O2 phone number revealing "scandal". A common sense perspective
[Short link to this post if you need it: http://goo.gl/ayGcB or retweet me]
Yesterday @lewispeckover published an article about the fact that O2 were putting an HTTP header (x-up-calling-line-id) with the user's phone number in place on every non-encrypted web request put through their network by their proxies. This also affected MVNOs using O2, such as GiffGaff and Tesco Mobile. The proxies are used, amongst other things, to reduce image quality to improve page load times and other things. The injection of the HTTP header with the phone number is something they do to give the number to "trusted parties" who provide certain age-related services, where they can verify the number with the provider. This only happens when using O2's data network where the proxies are used, and not over any other connection such as your home wifi. Also some browsers, such as Opera and the BlackBerry ones make use of their own proxes and bypass O2's ones, and will therefore not be subject to the HTTP header injection. Right, now the description is out of the way I'll get to the point.
Now clearly, distributing everyone's phone numbers in this way was not smart - it was a huge cock-up on part of someone at O2 to be sending this to all sites over the course of around two weeks - no-one is attempting to defend that. But what I find more interesting is the "Daily Mail" type of response that an awful lot of people have had to this. If you look at O2's official statement on it (which, to their credit, they have answered some of the more sensible questions on, and updated the original article accordingly). I personally pushed them (OK I had to ask twice but they did then respond to fix the "under certain circumstances your mobile number would be made available" wording - since O2 were sending it to everyone, so the "circumstances" were whether the website bothered to read the appropriate header, not something determined by O2 for that period. However most of the comments to their article are bordering on what can best be described as "noise".
The vast majority of the comments that have been added are along the lines of this one asking for a list of O2's "trusted parties", or this one saying their lying about the numbers only being sent to trusted parties (O2 have admitted a breach caused it to be sent to everyone - this is not in dispute - as I and one or two others have suggested - people should read and understand the article before posting gibberish). This comment asking for logs of who got my information was particularly optimistic. There are several comments suggesting they are in breach of T&C by sending it to anyone at all where they probably aren't and more importantly the number of people asking for a list of the sites that the details are sent to, and asking for contract cancelations and phone unlocking probably aren't aware that other phone networks also do similar things to send your number to selected parties according to the BBC article on the subject. Besides, O2 have already said in the thread that they're looking into the trusted parties list so give them some time to put a response together on that. Or even better, spend your time asking the other networks about their lists instead of giving O2 so much abuse for it. There have been some comments from people saying they've been exposed to "spam" texts. While the leak may have been the cause, it's hard to prove given that many people get such texts. It may be coincidence,
If anything good comes out of this, it might be that people just finally might think twice about accepting T&C without reading them. But I suspect most people will have forgotten it in a couple of weeks time and continue as normal - as happens every time facebook changes the layout of its site. The simple fact is that we now seem to live in a goldfish generation. But then we don't need to remember anything any more, we just google it. I'm going off topic, so I'll stop :-)
But consider this: Are you sure you know what your favorite social networking sites are doing with the mobile numbers you provide to them? Did you read all the T&C for them or are you just jumping on the O2-bashing bandwagon because of something that other people have told you about, but which you didn't care about when you signed up for your new shiny mobile? Honestly, if you don't consider internet security at the best of times, why complain now? As for the two-week leak, I'm not entirely sure I care too much anyway now that it's been plugged. Although I hope the ad agencies/porn sites that people were visiting didn't pick up on it quickly for direct marketing purposes. Frankly the number in itself probably isn't too useful - what are they going to do? Cold call someone without knowing their name? If they send a text offering services of their web site then that's probably not going to be good for their PR to have exploited O2's mistake.
So it doesn't bother me. I wouldn't care about my home address being made public either - someone can drive down the street to get that but it won't necessarily map it back to me. It can be used for direct marketing, true, but that doesn't mean it's easy to map that back to who I am without further information (unless it's a business) - whereas if you go down my street you might find my name if you went through my bins - much easier. In the grand scheme of things, it's low on the list of security problems on the internet. I'd rather spend time educating people on SecureCode / VerifiedByVisa properly to allow them to shop online safely for example ...
