O2 – brown stuff spreads from whirring object

I don’t normally jump on a bandwagon although sometimes working for an ISP I get wind of juicy bits of network issues such as an exchange catching fire and might try and get in before the bandwagon has started to roll.

On this occasion the bandwagon is trundling down the hill at pace carrying news that O2 is including people’s mobile phone numbers in header information provided to websites visited by mobile users.

This was discovered by Lewis Peckover who has created a web page that tells you that kind of info is being left by your browser when you visit a site.

I took a look myself and drew a blank as you can see below

=========================================================================

O2 send your phone number to every site you visit using their mobile data network?

This page is a simple little script which prints out all the information I receive about you when you visit. It is logical to conclude that this same information is sent to all other websites too. I’m a nice guy, and I’m not storing anything other than the basic information about your visit that my server logs by default – date/time/ip address etc. But there is nothing stopping me collecting everything you see below.

If you’re on O2’s UK mobile network (not ADSL), you’ll (probably) see a line beginning with x-up-calling-line-id – followed by your mobile phone number in plain text. Other operators may use different headers, or hopefully none at all – let me know – I’m interested to know if other networks are doing it too.
To see it in action, remember to disable wifi on your device, and don’t use a proxying browser like opera mini.

Headers received:

Accept-Encoding: gzip
Referer: http://www.slashgear.com/o2-sharing-phone-numbers-for-mobile-surfers-but-not-everyone-25210620/
Accept-Language: en-GB, en-US
x-wap-profile: http://wap.samsungmobile.com/uaprof/GT-I9100.xml
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; en-gb; GT-I9100 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset: utf-8, iso-8859-1, utf-16, *;q=0.7
Host: lew.io
X-Forwarded-For: 82.132.248.188
_________________________________________

To answer some questions and responses I’ve seen – no, it’s not anything client-side. O2 seem to be transparently proxying HTTP traffic and inserting this header.
Another annoying feature of O2 is that they interfere with the responses from servers too. They downgrade all images and insert a javascript link into the HTML of each page. I’ve talked to customer service about this lovely feature several times, but they never have a clue what I’m talking about, let alone any idea how to opt out/disable it.

– Lew
@lewispeckover

===================================================

back to me

My phone number is not being shown in the above script but it seems that others’ is (are?) As the brown stuff spreads from the whirring thing O2 are looking in to the problem and I’m sure will respond.

Couple of observations here.

Firstly the internet is a hugely “open” place. Not only can you find almost anything on the web but you can see its intimate innermost workings.  Right click on a web page for example and you will see the source code for that page. This is not necessarily a great feature when it comes to protecting your intellectual property or privacy but it is what it is.

This doesn’t mean to say that O2 has to deliver phone numbers in the header but there is a lot of information generally available to view.  The O2 PR department is at this point showing up on satellite images of earth as a hotspot as they get their response lined up. I’m sure they will cope – O2 is an enlightened organisation and we are all feeling our way forward in a world that has so many variables that to have them all right always is nigh on impossible. It is how the situation is responded to that is important right now.

My second point is a purely self centered sales pitch. Timico, as well as being an O2 service provider also provides customers with private mobile networking services based on our Ethernet pipe into the O2 network. This service, based on what is called a Mobile APN (Access Point Name – seems a non name to me but it is a generic industry description) allows customers to control access to the internet via their mobile estate through their corporate firewalls.

This APN  is normally used to apply corporate internet access policies to mobile devices  and to protect the privacy of the mobile client behind the firewall – just like you would do with a fixed network. In this case the mobile service often acts as a Disaster Recovery failover mechanism in the event of a fixed line outage but it is used from handsets as well as routers.

So if you are worried about the security of your information when browsing using your mobile client you need to talk to Timico – more details here.

Published by Trefor Davies

Liver of life, father of four, CTO of trefor.net, writer, poet, philosopherontap.com

Join the Conversation

2 Comments

  1. It claims to have been fixed now, but while it was occuring it seemed to be happening for 3G mobiles on O2’s network, and those networks that piggy-back onto O2 such as Tesco and giffgaff. If you have a BlackBerry or you were using WiFi, this did not happen as your data bypassed the O2 proxy that appeared to be injecting your mobile number.

    I suspect there will be some serious fallout over this. No doubt they’ll claim it was an honest mistake (a la Google wifi data collection), but you have to wonder whether this was the case.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.