O2 closes number leak loophole [Update: Official comment]

UK carrier O2 has apparently fixed the loophole that exposed subscribers' mobile numbers to websites they visited using their handset's data connection, though there's still no official explanation as to how the issue arose. Controversy sparked earlier today, when one O2 subscriber realized browsing sites via his phone's data connection transmitted his number in among the header data; a proof-of-concept site prompted the expected outcry against the carrier. Update: O2 has commented officially on the issue; more after the cut.

However, over the past few hours, evidence of the header gaffe has disappeared, suggesting someone at O2 has flicked the right switch to deactivate the inadvertent privacy breach. The relatively swift action may not be sufficient to save the carrier from censure, though.

The UK Information Commissioners Office (ICO) told paidContent that, while revealing a number in itself does not officially count as a data breach, revealing that plus other personally-identifiable information would do. The government organization said it would be discussing the matter with O2:

"Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website. We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed" ICO

There are indications, however, that O2 has been using mobile numbers to help sites identify users surfing on their handset. Last night, the company tweeted whistleblower Lewis Peckover with the explanation that "the mobile number in the HTML is linked to how the site determines that your browsing from a mobile device."

Update: O2 has responded to the issue with an apology and the following Q&A. The carrier blames "technical changes" made as part of "routine maintenance" that accidentally shared users' phone numbers with not only "trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services" but all sites.

Q: What's happened with O2 mobile numbers when I browse the internet on my mobile?

A: Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. This happens across the internet, and enables website owners to optimise the site you see. When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners. This is standard industry practice. We share mobile numbers with selected trusted partners for 3 reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi.

Q: How long has this been happening?

A: In between the 10th of January and 1400 Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers' mobile phone numbers to further website owners.

Q: Has it been fixed?

A: Yes. It was fixed as of 1400 on Wednesday 25th January 2012.

Q: Which of my information can website owners access?

A: The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers.

Q: Why did this happen?

A: Technical changes we implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site.

Q: Which customers were affected?

A: It affected customers accessing the internet via their mobile phone on 3G or WAP services, but not WIFI, between 10th of January and 1400 on Wednesday the 25th of January.

Q: Which websites do you normally share my mobile number with?

A: Only where absolutely required by trusted partners who work with us on age verification, premium content billing, such as for downloads, and O2's own services, have access to these mobile numbers.

Q: The Information Commissioner said he is investigating – what are you doing as part of this?

A: We are in contact with the Information Commissioner's office, and we will be co-operating fully. We have also contacted OFCOM.