There’s a mini firestorm brewing this morning around o2 UK. Earlier this morning, Matt Brian over at The Next Web broke the story about a ridiculously shocking privacy breach by o2.
Here’s a bit of Matt’s story:
If you reside in the UK and you are one of the millions of subscribers to mobile operator O2, you may be alarmed to learn that the carrier is sending your mobile number to every website you visit on your mobile phone.
The issue was brought to our attention by Lewis Peckover, who created a simple webpage to check the information that a mobile browser would send to a website when it requested data.
The story is still developing, however it’s clear that o2 has been passing your phone number to every website you visit. It’s passed in the headers — which most sites will ignore. Indeed, if your server isn’t looking for the field, then it’ll simply ignore it.
This is clearly a mistake and certainly not normal practice. If anything, I suspect it’s a misconfiguration or a standard configuration on a particular server, gateway or system at o2.
o2 will be horrified.
It’s going to be fascinating to see how they handle this. People are still hugely attached to their perceived privacy and the knowledge that every website you’ve visited via your phone could have retrieved your phone number will be massively discomforting.
The real problem is if the mainstream media pick it up. It looks like a bit of a slow news day — and it’s a terribly sexy issue, this, especially in the context of phone hacking. The headlines boiled down will make highly frustrating reading. I wouldn’t be surprised to see headlines like, “o2 exposes your phone number to every website” or “o2 gives your phone number to spammers” appearing shortly in the mainstream press.
o2 need to respond very, very quickly. I think they’ve got until midday to deliver a formal response. It’s 11am now. After midday the story could potentially gravitate from a Twitter firestorm into mainstream consciousness.
Can you imagine the implications of an adult website claiming that [insert famous person here] has visited their site 100 times in the last 2 days — and they’ve got the logs to prove it? Ooof!
What should o2 do?
Well I think that depends on how the media treat the issue. If it’s picked up by the Daily Mail anywhere near their front page, then they’ll need a mega response. Definitely.
Normal mobile users on o2 reading the story will go nuts. Folk will want to do something in response to the perceived privacy invasion, even if it didn’t actually affect them. The first instinct will be to cancel the line and churn to another network. The next instinct will be some kind of recompense — a free credit, some extra text messages or something like that. Quite possibly legions of users will demand that their phone numbers be changed.
Goodness me. It’s a bit of a mess.
There’s not much o2 can do, I don’t think, that would appease me as a normal user. I’d probably react very, very negatively to a £5 credit offer (“Is that what my privacy is worth?”).
The underlying issue here is the break down of trust that many o2 consumers will feel when they read the news. I think o2 should act decisively, positively — and if anything, they should over-react. Do everything. Offer everything. And put the CEO or a C-Level executive on camera right-away to speak to the media.
Of course we’re going to want to know how long this flaw has been live on the o2 systems; how many users have been potentially compromised and so on. That could take days to determine. So an immediate response is required now and then hourly updates should be issued throughout today and, say, tomorrow, until all the information is in o2’s hands.
We shall see.
If anyone can handle this kind of challenge, it’s o2. The team there are seriously capable. If anything, I think they could possibly use this as an opportunity to engage brilliantly with their customers and boost loyalty even more.
Bring it on, o2!
Update: Matt is back with a related post — How O2 could unwittingly help spammers conduct a nasty phishing campaign that’s worth a read.
Update 2: o2 has posted a public announcement on the matter (thanks Adrian)