Why O2 shared your mobile number with the world
And why they'll probably do similar again
O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught.
The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded. O2 has provided a simplified FAQ, which explains almost nothing - specifically what the operator might do to prevent such a thing happening again.
To understand how, and why, O2 started leaking customer data one has to realise that mobile networks are very unlike their fixed contemporaries, that they routinely interfere with the web pages sent and received over data connections, and that if they didn't the UK government would step in and force them to do so.
Delivering customer phone numbers to every website, in the HTTP headers, wasn't a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company's network. Adding the information wasn't the mistake, failing to take it away is what caused the problem.
How it happened
Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user, allowing seamless payments, and privileged information (such as billing or customer care) can be displayed without needing passwords or user names, most of which is genuinely very useful.
A mobile phone can't append its number to web requests: most mobile phones don’t know their own number, and even if they did they couldn't be trusted, so the network identifies the user in communication with the SIM, then appends that information to the HTTP headers for use by other servers within the operator's network.
There's no standard way of doing that. Back in 2010 researchers in Germany found the same information in about 20 different HTTP headers [PDF], sometimes replicated by different systems within one operator's network (two different routers adding the same information, under a different name, entirely unaware of each others' existence).
If the user is connecting to the billing system, or the operator's music shop, then that header is used to bill the services to the right account. The header might also be passed to partners such as those handling PayForIt transactions or selling services by agreement with the network operator - a good example being a Java application store selling games on behalf of the network operator.
But if the HTTP page request is routed out of the operator's network, and not to a contracted partner, then there's some router that is supposed to remove such data.
That's the gear which was wrongly configured at O2, and let the headers through.
What happens on other networks
O2's intended handling of HTTP requests is nothing compared to Vodafone, which routinely strips all the headers from those using featurephones making it impossible for sites to optimise content for such handsets. Vodafone even appends its own HTML to pages, adding a navigation bar highlighting their premium services.
Few operators are so brazen, but most will strip out comments and redundant code, and almost all of them compress images and videos for mobile consumption. Few users ever notice that, and in general it makes for a faster browsing experience.
Mobile operators in the UK have also taken it upon themselves to filter out pornography (under threat of legislation if they don't) until customers have proved their age (generally with a credit card authorisation, but dropping into a shop and looking old works too). They also, like the majority of fixed ISPs, use the Internet Watch Foundation's list to block access to the worst of the worst.
So when a website pops up on a mobile screen it has already been analysed, compressed, manipulated and mangled, headers have been appended and stripped – and that's assuming your operator thinks you're old enough to see the content anyway.
But what's really weird is that if you're on O2's 3G network then it will be busy blocking and managing the content you access, but switch to O2's Wi-Fi network - a mere 300MHz up the dial - and it's porno city and they wouldn't dare touch one's HTTP headers any more than they'd trust you are who you say you are.
So here we have two philosophies of internet access, separated by a few hundred megacycles. It will likely be the mobile model that ultimately prevails as everyone offering internet access sees the advantage in compressing and mutating content to suit their customers, which means more operators looking at ways to identify their users, and probably more leaks just like this one. ®
Sponsored: RAID: End of an era?