UK network O2 has found itself at the centre of an embarrassing data privacy storm after it emerged that it allows websites to see the mobile numbers of all subscribers that browse the Internet using its 3G data service.
The controversy was set off by a single O2 user, Lewis Peckover, who noticed that his mobile number was being sent to every website he visited, embedded in plain text in an HTTP request header.
Extraordinarily, the numbers appear to be inserted by O2’s own servers when users connect to the Internet through its 3G service; anyone using a WiFi connection is not affected because their traffic does not traverse that infrastructure.
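The quickest way for a subscriber or site operator to check for this kind of leak is a page that echoes back the request headers the server actually receives and flags any value that looks like a phone number. The following is an added example in that spirit, not Peckover's page or any O2 code; the header name in the test data is a constructed placeholder, since the article does not name the header involved.

```python
import re
from wsgiref.simple_server import make_server

# Phone-number shape to look for: an optional '+', then a UK country code (44)
# or trunk prefix (0), then 9-10 digits. Constructed for illustration; adjust
# the country code for other regions.
MSISDN_RE = re.compile(r"^\+?(?:44|0)\d{9,10}$")


def find_phone_like_headers(headers):
    """Return (name, value) pairs whose value looks like a mobile number.

    `headers` maps request header names to values as the origin server sees
    them, i.e. after any carrier proxy has added its own headers.
    """
    hits = []
    for name, value in headers.items():
        # Drop spaces and dashes so '+44 7700 900123' is still recognised.
        if MSISDN_RE.match(re.sub(r"[\s-]", "", value)):
            hits.append((name, value))
    return hits


def wsgi_headers_from_environ(environ):
    """Rebuild request headers from the HTTP_* keys of a WSGI environ."""
    return {
        key[5:].replace("_", "-").title(): val
        for key, val in environ.items() if key.startswith("HTTP_")
    }


def app(environ, start_response):
    """Echo every request header and name the ones carrying a phone number."""
    headers = wsgi_headers_from_environ(environ)
    leaks = find_phone_like_headers(headers)
    lines = ["Request headers received by this server:"]
    lines += [f"  {name}: {value}" for name, value in headers.items()]
    lines.append("")
    lines.append("Headers carrying a phone-number-like value: "
                 + (", ".join(name for name, _ in leaks) if leaks else "none"))
    body = "\n".join(lines).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Browse to http://<host>:8080/ over the mobile data connection to check.
    make_server("", 8080, app).serve_forever()
```

Visiting the page over WiFi and then over 3G and comparing the two outputs shows exactly which headers the carrier's proxy adds.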
Given the potential for websites to capture numbers for text spamming, annoyed users have bombarded O2’s Twitter feed with complaints to which the network found itself responding with a stock tweet to every user who raised the issue.
“Hi there, we're looking into this as we speak - it's important to us. Once we've got an update, we'll share it,” tweeted O2.
It turns out that the issue is not new. Graham Cluley of Sophos points out that the issue was first made public in March 2010 at the CanSecWest conference in Vancouver by researcher Collin Mulliner.
The proxying by O2 is not particularly surprising; indeed, all mobile networks probably do it, to optimise the web traffic crossing their hard-pressed 3G networks. The question is why O2 thinks it important to insert a sensitive piece of information such as a mobile phone number into data sent to websites.
It may simply be inserted automatically, without any intention of giving websites the ability to see phone numbers.
So far rival networks (Vodafone, 3 and Orange/T-Mobile) don’t appear to be affected by the number forwarding issue.