Why O2 shared your mobile number with the world O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught. The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little as few …
"...as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded..."
Although I'm sure if left unfixed, the various websites that host the world's banner ads would very quickly modify their logging to record the contents of this header if provided, and store phone numbers alongside whatever behavioural stats are being recorded and what ads have been served/clicked.
Not quite. By O2's own admission, they fully intend to leave the phone number HTTP header in, but only for 'trusted partners'. It is this filter that wasn't working, not a catch-all removal.
And it's not quite as cut and dried as a badly configured proxy:
What they haven't told us yet is who the 'trusted partners' are. This becomes a data protection issue, as a phone number counts as personal contact data. If they have to share information with 'trusted partners' it should be a unique identifier, not contact data.
Perfectly explicable, it's called a "telephone directory". The information is already in the public domain by default opt-in when signing up for telephone services.
Now, if they've done this for anyone who's opted out of the directory - i.e. made the point that their number is to be treated as confidential information..........(!)
Overall I thought a well written article that nicely explains what happened and why...
Until I got to this comment..."Vodafone even appends its own HTML to pages, adding a navigation bar highlighting their premium services."...and now i'm questioning all the "facts".
I've been on vodafone for 11years now . I've had many different handsets from various manufactuers including Sony, Nokia and HTC. I've regularly used my phone for web browsing for 5years. I have never seen this premium services bar and my fellow vodafoners in the office haven't either.
What legal justification is there for censoring internet connections? It's all very well saying that they would face legislation from the government if they didn't, but surely such legislation would likely fall foul of the authorities at the European level as has happened in the past in regards to Phorm and the lack of a proper implementation of PECR?
'Break the law voluntarily or we'll force you to anyway'. Is that really such a convincing threat?
Why downvote this? Isn't it right to ask by what right the government think they have to censor our connections, either through legislation or with the active cooperation of the mobile industry?
And if people are worried about the children, then why is nothing done to stop them from buying the damned things to start with? Limit sales to adults, get them to decide if filtering, interception and sharing of personal communications is wanted. Not only are children still protected but adults are also never going to be caught out by filtering that they never asked for nor wanted. Job done.
Of course the mobile phone companies would seem to prefer to throw their customers privacy under the bus just so they can make more money from our children...
"Why downvote this?"
There's a serial comment moderator on here, who's self appointed task is to tag unsound opinion. I guess it's some retired old f**t with too much time on his hands. The Reg should show who modded what and for what reason.
"What legal justification is there for censoring internet connections?"
To protect you from the terrorists, after all if you've done nothing wrong, then you've got nothing to hide <sarcasm>
Except that 3 make no reference to filtering in their own terms and conditions. And in addition where the likes of Bluecoat is concerned they claim that any data processing will occur with the same protections in place as in the UK.
I would assume that this is a promise that can't be kept - and should never have been made in the first place - as I imagine that Bluecoat are unlikely to turn away the likes of the FBI when they come calling, promise or no promise.
Good article, as an O2 customer and an employee I was following todays events regarding this with interest, I was pretty shocked about it and it was a bit of a WTF moment when I came across tweets about it in my twitter feed before it clicked to why we'd be putting a mobile number in the header.
As usual we were kept complete in the dark what was going on, but I don't really think it mattered as I only know of one call about it in my team, I think the majority of consumers don't care about these things, they were up in arms when the VAT went up to 20% and they were paying a little extra and if everyone was overcharged a few pennies they'd go nuts about that, but mobile numbers being leaked to websites isn't a big deal as most of them will put their mobile number on facebook, share it with the world then "like" those sites and friend strangers for extra sheep in farmville anyway.
I'd love to know who those trusted partners are too, the only information released to the front line staff pretty much mirrors what's on the blog, there's a few obvious ones such as O2 sites and 3rd party companies such as bango.net (who we use for payments for our age verification system) and a promotions company who were dealing out Amazon vouchers for people taking certain deals. As a mobile number is not seen as PII then I suspect they'll keep us in the dark, but it would be good to know especially if any of the "trusted partners" are social networking sites and although a mobile number is not deemed to be PII it can quite easily be used for billing someone when it comes to premium SMS.
