UPDATE: Seems like Telstra does it as well.
As we know already, carriers care about customers like a farmer cares about cows – only for maximum milk and meat production. This time around, Optus (a major local carrier) has been discovered willingly handing over customer’s private mobile number, to ‘partnered’ websites, when the customer visits that website via their mobile data connection. The carrier intercepts the HTTP connection, injects the customer’s mobile number into the header and sends it on it’s way, for the benefit of the website, security be damned.
For starters, you’re paying a hefty monthly subscription fee, but yet you’re still getting sold out – nobody willingly wants their mobile number spread all over the web. Secondly, when Optus says it’s for optimisation, they really mean ‘optimisation of our revenue stream, cha-ching’ – there’s no list of partnered websites, nor a guarantee that their intentions are good, or your number won’t be further sold again. Finally, blatantly injecting your mobile number over an unencrypted HTTP header violates even the most basic security protocol. If you suddenly receive a ton of spam SMS or strange calls, you know why. You can check if your HTTP headers have been fiddled with here. This is even more noxious than the supercookie fiasco in the US a few years ago.
“When consumers browse the internet, information about the device they’re using is passed on to website owners in order to optimise websites for those users,” the spokesperson said. “Optus adds our customers’ mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites.” The spokesperson insisted that numbers are only sent to “trusted partners”, where user authentication is required. It is used for the premium content services where billing is direct to Optus, as well as the My Optus app.”