The UK's privacy watchdog is putting O2 under scrutiny, after customers complained the mobile operator is revealing their phone numbers to website owners when they browse.
The mobile operator's insertion of the phone numbers into HTTP headers emerged
on Tuesday, in a blog post by Lewis Peckover, a web systems administrator and O2
customer, who detected the behaviour. The number is added to the headers used to set up connections between a user's browser and a website's
servers when using the operator's mobile broadband service, he said.
"O2 seem to be transparently proxying HTTP traffic and inserting
this header," said Peckover, who provided a script for others to see whether
their own mobile ISP is manipulating their traffic this way. In O2's case, the header will contain 'x-up-calling-line-id: 447726900XXX'.
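A server-side self-check for the behaviour described above, as an added example (it is not Peckover's script or code from the article). It is a small WSGI page that reports any subscriber-identifying header that arrived with the request. The digit-run heuristic, the `x-hypothetical`-style catch-all and the sample number are assumptions constructed for illustration; only `x-up-calling-line-id` comes from the article.

```python
import re

# Header name reported in the article; extend with others you observe.
KNOWN_ID_HEADERS = {"x-up-calling-line-id"}
# Assumption: a bare 10-15 digit value (optional '+') is treated as a phone number.
MSISDN_RE = re.compile(r"\+?\d{10,15}")

def request_headers(environ):
    """Rebuild lowercase HTTP header names from a WSGI environ."""
    return {k[5:].replace("_", "-").lower(): v
            for k, v in environ.items() if k.startswith("HTTP_")}

def mask(value):
    """Keep the first four characters so the report does not repeat the number."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else value

def find_subscriber_ids(headers):
    """Return sorted (header, masked value, reason) tuples for suspicious headers."""
    findings = []
    for name, value in headers.items():
        value = value.strip()
        if name in KNOWN_ID_HEADERS:
            findings.append((name, mask(value), "known carrier-inserted header"))
        elif MSISDN_RE.fullmatch(value):
            findings.append((name, mask(value), "value looks like a phone number"))
    return sorted(findings)

def app(environ, start_response):
    """WSGI self-check page: reports what arrived, as seen by the server."""
    findings = find_subscriber_ids(request_headers(environ))
    if findings:
        body = "\n".join(f"{n}: {v} ({why})" for n, v, why in findings)
    else:
        body = "No subscriber-identifying headers arrived with this request."
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Cache-Control", "no-store")])
    return [body.encode("utf-8")]

if __name__ == "__main__":
    # Constructed sample request; the number is made up for this example.
    sample = {"HTTP_HOST": "check.example", "HTTP_USER_AGENT": "TestBrowser/1.0",
              "HTTP_X_UP_CALLING_LINE_ID": "447700900123"}
    print(app(sample, lambda status, hdrs: None)[0].decode())
```

Serve `app` over plain HTTP on a host you control and load it once over the mobile connection and once over Wi-Fi; a header that appears only on the mobile request was added in transit.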
UK privacy authority the Information Commissioner's Office (ICO) said it is looking
into O2's activities in response to complaints from customers. The question of whether the Data Protection Act has been breached hinges on two points:
which other information is transmitted alongside the phone number, and
whether the process could allow a third party to identify
the surfer by combining the data revealed.
"Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations," the ICO said in a statement.
"When people visit a website via their mobile phone, they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed," the privacy watchdog added.
Privacy campaigners argue O2 was wrong to route
its traffic through proxies, inserting the surfer's mobile phone
number along the way, without telling the customer they are doing this.
"This is a serious mistake that exposes hundreds of thousands of
people to the risk of exposing their phone numbers to anyone with a
website," Privacy International's Alex Hanff told ZDNet UK. "Phone
number lists sell for large quantities of money. People with unlisted
phone numbers have been exposed."
In his blog post, Peckover noted other problems arising from the traffic manipulation. "Another annoying feature of
links into the HTML of
O2 and its mobile virtual network operators (MVNOs) appear to be
the only operators inserting phone numbers into HTTP headers. The
MVNOs reselling O2's connectivity include Giffgaff and Tesco.
There is no suggestion as yet that rival operators Three, T-Mobile,
Orange and Vodafone do the same, although none of those operators had
responded to a request for clarification at the time of writing.
Tests by ZDNet UK on a German MVNO that resells O2 Deutschland's connectivity show the same thing
is not happening on O2's German network, suggesting it may only be
taking place in the UK.
ZDNet UK's Tom Espiner contributed to this report.