O2 is facing a major privacy backlash from its customers – and those on Tesco Mobile, which uses its network – after claims that the company was sharing subscribers’ mobile numbers with websites they visit.
The threat has been exposed by web systems administrator Lewis Peckover, who posted details of how he spotted mobile phone number details when visitors went to his website from their handsets.
He said: “If you’re on O2’s UK mobile network, you’ll (probably) see a line beginning with x-up-calling-line-id – followed by your mobile phone number in plain text. It is logical to conclude that this same information is sent to all other websites too.”
The numbers are included as plan text in the header information sent by the phone to the website. The data would be easy for a website owner to collect and use for sending SMS messages or making marketing calls.
Peckover said that the problem did not seem to affect all users but was not confined to any one mobile handset or operating system. Customers of other mobile networks were not affected.
But Graham Cluley, of security firm Sophos, said the problem had been known for at least two years. He said it was mentioned at a conference in Vancouver in March 2010.
Cluley added: “My guess is that it’s more likely to be a cock-up than malice which caused this data to be leaked – but what’s worse is that the problem is still present almost two years after it was first discovered.”
O2 said it was investigating the reports.
