Aussie Telco Caught Handing Over User Mobile Numbers To Websites Without Consent
AlbanX writes: Australian telco Optus has been nabbed passing its customers' mobile phone numbers to third-party websites without the customers' knowledge or consent. The practice, known as HTTP header enrichment, aims to streamline the process of direct billing for customers, but they're not happy. The discovery was made by a user on the telco forum Whirlpool, and Optus confirmed it. They said, "Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites."
Consent is a killer and also but a sideshow (Score:1)
Why is it that telcos feel entitled to meddle in customers' data packets at all? "Adding headers"? I Think Not.
It's perfectly possible technically.
Your carrier can easily find out what sites you are connecting to and what IPs/ports you are using to do it (and if they are using CGN how those IP/port combinations map through their NAT). They can easily pass that information on to the site operator. For unencrypted protocols they can trivially inject additional headers. For encrypted protocols they can't inject headers as easily but they could easily arrange with the site owner to pass the information over another c
"Caught" would imply... (Score:5, Insightful)
...a crime was committed, or at minimum that we're going to actually do something to them.
Of course, we all know nothing will come of this, or at best a slap-on-the-wrist fine, which they've probably already calculated as a standard business expense.
Might as well just stop putting stories out like this until consumers are actually willing to act upon it. I'm willing to bet there isn't enough consumer give-a-shit left in the world to tackle even this single issue, let alone tackle the mass arrogance that corporations pull off today at the expense of the customer.
What does it matter if you label someone as "caught" if the reaction is nothing.
Re: (Score:3)
TL;DR... TH;DR Too Hard, Didn't React
Re:"Caught" would imply... (Score:4, Insightful)
"Caught" does not imply anything of the sort. If you were caught cheating on your wife, no crime is implied. If you were caught picking your nose, nothing would be done to you (unless you work in food preparation, perhaps).
In this case, "caught" simply means that the telco was found to be doing something that they hadn't told their customers about (and would obviously prefer they didn't know about). And no, we shouldn't stop posting stories like this. Perhaps Optus will get away with it this time, but each time something similar comes to light it will build in the collective minds of the public. Eventually something will be done to protect privacy; either at the legal level or the personal level like everyone starting to use VPNs. We will all say the VPNs are to protect us from corporate privacy issues, but really it will be to get around the Great Firewall of Australia or data retention laws.
Re: (Score:2)
...a crime was committed...
Not really. Laws, criminal codes to be more precise, apply to people, not corporations. Didn't you get the memo?
I do want a HTTPS web (Score:5, Informative)
See, this is exactly why I want a HTTPS web.
I do think Let's Encrypt is on the right track. When they show their protocol and open source software work, I'm pretty sure other CAs will follow.
Automating HTTPS deployment is a good thing.
Yes, the CA-system isn't a perfect system at all, but at least we are seeing some improvements in use of HTTPS:
- https://en.wikipedia.org/wiki/... [wikipedia.org] (better revocation of certificates and faster loading of sites and better privacy)
- https://blog.mozilla.org/secur... [mozilla.org] (better revocation of certificates)
- https://en.wikipedia.org/wiki/... [wikipedia.org] (old browser finally dying)
- HTTP/2 is faster than HTTP and sort of depends on HTTPS for backward compatibility for old proxy servers and public websites
- finally we are getting rid of all the old protocols like SSLv3 and get our server configurations cleaned up
Especially for regular visitors of a site things are improving:
- https://developer.mozilla.org/... [mozilla.org] (a CA can NOT issue a cert for a fake certificate - works in Firefox and Chrome)
- https://en.wikipedia.org/wiki/... [wikipedia.org] (always HTTPS, no HTTP on the second visit)
Re: (Score:2)
See, this is exactly why I want a HTTPS web.
Let's think about this critically for a moment.
The mobile provider has a "relationship" with certain websites. When there is such collusion what is the basis for assuming SSL is at all helpful in this scenario?
They are already operating a MITM proxy to inject the headers. Is any of the following at all unreasonable or impractical?
1. Provider sees you're going to a commercial relationship site by destination IP.
2. Commercial relationship site has already provided ISP with certificates to MITM itself since ah
Re: (Score:2)
This only works if the website gives the ISP their private key. When the relationship between the website and the ISP is short, the website would probably be reluctant to do that.
So I'm not so sure they would do that.
But I agree if they have such a relationship another way would be for the ISP to have a protocol where the website can get the information they currently put in the header by requesting the information that goes with an IP/port combination. Just like haproxy/postfix do it:
http://permalink. [gmane.org]
Re: (Score:2)
This only works if the website gives the ISP their private key. When the relationship between the website and the ISP is short, the website would probably be reluctant to do that.
It doesn't have to be the private key to their primary domain; it could be a subdomain created specifically for this purpose.
But at least nobody else can get this information.
For example when it's unencrypted any passive attacker could see the extra header that was added.
Gremlins in the tubes are mostly red herrings. They exist and there is value in avoiding them yet most damage is inflicted by other means.
Nomenclature (Score:3)
I don't think we should cede the rhetorical battle by letting them call it "header enrichment."
I say we call it "tracking injection."
Worse than tracking (Score:1)
This is worse than even just tracking cookie injection. A tracking cookie may be used to trace traffic back to a particular user, but there's generally nothing overly special about the cookie data.
In this case, the Telco is not only providing the ability to track you to the third party, but giving away your phone #. As if people don't get enough calls from phone scams and malvertisors already.
Re: (Score:2)
More like "privacy hijacking" or "header hijacking"
IP to Phone Number (Score:2)
Just imagine if that irritating bann
Re: (Score:2)
If this ended up violating someone who is the subject of a domestic violence order or something, they could be sued for some serious money. I know a woman whose details were accidentally revealed to her ex by a company, and they had to give her $10,000 even though no actual harm came of it. Now if harm HAD come of it, she could have got some serious cash.
It's not my fault!!! Money made me do it!!! (Score:3, Insightful)
Someone needs to tell the weasel at Optus pushing this excuse that they have a COMMERCIAL RELATIONSHIP WITH THEIR CUSTOMERS TOO.
Re: (Score:3)
In the same sense that burglars and their victims have a relationship?
Re: (Score:2)
Of course they do. That commercial relationship is sealed in a contract which their customers signed expressly allowing them to share their phone number with 3rd parties.
ts the customers fault (Score:2)
Unsolicited Calls (Score:1)
This may be slightly off topic but I'm very careful whom I give my number to. I do get human calls from certain businesses like car servicing/hotel/insurance surveys and I'm comfortable with that as I gave them my contact number.
What gets me is I also receive calls from charities, solar sellers, telco sellers etc, so someone is trading my ph number. I have blocked these (many are VoIP) and currently I get none of them. However, every time I'm asked for my number, I ask why and often refuse to give it to them.