When users of its network visit a site, O2 injects the user's mobile phone number into the request. The number is then available to the website host, which raises obvious data protection issues. O2 does this by modifying the HTTP request and inserting the number in the 'x-up-calling-line-id' HTTP header.
Alarmingly, it does this on all unencrypted site visits (i.e. 'http', not 'https'), so these end-sites can trivially harvest visitors' mobile numbers and link them to the content visited.
This can be verified by visiting http://lew.io/headers.php on an O2 mobile device. The site serves as a tool to show the visitor the HTTP headers the server received when the user requested that page.
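As an added example (not part of the complaint or the lew.io tool), the following Python shows the site-operator side of the issue: a minimal header echo in the spirit of headers.php, and a WSGI middleware that drops the 'x-up-calling-line-id' header before application code or logs can capture the number. The sample request headers and phone number are constructed; the WSGI key name follows the standard HTTP_-prefix convention.

```python
import re

# Header named in the complaint; WSGI exposes it as HTTP_X_UP_CALLING_LINE_ID.
SUBSCRIBER_HEADER = "x-up-calling-line-id"
WSGI_KEY = "HTTP_" + SUBSCRIBER_HEADER.upper().replace("-", "_")

# Rough shape of an MSISDN (7-15 digits, optional leading '+'); constructed heuristic.
PHONE_RE = re.compile(r"^\+?\d{7,15}$")


def looks_like_msisdn(value: str) -> bool:
    """True if the header value has the shape of a phone number."""
    return bool(PHONE_RE.match(value.strip()))


class StripSubscriberHeader:
    """WSGI middleware: remove the carrier-injected number before the app sees it.

    Only a count is kept, never the value, so the site cannot accidentally log it.
    """

    def __init__(self, app):
        self.app = app
        self.stripped = 0

    def __call__(self, environ, start_response):
        value = environ.pop(WSGI_KEY, None)
        if value is not None and looks_like_msisdn(value):
            self.stripped += 1
        return self.app(environ, start_response)


def echo_headers_app(environ, start_response):
    """Minimal echo like the headers.php tool: list the request headers received."""
    lines = sorted(f"{k[5:].replace('_', '-').lower()}: {v}"
                   for k, v in environ.items() if k.startswith("HTTP_"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return ["\n".join(lines).encode()]


def run_request(app, headers):
    """Drive a WSGI app with constructed headers; return (status, body text)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/headers", "wsgi.url_scheme": "http"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s))).decode()
    return status[0], body


# Constructed sample of what an unencrypted request via the gateway would carry.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "User-Agent": "constructed-handset/1.0",
    "X-Up-Calling-Line-Id": "447700900123",  # fictional UK number (drama range)
}
```

Wrapping a real application as `StripSubscriberHeader(app)` gives the operator data minimisation at the edge; the echo app shows what an unwrapped site would receive.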
COVERING LETTER WITH EMAIL TO casework@ico.gsi.gov.uk:
To whom it may concern,
Please find attached my complaint against O2 under the Data Protection Act.
When users of its network visit a site, O2 injects the user's mobile phone number into the request. The number is then available to the website host, which raises obvious data protection issues.
-------------------------
SECTION 4:
Name: Telefonica O2 UK
Address: 260 Bath Road
Postcode: SL1 4DX
Phone: 0800 089 0202
Email: peter.erksine@o2.com
Website: http://www.o2.co.uk
SECTION 6:
When users of its network visit a site, O2 injects the user's mobile phone number into the request. The number is then available to the website host, which raises obvious data protection issues. O2 does this by modifying the HTTP request and inserting the number in the 'x-up-calling-line-id' HTTP header.
Alarmingly, it does this on all unencrypted site visits (i.e. 'http', not 'https'), so these end-sites can trivially harvest visitors' mobile numbers and link them to the content visited.
This can be verified by visiting http://lew.io/headers.php on an O2 mobile device. The site serves as a tool to show the visitor the HTTP headers the server received when the user requested that page.
SECTION 10:
Online utility that shows the headers sent in your page request: http://lew.io/headers.php
Discussion on the technical forum 'Hacker News': http://news.ycombinator.org/item?id=3508857
Official O2 Twitter account responding to (and misunderstanding/misrepresenting) the problem: https://twitter.com/#!/O2/status/161872584634408960
-------------------------