So, a configuration snafu by the sound of it. But it's also drawn attention to the fact that they share customers' phone numbers with 'selected trusted partners' which will probably come as a surprise to many. If their audit mechanisms and processes are so lax that sharing phone numbers with the whole internet wasn't recognised, how well managed can we expect the 'trusted partners' white list to be?
> "A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers."
The problem here is not that it was only the mobile number, rather that these sites are able to link your mobile number to the content that you have viewed. There's a scenario here in which sites that had collected this information could publish (or otherwise leak, i.e. through hacking) lists of mobile numbers to URLs visited.
In an age of lax privacy protections and data-sharing it's not hard to obtain people's mobile numbers. What would happen when a potential employer googles your mobile phone number and finds the crawled data?
Steps we now need to take:
1) Some kind of request to get the full list (Subject Access Request under DPA, as pointed out below?)
2) If there is no opt-out process, lodge a Data Protection complaint to the ICO
> A Freedom of Information request to get the full list,
Although (as far as I know) the FOI Act only applies to public bodies (government and organisations like universities). So O2 wouldn't need to comply with a request under that act. Not sure if the ICO could force them to disclose that info, but I doubt it.
That is correct. You can issue a Subject Access Request under the Data Protection Act to find out information about an individual (yourself) and who this has been shared with. You can only issue a SAR in writing and there is a capped charge of £10 for the privilege.
Firstly, hats off to O2 for going into crisis mode, responding to customer complaints directly, and then resolving the issue and putting out a complete statement on the same day the matter was brought up.
Secondly, however, this statement smells faintly of fluffy language and PR speak:
> When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice.
Is it really industry practice? Can anybody in this field confirm this? I can see why it would be useful for billing as they mention, but is this really an effective way to do age verification?
> in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.
Woah, there's nothing "potential" about it - this was right there in the HTTP headers. Saying "there has been the potential..." implies the website owner would have had to do some hacking to get hold of this information, which is not the case, right?
Yes this is industry standard practice. I worked on the official mobile appstore for AT&T Wireless (way back when it was known as Cingular) that handled ringtones/graphics/apps/games and we had access to that header as well for billing purposes. We used it to track purchase history on that site for recommendations/profiling and also used it for segmenting the mobile UI storefront.
> Is it really industry practice? Can anybody in this field confirm this? I can see why it would be useful for billing as they mention, but is this really an effective way to do age verification?
I'm in the field, and this is indeed standard industry practice. It is useful for many purposes, billing and age verification being just two, but the main root reason being that wireless carriers typically use the mobile number as the root identity for a subscriber profile that is shared across multiple backend systems.
It's an effective way to do age verification provided the carrier has implemented some type of process during sign-up or via some other (in)direct method, mainly by leveraging the identity of the subscriber and running a check against it.
A similar technique seems to be in use by at least one other UK network.
I'm with 3 (one of O2's rivals) and if I access my account information from my handset connected to their network, it takes me straight to the relevant info without a pesky login. (If I try the same via wi-fi, I get a page asking me to disconnect from the hotspot and go back online via 3G.)
I always did wonder how they achieved this--sending the mobile number in the HTTP headers is likely.
It's possible that they set the header at their gateway so that it will override whatever you set from your device. It's also possible that the app is firewalled to only be accessible directly from their mobile network.
Of course, it's also possible that at least one operator isn't following appropriate measures to make this secure.
A few years ago Verizon included an XID variable in the headers (essentially a unique subscriber code), but I'm not sure what the SOP is today.
Granted, there are still several ad-testing companies that store a variety of mobile cookies for tracking impressions, but this is much different from permanent, header-based tracking that used to occur with Verizon and possibly others.
It's quite straightforward to dump the entire header in a database, but most sites don't. None of my sites do. Apache, lighttpd, thttpd, etc don't (maybe they do with an appropriate plug-in).
People seemed to be reacting as if every website an O2 customer visited was going to add their phone number to their files, and that's not the case.
One of the principles of the Data Protection Act here in the UK is:
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
In my view, mobile phone companies have my phone number so they can connect my calls. Providing age verification with "trusted partners" would seem to be a step beyond that specified purpose.
The act also says:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
If you just want to verify age, or verify the customer uses O2, then providing their entire phone number seems excessive to me. Even if they want to bill the user, a UUID could be used that's unconnected to the user's phone number.
Even if O2 were just sharing the data with "trusted partners", it doesn't look like they were acting legally.
The 'excessive' angle seems hopeless to argue: that just leads to endless debates about what is 'excessive'.
Instead, I'd rather argue about whether this piece of personal data is 'relevant'. It obviously isn't. As you say, they could easily replace it with a UUID or, to use something permanent already at their disposal, your O2 customer-id (which might arguably also be personal information, but at least not something anyone with wireshark can immediately use to get you on the bloody phone).
It's an example of sheer laziness to send the telephone number itself instead of doing a lookup and sending something less sensitive. I've dealt with a similar situation with zipcode verification and you can bet I refused to send the zipcode straight up or hashed (the number of zipcodes is rather limited).
I don't understand how this "trusted partner" thing would work. It's HTTP and phone numbers are not secret. Can I send an HTTP header with a "friend's" phone number in it and have their account charged?
Sending your name in clear text is not a digital signature.
(There are so many good ways to authenticate users of a network that it makes me sad to see "tack on a phone number" was even considered, much less implemented, pushed to production, and accidentally turned on for the Entire Internet. Doh.)
If it's anything like the systems I've come across, there is a proxy server on the mobile data network with a whitelist of either IPs or URL patterns that will have the number added as an HTTP header ("header enrichment"), then the endpoints (so the third party systems) must be configured to only accept this header from the IP range of the proxies, so that should avoid spoofing if correctly configured. I'd have thought this IP restriction requirement would be part of the contract they'd have to sign to get the data.
The man-in-the-middle proxy adds the phone number based on your IMEI. You could probably send someone else's number down and it'd change the header back to yours in the proxy.
The SMS spoofing issue (which has been around forever) is far worse as it's not proxied anywhere. Some SMS-controlled devices use the SMS from number as an authentication scheme which is much much more dangerous as that can be spoofed easily.
It's all about trust and it appears that trusting proprietary networks is an issue.
Headers that can be used to identify the end user:
Header name                  What it means
x-drutt-portal-user-msisdn   The mobile phone number.
x-h3g-msisdn                 The phone number.
x-imsi                       The IMSI number. Identifies the end user.
x-msisdn                     The end user's phone number.
x-wsb-identity               End user's phone number.
x-wte-msisdn                 Indicates that the value is a phone number. Does not look like that...
x-nokia-imsi                 IMSI value.
x-nokia-alias                The end user's phone number, encrypted.
x-nokia-msisdn               The user's phone number in plain text.
x-up-calling-line-id         End user identifier.
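The IP-restriction rule described a few comments up (accept the enriched number only from the carrier's proxy range), written out as an added example that is not code from O2, any carrier, or anyone in this thread: a partner-side filter that trusts the number only when the TCP peer is in a contracted proxy range and otherwise strips every identity header from the list above before billing or age-verification code can see it. The proxy range and the sample number below are constructed placeholders.

```python
import ipaddress

# Carrier "header enrichment" identity headers as listed in the thread above.
IDENTITY_HEADERS = {
    "x-drutt-portal-user-msisdn", "x-h3g-msisdn", "x-imsi", "x-msisdn",
    "x-wsb-identity", "x-wte-msisdn", "x-nokia-imsi", "x-nokia-alias",
    "x-nokia-msisdn", "x-up-calling-line-id",
}

# Constructed placeholder for the proxy range a partner would be given under
# contract; a real deployment takes this from the operator, not from here.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def from_trusted_proxy(peer_ip, trusted_nets=TRUSTED_PROXY_NETS):
    """True only if the TCP peer address lies inside a contracted proxy range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:          # garbage peer address: never trusted
        return False
    return any(addr in net for net in trusted_nets)


def identity_headers_present(headers):
    """Audit helper: which enrichment headers arrived at all (case-insensitive)."""
    return sorted(h for h in headers if h.lower() in IDENTITY_HEADERS)


def subscriber_from_request(headers, peer_ip, trusted_nets=TRUSTED_PROXY_NETS):
    """Return (msisdn or None, headers safe to pass downstream).

    A client on the open internet can put any number in x-msisdn, so the value
    is used only when the request came through the carrier proxy; otherwise all
    identity headers are dropped rather than merely ignored.
    """
    if not from_trusted_proxy(peer_ip, trusted_nets):
        cleaned = {k: v for k, v in headers.items()
                   if k.lower() not in IDENTITY_HEADERS}
        return None, cleaned
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-msisdn"), dict(headers)


if __name__ == "__main__":
    # Constructed sample: same headers, once via the proxy, once direct.
    req = {"Host": "partner.example", "X-MSISDN": "447700900123"}
    print(subscriber_from_request(req, "198.51.100.7"))   # number accepted
    print(subscriber_from_request(req, "203.0.113.9"))    # (None, stripped)
```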
Predictable, nothing too surprising. I think they're going to have a lot of questions to answer around age verification though, seeing as they put in an age verification program without customer request or warning over the last year or so.
From this I'm assuming that the company they used for this (Bango I believe) would have been sent my mobile number in the past if I ever tried to access content they thought should have been verified. There has not previously been any messaging from o2 around this. Disquieting indeed. I would not have agreed to that transfer of information (nothing to hide, but it's MY information).
It's a shame they've come so close to an open and honest response and then detract from it with phrases such as "possible in certain circumstances for other websites to see the mobile number." From what I understand it wasn't really certain circumstances, it was in almost all circumstances that the data was made available; whether the site knew it was available or chose to do anything about it was another matter.
I wonder if this means that Age verification can be spoofed by changing that header or if it's just one of several methods they use.
It's only the general circumstance because you are considering only this circumstance. I know you mean "all websites not some", but this is a non-technical public note for all O2 customers, to say "all circumstances" is wrong and misleading.
O2 also sell data plans for iPads, do email/webmail services, sell home ADSL connections, as well as provide cellphones. It would be bad if they left people believing their phone number was sent out on their O2 broadband when web browsing (are tethering users affected?), or perhaps it is only parts of the country which are affected, maybe some infrastructure was acquired from buyouts and phones connected to that weren't affected?
Covering their ass is a non-deceptive reason to say that - it's not all so they shouldn't say it. Maybe "many".
I work with major carriers in North America - This is not industry standard practice here.
At most, we will send area code to partners (mostly for ad targeting) but this is never exposed in wap headers.
If we are doing age verification, we send age range to partners, likewise never exposed in headers.
Never full phone number. If for some reason a partner needs access to this, they would have a local database corresponding to scrambled wap signatures - which ARE sent in headers.
This is where the interpretation of the statement comes into play. It's certainly commonplace throughout the wireless carrier industry to send the mobile number to "trusted sites" within the carrier network (such as a ringtone/download portal), or over a pre-arranged VPN tunnel.
And when I say "commonplace", I'm referring to multiple carriers around the world, including North America.
However, the level of trust that a site qualifies for may necessitate a more nuanced or out-of-band approach similar to what you've experienced, where a 3rd party partner may receive the scrambled identifier and request the mobile number mapping for billing purposes.
There are lots of ways to skin a cat. My only point here is that there are multiple carriers around the world that routinely use this method of sending the mobile number in plaintext to sites they trust, typically over communication channels that they trust (i.e. over network gear they either own or have secured). I've seen this from both sides (working at and with carriers).
But there are a heck of a lot more 3rd party partner sites that do not usually receive full mobile numbers in the clear, so from that perspective, there is a point to be said about this not being "industry practice". Semantics.
You don't have to believe them. Numerous people have found it clear that they are not sharing it with only trusted parties, but were in fact sharing it with everyone.
This is a factual inaccuracy in the statement from O2.
O2's position is clearly that they normally only share mobile numbers with these unspecified "trusted partners". However, this configuration glitch has led to the mobile number being shared with everyone.
I think most people reading the statement would understand that.
"Q: Which websites do you normally share my mobile number with?
A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services, have access to these mobile numbers."
But those trusted partners may share your mobile phone number with their "trusted" partners. I know Ericsson IPX does this at least in Germany.
It usually works via several http redirects and is unnoticeable even to the client application using the usual http client APIs.
"2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased"
Does anyone else get the feeling this could be exploited to make unauthorized purchases which would be billed to <random_O2_customer>? I want to think they have this covered, but with a config glitch leaking your phone number on the net who knows what kind of security they have in place.
Surely this is hugely open to abuse. I could curl requests at an O2 partner's site to purchase a ringtone and pass along any O2 number I like, setting the aforementioned headers. Unless the partner site does some sort of extra verification (I have seen no mention of this anywhere), then the O2 number I use will run up a massive bill... Have I missed something?
Those blog comments are pretty dismal; aside from the didn't read/don't understand/just angry, the repeated calls for a total list of trusted partners - is a blog comment really the right place to ask that? Does anyone expect O2 to answer those?
And how many people think such a list is going to be useful at all? It won't be three companies you've heard of, it will be pages and pages of sites and background services companies and test sites and so on.
Mr or Mrs "I want to make a considered decision, I might not trust them", are you really going to make a considered decision if your number is passed to, say, "TechElbonia UK Services, O2 portal processing for connections passing through dept 17 routes, and URLs matching the following 10 line regex (..)"?
The list of trusted partners is interesting to see what happens if you spoof mobile phone numbers. They've already said that it's involved in payment in some way...
A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.
But it is used for age verification and billing...
I suppose that O2 gives their trusted partners a way to check age and make billings through a private API or similar. Any other site which is not affiliated with them wouldn't have access to that API so they can't get any other information.
I think it means that only phone numbers were exposed, not other identifying information. The billing and age verification systems (into which presumably the phone number is a key) were not compromised.
I use O2 with my iPad 2, and this really doesn't surprise me. The 'adult payment' restriction on half of the Internet made me quickly find out that VPNs offer a practical workaround.
I don't trust O2 as a bearer, so I use a VPN instead, which also comes in handy for hotel room/café wireless hotspots.
This seems to be quite a simple fix; SMS spoofing's a much more complicated problem I think because it requires co-operation across carriers.
There are also a lot of services which rely on "legitimate spoofing", e.g. Skype allowing you to send text messages from its service which appear to be from your actual mobile number (so they can be replied to etc).