Yesterday @lewispeckover published an article about the fact that O2 were putting an HTTP header (x-up-calling-line-id) with the user's phone number in place on every non-encrypted web request put through their network by their proxies. This also affected MVNOs using O2, such as GiffGaff and Tesco Mobile. The proxies are used, amongst other things, to reduce image quality to improve page load times and other things. The injection of the HTTP header with the phone number is something they do to give the number to "trusted parties" who provide certain age-related services, where they can verify the number with the provider. This only happens when using O2's data network where the proxies are used, and not over any other connection such as your home wifi. Also some browsers, such as Opera and the BlackBerry ones make use of their own proxes and bypass O2's ones, and will therefore not be subject to the HTTP header injection. Right, now the description is out of the way I'll get to the point.
Now clearly, distributing everyone's phone numbers in this way was not smart - it was a huge cock-up on part of someone at O2 to be sending this to all sites over the course of around two weeks - no-one is attempting to defend that. But what I find more interesting is the "Daily Mail" type of response that an awful lot of people have had to this. If you look at O2's official statement on it (which, to their credit, they have answered some of the more sensible questions on, and updated the original article accordingly). I personally pushed them (OK I had to ask twice but they did then respond to fix the "under certain circumstances your mobile number would be made available" wording - since O2 were sending it to everyone, so the "circumstances" were whether the website bothered to read the appropriate header, not something determined by O2 for that period. However most of the comments to their article are bordering on what can best be described as "noise".
The vast majority of the comments that have been added are along the lines of this one asking for a list of O2's "trusted parties", or this one saying their lying about the numbers only being sent to trusted parties (O2 have admitted a breach caused it to be sent to everyone - this is not in dispute - as I and one or two others have suggested - people should read and understand the article before posting gibberish). This comment asking for logs of who got my information was particularly optimistic. There are several comments suggesting they are in breach of T&C by sending it to anyone at all where they probably aren't and more importantly the number of people asking for a list of the sites that the details are sent to, and asking for contract cancelations and phone unlocking probably aren't aware that other phone networks also do similar things to send your number to selected parties according to the BBC article on the subject. Besides, O2 have already said in the thread that they're looking into the trusted parties list so give them some time to put a response together on that. Or even better, spend your time asking the other networks about their lists instead of giving O2 so much abuse for it. There have been some comments from people saying they've been exposed to "spam" texts. While the leak may have been the cause, it's hard to prove given that many people get such texts. It may be coincidence,
If anything good comes out of this, it might be that people just finally might think twice about accepting T&C without reading them. But I suspect most people will have forgotten it in a couple of weeks time and continue as normal - as happens every time facebook changes the layout of its site. The simple fact is that we now seem to live in a goldfish generation. But then we don't need to remember anything any more, we just google it. I'm going off topic, so I'll stop :-)
But consider this: Are you sure you know what your favorite social networking sites are doing with the mobile numbers you provide to them? Did you read all the T&C for them or are you just jumping on the O2-bashing bandwagon because of something that other people have told you about, but which you didn't care about when you signed up for your new shiny mobile? Honestly, if you don't consider internet security at the best of times, why complain now? As for the two-week leak, I'm not entirely sure I care too much anyway now that it's been plugged. Although I hope the ad agencies/porn sites that people were visiting didn't pick up on it quickly for direct marketing purposes. Frankly the number in itself probably isn't too useful - what are they going to do? Cold call someone without knowing their name? If they send a text offering services of their web site then that's probably not going to be good for their PR to have exploited O2's mistake.
So it doesn't bother me. I wouldn't care about my home address being made public either - someone can drive down the street to get that but it won't necessarily map it back to me. It can be used for direct marketing, true, but that doesn't mean it's easy to map that back to who I am without further information (unless it's a business) - whereas if you go down my street you might find my name if you went through my bins - much easier. In the grand scheme of things, it's low on the list of security problems on the internet. I'd rather spend time educating people on SecureCode / VerifiedByVisa properly to allow them to shop online safely for example ...
Hi there, we now have a blog that will provide all the info you need. You can also ask any further questions you have on the blog: http://j.mp/MPNblog
ReplyDeleteThanks
Dan - O2 Social Media Team
Thanks Dan, although given that most of the hyperlinks in this article are to comments in that blog, and the fact I've applauded the fact you've been updating the original article as questions come in, it's fairly clear that I'd already seen it ;-)
Delete