O2 sends users' phone numbers to web sites - Update 2

An O2 user, Lewis Peckover, found that the mobile phone company has been adding the phone number of any subscriber using its mobile network to the HTTP headers of web requests. The header, x-up-calling-line-id, appears to be inserted by the transparent proxies that O2 uses so it can downgrade images and insert JavaScript into the returned HTML. To experience the problem, a user on the O2 network needs to disable Wi-Fi and, without using a proxying browser such as Opera Mini, connect to Peckover's site which displays the headers received.

The issue isn't new: in 2010 Collin Mulliner presented a paper to the Security in Telecommunications conference on research that had found number leakage from numerous phone carriers. Mulliner offers the MNO Privacy Checker which examines HTTP request headers for the x-up-calling-line-id, and the many other added headers he found in use, and displays the results with a green, for clear, or red, for privacy leakage, page background. The x-up-calling-line-id header is documented in a 2009 blog posting of known telco HTTP headers.

Queries to the company's @O2 Twitter account have been responded to with variations of "we are investigating these reports and will provide more information as soon as possible". Which? reports that it tested Peckover's findings and found the header appeared when accessing the site with O2 and on GiffGaff, which runs on O2's network. Another O2 network user, Tesco Mobile, is also reportedly leaking subscriber phone numbers. The magazine says it contacted the Information Commissioners Office who told them they would be speaking to O2 to "remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed".

Update - According to Peckover, it appears that O2 have fixed the leak as the header is no longer visible. It has been suggested that the appearance of the header could be down to a whitelist matching too many sites; some carriers add the telephone number header but only for connections to their own sites so they can provide customer account information without asking for a user name and password. O2 have yet to make a statement on what caused the leakage of phone numbers or how long it has been going on for.

Update 2 - O2 has now released a statement on its blog. The problem, which affected 3G and WAP services, began on 10 January and was fixed at 14:00 GMT today. Changes implemented as part of routine maintenance had the "unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site" rather than only making that information available to "trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services". O2 says it is cooperating with the Information Commissioners Office (ICO) and has contacted the telecommunications regulator OFCOM.

(djwm)