HTTP requests.
3) More straightforward: a bank installs a native user-agent on the device (e.g. banking app) that injects the mobile number after negotiating an e2e TLS tunnel.
#2 didn't admittedly answer your question, but I threw it in there for the sake of completeness.
There's no good reason to include the actual mobile number in the headers, internal or not.
O2: Send number in plain-text to every website visited. 
Orange: Increase fixed contract price by RPI through use of dodgy contract clause. 
Three: Place a non-payment flag on my credit report for no apparent reason. When I realise years later, they remove it and don't even apologise.
I'm running out of operators which haven't negatively impacted me, and to be honest, I think some of the blame must land with OFCOM.
 - http://news.sky.com/home/technology/article/16156276
 - http://en.wikipedia.org/wiki/Orange_%28UK%29#Controversy
Edit: It still includes your phone number, thanks msmithstubbs.
I use OpenVPN when I have my netbook tethered to my phone (or when I use any other "untrusted" wireless network for that matter) and route all traffic through my home fibre (I'm with an ISP that I know doesn't mess with my traffic).
There are problems with that though:
* installing OpenVPN on Android is a faff (I've still not got around to it on my device) [see http://vpnblog.info/android-openvpn-strongvpn.html and similar] - most users are not going to want to mess around like that
* there is no guarantee that it will even work (or work efficiently enough) on all networks, or they could classify all encrypted traffic in the same lump as encrypted P2P connections and shape/block accordingly
* any VPN adds overheads (at least a set of headers per packet, and keep-alive packets when the connection is otherwise inactive), so if you don't have a cheap data plan that could be a consideration
Some popular headers to check
Visitors on an O2 phone will receive an SMS on their first visit. An MD5 hash of their MSISDN is kept in memory to prevent multiple SMS being sent.
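The de-duplication scheme described in the comment above (an unsalted MD5 of the MSISDN) deserves a caveat a practitioner would want: a mobile numbering plan is a small input space, so the hash can be inverted by enumeration and is not an anonymised identifier. The following is an added example, not code from the lew.io tool or from anyone in this thread; the MSISDN, the prefix block and the keys are constructed for illustration. It inverts the MD5 token over one prefix block and shows a keyed HMAC that keeps the de-duplication property without the invertibility.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed example MSISDN (international format, no '+').  The UK 07700 900xxx block is
# reserved by Ofcom for drama and documentation, so this is nobody's number.
EXAMPLE_MSISDN = "447700900123"


def md5_token(msisdn: str) -> str:
    """The de-duplication token described above: an unsalted MD5 of the MSISDN."""
    return hashlib.md5(msisdn.encode("ascii")).hexdigest()


def keyed_token(msisdn: str, key: bytes) -> str:
    """Same de-duplication property (equal numbers give equal tokens) without the
    invertibility: HMAC-SHA256 under a secret that stays on the server.  A per-site
    key also keeps tokens issued by different sites unlinkable to each other."""
    return hmac.new(key, msisdn.encode("ascii"), hashlib.sha256).hexdigest()


def invert_token(token: str, prefix: str, digits: int,
                 tokenize: Callable[[str], str]) -> Optional[str]:
    """Recover the MSISDN behind a token by enumerating a block of candidate numbers.

    A national numbering plan is roughly 10**9 UK mobile numbers, which a laptop
    exhausts in minutes; to keep this example instant the search covers only the
    10**digits numbers under one prefix (constructed block, hypothetical attacker).
    `tokenize` is whatever the attacker believes the server computes.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(tokenize(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    token = md5_token(EXAMPLE_MSISDN)
    print("md5 token:", token)
    print("recovered:", invert_token(token, "44770090", 4, md5_token))
    key = b"site-secret-constructed"
    ktoken = keyed_token(EXAMPLE_MSISDN, key)
    print("keyed token, wrong key guess:",
          invert_token(ktoken, "44770090", 4, lambda m: keyed_token(m, b"guess")))
```

Without the key, knowing the algorithm is not enough: the same enumeration returns nothing, while the server can still compare tokens for repeat visitors. A token that only needs to de-duplicate never needs to be reversible.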
The image downgrading has been known about for ages; the JS I have not heard about before. I have asked for more info on Twitter but will investigate myself if I can find time today.
Our boss saw errors loading the site on his iPad, but whenever we brought him into the office to try and replicate it, the problems disappeared.
We finally figured out it only happened when he was out the office, so on 3G not WiFi, and then managed to find the stackoverflow post you mention.
As Lewis replies, "@O2 User-agent header ID's the device. Passing mobile number to third party sites is not ok! Seems like a data protection act breach to me?"
Being charitable, that could be clueless support rather than official policy response but hopefully the storm coming their way will get an official response soon.
It is in fact illegal for the website to obtain this information... Lew, you're going down... Only joking.
...and for people using iPod Touches or similar?
This tag is inserted in the head:
This is inserted at the end:
The external JS is here: http://pastebin.com/rv3k4meX
Analysis please. At an initial glance it seems to just be about the image compression.
My quick glance at it agrees with you; it looks like it replaces the URLs of the images, presumably to load compressed versions.
Here comes the SMS spam...
x-up-calling-line-id (and similar headers from other gateway vendors) are typically not meant to be sent in the clear beyond internal sites. Perhaps a certain set/class of URL ACLs were (mis)configured during a maintenance window that caused this to happen.
Similar to how websites leave cookies, carriers have always had the ability to send certain identifying information to external sites. Usually, such identifying information is munged in some way that doesn't make it possible to determine the mobile number of the subscriber.
The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.
Regarding the customer support folks, it's highly unlikely that they know anything about HTTP headers, since they are typically level 1 support. This type of query/complaint would be filtered up to level 2 or 3 usually quite quickly once enough customers start calling in, or if somebody happens to be reading certain media outlets (e.g. HN).
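The comment above suggests the leak came from a misconfigured URL ACL on the gateway's egress path, and an earlier comment in the thread argues that no plaintext request leaving the carrier network should carry a mobile number at all. The following is an added example of that egress policy, not O2's or any vendor's configuration: a small model of a gateway that attaches the subscriber number and an ACL that decides which destination hosts may receive it, with the default-allow setting that leaks beside the default-deny setting that does not. The partner domain, the example number and the extra header names beyond x-up-calling-line-id are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet
from urllib.parse import urlsplit

# Header names under which a gateway may carry the subscriber's number.
# x-up-calling-line-id is the one seen from O2 in this thread; the others are
# conventions of other gateway vendors, listed here as an assumption.
IDENTITY_HEADERS = frozenset({"x-up-calling-line-id", "x-msisdn",
                              "x-nokia-msisdn", "x-wap-msisdn"})

# Hypothetical partner allowlist: one billing partner's domain and its subdomains.
PARTNER_HOSTS = frozenset({"*.billing-partner.example"})


@dataclass(frozen=True)
class EgressAcl:
    """Which destination hosts on the plaintext egress path may see identity headers."""
    partner_hosts: FrozenSet[str]  # "host.example" exact, or "*.example" for a domain and subdomains
    default_allow: bool            # treatment of hosts matching no rule: the dangerous knob

    def identity_allowed(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        for pattern in self.partner_hosts:
            if pattern.startswith("*."):
                base = pattern[2:]
                if host == base or host.endswith("." + base):
                    return True
            elif host == pattern:
                return True
        return self.default_allow

    def filter_headers(self, url: str, headers: Dict[str, str]) -> Dict[str, str]:
        """Drop identity headers unless the destination host may receive them."""
        host = urlsplit(url).hostname or ""
        if self.identity_allowed(host):
            return dict(headers)
        return {n: v for n, v in headers.items() if n.lower() not in IDENTITY_HEADERS}


def gateway_upstream_headers(client_headers: Dict[str, str], msisdn: str) -> Dict[str, str]:
    """Headers the gateway sends upstream for one plaintext request.

    Any identity header the device itself sent is discarded first (a client must not
    be able to claim someone else's number towards a partner), then the number known
    from the bearer session is attached.  Over end-to-end TLS the gateway never sees
    the request and none of this applies.
    """
    upstream = {n: v for n, v in client_headers.items() if n.lower() not in IDENTITY_HEADERS}
    upstream["x-up-calling-line-id"] = msisdn
    return upstream


def number_leaks(acl: EgressAcl, url: str, client_headers: Dict[str, str], msisdn: str) -> bool:
    """True if the request, as it leaves the gateway, still carries the subscriber's number."""
    sent = acl.filter_headers(url, gateway_upstream_headers(client_headers, msisdn))
    return any(n.lower() in IDENTITY_HEADERS and v == msisdn for n, v in sent.items())


# The two configurations side by side.  The first behaves as the thread hypothesises:
# with a default-allow rule set, every host is treated as a partner.
MISCONFIGURED = EgressAcl(partner_hosts=PARTNER_HOSTS, default_allow=True)
CORRECTED = EgressAcl(partner_hosts=PARTNER_HOSTS, default_allow=False)

if __name__ == "__main__":
    client = {"Host": "lew.io", "User-Agent": "Mozilla/5.0 (constructed)"}
    for name, acl in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, "leaks to lew.io:",
              number_leaks(acl, "http://lew.io/headers.php", client, "447700900123"))
```

The point of the model is that the allowlist is only meaningful when the default is deny; a default-allow rule set with a partner list behaves identically to no ACL at all, which is consistent with every plaintext site in the thread seeing the header.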
However, assuming it's an honest mistake being fixed, this still SHOULD NOT HAPPEN in the first place. Companies dealing with personal data need to be more careful when the ramifications of "honest mistakes" can be so serious. It's right that people are making a fuss about this and pressuring O2 to fix this.
> The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.
Sure, but that still doesn't excuse this.
A lot of these laws are from EU Directives, which the UK would have implemented as well. Brussels isn't all bad! :P
The example in the UK I can think about is the detention in prison without trial for terrorism case. When the European court said "Ah, no." they scrapped it. And instead brought in house arrest without trial. Cue another long legal process.
But yes, I agree the EU has some great bits :-)
(Again, IANAL, and I worry I'm confusing the EU, European Commission and European court here ...)
The courts have interpreted this privacy as applying not only to the carrier, but also as a duty each end of the communication has to the other. I understand that if someone outside Germany were to call me (in Germany), I could not legally record the conversation until I had informed you of what I was about to do.
Cf. (in fairly straightforward German) http://www.gesetze-im-internet.de/gg/art_10.html
However, I think it is generally perceived as personal.
Which probably means that your phone number is going to Oslo instead. At least it's not being proxied onwards from there.
Nothing has been done about it.
Lines like this one:
"The message was so convincing that the iPhone Anita was using believed it was genuine and listed it directly underneath the real message from that bank."
Show a complete misunderstanding of how SMS works. SMS is like email in that who it comes from is simply a type of header, which when sending from a mobile phone isn't editable - when a message arrives your phone can't verify where it actually came from. In particular given banks don't send from an official number, they send from a text name.
If it were merely some string that uniquely identifies me across different domains no matter how many times I reset my browser, it'd already be a privacy disaster. But making it my actual phone number? That's... just... horrible.
One had obfuscated the number by padding it in a unique identifier header, and the other would send it along in some cases (I can't remember if it was on a partner by partner basis).
Also, almost every HTTP request on a mobile phone still passes through an HTTP proxy. Generally, so avoiding Opera won't do any good. That is what the APN does.
What typically will get you off the carriers proxies is to use wi-fi, despite what the author says. They tend to get out of the loop if you're using someone else's network.
I would never have signed the contract if I was aware that this would be happening.
Does anybody know if this is a new development or been happening forever?
Hopefully they fix this pronto, if not I'm not quite sure what to do since I'm really not comfortable using the service if this is happening and it's something I'm already signed up to pay for monthly for the next year at least!
File a Data Protection complaint, see below: http://news.ycombinator.org/item?id=3509096
Anyone any idea what it is?
(Edit: Looks like a big bunch of binary)
It mentions: Orange (UK), Rogers (Canada), H3G (Italy), Vodafone/BILDmobil (Germany), Pelephone (Israel), and on and on...
Called O2 support, stating I believe this is a breach of contract and wish to cancel my contract. The guy on the phone was not really sure how to handle this. Has anyone had any luck forcing O2 to cancel their contract based on this information? I kinda like Orange: no headers, and Orange Wednesdays.
Additionally, confirmed on HTC HD2 on Tesco Mobile - Custom ROM (ICS 4.03), thinks it's a Nexus HD2 - Stock browser displays phone number, Dolphin Mini also displays number!
It would be interesting to see if that could be abused somehow, e.g. fake a phone number header to see if it's possible to "prank your friends" who use O2 or do something ever more malicious. (I'm not advocating anything like that, it's illegal and immoral and bad, I'm just curious if that would really work.)
That's also why headers from normal (non-mobile) endpoints including WiFi are considered unreliable for such information.
All that might soon change with the use of IP6 addresses.
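The two comments above raise the other side of the problem: the header is ordinary request data, so any client can send its own x-up-calling-line-id, and a site that reads it from arbitrary endpoints (Wi-Fi, a VPN, curl) learns nothing reliable. The following is an added example for the website side, not the lew.io headers.php tool or anything from this thread: a headers-echo WSGI app like the one the post describes, plus the check a site that is genuinely entitled to the number (a billing or age-verification partner) would do before believing it. The gateway source range is a constructed placeholder (TEST-NET-2), not an O2 range; a real deployment takes the list from the carrier's partner documentation.

```python
import ipaddress
from typing import Dict, Optional

# Source ranges from which the carrier's gateway reaches the web.  Constructed
# placeholder (TEST-NET-2), not an O2 range: take the real list from the carrier.
CARRIER_GATEWAY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

SUBSCRIBER_HEADER = "x-up-calling-line-id"


def request_headers(environ: Dict[str, str]) -> Dict[str, str]:
    """All request headers from a WSGI environ, lowercased, as an echo page shows them."""
    return {key[5:].lower().replace("_", "-"): value
            for key, value in environ.items() if key.startswith("HTTP_")}


def trusted_subscriber_number(environ: Dict[str, str]) -> Optional[str]:
    """Return the MSISDN from the request only when it is believable.

    Anyone can type this header into curl, so it only means something when the
    request provably came through the carrier gateway (source address inside the
    gateway ranges) and the value is shaped like a number.  Over end-to-end TLS the
    gateway cannot have added it, so a TLS request carrying it is suspect by itself.
    """
    value = environ.get("HTTP_" + SUBSCRIBER_HEADER.upper().replace("-", "_"))
    if not value:
        return None
    try:
        src = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    # REMOTE_ADDR must be the peer that actually connected to us.  Behind your own
    # reverse proxy use its verified client address, never a raw X-Forwarded-For.
    if not any(src in net for net in CARRIER_GATEWAY_NETS):
        return None
    digits = value.strip().lstrip("+")
    if not digits.isdigit() or not 10 <= len(digits) <= 15:  # E.164 length bounds
        return None
    return digits


def render_headers(environ: Dict[str, str]) -> str:
    """Text body of the echo page: every header, then the verdict on the subscriber header."""
    lines = [f"{name}: {value}" for name, value in sorted(request_headers(environ).items())]
    number = trusted_subscriber_number(environ)
    lines += ["", f"trusted subscriber number: {number or 'none'}"]
    return "\n".join(lines)


def headers_app(environ, start_response):
    """Minimal WSGI app in the spirit of headers.php."""
    body = render_headers(environ).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def make_environ(remote_addr: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Constructed WSGI environ with just the keys these functions read (test input)."""
    env = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET", "PATH_INFO": "/headers"}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, headers_app).serve_forever()
```

Run it and fetch http://127.0.0.1:8080/headers with a hand-set header to see the spoof rejected; the same request arriving from an address inside the gateway range is the only case that yields a number. Note that passing this check still says nothing about whether the site should be receiving the number in the first place; that is the data protection question the rest of the thread is about.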
188.8.131.52/ups/ shows just "This is a personalization server index page created by Bytemobile" but the rest of the page is blank. Nothing to setup...
And how is this information different from an IP address that they also have with each request?
Unscrupulous marketers can't do much with your IP address. They can do a lot more evil with your mobile number: SMS spam, cold calls, re-sell your data, etc, etc...
Also, just because this can be used for good does not mean
A) it can't be used for bad
B) it is sharing private data that should only happen with your knowledge and consent
"Head of PR for O2 Nicola Green has been promoted to director of comms and reputation for O2's parent company Telefónica UK."
Wonder if this means they have no head of PR in place at the moment? Ouch.
*edit scratch that it is happening now. Both attempts were on 3G only. Seems it doesn't always happen.
This is exactly why my phone has a VPN to my Linode server and routes out all Internet traffic over it. Mobile phone companies don't provide a clean Internet connection.
The issues here are part of the overall network neutrality theme besides privacy & user experience issues.
Key technologies used are DPI (deep packet inspection) and PCRF (policy & charging rule function) within their IMS and even on the edge of their networks (mostly caching plus location capture etc). There are whole application ecosystems around these providing specialized solutions depending on the infrastructure (provider) used by the TelCom.
Leaders of the pack providing such technology are Sandvine, Ericsson, NSN, Cisco, Procera, Allot & Arbor Networks. CDN providers like Akamai or Level3 are tmk also active here.
Beyond the above there are pure HW players that e.g. provide TCP/ IP processing equipment which allows real-time inspections of 10/100Gbps streams together with development stacks - typical development providers include Continuous Computing (they have some nice posters to familiarize you with normal TelCom infrastructure) and smaller ones like Cavium Networks.
Besides all of the above commercial tools there is the so-called Lawful-Inspection where who-god-knows is peeking into the telcom traffic with special installations (now also in almost all western countries) so that even the Telcos don't know where the data is going to.
To get an overview what is happening in that industry segment have a look at http://broabandtrafficmanagement.blogspot.com/ - be aware that the TelComs are using a special lingo and acronym soup!
Their twitter account is a disaster zone:
It looks like it was fixed immediately.
Does that mean they share my birth date with their "trusted" partners?
You can read more
This article seems to agree with us too:
I wonder what the (de)selection criteria is then?
Q: How long has this been happening?
A: In between the 10th of January and 1400 Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.
Q: Has it been fixed?
A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.
[edited to add]
I find this a bit weaselly:
Q: Which websites do you normally share my mobile number with?
A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services, have access to these mobile numbers.
List of the Payforit intermediaries
(Albeit they need to give permission to access the HTML5 location APIs.)