Furious this morning to see that O2 are apparently providing my phone number to every website I visit from my mobile while connected to their network. If you’re connected from your mobile you can see what is being sent out in the header using this website’s tool. When I tried it, while connected to the mobile network (not wifi) it showed my mobile number.
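The check a header-echo page like the one mentioned above performs, as an added example (not code from that site or from O2): it scans the request headers a server received for a UK mobile number. The header name and all sample values are constructed, since the post does not say which header carried the number.

```python
import re

# UK mobile numbers: 07xxxxxxxxx nationally, 447xxxxxxxxx internationally.
# The lookarounds stop a match inside a longer digit run (e.g. a timestamp).
_UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0044|0)(7\d{9})(?!\d)")


def normalise_msisdn(number):
    """Reduce a UK mobile number in any common spelling to 447xxxxxxxxx."""
    digits = re.sub(r"[\s\-()]", "", number)
    match = _UK_MOBILE.fullmatch(digits)
    return "44" + match.group(1) if match else None


def find_number_leaks(headers, own_number=None):
    """Return (header name, number) pairs for headers carrying a mobile number.

    With own_number set, only that subscriber's number is reported, which
    avoids false positives from unrelated digit strings in other headers.
    """
    wanted = normalise_msisdn(own_number) if own_number else None
    leaks = []
    for name, value in headers.items():
        for match in _UK_MOBILE.finditer(value):
            found = "44" + match.group(1)
            if wanted is None or found == wanted:
                leaks.append((name, found))
    return leaks


# Constructed sample request as a web server might receive it through a
# carrier proxy. The last header name is hypothetical, and the number is
# from the UK range reserved for drama use.
SAMPLE_REQUEST_HEADERS = {
    "Host": "headers.example",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)",
    "Accept": "text/html",
    "Cookie": "session=1327500000000",
    "X-Example-Subscriber-Number": "447700900123",
}

if __name__ == "__main__":
    for header, number in find_number_leaks(SAMPLE_REQUEST_HEADERS):
        print(f"{header} exposes {number}")
```

A check like this only sees what the network sends to the server running it, so it has to be run on a site you control and visited over the mobile data connection rather than wifi.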
It appears O2 are doing this deliberately, because in response to a concern being raised, they tweeted
But when I got onto their customer services the representative I spoke to denied it was even happening, refused to address it, and said they were happy I raise it with the Information Commissioner’s Office.
info: Welcome to O2. Someone will be with you soon.
info: You’re through to O2 – Maria.
O2 – Maria: Hi I’m O2 – Maria. How can I help?
Simon Wood: Hi Maria, I have seen that O2 are giving out my phone number in http headers of sites I visit while using my iPhone on O2’s data network – I haven’t authorised this and I’m concerned it’s a breach of data protection. Advice here: suggests I give you a chance to put it right http://www.ico.gov.uk/complaints/data_protection/supporting_evidence.aspx#disclosure
O2 – Maria: I’ll check this for you.
Simon Wood: Thanks. There’s some info here http://lew.io/headers.php and your Twitter team appear to have confirmed it’s deliberate: http://twitter.com/#!/O2/status/161872584634408960.
O2 – Maria: Thanks for the info, please give me a minute while I check this for you.
Simon Wood: Okay.
O2 – Maria: Can you please give the website address on which your mobile number is included.
Simon Wood: This is the site: http://lew.io/headers.php but if it is in the header sent to this site, is there any reason to suppose you’d just be doing it for this site in particular?
O2 – Maria: I’ve checked this and this is not our website, I request you to please don’t refer this website.
Simon Wood: I know it’s not your website. I don’t understand your request – what do you mean “refer this website”?
O2 – Maria: We don’t share any information about our customers with anyone.
O2 – Maria: I mean please don’t go to this website.
Simon Wood: So you are saying you are not giving out the mobile phone numbers of your customers in HTTP headers?
O2 – Maria: Yes, you are correct.
Simon Wood: Despite the evidence that you are – you won’t put this right?
O2 – Maria: I request you to ignore this site and please be assured that we don’t share our customer’s information on any websites. Our own website is safe and secure to access from a phone or a computer/laptop.
Simon Wood: Yes, but I am paying you to provide me with a mobile internet service – I want to be able to visit websites without you telling them my phone number. I want to give you a chance to put this right before I raise it with the Information Commissioner’s Office.
O2 – Maria: If you want you can contact Information Commissioner’s Office. If you find your number on any website then you need to contact the owner of the website and ask them about this.
Simon Wood: It’s not that the number is *ON* a website, it is that O2 are sending that information *TO* the website when requesting a webpage. I take it from your last reply that you are unwilling to address this, and I will have to go to the ICO?
O2 – Maria: I can just assure that we’re not sending your number or details to any website when you visit a webpage. If you want you can contact Information Commissioner’s Office and let them know about the information that you have got on the website.
Simon Wood: I would hope you are not, and I would like to believe your assurances, but the evidence suggests otherwise. I will certainly bring to the ICO’s attention the demonstration that website provides that this information is being sent by O2 in web page requests. Thank you.
info: We’ll email a copy of your chat transcript to firstname.lastname@example.org.
O2 – Maria: From my end I can assure you about this, yes you can go and contact them about this.
O2 – Maria: Is there anything else I can help you with?
Simon Wood: No, thank you.
I’ve asked followers on other networks to let me know if their network is doing this too – because I’m looking to switch if this is not sorted. So far I’ve heard T-Mobile are in the clear, I’d be pleased to hear about the other networks if anyone’s tried them?
Update (18.14): O2 (almost) fixed the problem and posted an explanation this afternoon. First of all, credit where it’s due. They were quick, and this is an (almost) full explanation. I’ll come back to those almosts. They’ve also been very active on Twitter letting people know what they were doing, which is also to be commended. Indeed I’m inclined to overlook the fact that the “apology” they tweeted wasn’t really an apology at all:
We're sorry about the concern re mobile numbers and web browsing, which is now fixed. Here's what happened + Q&A. http://t.co/Dm5bb5d5
Being “sorry about the concern” is not the same as being sorry for giving out our mobile numbers without permission.
Thanks to @ptr10001, @SphericalN and all the commenters for confirming that T-Mobile, Vodafone and Virgin were not affected, while GiffGaff (which uses O2’s network) was. I’m not sure about Orange, but it transpires that this kind of problem has been known about for a couple of years, and there has been an instance of Orange sharing numbers.
Here’s the outstanding problem: O2 are still sharing my number and I don’t know who with.
When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice.
O2 almost gave a full explanation, but they haven’t said who the “trusted partners” are. It’s almost a fix, but a true fix would allow us to opt out of any sharing. And because it’s only “trusted partners”, websites like the one linked above that revealed the problem this morning (being, presumably, untrusted) won’t show it’s happening. How do we tell which other networks are doing this? O2 says it’s “standard industry practice”.
O2 need to publish a list of who they are sharing my phone number with, and explain how I can opt out.