O2 have been revealing your mobile phone number to every website you visit.
O2 claim "This is standard industry practice", and http://sophosnews.files.wordpress.com/2010/03/random_tales_mobile_hacker.pdf (page 11+) supports them [source: http://www.annaraccoon.com/politics/o2-to-be-a-fly-on-the-wall/]. The author provides a privacy checker: http://www.mulliner.org/pc.cgi - it's green for me after O2's fix, so I can't say if it works.
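For readers who want to see what a checker of that kind has to do, here is an added example (my own code, not the mulliner.org script and not anything from O2): it parses the header block of a raw HTTP request and flags any header whose value looks like a mobile number. The header name X-Example-Msisdn and the 07700 900xxx numbers in the sample requests are constructed for the example; the real check is deliberately header-name-agnostic, since a website owner cannot know in advance which header a carrier might use.

```python
"""Header-leak checker (added example): flag request headers whose value
looks like a mobile number (MSISDN), whatever the header is called."""
import re
from typing import Dict, List, Tuple

# E.164-style value: optional leading '+', then 10 to 15 digits.
# UK national numbers such as 07700900123 (11 digits) match too.
MSISDN_RE = re.compile(r"^\+?\d{10,15}$")

# Headers that legitimately carry long numeric values; constructed
# allow-list so they are not reported as leaks.
IGNORE = {"content-length", "x-forwarded-port"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict.
    The request line is skipped, names are lower-cased, and a blank
    line ends the block (anything after it is the body)."""
    headers: Dict[str, str] = {}
    lines = raw.strip("\r\n").splitlines()
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def looks_like_msisdn(value: str) -> bool:
    """True if the value, with spaces/dashes/brackets removed, is a
    plausible phone number."""
    digits = re.sub(r"[\s\-()]", "", value)
    return bool(MSISDN_RE.match(digits))


def find_leaked_numbers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header name, value) pairs that look like phone numbers."""
    return [(n, v) for n, v in headers.items()
            if n not in IGNORE and looks_like_msisdn(v)]


def privacy_status(raw_request: str) -> str:
    """'red' if any header carries a number, else 'green' (the colour
    scheme mirrors the checker mentioned in the post)."""
    return "red" if find_leaked_numbers(parse_headers(raw_request)) else "green"


# Constructed sample requests. X-Example-Msisdn is a made-up header name;
# 07700 900xxx is a UK range reserved for fictional use.
SAMPLE_LEAKY = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 2.3)\r\n"
    "Content-Length: 1234567890\r\n"
    "X-Example-Msisdn: +447700900123\r\n"
    "\r\n"
)
SAMPLE_CLEAN = (
    "GET /account HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 2.3)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, privacy_status(req), find_leaked_numbers(parse_headers(req)))
```

Run against a request captured from a phone on the carrier's network (not over Wi-Fi, where the carrier proxy is not in the path) and the output tells you which header, if any, is carrying the number.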
O2's official response is here: http://blog.o2.co.uk/home/2012/01/o2-mobile-numbers-and-web-browsing.html. It's a pretty vacuous piece of PR, unfortunately. I was going to comment, but O2 aren't responding and I couldn't find any other way to send my comments to them, so... I'm going to post them as publicly as possible.
O2 say: "Every time you browse a website (via mobile or desktop), certain technical information about the machine you are using, is passed to website owners. [...] When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners."
Many people asked to see the list or be given an opt-out. So far O2 hasn't responded.
So, the "trusted partners" are so trustworthy their identities can't be revealed. But ours can, without us knowing to whom. That's a bit Orwellian.
O2: "In between the 10th of January and 1400 Wednesday 25th of January, in addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners."
News reports indicate that it was not just a "potential for disclosure" - phone numbers WERE being disclosed.
O2: "The only information websites had access to is your mobile number, which could not have been linked to any other identifying information we have about customers."
However, it could easily have been linked to other identifying information the visited websites have, such as your login details, your home address, which pages you visit, who your friends are, etc. It can also be used to make unwanted calls to you and send you spam text messages.
It's disingenuous to avoid mentioning that. This blog post is not a straightforward and honest attempt to answer the obvious questions. Rather, it evades them. It reads like it was written by a spin-doctor.
O2: "Why did this happen? Because of a maintenance change"
That's not actually an answer. It must surely have happened because (at a minimum):
1) O2 didn't test the new software thoroughly enough.
2) O2 didn't do enough monitoring to notice the breach until it became a news story.
3) O2 didn't encrypt the data or use surrogate data to make it impossible for non-trusted parties to read it if it was ever inadvertently revealed.
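To make point 3 concrete, here is an added example of the "surrogate data" approach (my own illustration, not O2's design or code). Instead of inserting the raw number into a header, the carrier inserts an HMAC of the number keyed per partner: a header that reaches an unintended site reveals only an opaque token, and the token given to one partner cannot be correlated with another partner's token. Only the carrier, holding the key, can map a token back to a subscriber. The key, partner names, header name X-Example-Surrogate-Id and the numbers are all constructed for the example.

```python
"""Per-partner surrogate identifiers for a mobile number (added example,
not O2's implementation)."""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed key; a real deployment would keep this in an HSM or KMS.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def surrogate(key: bytes, partner: str, msisdn: str) -> str:
    """HMAC-SHA256(key, partner || 0x00 || msisdn), truncated to 128 bits.
    Same (partner, number) always yields the same token, so the partner
    can still recognise a returning subscriber; different partners get
    unrelated tokens for the same number."""
    msg = partner.encode("utf-8") + b"\x00" + msisdn.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def header_for(key: bytes, partner: str, msisdn: str) -> Tuple[str, str]:
    """What the carrier proxy would add to the request instead of the
    raw number (header name is made up for the example)."""
    return ("X-Example-Surrogate-Id", surrogate(key, partner, msisdn))


def resolve(key: bytes, partner: str, token: str,
            subscribers: Iterable[str]) -> Optional[str]:
    """Carrier-side reverse lookup: recompute the token for each known
    subscriber and compare in constant time. Without the key a website
    cannot do this, and a brute-force over all possible numbers is only
    feasible for the key holder."""
    for m in subscribers:
        if hmac.compare_digest(surrogate(key, partner, m), token):
            return m
    return None


def unlinkable_across_partners(key: bytes, msisdn: str,
                               partners: Iterable[str]) -> bool:
    """True if every partner receives a distinct token for this number."""
    tokens = [surrogate(key, p, msisdn) for p in partners]
    return len(set(tokens)) == len(tokens)


if __name__ == "__main__":
    number = "+447700900123"          # fictional UK range
    for partner in ("partner-a", "partner-b"):
        print(partner, header_for(DEMO_KEY, partner, number))
    print(resolve(DEMO_KEY, "partner-a",
                  surrogate(DEMO_KEY, "partner-a", number),
                  ["+447700900001", number]))
```

Note what this does and does not buy: a leaked token still lets a single site recognise a returning visitor, so the list of partners and an opt-out remain necessary, but a token cannot be dialled, texted, or joined against another site's records the way a raw number can.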
O2 had few or no measures in place to prevent this happening. They've probably got nothing in place to prevent the next security breach either.
O2 doesn't take security seriously. I waited months for a fix for the security hole in O2 wireless boxes which allowed "drive-by" hacking by a malicious website. Several times customer services gave me a date on which the fix would be deployed, and it never was. This was despite the fix being available - they just had to deploy it! I gave up waiting and replaced my O2 router with a Draytek ADSL router in the end.
"Security through PR" ought to be O2's mission statement.