Blog Post

Update 2: Privacy Alert: O2 Fixes Hole That Shared Users’ Phone Numbers

Update: Mobile operator O2 says that as of 2pm Wednesday, it has fixed the part of its mobile web browsing service that was reporting mobile phone users’ telephone numbers to websites they visited via O2’s mobile data network.

In a blog post, it said that the phone numbers were revealed between January 10 and January 25, as a result of “technical changes” around “routine maintenance”. It was unintended.

The company further writes: “In addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.” Who are the ‘usual trusted partners’? O2 writes that normally it shares numbers “only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2’s own services,” but does not give more details of who exactly goes on that whitelist. It should be noted that this is also in contradiction to O2’s initial response, which implied that showing the number was a normal part of mobile web browsing, not an accident.

More disclosure about the whitelist, and how O2 shares a user’s phone number, may be forthcoming: O2 says it is now in conversation with the Information Commissioners’ Office and Ofcom about the matter — not to mention the many angry customers criticizing O2 on Wednesday and threatening to take their mobile business elsewhere.

Original post with more details on this story follows below.

O2, one of the largest mobile operators in Europe, says that it is currently investigating accusations that it is sharing its customers’ mobile numbers with websites visited while surfing on the carrier’s mobile data network.

The allegations come amid growing questions of user privacy both at the regulatory level and among consumers. These have been highlighted over a spread of cases in the last several months covering companies like Facebook, Google (NSDQ: GOOG) and Microsoft (NSDQ: MSFT) — as well as device makers and carriers working with companies like CarrierIQ.

And they come on the same day that the European Commission published new rules regarding data privacy, with companies that breach them facing fines of up to two percent of their annual turnover. These laws would only come into effect at the end of 2013.

Lewis Peckover, a web systems administrator in London, said he first noticed the issue on Tuesday, when he was looking for “ways to verify a user is on a mobile device/network” and discovered that his own mobile number was getting displayed as part of the header information.

To explore the matter further, he set up a simple website — which he named “Bad O2!” — that lets users see what information gets passed to that website when they visit it from a particular browser or device. He encouraged users to try this out for themselves.

The result has been that several other people have also found their number appearing on the site — meaning that there is a likelihood that others going to other websites via O2’s wireless data network were also having their numbers revealed elsewhere.

From what we have seen so far, it looks like it is only O2 and not other carriers sharing this information: a test with Three and another via T-Mobile did not yield our numbers showing up on the diagnostic page. O2 also runs MNVO services, such as its own GiffGaff, and Tesco Mobile, and their customers are also having their numbers revealed.

Nor does it seem like O2 numbers appear every time: some have pointed out that their O2 numbers are not coming up in their own header tests.

However, when it does pick up the number, it appears to be happening on both iPhones as well as Android devices. Here’s one example that we were sent:

Chris Welton, who sent us the image, noted that he turned off his WiFi before testing, so this does not seem to be connected to the free WiFi network that O2 rolled out last year, as part of its push into mobile advertising.

O2 last night told Peckover, via Twitter, “The mobile number in the HTML is linked to how the site determines that you’re browsing from a mobile device.”

But it’s not clear, still, why it would be that the numbers are appearing inconsistently, and why O2 is sharing this information when our tests with other mobile operators have not come up with the same results: that implies there are ways around this that O2 is not taking. We have reached out to O2 for a response to these allegations, and, if they prove accurate — why it is that this information is getting passed along, and for what purpose.

Alexander Hanff, a privacy advocate and consultant for Privacy International, tells paidContent that sharing information like a telephone number to indicate mobile browsing could be a “very serious breach” of privacy regulations:

“It indicates a fundamental lack of understanding of privacy and security within O2 as there are many other ways to illustrate that there is a mobile device accessing a web site (such as the User Agent string),” he told us via email. “This is a serious breach with potentially serious consequences with regards to the harvesting of these numbers and phishing (for example if you open an email on your device with images embedded, the second you open that email, your phone number will be sent to the server where those images are being sent from).”

He also points out that there could be a “real cost to consumers”: “I am currently overseas, if my cell number is harvested and I receive cold calls whilst overseas I have to pay roaming charges for those calls – furthermore, O2 would profit from those calls (if I were an O2 customer) and the numbers could be significant.”

Perhaps most damagingly he notes: “This is a clear breach of the Data Protection Act as phone numbers are classed as PII for legitimate reasons, it is also likely that this is a breach of Privacy and Electronic Communications (EC Directive) Regulations and possibly a criminal breach of Regulation of Investigatory Powers Act (RIPA) which since early 2011 has carried penalties for “unintentional” interception of communications.”

Given that O2 in the UK alone has several million customers this could become a very serious issue indeed. If you are an O2 customer outside the UK, please let us know if you are also finding similar results with your own test. You can use the link here to try it out.

The UK’s Information Commissioner’s Office (ICO) has told paidContent that a mobile number on its own is not a data breach per se, but when it is coupled with any other identifying information it can constitute a data breach. Also, she pointed out that because O2 is apparently revealing its own customers’ numbers, that raises questions. The ICO also emailed a prepared statement on the situation:

“Keeping people’s personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed.”

Meanwhile TNW takes a look at how this one bit of information — your number — can subsequently then get used for more serious activities, such as phishing and other spam practices.

2 Responses to “Update 2: Privacy Alert: O2 Fixes Hole That Shared Users’ Phone Numbers”

  1. According to @charlesarthur the ICO this morning claimed that mobile numbers are not personal data, and therefore no data protection issues. This contradicts with the ICO’s own guidance, which states (in relation to IP addresses) that an IP address is likely to be personal data if it is tied to a single personal (not shared) device. (cf an IP address for a PC that may be shared between multiple users).

    See page 9 of

    Given that a mobile phone number is clearly linked to a single, personal, device, I don’t understand why a different approach is being suggested by the ICO.

    That said, provided O2’s terms and conditions make it clear what is being disclosed, there may not be an issue. Has anyone reviewed these to see what they say?