O2 and your phone number...

pulliptears

Read this earlier, twitter is seemingly abuzz with it:

http://thenextweb.com/mobile/2012/01/25/uk-mobile-operator-o2-sends-your-phone-number-to-every-website-you-visit/?awesm=tnw.to_1Cw2U&utm_campaign=social%20media&utm_medium=share%20button&utm_source=Twitter&utm_content=UK%20mobile%20operator%20O2%20sends%20your%20phone%20number%20to%20every%20website%20you%20visit

If you reside in the UK and you are one of the millions of subscribers to mobile operator O2, you may be alarmed to learn that the carrier is sending your mobile number to every website you visit on your mobile phone.

The issue was brought to our attention to Lewis Peckover, who created a simple webpage to check the information that a mobile browser would send to a website when it requested data.

Whilst most of the data was to be expected, including the Host, User Agent, Referrer and Encoding, there was also another field in the results — x-up-calling-line-id.

What is x-up-calling-line-id? Your mobile phone number.

We tested it on an O2-connected mobile device and received the following results (number blurred for privacy):

I've tried it on my mobile and it does appear to be correct, this is the website you need to access from your O2 mobile:

http://lew.io/headers.php

Whilst interesting, it doesn't especially alarm me, though could possibly offer an answer as to how some callers get your number?

Worth noting if you do feel strongly about this be wary where you surf from an O2 mobile!

fluffnutter

Security in general is appalling on smartphones. It's time the industry starting putting in place the same kind of protection that you have when you surf via an ISP on a computer.

I don't have a smartphone. More trouble than they're worth.

pulliptears

fluffnutter wrote: »

Security in general is appalling on smartphones. It's time the industry starting putting in place the same kind of protection that you have when you surf via an ISP on a computer.

I don't have a smartphone. More trouble than they're worth.

Its interesting though, I wonder if it breaches DPA too?

I don't tend to browse a great deal on my iPhone so It doesn't concern me too much but its amusing to see O2 in a tizz on twitter trying to resolve and explain the flaw

fluffnutter

pulliptears wrote: »

Its interesting though, I wonder if it breaches DPA too?

Depends on how the DPA's interpreted. Unfortunately it's not actually that black and white about passing data on. There are all sorts of things about only storing pertinent data, making sure it's accurate, allowing access to it storing it properly etc. but it's not great on saying 'You can't pass on data to a third party'.

Typically though, this would be interpreted as a breach, unless an individual had given permission. The problem is whether that permission is tacit or not, i.e. do you opt in or out? Does O2 believe it has your tacit agreement to pass on data to a site that you're accessing yourself? Probably.

TBH, in this rapidly moving world of data movement, a world where it's becoming increasingly easy and common for data to be passed between companies and organisations through people's use of smartphones, social media etc. it's time the DPA was revisited.

pulliptears

fluffnutter wrote: »

Depends on how the DPA's interpreted. Unfortunately it's not actually that black and white about passing data on. There are all sorts of things about only storing pertinent data, making sure it's accurate, allowing access to it storing it properly etc. but it's not great on saying 'You can't pass on data to a third party'.

Typically though, this would be interpreted as a breach, unless an individual had given permission. The problem is whether that permission is tacit or not, i.e. do you opt in or out? Does O2 believe it has your tacit agreement to pass on data to a site that you're accessing yourself? Probably.

TBH, in this rapidly moving world of data movement, a world where it's becoming increasingly easy and common for data to be passed between companies and organisations through people's use of smartphones, social media etc. it's time the DPA was revisited.

I just quizzed my lad about this, he works in customer care for a phone company. He says that they would certainly treat it as a DPA, but that is in house, they may possibly be more stringent. He's not looking forward to fielding phone calls about this on Friday I add and praying its all blown over before then

I agree though, the DPA is sorely lacking for the Digital/technological age.

esuhl

...the carrier is sending your mobile number to every website you visit on your mobile phone.

If that's true, regardless of the country in which the web server is based, it looks like it could, in some cases, contravene this part of the Data Protection Act:

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_8.aspx

pulliptears

A similar breach is reportedly affecting users on O2 MVNOs Tesco Mobile and GiffGaff, but no similar breach has so far been identified on Vodafone, Everything Everywhere or Three.

From here:

http://www.mobilenewscwp.co.uk/2012/01/o2-accused-of-sharing-mobile-numbers-with-websites/