Smartphone Privacy Snafu: U.K. Carrier Broadcasts Numbers - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Smartphone Privacy Snafu: U.K. Carrier Broadcasts Numbers

Mobile provider O2 said it has patched problem that shared phone numbers with websites. But users of the Orange network in Spain report similar issues.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)

Is your mobile phone carrier disclosing your smartphone's telephone number to every website you visit?

The short answer was yes, at least for subscribers to O2 in the United Kingdom who were accessing data via a 3G or WAP--although not Wi-Fi--connection. O2 is Britain's second-largest mobile network operator, part of Telefonica, which is the world's fourth-largest mobile network operator.

The telephone number-sharing problem was first disclosed Wednesday by system administrator Lewis Peckover on Twitter: "User-agent header ID's the device. Passing mobile number to third party sites is not ok! Seems like a data protection act breach to me?" Users of other services that piggyback on the O2 network, for example from GiffGaff and Tesco, were also affected.

On Wednesday, O2 said via Twitter it was investigating the issue. Later in the day, it then said that it had fixed the problem, which dated to January 10, 2012. It also released a statement acknowledging that there had been "potential for disclosure of customers' mobile phone numbers to further website owners." The company said the error stemmed from routine network maintenance, reported Wired.

"Security is of the utmost importance to us and we take the protection of our customers' data extremely seriously," said the O2 statement.

[ Mobile carrier security concerns aren't limited to the U.K. Read Carrier IQ: Mobile App Crap Must Stop. ]

The U.K. Information Commissioner, which enforces the country's data protection and privacy laws, released a statement Wednesday saying that it's investigating the alleged breach. "When people visit a website via their mobile phone they would not expect their number to be made available to that website," it said. "We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."

Meanwhile, O2 Wednesday also provided a detailed overview of the incident, which it characterized as a "one-off." The company also said that it was "putting in additional measures to prevent a reoccurrence," and was working with the Information Commissioner, as well as Britain's communications regulator. But O2 said customers would only be compensated for the telephone-number-sharing error if they could "demonstrate material loss."

Graham Cluley, senior technology consultant at Sophos, said in a blog post Wednesday that he'd confirmed the telephone-number-sharing problem prior to O2 fixing it, after he tested a colleague's iPhone that operates on the O2 mobile network. "Sure enough, his mobile number was being secretly communicated to websites he visited, embedded inside an http header called HTTP_X_UP_CALLING_LINE_ID."

"It's hard to understand why a mobile phone network operator would think it is necessary to transmit their customers' mobile phone numbers to the website they visit," said Cluley, noting that the information could easily be abused by spammers. "If your mobile phone number is scooped up, it could then be used to SMS text-spam you," he said.

O2, however, has clarified that in two types of cases it continues to share telephone numbers. The first is with "trusted partners"--for example, when customers purchase add-on ringtones, wallpaper, or other content that gets delivered straight to devices. "We carefully vet these sites and only work with them under contractual obligation, to ensure your mobile phone number is only used to bill you," said O2.

The telephone numbers are also used for age-verification purposes, to comply with Britain's child-protection regulations. "For those customers who have not verified with us that they are over 18, we share your number with and, who then verify your age before you are able to access sites with over-18 content," according to O2. "Your number is not shared further than these two partners."

But Cluley also questioned why such a privacy breach occurred, two years after a security researcher disclosed these exact types of issues. Indeed, the underlying problem was first detailed in 2010 by Collin Mulliner, then a student in Berlin, in "Privacy Leaks in Mobile Phone Internet Access," a paper he presented at the CanSecWest conference in Vancouver. Notably, Mulliner was one of the first researchers to use fuzzing--submitting random or unexpected data to applications or devices--to find vulnerabilities in mobile phones.

Worried that your phone might also be disclosing private data? Mulliner has created a privacy checker for mobile phone users (be sure to disable Wi-Fi before browsing to the site), which assesses whether a device is over-sharing (triggers a red page) or seems to be okay (cues a green page).

Thanks to that tool, people have found that O2 in Britain hasn't been the only mobile network operator inappropriately disclosing private data. Notably, elEconomista reported Wednesday that two owners of Samsung-built Android smartphones that use the mobile network operator Orange in Spain had discovered a similar data privacy issue. But a user of an iPhone on the same network reported no inappropriate data disclosure, suggesting that the problem, at least there, may be somewhat device-specific.

The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Flash Poll