O2 has come under fire this morning after it was discovered that the carrier is sending mobile phone numbers to every website that is visited using a data connection on one of its devices. While most carriers send basic information — such as your IP address, referrer, and user-agent — just as a computer would, O2 also sends a full mobile number.
The issue was highlighted by Lewis Peckover, who created a simple website that displays the information your device is sharing when it visits. Though not all O2 subscribers seem to be affected, the feedback we’ve seen on Twitter this morning would suggest that the vast majority are — and they’re not happy about.
The Next Web used an iPhone connected to O2’s data network to test the issue, and just as reported, their number appeared next to the “x-up-calling-line-id” header.
And it’s not just O2 devices that are affected; those connected to GiffGaff and Tesco Mobile — both of which use O2 networks — are also having their number shared when visiting a website. Rival carriers, such as Vodafone, Orange, and T-Mobile, however, don’t appear to be doing the same thing.
Disgruntled subscribers who have complained to O2 on Twitter this morning have been told that “internal teams” are looking into it, and that the carrier “will come back with more as soon as we can.” If you’re worried about your number being shared, then it’s best to use a Wi-Fi connection for internet browsing on your device wherever possible, and avoid using your data connection for web browsing for the time being.
Think Broadband believes that O2 uses your number when you visit its own site to identify who you are, and that a misconfigured proxy server is causing it to be shared with any site you visit. Hacker News concurs, reporting that the “x-up-calling-line-id” is intended for internal use only:
x-up-calling-line-id (and similar headers from other gateway vendors) are typically not meant to be sent in the clear beyond internal sites. Perhaps a certain set/class of URL ACLs were (mis)configured during a maintenance window that caused this to happen.
Similar to how websites leave cookies, carriers have always had the ability to send certain identifying information to external sites. Usually, such identifying information is munged in some way that doesn’t make it possible to determine the mobile number of the subscriber.
The funny thing is that people are often surprisingly willing to provide their phone number on more and more sites, which then makes it trivial for such services to link the anonymized identifier with the actual mobile number.
Of course, it’s unlikely that many sites will use or even record your mobile number, but O2 still needs to rectify this issue promptly. Although it has responded to some users on Twitter, the carrier is yet to issue an official statement.
Is your O2 handset sharing your number with every site you visit?
[via The Next Web]