Blog of a Long Distance Worker Tech

This morning a twitter comment alerted me to an issue with the O2 mobile phone broadband data service. In common with all broadband internet services, O2 passes its traffic from customers via a transparent proxy which can additionally do things like reduce the file size of pictures through compression. This is normally specified in the APN configuration of your phone. The ‘new information’ though was that it was making use of a feature of the Openwave WAP proxies to additionally tag a HTTP request header on to each transaction that gave away the subscriber’s mobile phone number. The HTTP request header is the very clear x-u-calling-line-id. You also need to know that this happens regardless of the client device you are using as it is built in to the Openwave proxy.

This is a serious breach of privacy for any mobile phone owner as EVERY SINGLE WEBSITE that the subscriber visits via the broadband connection will then have a copy of the subscribers mobile phone number. No opt-in or opt-out. Also it is quite likely that this has been happening for many years, in fact it could be as old as 3G Broadband from O2. To confirm if you are affected, I suggest you visit a site that displays all of your headers and look for your phone number or other personally identifiable information such as http://www.cylog.org/headers/.

Right now O2 is scrambling to deal with this PR and possible legal issue. I am personally offended that they do this as well. However you need to think wider than this. O2 is not necessarily the only company doing this, nor does it have to be via the same HTTP request header. After all, that header is something that Openwave provides which can be being used by any mobile operator in the world. Additionally other mobile operator WAP gateways manufacturers can and do use different methods of doing the same thing. The result is that privacy can be being breached worldwide, whenever you use your 3G Broadband connectivity.

This means that not only can someone personally identify you very easily, they can pair the informaton directly with the IP address that you are operating on which will also allow the identification of where you are.

If you are interested in background as to what you can be sharing when using your Mobile Broadband connectivity, please look at these two sites http://mobiforge.com/developing/blog/useful-x-headers and http://www.mulliner.org/collin/academic/publications/mobile_web_privacy_icin10_mulliner.pdf.