25 Jan 2012, 9:41 p.m.

Your Mobile Phone Number is not Safe with your Mobile Operator

There has been a lot of fuss today about mobile network O2 handing out the mobile numbers of its customers to websites that they visit.

That's clearly an unfortunate occurrence, and O2 users as well as the web in general were understandably outraged. But what surprised me was not that it happened at all, it was the fact that the public really don't understand quite how widely it was happening already.

I used to work in the "mobile personalisation" arena (ringtone subscriptions, to you and me) so I have a little experience in this area. What I say will necessarily be fairly vague, mainly because it was a few years ago, but partly because I don't have time for legal proceedings right now.

The long and the short of it is that depending on what country you live in and the operator you are on, websites you visit using your phone can get your phone number. The difference is that they typically have to pay hefty amounts of money to your operator for it.

There are several ways for sites to get your number (called an "MSISDN" in the trade) once they have the necessary relationship with your operator.

Sometimes the MSISDN comes through in the HTTP request headers, as in today's incident. It won't always be the x-up-calling-line-id header. That's a common choice, but it could be, for example, x-nokia-msisdn if you have that make of phone [1]. Another possibility is that the MSISDN is sent in a cookie added by the operator's gateway.
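To make the header and cookie cases concrete, here is an added example (not code from this post or from any operator) that a site owner could run over incoming request headers to spot and strip subscriber numbers before they reach logs or application code. The two header names are the ones mentioned above; the digit-pattern heuristic, the function names and the sample request are assumptions made for illustration.

```python
import re
from http.cookies import SimpleCookie

# Header names taken from the post; operators may use others.
KNOWN_MSISDN_HEADERS = {"x-up-calling-line-id", "x-nokia-msisdn"}
# Heuristic (assumption): an optional '+' followed by 10-15 digits and nothing
# else looks like an international phone number.
MSISDN_VALUE = re.compile(r"^\+?\d{10,15}$")


def find_msisdn_leaks(headers):
    """Return sorted (location, reason) pairs for fields that may carry an MSISDN."""
    leaks = []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                if "msisdn" in key.lower() or MSISDN_VALUE.match(morsel.value):
                    leaks.append((f"cookie:{key}", "cookie looks like an MSISDN"))
        elif lname in KNOWN_MSISDN_HEADERS:
            leaks.append((lname, "known MSISDN header"))
        elif "msisdn" in lname or MSISDN_VALUE.match(value.strip()):
            leaks.append((lname, "header looks like an MSISDN"))
    return sorted(leaks)


def scrub(headers):
    """Copy of headers with flagged headers dropped and flagged cookies removed."""
    flagged = {loc for loc, _ in find_msisdn_leaks(headers)}
    clean = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            kept = [f"{k}={m.value}" for k, m in jar.items()
                    if f"cookie:{k}" not in flagged]
            if kept:  # drop the Cookie header entirely if nothing is left
                clean[name] = "; ".join(kept)
        elif lname not in flagged:
            clean[name] = value
    return clean


# Constructed sample request (not captured traffic); the number is fictional.
SAMPLE = {
    "Host": "example.com",
    "User-Agent": "ExampleBrowser/1.0",
    "x-up-calling-line-id": "447700900123",
    "Cookie": "session=abc123; msisdn=447700900123",
}
```

The value heuristic can flag unrelated all-digit headers, so treat its hits as candidates to review rather than confirmed leaks.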

Another option is for the website to sign up with what's known as an "aggregator", such as Bango (who helpfully provide a unique ID so that you can be tracked even if your number isn't available) or Ericsson IPX.

These services typically require your mobile browser to be redirected to a third-party site which has a special relationship with your operator. The third party then passes the number back, behind the scenes, to the website you are visiting.

There are several other methods, but as I say, it was some time ago, and I think you get the point. I should also add that some operators do not allow this, and in some countries it's banned outright either by law or by industry regulations.

The point is that you, the customer, do not know. And it's big business for some of the operators who are essentially selling their customers' identities. Today O2 simply gave it away for free.

[1] http://mobiforge.com/developing/blog/useful-x-headers

Posted by Simon at 01:53:00 PM
26 Jan 2012, 4:29 p.m.

Ciaran McNulty

Hm, I'd always assumed the *operator*'s portal would have this information, I never realised they sold it to third parties!

Presumably this is something that I agreed to in the endless Ts and Cs when signing my contract.