Why O2 shared your mobile number with the world

And why they'll probably do similar again

O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught.

The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded. O2 has provided a simplified FAQ, which explains almost nothing - specifically what the operator might do to prevent such a thing happening again.

To understand how, and why, O2 started leaking customer data one has to realise that mobile networks are very unlike their fixed contemporaries, that they routinely interfere with the web pages sent and received over data connections, and that if they didn't the UK government would step in and force them to do so.

Delivering customer phone numbers to every website, in the HTTP headers, wasn't a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company's network. Adding the information wasn't the mistake; failing to take it away again is what caused the problem.

How it happened

Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user, allowing seamless payments, and privileged information (such as billing or customer care) can be displayed without needing passwords or user names, most of which is genuinely very useful.

A mobile phone can't append its number to web requests: most mobile phones don't know their own number, and even if they did they couldn't be trusted, so the network identifies the user in communication with the SIM, then appends that information to the HTTP headers for use by other servers within the operator's network.

There's no standard way of doing that. Back in 2010 researchers in Germany found the same information in about 20 different HTTP headers [PDF], sometimes replicated by different systems within one operator's network (two different routers adding the same information, under different names, entirely unaware of each other's existence).

If the user is connecting to the billing system, or the operator's music shop, then that header is used to bill the services to the right account. The header might also be passed to partners such as those handling PayForIt transactions or selling services by agreement with the network operator - a good example being a Java application store selling games on behalf of the network operator.

But if the HTTP page request is routed out of the operator's network, and not to a contracted partner, then there's some router that is supposed to remove such data.

That's the gear which was wrongly configured at O2, and let the headers through.
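The tag-then-strip pipeline described above, as an added illustration that is not O2's or any operator's real configuration: the header name, host names and phone number below are all constructed, and the "misconfigured" egress simply forwards every header unchanged, which is the failure mode the article describes. The last function is the check a website operator could run on inbound requests to notice such a leak.

```python
"""Model of an operator's HTTP proxy chain: identify the subscriber at
ingress, tag the request for internal billing services, then strip the
tag at egress before the request leaves the operator's network."""
import re
from urllib.parse import urlparse

# Hypothetical header name (constructed for this example; operators use
# their own, non-standard names).
SUBSCRIBER_HEADER = "X-Example-Subscriber-Msisdn"

# Constructed allow-list: hosts that may legitimately see the subscriber tag.
INTERNAL_HOSTS = {"billing.operator.example", "music.operator.example"}
PARTNER_HOSTS = {"payforit-partner.example", "appstore-partner.example"}

# Shape of a phone number as it would appear in such a header (E.164-ish).
PHONE_SHAPE = re.compile(r"^\+?\d{10,15}$")


def ingress_tag(request: dict, msisdn: str) -> dict:
    """Network-side identification: the handset never supplies its number;
    the network learns it from the SIM session and adds it as a header."""
    tagged = dict(request)
    tagged["headers"] = dict(request["headers"])
    tagged["headers"][SUBSCRIBER_HEADER] = msisdn
    return tagged


def egress_misconfigured(request: dict) -> dict:
    """The failure mode in the article: the egress router forwards every
    header unchanged, regardless of where the request is going."""
    return request


def egress_correct(request: dict) -> dict:
    """Strip subscriber-identifying headers unless the destination is an
    internal or contracted partner host. Host and header names are compared
    case-insensitively so a capitalised variant is not waved through."""
    host = (urlparse(request["url"]).hostname or "").lower()
    if host in INTERNAL_HOSTS or host in PARTNER_HOSTS:
        return request
    scrubbed = dict(request)
    scrubbed["headers"] = {
        name: value for name, value in request["headers"].items()
        if name.lower() != SUBSCRIBER_HEADER.lower()
    }
    return scrubbed


def deliver(egress, url: str, msisdn: str = "+447700900123") -> dict:
    """Run one constructed request through ingress tagging and the given
    egress policy; return the headers that reach the destination."""
    request = {
        "url": url,
        "headers": {
            "Host": urlparse(url).hostname or "",
            "User-Agent": "Mozilla/5.0 (constructed example)",
            "Accept": "text/html",
        },
    }
    return egress(ingress_tag(request, msisdn))["headers"]


def leaked_identifiers(headers: dict) -> list:
    """Defender-side check for a website: list inbound headers whose value
    looks like a phone number. Header names differ between operators, so
    the heuristic matches on value shape rather than on name."""
    return sorted(
        name for name, value in headers.items()
        if PHONE_SHAPE.match(value.strip())
    )


if __name__ == "__main__":
    for policy in (egress_misconfigured, egress_correct):
        reached = deliver(policy, "http://news.example/story")
        print(policy.__name__, "->", leaked_identifiers(reached))
```

Both policies leave the tag in place for the billing host; only the correct one removes it for an outside site. The detection heuristic deliberately ignores header names, because the page notes that operators do not agree on what to call the header.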

What happens on other networks

O2's intended handling of HTTP requests is nothing compared to Vodafone, which routinely strips all the headers from those using featurephones, making it impossible for sites to optimise content for such handsets. Vodafone even appends its own HTML to pages, adding a navigation bar highlighting its premium services.

Few operators are so brazen, but most will strip out comments and redundant code, and almost all of them compress images and videos for mobile consumption. Few users ever notice that, and in general it makes for a faster browsing experience.

Mobile operators in the UK have also taken it upon themselves to filter out pornography (under threat of legislation if they don't) until customers have proved their age (generally with a credit card authorisation, but dropping into a shop and looking old works too). They also, like the majority of fixed ISPs, use the Internet Watch Foundation's list to block access to the worst of the worst.

So when a website pops up on a mobile screen it has already been analysed, compressed, manipulated and mangled, headers have been appended and stripped – and that's assuming your operator thinks you're old enough to see the content anyway.

But what's really weird is that if you're on O2's 3G network then it will be busy blocking and managing the content you access, but switch to O2's Wi-Fi network - a mere 300MHz up the dial - and it's porno city and they wouldn't dare touch one's HTTP headers any more than they'd trust you are who you say you are.

So here we have two philosophies of internet access, separated by a few hundred megacycles. It will likely be the mobile model that ultimately prevails as everyone offering internet access sees the advantage in compressing and mutating content to suit their customers, which means more operators looking at ways to identify their users, and probably more leaks just like this one. ®
