O2 is facing a bit of a PR nightmare today. You may already have noticed the storm of tweets, Facebook messages and articles about it: O2 is in potentially very hot water for sending its customers' phone numbers to the sites they visit over its network. That's not good in anyone's book. But how bad is it really?
It seems that not everyone's number is being exposed. We've tested it and can confirm that O2 sends our phone number to the websites we visit. Others haven't seen it, so perhaps only a subset of O2 customers is affected, but the majority of O2 users who have checked do seem to be seeing their number sent out.
Your number is included in the HTTP request headers sent every time your phone asks a server for something, whether a page, an image or a video. You can check whether you're affected by visiting a page that echoes back the headers it receives, such as Lewis Peckover's handy header reporting site, IsMyNumberVisible (a commenter below claimed it was harvesting numbers; the site's author replies in the comments that it collects nothing) or the MNO Privacy Checker. Bear in mind that any checker you use necessarily receives the same header as every other site, so only use one you trust, or run your own.
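For readers who would rather not hand their headers to a third party, here is a self-contained header-echo checker of the kind the article describes. It is an added example written for this page, not code from Gizmodo or from any of the checker sites. The article never names the leaking header; the name `x-up-calling-line-id` used here is the one widely reported at the time and is treated as an assumption, and the sample requests (with an Ofcom-reserved 07700 900xxx test number) are constructed for the demo. The checker flags both that header name and any header value that looks like a UK mobile number, so it would also catch a differently named header carrying the same data.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names known or suspected to carry the subscriber number (MSISDN).
# "x-up-calling-line-id" is the name reported for the O2 leak; assumption for this demo.
SUSPECT_HEADERS = {"x-up-calling-line-id", "x-msisdn"}

# Loose UK mobile number shape: 07xxxxxxxxx, 447xxxxxxxxx or +447xxxxxxxxx.
UK_MOBILE = re.compile(r"^(?:\+?44|0)7\d{9}$")


def find_leaked_numbers(headers):
    """Return {lowercased header name: value} for every header that looks like
    it carries a phone number, either by name or by the shape of its value."""
    hits = {}
    for name, value in headers.items():
        lname = name.lower()
        # Strip spaces and dashes so "07700 900123" is still recognised.
        digits = re.sub(r"[\s\-]", "", value.strip())
        if lname in SUSPECT_HEADERS or UK_MOBILE.match(digits):
            hits[lname] = value.strip()
    return hits


def render_report(headers):
    """Plain-text report: every header received, then a warning if any looks like a leak."""
    lines = [f"{name}: {value}" for name, value in headers.items()]
    leaks = find_leaked_numbers(headers)
    lines.append("")
    if leaks:
        lines.append("WARNING: your phone number appears to be in the request headers:")
        lines.extend(f"  {name}: {value}" for name, value in leaks.items())
    else:
        lines.append("No phone-number-like header seen.")
    return "\n".join(lines)


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Echo the request headers back to the client, like the checker sites do.
    Note that a tracking pixel or advert server would see exactly the same headers."""

    def do_GET(self):
        body = render_report(dict(self.headers.items())).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample requests (the number is from Ofcom's reserved 07700 900xxx range).
SAMPLE_LEAKING = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X)",
    "Accept": "text/html",
    "x-up-calling-line-id": "447700900123",
}
SAMPLE_CLEAN = {
    "Host": "example.test",
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3; GT-I9100)",
    "Accept": "text/html",
    "Content-Length": "0",
}

if __name__ == "__main__":
    print(render_report(SAMPLE_LEAKING))
    # Browse to http://<your-host>:8080/ from the phone over 2G/3G to check yourself.
    HTTPServer(("0.0.0.0", 8080), HeaderEchoHandler).serve_forever()
```

Run it on a host the phone can reach, visit it over the mobile network rather than Wi-Fi, and compare with the same request over Wi-Fi: if the number only shows up over 2G/3G, it is the network inserting it, not the phone.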
O2 only adds your number when you're on its mobile network. If an O2 phone is on Wi-Fi, its traffic never passes through O2's network, so the number isn't sent as it would be over 2G or 3G. It also doesn't seem to affect dongles, at least those of the 4G variety.
MVNOs running on the O2 network, such as GiffGaff and Tesco Mobile, also seem to be exposing numbers. That's no surprise, since O2 provides the infrastructure they run on: anything O2's network inserts into requests will affect everything that uses that network.
It was first assumed to depend on the phone or browser you were using, but that doesn't seem to be the case. Users have reported seeing their numbers on Android, iOS and Windows Phone devices. The only devices that seem to be excluded from the number-sharing party are BlackBerrys, probably because all BlackBerry data, including web browsing and email, is routed through RIM's servers, so the site sees a request arriving from RIM's infrastructure rather than one that has passed straight through O2's network.
The majority of sites won't be the problem; most never look at that header, let alone store it. The problem will be the sites that are after your personal data. It has apparently been happening on various networks for a while, but now that the issue is out in the open there's no reason number-harvesting sites won't crop up, if they aren't out there already. If you're an O2 customer, now is the time to be very careful about that shortened link someone just sent you.
Sending your number in the HTTP headers isn't just a matter of the site you visit grabbing it. Adverts and other third-party resources on a page are fetched from their own servers, and each of those requests carries the same header. So a legitimate site could be poisoned by an advert that captures the number, and you end up getting spammed.
It doesn't stop at web browsing either. Images in emails are downloaded from servers, and when your phone contacts the server to pull down the image, O2 adds the same header to that request, so you're exposed there too.
Exposure via email is potentially worse, from a phishing point of view at least. Spammers can get in on the act simply by including a remotely hosted image in their emails: if you download it while on O2's cellular network, they get your phone number.
Some private individual getting your phone number is one thing. They're probably not going to ring it, and even if they do they'll probably get bored of trying to harass you and give up. Spammers, though, feel no such thing as boredom. If a spammer gets your number, you could be inundated with spam texts, cold calls, recorded messages, you name it. Unfortunately, although that kind of thing is illegal in the UK without consent, there's not much recourse once it has got that far. You'll probably just have to change your number.
The Information Commissioner's Office has got involved too and is investigating to see what's really happening. In a statement sent to Which?, the ICO said:
“Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.”
“We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”
So it's not just customers who are getting mad about this. Then again, there's a debate over whether a phone number on its own, without a name, counts as personally identifiable information, and so whether this is a matter for the ICO in the first place.
O2 is currently investigating the issue, calling it a "top priority", and by golly it should be. It's probably nothing malicious on O2's part, just a balls-up somewhere. The only reason I can see for O2 to send your number at all is to its own websites, to identify you as a customer. It's possible the header was only ever meant to reach O2's own sites, and someone somewhere has flicked a switch that sends it everywhere, or failed to strip it for every other destination.
Whatever happens, now would be a good time to stick to Wi-Fi browsing if you're on O2 and not using a BlackBerry. I'd also check whether your number is being sent, using one of the three sites mentioned above, because not everyone is afflicted and you might be lucky.
Update: That was quick. It looks like O2 has fixed, or is in the process of fixing, the bug that was broadcasting your number. Tweets and status updates are coming in that O2 users' phone numbers are no longer being shown. We can corroborate that too:
Same phone, same site, no number. Let's hope that's the end of the number leak, but O2 might face some stiff repercussions if the ICO deems it a breach of privacy. If you're an O2 customer I would still steer clear of 2G/3G browsing until O2 comes out and confirms it's fixed the problem; better safe than sorry. Then again, you can always check for yourself.
Update: O2 has written up an apology, of sorts. It had apparently been sharing users' numbers with any and all sites browsed over its network since 10 January, and managed to shut it off today at 2pm. Routine maintenance is said to have caused the problem.
The interesting bit, however, is that O2 says it shares your phone number with "trusted partners" for "age verification, premium content billing, such as for downloads, and O2's own services", which it calls "standard industry practice". That may not surprise anyone, but it would have been nice to be told at the time, and to know with whom our numbers are shared.
I'd guess that any network whose adult-content filter requires a credit card to prove you're over 18 before it's lifted does so on the basis of your phone number as the identifier. I suspect there'll be repercussions from this phone-number-sharing balls-up, not necessarily limited to O2, now that we know networks hand out our phone numbers as we browse particular sites. It certainly would be nice to know who these "trusted partners" are.
Just tried the script and mine's all clear. I'm running iOS 5.0.1. Tried both with Wi-Fi on and over 3G only; no caller ID is sent. Strange.
Hopefully O2's fixed it.
Excellent stuff. It seems that everyone who has visited ismyphonenumbervisible.co.uk on O2 just gave out their phone number to a scammer.
It's been reported that this was just a quick exploit to collect phone numbers, and it worked. Nearly a million O2 numbers collected in a morning.
Scamception.
Some fast work there by some sneaky ass hole
You sort of have to admire the chutzpa. Grudgingly, perhaps, but that’s pretty nimble.
Where have you seen that report, by the way? Search Google for the link and the only page it finds is this one.
Interesting although would like to see proof…
How do you know it is a scam site?
How do you know it’s not?
Don't be such a knob, Mikje. You have publicly called the coder of that site a scammer, and now need to back up those claims!
If it is, the decent thing to do would be to link to this report you claim exists; if it isn't, or you don't, you're just being a dick. Frankly I see no evidence of the former and plenty of the latter.
It's MikJe's site. Quick thinking, Mik!
Whois lookup on the domain:
ismyphonenumbervisible.co.uk
A-Record: 159.22.3.45
Host: 45-Link.bethere.co.uk
Primary Contact: MikJe
Technical Contact: MikJe
Interestingly enough, MikeJe owns this 419 scam site registered to the same primary contact above: http://www.dafk.net/what/
Erm, sorry?
I made that site. My name’s at the bottom of it. I can assure you NO DATA HAS BEEN COLLECTED. None. At all. I don’t particularly like the assumption either.
I made the website in 20 minutes this morning to help people out, and I get called out as a spammer?
Yeah. Thanks.
A failed attempt at me being facetious.
Please excuse Token. It would appear he has, against his doctor's orders, cut down on his medication. He was trying to be humorous, I'm sure. MikJe, on the other hand, I cannot speak for.
I do not use O2 at the moment, but I want to thank you for doing this anyway and for posting it here on Giz.
Tried earlier on 3G and just tried over a non-3G network, and both result in my number being sent.
Just tried on my iPhone 4, running 5.0.1 on 3G, and yep, there it is, my full number! Sort it out, O2.
Should have been fixed as of 2pm according to O2.
iPhone = Contract. Not being sent.
iPad = Prepay. Not being sent.
Galaxy S II = Prepay. Definitely sending my number.
Sort it out, Android!
It's nothing to do with Android.
Even the screenshot on this post shows it happening on an iOS device.
I’ve confirmed it happening on iOS too.
I have a feeling that it is just Token teasing Darrell.
#trollfail
Nope. Definitely an Android issue. Still happening on my S II.
Android baiting, love it.
At least it's cleaner than iPad-baiting: http://www.gizmodo.co.uk/2012/01/confirmed-fleshlight-developing-ipad-case-you-can-bone/
He is a master…….
Of his art
As an O2 customer, I’m not that bothered by this. Maybe I should be, but nothing that has been mentioned so far has made me panic or worry. Am I missing something here?
Didn't check this morning, but as of now I don't seem to have the problem:
Nexus S = Prepay O2. Not being sent.
RAZR = Contract Tesco. Not being sent.
WP7 = Prepay GiffGaff. Not being sent.
Thanks for the article, Sam.
I didn’t get a chance to check earlier either but now it seems fine.
SG2 on Tesco contract.
No repeat on my phone either. Good to see they have fixed it.
I think some people are missing the point. All well and good checking your phone now and saying "mine isn't sending it". The point is that O2 had been sending this information out in the headers from 10th January until it fixed it today, so either way the damage has already (potentially) been done.
Also, it has openly admitted to sharing this information with "trusted" third parties, which I certainly would not have opted in for. Yet I don't see them offering an opt-out option, which is in direct violation of our rights under the Data Protection Act.
I don't think people are missing this; they were responding to the initial awareness of the problem and its fix. Action against O2 for this breach of customer confidentiality and data leakage is a matter for the authorities. I think a follow-up article on the "trusted partners" is a good idea, along with information on where people can complain about this.