Privacy watchdog to probe O2 over phone number leaks

The UK's privacy watchdog is putting O2 under scrutiny, after customers complained the mobile operator is revealing their phone numbers to website owners when they browse.

O2 has come under scrutiny from the Information Commissioner's Office after customers complained it is revealing their phone numbers to website owners when they browse. Image credit: O2

The mobile operator's insertion of the phone numbers into HTTP headers emerged on Tuesday, in a blog post by Lewis Peckover, a web systems administrator and O2 customer, who detected the behaviour. The number is added to the headers used to set up connections between a user's browser and a website's servers when using the operator's mobile broadband service, he said.

"O2 seem to be transparently proxying HTTP traffic and inserting this header," said Peckover, who provided a script for others to see whether their own mobile ISP is manipulating their traffic this way. In O2's case, the header will contain 'x-up-calling-line-id: 447726900XXX'.

The operator itself has not yet commented on the allegations, which have been backed up by customers visiting Peckover's page.

Privacy concerns

UK privacy authority the Information Commissioner's Office (ICO) said it is looking into O2's activities in response to complaints from customers. The question of whether the Data Protection Act has been breached hinges on two points: which other information is transmitted alongside the phone number, and whether the process could allow a third party to identify the surfer by combining the data revealed.

"Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations," the ICO said in a statement.

This is a serious mistake that exposes hundreds of thousands of people to the risk of exposing their phone numbers to anyone with a website.

– Alex Hanff, Privacy International

"When people visit a website via their mobile phone, they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed," the privacy watchdog added.

Privacy campaigners argue O2 was wrong to route its traffic through proxies, inserting the surfer's mobile phone number along the way, without telling the customer they are doing this. 

"This is a serious mistake that exposes hundreds of thousands of people to the risk of exposing their phone numbers to anyone with a website," Privacy International's Alex Hanff told ZDNet UK. "Phone number lists sell for large quantities of money. People with unlisted phone numbers have been exposed."

In his blog post, Peckover noted other problems arising from the traffic manipulation. "Another annoying feature of O2 is that they interfere with the responses from servers too," he said, noting this downgrades all images as well as inserting JavaScript links into the HTML of each page.

MVNOs

O2 and its mobile virtual network operators (MVNOs) appear to be the only operators inserting phone numbers into HTTP headers. The MVNOs reselling O2's connectivity include Giffgaff and Tesco Mobile.

There is no suggestion as yet that rival operators Three, T-Mobile, Orange and Vodafone do the same, although none of those operators had responded to a request for clarification at the time of writing.

Tests by ZDNet UK on a German MVNO that resells O2 Deutschland's connectivity show the same thing is not happing on O2's German network, suggesting it may only be taking place in the UK.

ZDNet UK's Tom Espiner contributed to this report.