Feeds

Why O2 shared your mobile number with the world

And why they'll probably do similar again

Beginner's guide to SSL certificates

O2 has been sharing customers' phone numbers with every website they visited, but O2 isn't the only offender - it's just the one that slipped up and got caught.

The Information Commissioner will investigate, and O2 will be told it should be more careful in future. Punters will be outraged but actually suffer very little as few websites collect unknown HTTP headers like the one in which mobile numbers were embedded. O2 has provided a simplified FAQ, which explains almost nothing - specifically what the operator might do to prevent such a thing happening again.

To understand how, and why, O2 started leaking customer data one has to realise that mobile networks are very unlike their fixed contemporaries, that they routinely interfere with the web pages sent and received over data connections, and that if they didn't the UK government would step in and force them to do so.

Delivering customer phone numbers to every website, in the HTTP headers, wasn't a deliberate policy nor some form of conspiracy, just a badly configured proxy that should have removed the data before it left the company's network. Adding the information wasn't the mistake, failing to take it away is what caused the problem.

How it happened

Mobile web browsing is different from fixed browsing for one important reason - the network can absolutely, and securely, identify the customer from the SIM card, which opens up lots of opportunities unavailable to fixed ISPs. Once the customer has been identified then services can be automatically billed to that user, allowing seamless payments, and privileged information (such as billing or customer care) can be displayed without needing passwords or user names, most of which is genuinely very useful.

A mobile phone can't append its number to web requests: most mobile phones don’t know their own number, and even if they did they couldn't be trusted, so the network identifies the user in communication with the SIM, then appends that information to the HTTP headers for use by other servers within the operator's network.

There's no standard way of doing that. Back in 2010 researchers in Germany found the same information in about 20 different HTTP headers [PDF], sometimes replicated by different systems within one operator's network (two different routers adding the same information, under a different name, entirely unaware of each others' existence).

If the user is connecting to the billing system, or the operator's music shop, then that header is used to bill the services to the right account. The header might also be passed to partners such as those handling PayForIt transactions or selling services by agreement with the network operator - a good example being a Java application store selling games on behalf of the network operator.

But if the HTTP page request is routed out of the operator's network, and not to a contracted partner, then there's some router that is supposed to remove such data.

That's the gear which was wrongly configured at O2, and let the headers through.

What happens on other networks

O2's intended handling of HTTP requests is nothing compared to Vodafone, which routinely strips all the headers from those using featurephones making it impossible for sites to optimise content for such handsets. Vodafone even appends its own HTML to pages, adding a navigation bar highlighting their premium services.

Few operators are so brazen, but most will strip out comments and redundant code, and almost all of them compress images and videos for mobile consumption. Few users ever notice that, and in general it makes for a faster browsing experience.

Mobile operators in the UK have also taken it upon themselves to filter out pornography (under threat of legislation if they don't) until customers have proved their age (generally with a credit card authorisation, but dropping into a shop and looking old works too). They also, like the majority of fixed ISPs, use the Internet Watch Foundation's list to block access to the worst of the worst.

So when a website pops up on a mobile screen it has already been analysed, compressed, manipulated and mangled, headers have been appended and stripped – and that's assuming your operator thinks you're old enough to see the content anyway.

But what's really weird is that if you're on O2's 3G network then it will be busy blocking and managing the content you access, but switch to O2's Wi-Fi network - a mere 300MHz up the dial - and it's porno city and they wouldn't dare touch one's HTTP headers any more than they'd trust you are who you say you are.

So here we have two philosophies of internet access, separated by a few hundred megacycles. It will likely be the mobile model that ultimately prevails as everyone offering internet access sees the advantage in compressing and mutating content to suit their customers, which means more operators looking at ways to identify their users, and probably more leaks just like this one. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Brits: Google, can you scrape 60k pages from web, pleeease
Hey, c'mon Choc Factory, it's our 'right to be forgotten'
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.