RICHARD FAWCETT'S WEBSITE

25 January 2012
O2 Disclose Mobile Numbers to Websites

Yesterday lunchtime, Lewis Peckover (@lewispeckover) noticed that mobile browsers on O2's UK network were sending the phone's number in an HTTP header, making it available to every website browsed. The header is not present when browsing over WiFi, which indicates that it is probably added in transit by O2.

The story gained momentum on Wednesday morning on Twitter, and as the image below shows, O2's Twitter account was being inundated with people complaining about this.
[image]

Around lunchtime today, the Guardian published an article about the breach. The article quoted a spokesman from the Information Commissioner's Office as saying there was no immediate breach of the Data Protection Act, as a mobile phone number on its own is not classed as "personally identifiable information".

This seemed nonsense to me, so I took a look at the legislation.

Section 1(1) states that "personal data" means data which relate to a living individual who can be identified -
        (a) from those data, or
        (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

I would argue that the phone number is personal data, as O2 can use it in conjunction with their billing records to identify the account holder.

Section 1(1) also states that "processing", in relation to data, includes among other things "disclosure of the information or data by transmission".

So, at this point, we can say that O2 have processed personal data by transferring it to websites visited by the user of the phone. There are, of course, many conditions laid out which govern the processing of data. The first principle (set out in Schedule 1, Part 1, #1) reads:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
        (a) at least one of the conditions in Schedule 2 is met, and
        (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is met.

Well, this isn't sensitive personal data (which is limited to things like religion, political affiliation, sexual preference), so this means that O2 must satisfy at least one of the conditions in Schedule 2 before they can process the data. So, here are the conditions:

1. The data subject has given consent to the processing.
2. The processing is necessary for the performance of a contract to which the data subject is a party, or for entering into such a contract.
3. The processing is necessary for compliance with a legal obligation.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary for the administration of justice, for the exercise of functions of either House of Parliament, for the exercise of any functions of the Crown, or for the exercise of any other functions of a public nature exercised in the public interest by any person.

So, a quick glance will tell you that O2 can only process this data if explicit permission has been given by the subject for them to do so.

Now, when signing up for a contract, you have to agree to the Privacy Policy of O2. Section 5 is entitled "Disclosure of your Information" and guess what… it doesn't say that it will disclose it to every Tom, Dick or Harry who runs a website. So, by agreeing to their terms and conditions, data subjects do not consent to their information being used in this way.

I'd argue that this means that O2 are in breach of the Data Protection Act.  Case closed, although I'm no lawyer….

If you want to see whether you're affected, Lewis has written a quick web page which will tell you if it's being sent your phone number.  Visit it at http://lew.io/headers.php.
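For site operators on the receiving end, the same check can be run server-side so that a carrier-injected number is never logged or passed to application code. The following is an added example, not Lewis's page or any code from this post; the header name `X-Example-Subscriber`, the sample requests and the list of skipped client headers are assumptions made for illustration.

```python
import re

# Constructed pattern for UK mobile numbers: 07xxxxxxxxx, 447xxxxxxxxx, +447xxxxxxxxx.
UK_MOBILE = re.compile(r"(?<!\d)(?:\+?44|0)7\d{9}(?!\d)")

# Headers set by the browser itself (assumption: skipped to reduce false positives).
CLIENT_HEADERS = {"cookie", "referer", "user-agent", "authorization"}


def redact(number):
    """Keep only the last three digits so the finding can be logged safely."""
    return "*" * (len(number) - 3) + number[-3:]


def find_msisdn_headers(headers):
    """Return {header_name: redacted_value} for headers carrying a UK mobile number."""
    hits = {}
    for name, value in headers.items():
        if name.lower() in CLIENT_HEADERS:
            continue
        if UK_MOBILE.search(value):
            hits[name] = UK_MOBILE.sub(lambda m: redact(m.group()), value)
    return hits


def scrub(headers):
    """Drop flagged headers before the request reaches application code or logs."""
    flagged = find_msisdn_headers(headers)
    return {k: v for k, v in headers.items() if k not in flagged}


# Constructed sample requests. X-Example-Subscriber is a hypothetical header name;
# 07700 900123 is from the range reserved for fictional use.
MOBILE_REQUEST = {
    "Host": "example.org",
    "User-Agent": "ExampleBrowser/1.0",
    "Accept": "text/html",
    "X-Example-Subscriber": "447700900123",
}
WIFI_REQUEST = {k: v for k, v in MOBILE_REQUEST.items() if k != "X-Example-Subscriber"}

if __name__ == "__main__":
    print(find_msisdn_headers(MOBILE_REQUEST))
    print(find_msisdn_headers(WIFI_REQUEST))
```

Matching on the value rather than a fixed header name means the check still works if the operator's proxy uses a header you have not seen before.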

Update 25-Jan-2012 15:39

Since writing earlier today, O2 have issued an explanation of what went wrong on their blog. In it, they say that the problem has been occurring since 10th January owing to a bug. The reason it's even possible is that this data is designed to be sent to trusted third parties for purposes of age verification etc. (and this is permitted by their privacy policy). However, given that the data doesn't go over WiFi, the trusted third parties are only getting the information in certain cases, which makes it hard to understand how this could work for them.

The good news is that the data breach is now fixed, and O2 are co-operating with the Information Commissioner's Office and have notified OFCOM. Full marks to O2 on the transparent way they've handled this.