Browsing on Your Mobile Should Not Disclose Your Phone Number

In the past day or three, it’s come to light that O2 – a major mobile phone provider in the UK – made the very serious error of disclosing its users’ phone numbers in HTTP headers (i.e. the headers that are part of every single communication with a website). The researcher who discovered this – Lewis Peckover – has made available a site that will check whether your phone is disclosing its phone number when visiting websites. You don’t need to be an O2 customer to double check that your mobile provider is doing things (im)properly.

This significant release of information occurred because:

“Technical changes we [O2] implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site,” the company wrote.

However, the company added that it had previously disclosed this information, but only when “absolutely required by trusted partners”.

“When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners.”

The company said this was needed to manage “age verification, premium content billing, such as for downloads, and O2’s own services”.

However the technical glitch meant the sharing went further it said: “In addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.”

In light of this ‘glitch’ I would hope that a more secure way of confirming age/purchasing credentials is rapidly rolled out. Significantly, not only every website visited had access to mobile phone numbers but every advertising server potentially had access to this information as well. This would include Google, Quantcast, and so forth.

It will be incredibly curious to see how the ICO treats this data leak. I think that core failures like the O2 phone leak demonstrate just how linked many of our communications systems and identifiers are, and speak volumes to the need for significantly better evaluation of network upgrades before they are rolled out to live environments.