UK mobile operator O2 has responded to reports this morning that it was delivering customer phone numbers to third-party websites, noting that it has fixed the issue, adding that it was caused by “technical changes [it] implemented as part of routine maintenance.”
The issue was brought to our attention by Lewis Peckover, who created a simple webpage to check the information that a mobile browser would send to a website when it requested data. Whilst most of the data was to be expected, including the Host, User Agent, Referrer and Encoding, there was also another field in the results — x-up-calling-line-id — or to the layman, your mobile phone number.
Whilst website owners would need to match the phone number to a visitor on their website and then maybe an account, The Next Web learned that the issue could also allow spammers to conduct increasingly targeted phishing scams on unsuspecting users.
O2 has now fixed the error, explaining in a blog post that between the 10th of January and 2pm today, in addition to the usual trusted partners, there had “been the potential for disclosure of customers’ mobile phone numbers to further website owners”.
It also detailed the issue itself, offering a similar explanation to comments we had posted in our original article:
Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ringtones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi.
O2 aims to be as transparent as it can be as to how it shares its customer information, declaring that it only offers data to “trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2’s own services,” making it easier for the company to bill and effectively restrict information to minors on its networks.
In response to a statement from the Information Commissioner’s Office, O2 says that it will “be co-operating fully” and that it has also contacted OFCOM.
Whether this will be enough to appease O2 users remains to be seen; many customers have been outraged that websites and also advertisers have been able to collect their phone numbers (should they have been aware that they could do so).
If you try to access the logging sites, your number should not appear on the website, so you will be able to rest easy tonight. But that doesn’t mean your number isn’t residing on a server that logged headers between January 10 and 2pm today.
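For site operators whose servers logged request headers during that window, the sketch below masks the x-up-calling-line-id value both before new headers are written to a log and in lines already stored. It is an added example, not code from the original article or from O2; the log layout, the function names and the sample phone number are constructed assumptions.

```python
import re

# The header named in the article; HTTP header names are case-insensitive.
MSISDN_HEADER = "x-up-calling-line-id"

# Matches 'x-up-calling-line-id: <number>' and '"x-up-calling-line-id": "<number>"'
# inside a stored log line (both layouts are assumptions about how a site logs).
_LOG_PATTERN = re.compile(
    r'(?i)(x-up-calling-line-id"?\s*[:=]\s*"?)(\+?\d[\d\s-]{5,18}\d)'
)

def mask(number: str) -> str:
    """Keep only the last two digits so repeat visitors can still be correlated."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 2) + digits[-2:]

def scrub_headers(headers: dict) -> dict:
    """Return a copy of the request headers that is safe to write to a log."""
    return {
        name: (mask(value) if name.lower() == MSISDN_HEADER else value)
        for name, value in headers.items()
    }

def scrub_log(lines):
    """Mask numbers already sitting in stored logs; return (clean_lines, hit_count)."""
    hits = 0
    clean = []
    for line in lines:
        new_line, n = _LOG_PATTERN.subn(
            lambda m: m.group(1) + mask(m.group(2)), line
        )
        hits += n
        clean.append(new_line)
    return clean, hits

# Constructed sample data; the number is made up for this example.
SAMPLE_HEADERS = {"Host": "example.test", "X-UP-Calling-Line-ID": "447700900123"}
SAMPLE_LOG = [
    'GET /check x-up-calling-line-id: 447700900123 ua="Mozilla"',
    '{"X-Up-Calling-Line-ID": "447700900123", "host": "example.test"}',
    'GET /index host: example.test ua="Mozilla"',
]

if __name__ == "__main__":
    print(scrub_headers(SAMPLE_HEADERS))
    cleaned, count = scrub_log(SAMPLE_LOG)
    print(count, "value(s) masked")
    print("\n".join(cleaned))
```

The hit count from `scrub_log` also tells an operator how many logged requests carried a number.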