EE Privacy Leak

PHK
PHK Posts: 1,959 Forumite
I have discovered that EE is using 'selective header enrichment' to send my phone number (MSISDN) to web sites I visit on my phone using my mobile data.

I don't know if this is intentional or an error on their part but when O2 did this in 2012 there was some backlash. https://nakedsecurity.sophos.com/2012/01/25/smartphone-website-telephone-number/

As well as privacy concerns, it means that if you accidentally click on an advert, an unscrupulous site could sign you up to a subscription.

There's a link in the article to check if your provider is sending your details, but the worrying thing about EE is that they don't seem to be doing it all the time.

Comments

  • unforeseen
    unforeseen Posts: 7,354 Forumite
    edited 31 December 2017 at 11:07AM
    So, are you saying they only do it for certain sites? Or is there another criterion? I would think it is more a function of the browser you use rather than the phone. Simple answer: use a third-party browser instead of the one built in to the OS that the provider may or may not have modified.
  • colin79666
    colin79666 Posts: 1,348 Forumite
    If you are concerned, use HTTPS websites or a VPN, as they can’t modify secure connections. You can also turn off 3rd party billing on your account.

    Thread running on the EE forums still awaiting a response from the company:
    https://community.ee.co.uk/t5/4G-and-mobile-data/Why-do-you-leak-my-phone-number-to-websites-when-browsing-on/m-p/650120/highlight/true

    Must say if this turns out to be true I’ll be pretty annoyed as an EE subscriber.
  • unforeseen wrote: »
    So, are you saying they only do it for certain sites? Or is there another criterion? I would think it is more a function of the browser you use rather than the phone. Simple answer: use a third-party browser instead of the one built in to the OS that the provider may or may not have modified.

    I was thinking the same thing, surely this is down to the browser, not the carrier?
  • PHK
    PHK Posts: 1,959 Forumite
    I was thinking the same thing, surely this is down to the browser, not the carrier?

    That's not right. Have a read of the article I quoted and the link colin79666 posted.
  • unforeseen
    unforeseen Posts: 7,354 Forumite
    edited 31 December 2017 at 11:38PM
    PHK wrote: »
    That's not right. Have a read of the article I quoted and the link colin79666 posted.

    I've read it and it appears to be an HTTP header that contains it. These are a product of the browser. This is why I mentioned that the service provider may have modified the inbuilt browser.
  • unforeseen wrote: »
    I've read it and it appears to be an HTTP header that contains it. These are a product of the browser. This is why I mentioned that the service provider may have modified the inbuilt browser.

    Spot on again as far as I can see.
  • unforeseen
    unforeseen Posts: 7,354 Forumite
    The only other conceivable option is that the service provider is intercepting every HTTP request and adding in the header. That begs the question of why? It is of no use to the service provider as it will be added either close to or at their border gateway to the internet in general.
  • PHK
    PHK Posts: 1,959 Forumite
    unforeseen wrote: »
    I've read it and it appears to be an HTTP header that contains it. These are a product of the browser. This is why I mentioned that the service provider may have modified the inbuilt browser.

    Have a look into "Header Enrichment" and "Header Injection".
  • unforeseen
    unforeseen Posts: 7,354 Forumite
    See #8 re header enrichment.

    As far as header injection is concerned, that is to do with modifying the headers sent to a server to enable or cause a security vulnerability. Nothing to do with the discussion.
  • PHK
    PHK Posts: 1,959 Forumite
    I think you're wrong. It's routine for providers to connect you through a gateway or proxy where there are additions to the headers. Even ten years ago, X-Forwarded-For was being added.

    On a less technical note, your theory can't be correct because the problem affects people with SIM-Free handsets with their own choice of browser. Also, if you connect via Wi-Fi the header isn't added.

    Even if it was a "custom browser", then it's still the wrong thing to do.
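
An added example, not part of the original thread: a check that a test server could run on the raw HTTP request it receives, separating ordinary proxy additions such as X-Forwarded-For from headers that carry a subscriber identifier. The header-name list (names publicly reported in carrier enrichment cases), the sample requests and the phone number are assumptions constructed for this sketch.

```python
import re

# Header names publicly reported in carrier header-enrichment cases.
# This list is an assumption of the example, not taken from the thread.
KNOWN_ENRICHMENT_HEADERS = {
    "x-up-calling-line-id", "x-msisdn", "x-wap-msisdn",
    "x-nokia-msisdn", "x-uidh", "x-acr",
}
# Hop headers that proxies routinely add (X-Forwarded-For is named in the thread).
PROXY_HEADERS = {"x-forwarded-for", "via", "forwarded"}
# A value that looks like a phone number: optional +, then 10 to 15 digits.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")


def parse_headers(raw_request: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x request into (lower-cased name, value) pairs."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_request(raw_request: bytes) -> dict[str, list[str]]:
    """Classify headers as identifier leaks or ordinary proxy additions."""
    report = {"identifier": [], "proxy": []}
    for name, value in parse_headers(raw_request):
        digits = re.sub(r"[\s\-()]", "", value)  # tolerate spaced numbers
        if name in KNOWN_ENRICHMENT_HEADERS or MSISDN_RE.match(digits):
            report["identifier"].append(name)
        elif name in PROXY_HEADERS:
            report["proxy"].append(name)
    return report


# Constructed samples: the same page fetch as a test server would see it
# over mobile data (through the carrier gateway) and over Wi-Fi.
VIA_MOBILE = (b"GET /check HTTP/1.1\r\nHost: example.test\r\n"
              b"User-Agent: ExampleBrowser/1.0\r\n"
              b"X-Forwarded-For: 10.20.30.40\r\n"
              b"x-up-calling-line-id: 447700900123\r\n\r\n")
VIA_WIFI = (b"GET /check HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: ExampleBrowser/1.0\r\n\r\n")

if __name__ == "__main__":
    print("mobile:", audit_request(VIA_MOBILE))
    print("wifi:  ", audit_request(VIA_WIFI))
```

Over HTTPS an on-path gateway cannot see or rewrite the request headers, so the server-side request would look like the Wi-Fi sample in both cases.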
This discussion has been closed.