O2 has issued a public apology for leaking the phone numbers of some 3G customers in header information sent to website managers. “We would like to apologize for the concern we have caused,” the company said in a statement. The cellco said it was standard industry practice to send out users’ phone number information in this way …
So, Phorm's offspring has gone mobile, then?
Given that Phorm-style technology can work both ways, a careful read of the article would seem to indicate so: According to the article, O2 customers who were surfing the web on their phones via Wi-Fi were not affected, but those who were surfing through the O2 network were affected.
Given that two given HTTP requests to identical static URLs/pages hosted by the same web server should be semantically identical, the fact that they are not indicates that O2 is doing some on-the-fly request header rewriting.
So if O2 is rewriting outgoing requests, how do we know that it's not rewriting inbound responses?
Yawn. All mobile cos modify web requests from their cell networks
The most obvious symptom being bad quality images.
It has been mobile for ages
The stuff that irked the fixed line users in Phorm has been the norm in mobile ever since mobile broadband packages and internet data bundles appeared 5+ years ago.
Initially there would have been no way to deliver anything sensible without it. In the days of GPRS (and Edge here and there) the bandwidth of an average mobile connection pretty much required re-writing web pages.
The "other uses" came later.
Norm in mobiles?
"Initially there would have been no way to deliver anything sensible without it. In the days of GPRS (and Edge here and there) the bandwidth of an average mobile connection pretty much required re-writing web pages. The "other uses" came later."
Not quite. Initially there was WAP/wml which the sooner we forget about, the better, but that was designed to create custom "web" pages on small screens with the bandwidth limit on GPRS. It wasn't http/html so can't really be considered interfering or rewriting (although that technically happened - wml was converted/compressed to bytecode by the WAP gateway).
All the while though, GPRS/EDGE was also capable of (and did) providing a "pure" net connection, with no proxies or interference on internet connections. Using IrDA or Bluetooth I regularly used my mobile as a modem - initially as "dial-up" (you could use it as a 9.6K dial-up modem to any ISP's numbers), then as a pure GPRS or EDGE connection directly through an APN; you even had your own IP address and it would permit any traffic. Part of the reason Opera Mini took off was because it would compress images/html etc. I'd say it was around the time of 3G taking off when network operators started introducing the closed model with Opera-esque NATed/proxied content with content re-writing.
And that's numberwang
Was this just O2 or all the virtual providers like Tesco and GiffGaff that also use the O2 network?
all of them
The missing kicker
The Information Commissioner doesn't consider this to be a breach of DPA, as apparently a mobile telephone doesn't constitute personal data. Quite how the &^%* they come to that conclusion, I've no idea, but O2 are free to give it out to whichever "trusted parties" they choose, regardless of your permission.
Where's the fucking refund you cunning linguists
So you compromise MY browsing AND fucking bill me for it.
Unintended? "Honestly, officer...
...I was just standing here with this knife, and this guy just ran into me -- twelve times -- backwards."
So they do intend to give your number to certain people...
...just that they were caught doing it.
"Unintended" (alternative definition)
"We didn't mean to get found out"
are they going to be offering us all new numbers now then?
been a while
If I remember correctly a guy gave a presentation on this at a privacy conference in 2010. And then created a website that you could go to to see if your phone operator was doing it.
Yes, Colin Mulliner @ CanSecWest 2010; his presentation is at
Basically he found nearly everyone sending extended http headers and he collected a whole bunch of mobile phone data on a popular site that he hosted.
stuff like HTTP_USER_AGENT: Mozilla/5.0 (SymbianOS/9.3; U; ... HTTP_X_NOKIA_MUSICSHOP_BEARER: GPRS/3G
HTTP_X_NOKIA_REMOTESOCKET: HTTP_X_NOKIA_LOCALSOCKET: HTTP_X_NOKIA_GATEWAY_ID: HTTP_X_NOKIA_BEARER:
HTTP_X_NOKIA_MSISDN: HTTP_X_NOKIA_SGSNIPADDRESS: 18.104.22.168
3G, 10.45.28.146, 4479801754XX, 22.214.171.124, unsecured 1
from Orange UK in 2010
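The kind of check Mulliner's test page performed, as an added example that is not from the thread or from his site: a small WSGI handler plus helpers that spot operator-injected headers carrying a subscriber identity (MSISDN, IMSI, IMEI and similar) so a site can report them to the visitor, or redact them before they reach its logs. The header names, value regex and sample environ are assumptions built from the headers quoted above (the masked MSISDN value is the thread's own).

```python
import re

# Header-name fragments that carriers and gateways have used for subscriber
# identity (CGI/WSGI style: upper-cased, "HTTP_" prefix, '-' -> '_').
SUBSCRIBER_HEADER_RE = re.compile(
    r"(MSISDN|IMSI|IMEI|SUBSCRIBER|UP_SUBNO|USER_ID|PHONE)", re.IGNORECASE)

# Loose MSISDN shape: optional '+', 10-15 digits; 'X' allowed because the value
# quoted in the thread is partially masked.
MSISDN_VALUE_RE = re.compile(r"^\+?\d[\dX]{9,14}$")

# Constructed sample environ modelled on the Orange UK headers quoted above
# (the values are the thread's anonymised ones, not real subscriber data).
SAMPLE_ENV = {
    "HTTP_USER_AGENT": "Mozilla/5.0 (SymbianOS/9.3; U; ...)",
    "HTTP_X_NOKIA_MUSICSHOP_BEARER": "GPRS/3G",
    "HTTP_X_NOKIA_BEARER": "3G",
    "HTTP_X_NOKIA_MSISDN": "4479801754XX",
    "HTTP_X_NOKIA_SGSNIPADDRESS": "18.104.22.168",
    "HTTP_X_NOKIA_GATEWAY_ID": "unsecured 1",
}


def find_identity_headers(environ):
    """Return {header: value} for request headers that look like they carry
    a subscriber identity, by name or by an MSISDN-shaped value."""
    found = {}
    for name, value in environ.items():
        if not name.startswith("HTTP_"):
            continue
        if SUBSCRIBER_HEADER_RE.search(name) or MSISDN_VALUE_RE.match(value.strip()):
            found[name] = value
    return found


def redact_identity_headers(environ):
    """Copy of environ with identity-bearing values replaced, safe to log."""
    flagged = find_identity_headers(environ)
    return {k: ("[REDACTED]" if k in flagged else v) for k, v in environ.items()}


def check_page_app(environ, start_response):
    """Minimal WSGI 'is my operator leaking my number?' page: reports the
    flagged headers back to the visitor and stores nothing."""
    flagged = find_identity_headers(environ)
    if flagged:
        body = "Your operator's gateway added these headers:\n" + "\n".join(
            f"{k}: {v}" for k, v in sorted(flagged.items())) + "\n"
    else:
        body = "No subscriber-identity headers seen on this request.\n"
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [body.encode("utf-8")]
```

Run it under any WSGI server (e.g. `wsgiref.simple_server.make_server("", 8000, check_page_app)`) and visit it over the mobile network, then again over Wi-Fi, to compare what the gateway adds.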
RAT in this case could mean radio access technology - which just happens to include the phone number - but for many years we have been told that the IMSI/IMEI and the phone number will never be cross-correlated as to do so is an invasion of privacy. It's not an invasion, it is a Spanish inquisition, that nobody expected!
“certain trusted partners”
ie those who we trust to pay us for giving them your mobile number...
Gonna need more than an apology...
It's pretty criminal if you ask me to so carelessly identify users like that.
I'd expect not only a whopping great fine from the ICO, but a renewed debate on Net Neutrality for mobile (should be no different to fixed) and also a kick-back to all O2 customers with a smartphone.
Given that it is worth about $17 for a website to know the identity of a user, tripling this to $51 worth of kick back to all smartphone customers should be the minimum. I'd expect that should be a break from monthly charges, though O2 will probably think some free apps or other totally useless 'value-back' will suffice. It won't.
O2 should be in real trouble here.
"..Given that it's worth about $17 for a website to know the identity of a user.."
Where is that figure from?
Also, a mobile phone number is personal information (despite what the ICO says) but it's not a name...
"I'd expect not only a whopping great fine from the ICO"
Sadly... when you discover how lazy, corrupt, incompetent, and powerless the ICO are... you will be very disappointed.
For example; BT/Phorm - no action. ACS/Law leaked emails - no action against BT, £800 fine for Crossley. TalkTalk/Huawei - no action against TalkTalk or Huawei.
And so on, and so on.
They said “We would like to apologize for the concern we have caused" - this sounds like they're apologising for causing concern, not for the data breach itself. It implies that O2 don't think people should have been concerned. Like they're apologising for not having educated their user base better about this sort of thing, and had the user base been better educated they never would have been concerned about this type of technical error.
So you don't have to apologise for an intended leak
Orange have sent my number out in requests using 3G and I have been spammed by the websites visited.
Technology is hard.