O2 Leaking User’s Phone Numbers When Browsing Web

In what is a serious misstep in terms of user privacy, O2 appears to be sending out each user’s phone number to every site they visit in a header titled x-up-caller-line-id, as discovered by web administrator Lewis Pecker.

The user’s phone number appears to be being sent unencrypted with each request for a page sent through O2’s mobile network, with Pecker setting up a page that demonstrates the issue (switch off WiFi on your phone and visit the page). Whilst the majority of sites will not process this data, it could easily be collected by spammers who could then sign users up to premium rate text and phone services.
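As an added example (not from the original post, and not O2’s or Pecker’s code), here is how a site operator could check incoming requests for the x-up-caller-line-id header described above and mask the number before it reaches any access log; the request head is constructed, the header name is the one quoted in the post, and the number sits in the Ofcom-reserved 07700 900xxx range.

```python
"""Detect and mask a carrier-injected phone-number header before logging."""
import re
from typing import Dict, Tuple

# Header name quoted in the post; compared lower-cased because HTTP header
# names are case-insensitive.
CARRIER_ID_HEADERS = {"x-up-caller-line-id"}


def parse_headers(raw_head: bytes) -> Dict[str, str]:
    """Parse an HTTP/1.1 request head (request line plus headers) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw_head.decode("iso-8859-1").split("\r\n")[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def mask_number(value: str) -> str:
    """Keep only the last two digits: enough to see a number was present."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 2:
        return "*" * len(digits)
    return "*" * (len(digits) - 2) + digits[-2:]


def audit_request(raw_head: bytes) -> Tuple[bool, Dict[str, str]]:
    """Return (number_present, headers safe to log)."""
    safe: Dict[str, str] = {}
    leaked = False
    for name, value in parse_headers(raw_head).items():
        if name in CARRIER_ID_HEADERS:
            leaked = True
            safe[name] = mask_number(value)
        else:
            safe[name] = value
    return leaked, safe


# Constructed request head; 447700900123 is not a real subscriber number.
SAMPLE_REQUEST = (
    b"GET /headers HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 4.0)\r\n"
    b"X-Up-Caller-Line-ID: 447700900123\r\n"
    b"Via: 1.1 carrier-proxy\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    present, loggable = audit_request(SAMPLE_REQUEST)
    print("phone number present:", present)
    for key, val in loggable.items():
        print(f"{key}: {val}")
```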

This issue is affecting O2 customers as well as those using mobile virtual network operators (MVNOs) that piggyback onto O2’s network, such as GiffGaff and Tesco Mobile. O2 have acknowledged the issue and are investigating, but there is no ETA on a fix at this moment and we don’t know if this is simply a human error in setting up the O2 network proxies, or a major flaw.

After the recent privacy controversy about CarrierIQ tracking how people use their smartphones, this will come as another unwelcome surprise for users as their details are being left scattered across the web. Here’s a screenshot of what O2 users see when visiting Pecker’s page:

UPDATE: It appears that Blackberry users are unaffected by this with their mobile number kept under wraps when browsing the mobile web.

UPDATE 2: The problem does indeed appear to be a result of some misconfigured proxy servers, as you can remove the problem by switching to the O2 APN proxy. If you want to do this now – you need to enter the following into your APN settings (via ThinkBroadband):

APN: mobile.o2.co.uk
Username: bypass
Password: password

UPDATE 3: …and O2 have fixed the problem. User phone numbers were apparently being leaked for the past two weeks, but what is more interesting is that O2 does share this data (your phone number) with “trusted partners” where required for “age verification, premium content billing,…and O2’s own services”. I am sure O2 is not alone in doing this, and sharing this data within O2’s own services is fine, but I for one did not know that my phone number was being shared with external websites and services whether they are “trusted” or not – this is something mobile networks should make more clear.