Until I know for sure who's got access to my mobile number I think I'll go back to tunnelling all my mobile traffic through a VPN which will take up extra bandwidth as they wont be able to compress and cache every site I visit and downscale every image I view.
Anon for obvious reasons, usual disclaimers about views being my own blah blah blah...
Just imagine your mailman would fiddle around with your mail, changing your letters. Imagine your phone company would change and alter your phone calls or faxes.
There is a reason why such service traditionally require a license: To stop anyone to mess around with such things. Unfortunately by now, companies which we put our trust into, start messing around with the traffic themselves. The logical way would be to suspend or withdraw the license.
If the license doesn't get withdrawn, why do we even need licenses?
O2 do (or did when I last checked) also modify the content that's downloaded. There's a link to an external javascript file inserted into the head section of HTML pages which appears to downsample images to low res versions. I first noticed this when using my phone as a modem tethered by bluetooth to my laptop a few years ago, and wondered why the images were coming through quite pixellated in Firefox. Not sure whether they still do this though.
Although they've fixed the mobile number being sent in the HTTP request, there's still a gateway/proxy header transmitted which has london in the address in my case. To me that raises the concern of possible coarse location tracking, especially when the user might be under the impression that location sharing has been disabled on the handset. Ok so it's hardly GPS level of location accuracy and maybe all connections in the UK transmit that same gateway address in the headers. But that still shouldn't happen.
"Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card..."
I'm sorry, so you are saying that my fixed broadband provider can't identify who I am? Does that mean that I can just stop paying them, but still get service, because although they know I've stopped paying, they don't know I am still using it? I mean OK, so they don't use a SIM card, they use my account number and password stored in my modem, but how is that really any different?
In fact you've answered your own question if you think about if for a moment.
The fixed line service cannot identify the computer you are using. That's why you have to authenticate using a login and password in order to, say, post on El Reg. That's why every service you are billed for by a third party requires some form of authentication. You have provided that information by programming your router.
In the case of a mobile you don't need to put that password because the network can authenticate the device from it's SIM. Thus services that can read the header info can also authenticate you for billing purposes.
Both use an authentication mechanism: the former a login and password, the latter the unique identifier for the SIM.
.. is that modern smartphones can act as a Wi-Fi proxy for other devices (effectively acting as a router).
Now granted as the phone owner is paying the bill they will probably be picky about what devices are allowed to connect via this method. But there are certain situations where it might not be the phone owner visiting some site, if say they are helping out a friend use their laptop in a cafe.
Basic networking. You can't use an IP for billing purposes if it is dynamically assigned because:
1 it won't always belong to the same person.
2 public IPs only identify the router not the source and destination of the packets
3 you need to be authenticated before an IP can be assigned.
Multiple punctuation (personal peeve of mine) makes you look like an excitable fruitcake!!!111!
General Comment not aimed at Mr Carnegie: El Reg needs an Assumed Knowledge section. Maybe a series of icons on stories linking to background / technical / how-it-works info required to understand the article.
A mobile telco can use GGSN RADIUS accounting data to link an IP address to a subscriber's MSISDN for billing, or any other service they choose to offer subscribers, within the confines of their own network.
The PDP context can be used to establish a link between the current IP address and MSISDN/IMSI.
Account data is used for billing, not http traffic.
Bear in mind, unless encrypted, inserting the MSISDN into unencrypted http traffic will also make it visible to every other shady network provider on the route between the mobile telco and the partner network.
Then they'll filter your connection (theoretically to filter out 'adult' material but the filter seems to catch much more than that - including pages that are critical of the network in question).
If you're not careful in your choice of network this interception of your personal communications will also involve sharing it with other people who will follow you on your online activities (and completely outside of the control of the regulators here).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
