O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught. The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little as few …
"...as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded..."
Although I'm sure if left unfixed, the various websites that host the world's banner ads would very quickly modify their logging to record the contents of this header if provided, and store phone numbers alongside whatever behavioural stats are being recorded and what ads have been served/clicked.
"a badly configured proxy that should have removed the data before it left the company's network"
Not quite. By O2's own admission, they fully intend to leave the phone number HTTP header in, but only for 'trusted partners'. It is this filter that wasn't working, not a catch-all removal.
And it's not quite as cut and dried as a badly configured proxy:
What they haven't told us yet is who the 'trusted partners' are. This becomes a data protection issue, as a phone number counts as personal contact data. If they have to share information with 'trusted partners' it should be a unique identifier, not contact data.
"Personal contact data"
Apparently phone numbers inexplicably *don't* count as personal data, and so aren't covered by the DPA.
Perfectly explicable, it's called a "telephone directory". The information is already in the public domain by default opt-in when signing up for telephone services.
Now, if they've done this for anyone who's opted out of the directory - i.e. made the point that their number is to be treated as confidential information..........(!)
Last time I looked, if it is information which could reasonably be expected to appear on a business card, which includes name, phone number and email, it's not private information. It didn't appear to make the distinction between personal and work information.
"Information on a business card"
This is not an adequate test, as I may choose to talk with someone without giving them my business card.
Except of course that mobile numbers don't appear in any telephone directory in the UK and so are not in the public domain. Therefore my mobile number is confidential until I choose to give it to you.
And I don't.
Overall I thought a well written article that nicely explains what happened and why...
Until I got to this comment..."Vodafone even appends its own HTML to pages, adding a navigation bar highlighting their premium services."...and now I'm questioning all the "facts".
I've been on Vodafone for 11 years now. I've had many different handsets from various manufacturers including Sony, Nokia and HTC. I've regularly used my phone for web browsing for 5 years. I have never seen this premium services bar and my fellow vodafoners in the office haven't either.
I should have linked to our coverage of Vodafone's modification to delivered pages:
...it does depend on the phone being used (or, more accurately, the APN) and is aimed at feature phones rather than smartphones.
What legal justification is there for censoring internet connections? It's all very well saying that they would face legislation from the government if they didn't, but surely such legislation would likely fall foul of the authorities at the European level as has happened in the past in regards to Phorm and the lack of a proper implementation of PECR?
'Break the law voluntarily or we'll force you to anyway'. Is that really such a convincing threat?
Why downvote this? Isn't it right to ask by what right the government think they have to censor our connections, either through legislation or with the active cooperation of the mobile industry?
And if people are worried about the children, then why is nothing done to stop them from buying the damned things to start with? Limit sales to adults, get them to decide if filtering, interception and sharing of personal communications is wanted. Not only are children still protected but adults are also never going to be caught out by filtering that they never asked for nor wanted. Job done.
Of course the mobile phone companies would seem to prefer to throw their customers' privacy under the bus just so they can make more money from our children...
Why downvote this?
"Why downvote this?"
There's a serial comment moderator on here, whose self-appointed task is to tag unsound opinion. I guess it's some retired old f**t with too much time on his hands. The Reg should show who modded what and for what reason.
"What legal justification is there for censoring internet connections?"
To protect you from the terrorists, after all if you've done nothing wrong, then you've got nothing to hide <sarcasm>
The EULA when you get the phone. You have a commercial contract with the company, they can do anything that's in the contract - if you don't like it get another phone.
@Yet Another Anonymous coward
Except that 3 make no reference to filtering in their own terms and conditions. And in addition where the likes of Bluecoat is concerned they claim that any data processing will occur with the same protections in place as in the UK.
I would assume that this is a promise that can't be kept - and should never have been made in the first place - as I imagine that Bluecoat are unlikely to turn away the likes of the FBI when they come calling, promise or no promise.
Anyone know if using the Blackberry network gets around this? My BB on O2 wasn't showing anything - would love to know if due to being on the BB network or just a coincidence
BB goes through RIM's proxies so was unaffected.
Top tip for journalists
Send an HTTP request to O2 that already contains the internal phone number header. See if the O2 systems will give up billing data for random users.
Good article, as an O2 customer and an employee I was following today's events regarding this with interest, I was pretty shocked about it and it was a bit of a WTF moment when I came across tweets about it in my Twitter feed before it clicked to why we'd be putting a mobile number in the header.
As usual we were kept completely in the dark what was going on, but I don't really think it mattered as I only know of one call about it in my team, I think the majority of consumers don't care about these things, they were up in arms when the VAT went up to 20% and they were paying a little extra and if everyone was overcharged a few pennies they'd go nuts about that, but mobile numbers being leaked to websites isn't a big deal as most of them will put their mobile number on Facebook, share it with the world then "like" those sites and friend strangers for extra sheep in FarmVille anyway.
I'd love to know who those trusted partners are too, the only information released to the front line staff pretty much mirrors what's on the blog, there's a few obvious ones such as O2 sites and 3rd party companies such as bango.net (who we use for payments for our age verification system) and a promotions company who were dealing out Amazon vouchers for people taking certain deals. As a mobile number is not seen as PII then I suspect they'll keep us in the dark, but it would be good to know especially if any of the "trusted partners" are social networking sites and although a mobile number is not deemed to be PII it can quite easily be used for billing someone when it comes to premium SMS.
Until I know for sure who's got access to my mobile number I think I'll go back to tunnelling all my mobile traffic through a VPN which will take up extra bandwidth as they won't be able to compress and cache every site I visit and downscale every image I view.
Anon for obvious reasons, usual disclaimers about views being my own blah blah blah...
Thanks for sharing. It's always nice to see the view from inside.
I'm on O2. Bango.net never works. Been trying to remotely AV this connection for flipping months now and it never gets through.
Just imagine your mailman would fiddle around with your mail, changing your letters. Imagine your phone company would change and alter your phone calls or faxes.
There is a reason why such services traditionally require a license: to stop anyone messing around with such things. Unfortunately by now, companies which we put our trust into start messing around with the traffic themselves. The logical way would be to suspend or withdraw the license.
If the license doesn't get withdrawn, why do we even need licenses?
Although they've fixed the mobile number being sent in the HTTP request, there's still a gateway/proxy header transmitted which has London in the address in my case. To me that raises the concern of possible coarse location tracking, especially when the user might be under the impression that location sharing has been disabled on the handset. OK, so it's hardly GPS level of location accuracy and maybe all connections in the UK transmit that same gateway address in the headers. But that still shouldn't happen.
HTTPS and SPDY both solve this problem. Personally, all of the Internet traffic leaving my mobile phone goes over a VPN to my server, so I get a clean connection.
"Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card..."
I'm sorry, so you are saying that my fixed broadband provider can't identify who I am? Does that mean that I can just stop paying them, but still get service, because although they know I've stopped paying, they don't know I am still using it? I mean OK, so they don't use a SIM card, they use my account number and password stored in my modem, but how is that really any different?
No that's not what he's saying at all
In fact you've answered your own question if you think about it for a moment.
The fixed line service cannot identify the computer you are using. That's why you have to authenticate using a login and password in order to, say, post on El Reg. That's why every service you are billed for by a third party requires some form of authentication. You have provided that information by programming your router.
In the case of a mobile you don't need to put that password because the network can authenticate the device from its SIM. Thus services that can read the header info can also authenticate you for billing purposes.
Both use an authentication mechanism: the former a login and password, the latter the unique identifier for the SIM.
One slight wrinkle to this...
.. is that modern smartphones can act as a Wi-Fi proxy for other devices (effectively acting as a router).
Now granted as the phone owner is paying the bill they will probably be picky about what devices are allowed to connect via this method. But there are certain situations where it might not be the phone owner visiting some site, if say they are helping out a friend use their laptop in a cafe.
Wait a minute,
They know my IP address. They gave me the IP address. What do they need my phone number for??
Basic networking. You can't use an IP for billing purposes if it is dynamically assigned because:
1. It won't always belong to the same person.
2. Public IPs only identify the router, not the source and destination of the packets.
3. You need to be authenticated before an IP can be assigned.
Multiple punctuation (personal peeve of mine) makes you look like an excitable fruitcake!!!111!
General Comment not aimed at Mr Carnegie: El Reg needs an Assumed Knowledge section. Maybe a series of icons on stories linking to background / technical / how-it-works info required to understand the article.
On the contrary
A mobile telco can use GGSN RADIUS accounting data to link an IP address to a subscriber's MSISDN for billing, or any other service they choose to offer subscribers, within the confines of their own network.
The PDP context can be used to establish a link between the current IP address and MSISDN/IMSI.
Account data is used for billing, not http traffic.
Bear in mind, unless encrypted, inserting the MSISDN into unencrypted http traffic will also make it visible to every other shady network provider on the route between the mobile telco and the partner network.
Seems a bit of a crude way of doing things.
If I were to use headers I'd probably go down the route of inserting a hash of the number which can be looked up somewhere. That way if it does make its way into the wild at least it's gibberish.
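The trusted-partner filter and the hashed-identifier idea raised in the comments above, sketched as an added example (not O2's code or any commenter's). Header names, partner hosts and keys are hypothetical, and it uses a per-partner keyed HMAC rather than a bare hash, because the space of phone numbers is small enough to enumerate.

```python
import hashlib
import hmac

# Hypothetical header names; the page does not name the real header.
RAW_HEADER = "X-Example-MSISDN"
TOKEN_HEADER = "X-Example-Subscriber-Token"

# Constructed allow-list: partner host -> that partner's secret key.
PARTNER_KEYS = {
    "pay.partner.example": b"constructed-key-A",
    "promo.partner.example": b"constructed-key-B",
}


def subscriber_token(msisdn: str, key: bytes) -> str:
    """Keyed pseudonym: without the key it cannot be enumerated back to a number."""
    return hmac.new(key, msisdn.encode("ascii"), hashlib.sha256).hexdigest()


def egress_headers(headers: dict, host: str, msisdn: str) -> dict:
    """Return the headers the proxy forwards upstream for one request."""
    identity = {RAW_HEADER.lower(), TOKEN_HEADER.lower()}
    # Always drop identity headers sent by the handset, so a client
    # cannot present itself as another subscriber.
    out = {k: v for k, v in headers.items() if k.lower() not in identity}
    # Fail closed: exact host match only, unknown hosts get nothing.
    name = host.lower().split(":")[0].rstrip(".")
    key = PARTNER_KEYS.get(name)
    if key is not None:
        # Per-partner key: two partners cannot correlate the same subscriber.
        out[TOKEN_HEADER] = subscriber_token(msisdn, key)
    return out
```

The raw number never leaves the network in this design; a partner resolves its token through whatever lookup the operator offers, and a leaked token is useless to anyone without that partner's key.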
Yes but you can presumably also find your arse with both hands - this is a mobile phone company we are talking about!
What about PAYG?
"Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card,"
What about PAYG SIMs, purchased with cash?
Then they'll filter your connection (theoretically to filter out 'adult' material but the filter seems to catch much more than that - including pages that are critical of the network in question).
If you're not careful in your choice of network this interception of your personal communications will also involve sharing it with other people who will follow you on your online activities (and completely outside of the control of the regulators here).
What lawful right...
does any telco have to inspect or modify the content of a private/confidential third party communication?
Or censor content without the explicit consent of the subscriber?
What UK mobile telcos are doing is entirely *illegal*.
One more reason to use SSL by default
I always use SSL when building apps because of this.
Hmm. A little lost with all the acronyms. Are you saying that if you use SSL, no uniquely identifying data is sent to 3rd party websites? If not, what does get sent? IP? MSISDN? anything else?
Does your answer hold for the carrier's 'partners'?
Turn about is fair play. If they leak any of our information, then it's just as fair to leak their information.
After finding the age restriction block on my phone stopped me visiting security related websites, I installed TOR on my mobile. So now they don't see most of my mobile traffic and can't add my number to the packets.
The more they interfere, the more you want to hide info from them.