O2 apologizes for 'unintended' number-leak cockup

O2 has issued a public apology for leaking the phone numbers of some 3G customers in header information sent to website managers. “We would like to apologize for the concern we have caused,” the company said in a statement. The cellco said it was standard industry practice to send out user’s phone number information in this …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    So, Phorm's offspring has gone mobile, then?

    Given that Phorm-style technology can work both ways, a careful read of the article would seem to indicate so: According to the article, O2 customers who were surfing the web on their phones via Wi-Fi were not affected, but those who were surfing through the O2 network were affected.

    Given that two given HTTP requests to identical static URLs/pages hosted by the same web server should be semantically identical, the fact that they are not indicates that O2 is doing some on-the-fly request header rewriting.

    So if O2 is rewriting outgoing requests, how do we know that it's not rewriting inbound responses?

    1. Chad H.

      Old news

      Yawn. All mobile cos modify web requests from their cell networks

      The most obvious symptom being bad quality images.

    2. Voland's right hand Silver badge
      Devil

      It has been mobile for ages

      The stuff that irked the fixed line users in Phorm has been the Norm in mobile ever since mobile broadband packages and internet data bundles appeared 5+ years ago.

      Initially there would have been no way to deliver anything sensible without it. In the days of GPRS (and Edge here and there) the bandwidth of an average mobile connection pretty much required re-writing web pages.

      The "other uses" came later.

      1. Annihilator
        Go

        Norm in mobiles?

        "Initially there would have been no way to deliver anything sensible without it. In the days of GPRS (and Edge here and there) the bandwidth of an average mobile connection pretty much required re-writing web pages. The "other uses" came later."

        Not quite. Initially there was WAP/wml which the sooner we forget about, the better, but that was designed to create custom "web" pages on small screens with the bandwidth limit on GPRS. It wasn't http/html so can't really be considered interfering or rewriting (although that technically happened - wml was converted/compressed to bytecode by the WAP gateway).

        All the while though, GPRS/EDGE was also capable of providing (and did provide) a "pure" net connection, with no proxies or interference on internet connections. Using IrDA or Bluetooth I regularly used my mobile as a modem - initially as "dial-up" (you could use it as a 9.6K dial-up modem to any ISP's numbers), then as a pure GPRS or EDGE connection directly through an APN; you even had your own IP address and it would permit any traffic. Part of the reason Opera Mini took off was because it would compress images/html etc. I'd say it was around the time of 3G taking off when network operators started introducing the closed model with Opera-esque NATed/proxied content with content re-writing.

    3. Pete the not so great
      Black Helicopters

      Scripts too

      I've heard they also "minify" and mangle JavaScript code.

  3. Anonymous Coward
    Anonymous Coward

    And that's numberwang

    Was this just O2 or all the virtual providers like Tesco and GiffGaff that also use the O2 network?

    1. JOKM

      all of them

  4. Annihilator
    Flame

    The missing kicker

    The Information Commissioner doesn't consider this to be a breach of DPA, as apparently a mobile telephone doesn't constitute personal data. Quite how the &^%* they come to that conclusion, I've no idea, but O2 are free to give it out to whichever "trusted parties" they choose, regardless of your permission.

  5. s. pam Silver badge
    Flame

    Where's the fucking refund you cunning linguists

    So you compromise MY browsing AND fucking bill me for it.

    Cunning runts

  6. Mike Flugennock
    Coat

    Unintended? "Honestly, officer...

    ...I was just standing here with this knife, and this guy just ran into me -- twelve times -- backwards."

  7. Wize

    So they do intend to give your number to certain people...

    ...just that they were caught doing it.

  8. Studley

    "Unintended" (alternative definition)

    "We didn't mean to get found out"

  9. jai

    are they going to be offering us all new numbers now then?

  10. Richard Sower

    been a while

    If I remember correctly a guy gave a presentation on this at a privacy conference in 2010. And then created a website that you could go to to see if your phone operator was doing it.

    1. Anonymous Coward
      Anonymous Coward

      Yes, Colin Mulliner @ CanSecWest 2010; his presentation is at

      https://www.mulliner.org/security/feed/random_tales_mobile_hacker.pdf

      Basically he found nearly everyone sending extended HTTP headers and he collected a whole bunch of mobile phone data on a popular site that he hosted.

      stuff like HTTP_USER_AGENT: Mozilla/5.0 (SymbianOS/9.3; U; ... HTTP_X_NOKIA_MUSICSHOP_BEARER: GPRS/3G

      HTTP_X_NOKIA_REMOTESOCKET: HTTP_X_NOKIA_LOCALSOCKET: HTTP_X_NOKIA_GATEWAY_ID: HTTP_X_NOKIA_BEARER:

      HTTP_X_NOKIA_MSISDN: HTTP_X_NOKIA_SGSNIPADDRESS: 194.33.27.146

      HTTP_X_NETWORK_INFO: HTTP_X_ORANGE_RAT:

      3G, 10.45.28.146, 4479801754XX, 194.33.27.146, unsecured 1

      from Orange UK in 2010

      RAT in this case could mean radio access technology - which just happens to include the phone number - but for many years we have been told that the IMSI/IMEI and the phone number will never be cross-correlated, as to do so is an invasion of privacy. It's not an invasion, it is a Spanish inquisition, that nobody expected!
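A defender-side check in the spirit of the test site described above: compare the headers a server sees from a Wi-Fi request with those from a mobile-network request, flag the injected ones that look like subscriber identity, and redact them before they reach a log. This is an added example, not code from the post or from Mulliner's paper; the header names are taken from the ones quoted above, the detection pattern is an assumption, and the sample requests are constructed.

```python
import re

# Header names quoted in the thread (Nokia/Orange, 2010). Any carrier can use its own
# names, so the name check is backed by a value check. Assumed, not an authoritative list.
SENSITIVE_HEADER_RE = re.compile(r"^x-.*(msisdn|network-info)", re.I)
# Rough shape of a UK mobile number: optional 44/0 prefix, then 7 and nine more digits.
MSISDN_RE = re.compile(r"\b(?:\+?44|0)?7\d{9}\b")

# Constructed sample requests: the same page fetched over Wi-Fi and over the cell network.
WIFI_REQUEST = {
    "Host": "example.com",
    "User-Agent": "Mozilla/5.0 (SymbianOS/9.3; U; ...)",
    "Accept": "*/*",
}
MOBILE_REQUEST = {
    **WIFI_REQUEST,
    "X-Nokia-Bearer": "3G",
    "X-Nokia-MSISDN": "447700900123",          # constructed, Ofcom drama range
    "X-Nokia-SGSNIPAddress": "194.33.27.146",
    "X-Network-Info": "3G, 10.45.28.146, 447700900123, 194.33.27.146, unsecured 1",
}

def injected_headers(wifi, mobile):
    """Headers that the mobile-network path added or altered relative to the Wi-Fi path."""
    w = {k.lower(): v for k, v in wifi.items()}
    m = {k.lower(): v for k, v in mobile.items()}
    return {k: v for k, v in m.items() if w.get(k) != v}

def classify(headers):
    """(name, reason) pairs for headers that appear to carry subscriber identity."""
    hits = []
    for name, value in headers.items():
        if SENSITIVE_HEADER_RE.match(name):
            hits.append((name, "known identity header"))
        elif MSISDN_RE.search(value):
            hits.append((name, "value looks like a UK mobile number"))
    return hits

def redact(headers):
    """Copy of headers with flagged values replaced, safe to write to access logs."""
    flagged = {n for n, _ in classify(headers)}
    return {k: ("[REDACTED]" if k in flagged else v) for k, v in headers.items()}

if __name__ == "__main__":
    injected = injected_headers(WIFI_REQUEST, MOBILE_REQUEST)
    for name, reason in classify(injected):
        print(f"{name}: {reason}")
    print(redact(injected))
```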

  11. Graham Marsden
    Holmes

    “certain trusted partners”

    ie those who we trust to pay us for giving them your mobile number...

  12. MrHorizontal

    Gonna need more than an apology...

    It's pretty criminal if you ask me to so carelessly identify users like that.

    I'd expect not only a whopping great fine from the ICO, but a renewed debate on Net Neutrality for mobile (should be no different to fixed) and also a kick-back to all O2 customers with a smartphone.

    Given that it is worth about $17 for a website to know the identity of a user, tripling this to $51 worth of kick back to all smartphone customers should be the minimum. I'd expect that should be some break from monthly charges, though O2 will probably think some free apps or other totally useless 'value-back' will suffice. It won't.

    O2 should be in real trouble here.

    1. bob 46

      Woah there

      "..Given that its worth about $17 for a website to know the identity of a user.."

      Where is that figure from?

      Also, a mobile phone number is personal information (despite what the ICO says) but it's not a name...

    2. dephormation.org.uk
      Unhappy

      "I'd expect not only a whopping great fine from the ICO"

      Sadly... when you discover how lazy, corrupt, incompetent, and powerless the ICO are... you will be very disappointed.

      For example; BT/Phorm - no action. ACS/Law leaked emails - no action against BT, £800 fine for Crossley. TalkTalk/Huawei - no action against TalkTalk or Huawei.

      And so on, and so on.

  13. dice

    Apology wording

    They said “We would like to apologize for the concern we have caused" - this sounds like they're apologising for causing concern, not for the data breach itself. It implies that O2 don't think people should have been concerned. Like they're apologising for not having educated their user base better about this sort of thing, and had the user base been better educated they never would have been concerned about this type of technical error.

  14. Mips
    Childcatcher

    "unintended" ?

    So you don't have to apologise for an intended leak

  15. Anonymous Coward
    Unhappy

    Optional

    Orange have sent my number out in requests using 3G and I have been spammed by the websites visited.

    Technology is hard.
