Slashdot Mirror


Aussie Telco Caught Handing Over User Mobile Numbers To Websites Without Consent

AlbanX writes: Australian telco Optus has been nabbed passing its customers' mobile phone numbers to third-party websites without the customers' knowledge or consent. The practice, known as HTTP header enrichment, aims to streamline the process of direct billing for customers, but they're not happy. The discovery was made by a user on the telco forum Whirlpool, and Optus confirmed it. They said, "Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites."

35 comments

  1. Consent is a killer and also but a sideshow by Anonymous Coward · · Score: 1

    Why is it that telcos feel entitled to meddle in customers' data packets at all? "Adding headers"? I Think Not.

    1. Re:Consent is a killer and also but a sideshow by Anonymous Coward · · Score: 0

      Here, we fornicate under consent of the king, and we add our own headers. Many many headers. Not many packets though.

  2. What a coincidence by temcat · · Score: 1

    Just heard a rumor that some (unspecified) carriers do the same here in Russia, and there are even rogue sites that bill unsuspecting users via the carrier account for visiting them. No idea if it's true or even possible technically/legally, but how do I protect myself from a carrier sending my account data to the site?

    1. Re:What a coincidence by Anonymous Coward · · Score: 0

      > ...but how do I protect myself from a carrier sending my account data to the site?

      You don't.

    2. Re: What a coincidence by Anonymous Coward · · Score: 0

      VPN into your home router.

    3. Re: What a coincidence by temcat · · Score: 1

      Well, the talk is about connecting straight from the phone or via tethering.

    4. Re:What a coincidence by petermgreen · · Score: 1

      It's perfectly possible technically.

      Your carrier can easily find out what sites you are connecting to and what IPs/ports you are using to do it (and if they are using CGN how those IP/port combinations map through their NAT). They can easily pass that information on to the site operator. For unencrypted protocols they can trivially inject additional headers. For encrypted protocols they can't inject headers as easily, but they could easily arrange with the site owner to pass the information over another channel.

      Your only real defense is to use a VPN to hide the details of the mobile carrier from the target site and vice versa. Yes, this does mean additional cost and likely performance degradation.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

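
The injection petermgreen describes can be checked for from the defender's side by comparing the request a client sent with the request the origin actually received; anything present on arrival that the client never sent was added on the path. The following Python is an added example, not code from this thread, from Optus or from Whirlpool: `carrier_proxy` is a constructed stand-in for an enriching transparent proxy, and the header name `X-Example-Subscriber-Id`, the hostnames and the number are constructed placeholders.

```python
"""Spot carrier-side HTTP header enrichment by diffing the request a client
sent against the request the origin server actually received.

Added example for this thread, not Optus or Whirlpool code. carrier_proxy is a
constructed stand-in for an enriching transparent proxy; the header name
X-Example-Subscriber-Id, the hostnames and the phone number are constructed
placeholders.
"""
from typing import Dict, Set, Tuple

Headers = Dict[str, str]


def build_request(host: str, path: str, extra: Headers) -> bytes:
    """Serialise a minimal HTTP/1.1 GET carrying only the headers the client chose."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in extra.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw request into its request line and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers: Headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def carrier_proxy(raw: bytes, msisdn: str, partner_hosts: Set[str]) -> bytes:
    """Constructed model of the behaviour described in the thread: the proxy
    appends the subscriber's number only when the Host header names a partner
    site, and passes every other request through untouched."""
    _, headers = parse_request(raw)
    if headers.get("host") not in partner_hosts:
        return raw
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + b"\r\nX-Example-Subscriber-Id: " + msisdn.encode("ascii") + sep + body


def injected_headers(sent: bytes, received: bytes) -> Headers:
    """Headers present (or altered) on arrival that the client never sent.
    A non-empty result means something on the path rewrote the request."""
    _, sent_headers = parse_request(sent)
    _, recv_headers = parse_request(received)
    return {
        name: value
        for name, value in recv_headers.items()
        if sent_headers.get(name) != value
    }


def demo() -> Headers:
    """Run one probe against a partner host through the constructed proxy."""
    probe = {"User-Agent": "enrichment-probe/1.0"}
    partners = {"partner.example"}
    sent = build_request("partner.example", "/probe", probe)
    return injected_headers(sent, carrier_proxy(sent, "+61400000000", partners))


if __name__ == "__main__":
    print(demo())  # constructed run: {'x-example-subscriber-id': '+61400000000'}
```

In a live check the two halves run on different machines: the client logs the exact request it sent and a server you control echoes what arrived, and the diff is computed the same way. Over HTTPS a carrier proxy cannot append to the request at all, which is what the HTTPS discussion in this thread is about.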
    5. Re: What a coincidence by Anonymous Coward · · Score: 0

      Use https sites/tunnels.

  3. "Caught" would imply... by geekmux · · Score: 5, Insightful

    ...a crime was committed, or at minimum that we're going to actually do something to them.

    Of course, we all know nothing will come of this, or at best a slap-on-the-wrist fine, which they've probably already calculated as a standard business expense.

    Might as well just stop putting stories out like this until consumers are actually willing to act upon it. I'm willing to bet there isn't enough consumer give-a-shit left in the world to tackle even this single issue, let alone tackle the mass arrogance that corporations pull off today at the expense of the customer.

    What does it matter if you label someone as "caught" if the reaction is nothing?

    1. Re:"Caught" would imply... by Psychotria · · Score: 2

      TL;DR... TH;DR Too Hard, Didn't React

    2. Re:"Caught" would imply... by Gadget_Guy · · Score: 3, Insightful

      "Caught" does not imply anything of the sort. If you were caught cheating on your wife, no crime is implied. If you were caught picking your nose, nothing would be done to you (unless you work in food preparation, perhaps).

      In this case, "caught" simply means that the telco was found to be doing something that they hadn't told their customers about (and would obviously prefer they didn't know about). And no, we shouldn't stop posting stories like this. Perhaps Optus will get away with it this time, but each time something similar comes to light it will build in the collective minds of the public. Eventually something will be done to protect privacy; either at the legal level or the personal level like everyone starting to use VPNs. We will all say the VPNs are to protect us from corporate privacy issues, but really it will be to get around the Great Firewall of Australia or data retention laws.

    3. Re:"Caught" would imply... by Jawnn · · Score: 1

      > ...a crime was committed...

      Not really. Laws, criminal codes to be more precise, apply to people, not corporations. Didn't you get the memo?

  4. I do want a HTTPS web by Lennie · · Score: 5, Informative

    See, this is exactly why I want a HTTPS web.

    I do think Let's Encrypt is on the right track. When they show their protocol and open source software work, I'm pretty sure other CAs will follow.

    Automating HTTPS deployment is a good thing.

    Yes, the CA-system isn't a perfect system at all, but at least we are seeing some improvements in use of HTTPS:
    - https://en.wikipedia.org/wiki/... (better revocation of certificates and faster loading of sites and better privacy)
    - https://blog.mozilla.org/secur... (better revocation of certificates)
    - https://en.wikipedia.org/wiki/... (old browser finally dying)
    - HTTP/2 is faster than HTTP and sort of depends on HTTPS for backward compatibility for old proxy servers and public websites
    - finally we are getting rid of all the old protocols like SSLv3 and get our server configurations cleaned up

    Especially for regular visitors of a site things are improving:
    https://developer.mozilla.org/... (a CA can NOT issue a cert for a fake certificate - works in Firefox and Chrome)
    https://en.wikipedia.org/wiki/... (always HTTPS, no HTTP on the second visit)

    --
    New things are always on the horizon

    1. Re:I do want a HTTPS web by Anonymous Coward · · Score: 0

      > I'm pretty sure other CAs will follow.

      I hope so too because if a single security service is very easy to use the landscape will quickly turn into a security monoculture, which is not very secure. We do not want to be relying on the same root cert, but instead we need to have a choice of root certs from various countries with differing political and legal structures. The more options we have the easier it will be to route around insecurity if it should raise its ugly head.

    2. Re:I do want a HTTPS web by Anonymous Coward · · Score: 0

      LE is a distraction. The fact they want me to run their daemon on my web server means I never will. I'm sure there are other people who feel similarly. If they don't actually issue certs, then they're useless.

    3. Re:I do want a HTTPS web by WaffleMonster · · Score: 1

      > See, this is exactly why I want a HTTPS web.

      Let's think about this critically for a moment.

      The mobile provider has a "relationship" with certain websites. When there is such collusion what is the basis for assuming SSL is at all helpful in this scenario?

      They are already operating a MITM proxy to inject the headers. Is any of the following at all unreasonable or impractical?

      1. Provider sees you're going to a commercial relationship site by destination IP.

      2. Commercial relationship site has already provided ISP with certificates to MITM itself since ah they have a "commercial relationship".

      3. ISP injects the headers anyway behind your back by MITMing the SSL connection which you assumed was "secure" and private. Furthermore the presence of encryption makes it more difficult for anyone to figure out what is going on.

    4. Re:I do want a HTTPS web by Lennie · · Score: 1

      This only works if the website gives the ISP their private key. When the relationship between the website and the ISP is short, the website would probably be reluctant to do that.

      So I'm not so sure they would do that.

      But I agree if they have such a relationship another way would be for the ISP to have a protocol where the website can get the information they currently put in the header by requesting the information that goes with an IP/port combination. Just like haproxy/postfix does it:

      http://permalink.gmane.org/gma...

      But at least nobody else can get this information. For example when it's unencrypted any passive attacker could see the extra header that was added.

      --
      New things are always on the horizon

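
The mechanism haproxy and Postfix share, which Lennie's comment points at, is the PROXY protocol: the front-end hands the backend only the connection's original addresses and ports, in-band, ahead of the application data. A site relying on that would still have to look the subscriber up out of band with the carrier, which is the IP/port lookup Lennie describes. The parser below is an added example, not haproxy or Postfix code; it handles the v1 text header with the validation a backend needs, and the sample line in `demo()` is constructed from documentation address ranges.

```python
"""Parse a PROXY protocol v1 header, the convention haproxy uses (and Postfix
accepts) to pass the original client IP/port to a backend in-band.

Added example for this thread, not haproxy or Postfix code. The sample line in
demo() is constructed; the addresses come from documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_V1_LINE = 107  # spec: a v1 header is at most 107 bytes including the CRLF


@dataclass(frozen=True)
class ProxyInfo:
    family: str     # "TCP4" or "TCP6"
    src_addr: str   # original client address as the front-end proxy saw it
    src_port: int
    dst_addr: str   # address the client connected to on the proxy
    dst_port: int


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Return (info, remaining_bytes).

    info is None for "PROXY UNKNOWN", which the spec says to accept while
    ignoring any address fields; anything malformed raises ValueError so the
    backend can drop the connection rather than trust a bogus source address.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("not a PROXY v1 header")
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_LINE:
        raise ValueError("PROXY v1 header missing CRLF or too long")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]          # application data follows the header
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY v1 header: {fields!r}")
    addr_type = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    src_addr, dst_addr = addr_type(fields[2]), addr_type(fields[3])  # raises on junk
    src_port, dst_port = int(fields[4]), int(fields[5])
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return ProxyInfo(fields[1], str(src_addr), src_port, str(dst_addr), dst_port), rest


def demo() -> ProxyInfo:
    """Parse a constructed header followed by the start of an HTTP request."""
    sample = b"PROXY TCP4 198.51.100.23 203.0.113.8 51234 443\r\nGET / HTTP/1.1\r\n"
    info, _rest = parse_proxy_v1(sample)
    return info


if __name__ == "__main__":
    print(demo())
```

Note what the header does and does not carry: the backend learns the client's IP and port, nothing more, and only from a front-end it already trusts, which is why haproxy and Postfix both require the protocol to be explicitly enabled per listener rather than accepted from arbitrary peers.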
    5. Re:I do want a HTTPS web by WaffleMonster · · Score: 1

      > This only works if the website gives the ISP their private key. When the relationship between the website and the ISP is short, the website would probably be reluctant to do that.

      It doesn't have to be the private key to their primary domain; it could be a subdomain created specifically for this purpose.

      > But at least nobody else can get this information.
      > For example when it's unencrypted any passive attacker could see the extra header that was added.

      Gremlins in the tubes are mostly red herrings. They exist and there is value in avoiding them yet most damage is inflicted by other means.

    6. Re:I do want a HTTPS web by Anonymous Coward · · Score: 0

      IP header extensions. Much easier to add than HTTP headers and work with any IP protocol.

  5. Nomenclature by Lightn · · Score: 2

    I don't think we should cede the rhetorical battle by letting them call it "header enrichment."

    I say we call it "tracking injection."

    1. Re:Nomenclature by Anne+Thwacks · · Score: 1

      What is wrong with the traditional "selling souls to the devil?"

      --
      Sent from my ASR33 using ASCII

    2. Re:Nomenclature by Anonymous Coward · · Score: 0

      We are used to that, and it doesn't describe the issue any more clearly than we already understand the problem of business.

    3. Re:Nomenclature by Anonymous Coward · · Score: 0

      This kind of "enrichment" is not unusual; it's also available in e.g. Germany from various operators. As far as I can tell it is _not_ enabled just for tracking purposes. It used to be limited to cases where access to an (otherwise) for-pay service is either billed via the operator or free for customers of the operator, or there are other important reasons that the specific service cannot otherwise function.

    4. Re:Nomenclature by countach · · Score: 1

      More like "privacy hijacking" or "header hijacking"

  6. IP to Phone Number by Voice+of+Meson · · Score: 2

    They can talk about 'trusted partners' and 'optimising websites' all they want, but the main point here is that they are sending your phone number over HTTP. Anyone on a hop along the way or of course the end website and their 'trusted partners' can now link an IP address to a phone number. Via other cookies they can tie that IP address to your previous ones and suddenly they have a Phone Number to go with the previously anonymous browsing history and customer profile.

    Just imagine if that irritating banner ad could actually call you! It really is a phenomenal breach of privacy and security.

    --
    Dammit! I had a good one.

    1. Re:IP to Phone Number by countach · · Score: 1

      If this ended up violating someone the subject of a domestic violence order or something, they could be sued for some serious money. I know a woman whose details were accidentally revealed to her ex by a company, and they had to give her $10,000 even though no actual harm came of it. Now if harm HAD come of it, she could have got some serious cash.

  7. It's not my fault!!! Money made me do it!!! by BringMyShuttle · · Score: 3, Insightful

    > "Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites."

    Someone needs to tell the weasel at Optus pushing this excuse that they have a COMMERCIAL RELATIONSHIP WITH THEIR CUSTOMERS TOO.

    1. Re:It's not my fault!!! Money made me do it!!! by Anne+Thwacks · · Score: 2

      > COMMERCIAL RELATIONSHIP WITH THEIR CUSTOMERS TOO.

      In the same sense that burglars and their victims have a relationship?

      --
      Sent from my ASR33 using ASCII

    2. Re:It's not my fault!!! Money made me do it!!! by Anonymous Coward · · Score: 0

      Yes, if a burglar is arrested, they can sue the victim for lost revenue.

    3. Re:It's not my fault!!! Money made me do it!!! by thegarbz · · Score: 1

      Of course they do. That commercial relationship is sealed in a contract which their customers signed expressly allowing them to share their phone number with 3rd parties.

  8. Worse than tracking by phorm · · Score: 1

    This is worse than even just tracking cookie injection. A tracking cookie may be used to trace traffic back to a particular user, but there's generally nothing overly special about the cookie data.

    In this case, the Telco is not only providing the ability to track you to the third party, but giving away your phone #. As if people don't get enough calls from phone scams and malvertisors already.

  9. It's the customers' fault by Stan92057 · · Score: 1

    I'm sure they provide an opt-out, so it's not their fault, it's the customers' fault 100% they didn't opt out.......

    --
    Jack of all trades, master of none

  10. How mobile billing worked (back in the day) by benjfowler · · Score: 1

    Mobile telcos have been doing this for years (at least a decade). But let me tell you right now, it's NOWHERE near as bad as it's being made out. Simply because the requirements to get on deck were so onerous, only a few people would bother with it at all.

    For webmasters who would like to figure out how to serve/bill stuff to users on mobile websites, you've got to have some way of passing some kind of UID for the user connecting. For magazine/media sites trying to actually run a business, being able to serve stuff to users with the ability and inclination to pay for content was pretty important.

    Back in the day before the iPhone (and I believe this was more common in the US than elsewhere), users on web-capable phones issued by carriers would start their browsers, and land on the carrier's home page or "home deck" (think WAP). I remember getting "on deck" (linked off the website at a carrier) was a massive pain in the arse, because you'd have to make sure the website worked on their top 10 devices (a nuisance, because Netfront (and the phones it ran on) was a bigger piece of shit than Netscape 4 and IE6 combined), and then after all was said and done, you'd have to give the cellco a huge cut of any revenue you generated.

    (Note that I'm limiting the discussion to websites linked off the cellco's front page; not 'off deck' stuff, like those old magazine ads flogging rubbish ringtones off premium rate phone numbers. That's a different story and the billing works a bit differently.)

    Naturally, once you managed to get 'on deck', you'd get access to the cellco's billing infrastructure, which'd let you sell subscriptions and flog pay-per-event stuff like wallpapers and ringtones (which, back in the day, a rubbish poly ringtone costing £2.99, was HUGELY lucrative if you sold a few, and made SMSs seem like good value). But only after you managed to make it on deck (otherwise there's no traffic, and thus, no revenue). And then you still had to deal with a completely, utterly different billing interface for each carrier (some using transparent proxies, some using redirects, some using web services, etc). And of course, the dubious pleasure of dealing with the cockheads at the telcos themselves.

    Naturally, to keep this going, the cellco would only flip the big switch to pass through your phone number to that particular website in very specific circumstances (like, a tiny number of very well known websites owned by very well-known companies (like Disney)). It's a whitelist -- and a small one. Hardly the scale of threat being implied by the lede.

  11. Unsolicited Calls by Whiteox · · Score: 1

    This may be slightly off topic but I'm very careful whom I give my number to. I do get human calls from certain businesses like car servicing/hotel/insurance surveys and I'm comfortable with that as I gave them my contact number.
    What gets me is I also receive calls from charities, solar sellers, telco sellers etc, so someone is trading my ph number. I have blocked these (many are voip) and currently I get none of them. However every time I'm asked for my number, I ask why and often refuse to give it to them as there are other ways they can contact me.
    So you can be proactive here and not share your number especially if it is not required. Otherwise block, block, block!

    --
    Don't be apathetic. Procrastinate!