Why O2 shared your mobile number with the world

And why they'll probably do similar again

O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught.

The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little, as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded. O2 has provided a simplified FAQ, which explains almost nothing, and certainly not what the operator might do to prevent such a thing happening again.

To understand how, and why, O2 started leaking customer data one has to realise that mobile networks are very unlike their fixed contemporaries, that they routinely interfere with the web pages sent and received over data connections, and that if they didn't the UK government would step in and force them to do so.

Delivering customer phone numbers to every website, in the HTTP headers, wasn't a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company's network. Adding the information wasn't the mistake; failing to take it away is what caused the problem.

How it happened

Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user, allowing seamless payments, and privileged information (such as billing or customer care) can be displayed without needing passwords or user names, most of which is genuinely very useful.

A mobile phone can't append its number to web requests: most mobile phones don’t know their own number, and even if they did they couldn't be trusted, so the network identifies the user in communication with the SIM, then appends that information to the HTTP headers for use by other servers within the operator's network.

There's no standard way of doing that. Back in 2010 researchers in Germany found the same information in about 20 different HTTP headers [PDF], sometimes replicated by different systems within one operator's network (two different routers adding the same information, under a different name, entirely unaware of each other's existence).

If the user is connecting to the billing system, or the operator's music shop, then that header is used to bill the services to the right account. The header might also be passed to partners such as those handling PayForIt transactions or selling services by agreement with the network operator - a good example being a Java application store selling games on behalf of the network operator.

But if the HTTP page request is routed out of the operator's network, and not to a contracted partner, then there's some router that is supposed to remove such data.

That's the gear which was wrongly configured at O2, and let the headers through.
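
The flow described above (identify the subscriber from the SIM, add the number to the request inside the operator's network, strip it again at the egress proxy unless the destination is a billing system or contracted partner) is easy to get wrong in exactly the way the article describes, so here is an added example of that policy and a check on what actually leaves. This is illustrative code written for this page, not O2's configuration or any operator's software; the header names, the destination allow-list and the phone number are all constructed (the number is from the UK's reserved fictional range), and real operators use their own, varying header names. The `simulate` function also shows the failure mode from the point about duplicated headers: a strip list that knows one name but not its alias lets the number through.

```python
"""Egress header-scrubbing policy for a mobile operator gateway (illustrative)."""
from urllib.parse import urlsplit

# Constructed header names standing in for the operator-specific headers the
# article describes; real names differ per network and must be inventoried.
SUBSCRIBER_HEADERS = frozenset({"x-msisdn", "x-subscriber-id"})

# Constructed allow-list: only these destinations may see the subscriber headers.
INTERNAL_SUFFIXES = (".billing.example.net", ".shop.example.net")
PARTNER_HOSTS = frozenset({"payforit.partner.example"})


def ingress_annotate(headers, msisdn, names=SUBSCRIBER_HEADERS):
    """Simulate the network gateway: attach the SIM-derived number to a request.

    Keys are normalised to lower case, as HTTP header names are case-insensitive.
    """
    out = {k.lower(): v for k, v in headers.items()}
    for name in names:
        out[name] = msisdn
    return out


def is_trusted_destination(url):
    """True if the request stays inside the operator or goes to a contracted partner."""
    host = (urlsplit(url).hostname or "").lower()
    return host in PARTNER_HOSTS or host.endswith(INTERNAL_SUFFIXES)


def egress_scrub(headers, url, strip_names=SUBSCRIBER_HEADERS):
    """The egress proxy's job: drop subscriber headers for any untrusted destination.

    strip_names is the proxy's configured list; if it is incomplete, anything
    not on it survives, which is the misconfiguration this example exposes.
    """
    if is_trusted_destination(url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in strip_names}


def audit_leak(headers, url, known=SUBSCRIBER_HEADERS):
    """Independent check on the outgoing request: which subscriber headers are
    still present for an untrusted destination? Empty list means no leak."""
    if is_trusted_destination(url):
        return []
    return sorted(k for k in headers if k.lower() in known)


def simulate(url, msisdn="+447700900123", strip_names=SUBSCRIBER_HEADERS):
    """Run one request through ingress annotation and egress scrubbing, then audit it."""
    request = ingress_annotate({"User-Agent": "ExampleBrowser/1.0"}, msisdn)
    sent = egress_scrub(request, url, strip_names)
    return audit_leak(sent, url)


if __name__ == "__main__":
    # Correctly configured proxy: nothing identifying reaches a public site.
    print("public site, full strip list:", simulate("https://news.example.org/"))
    # Proxy configured with only one of the two header names in use.
    print("public site, partial strip list:",
          simulate("https://news.example.org/", strip_names=frozenset({"x-msisdn"})))
    # Internal shop keeps the header so it can bill the right account.
    print("internal shop:", simulate("https://music.shop.example.net/"))
```

The point of keeping `audit_leak` separate from `egress_scrub` is that it is driven by an inventory of every header the network is known to add, not by the proxy's own strip list; the two lists drifting apart is precisely how a second router's duplicate header slips past a proxy that was only ever told about the first.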

What happens on other networks

O2's intended handling of HTTP requests is nothing compared to Vodafone, which routinely strips all the headers from those using featurephones, making it impossible for sites to optimise content for such handsets. Vodafone even appends its own HTML to pages, adding a navigation bar highlighting their premium services.

Few operators are so brazen, but most will strip out comments and redundant code, and almost all of them compress images and videos for mobile consumption. Few users ever notice that, and in general it makes for a faster browsing experience.

Mobile operators in the UK have also taken it upon themselves to filter out pornography (under threat of legislation if they don't) until customers have proved their age (generally with a credit card authorisation, but dropping into a shop and looking old works too). They also, like the majority of fixed ISPs, use the Internet Watch Foundation's list to block access to the worst of the worst.

So when a website pops up on a mobile screen it has already been analysed, compressed, manipulated and mangled, headers have been appended and stripped – and that's assuming your operator thinks you're old enough to see the content anyway.

But what's really weird is that if you're on O2's 3G network then it will be busy blocking and managing the content you access, but switch to O2's Wi-Fi network - a mere 300MHz up the dial - and it's porno city, and they wouldn't dare touch your HTTP headers any more than they'd trust that you are who you say you are.

So here we have two philosophies of internet access, separated by a few hundred megacycles. It will likely be the mobile model that ultimately prevails as everyone offering internet access sees the advantage in compressing and mutating content to suit their customers, which means more operators looking at ways to identify their users, and probably more leaks just like this one. ®
