Some wireless web browsers reveal your phone number to web servers you visit. As a result, advertisers can obtain your phone number to annoy you by running up your airtime. There is as of yet no way to disable this feature. Below I summarize the problem and provide a simple script to test if your phone is vulnerable. Note, SprintPCS users should not complain because you signed away your rights by accepting the "callerID cannot be disabled in the Wireless Web" section of your customer agreement.
The UP.Browser mini-web browser found on phones such as Qualcomm's QCP-1960 with SprintPCS cause your phone number to be broadcast in HTTP request headers. Whether your phone number is broadcast depends on your carrier. At the time of writing, SprintPCS still reveals phone numbers.
The press finally wrote about this privacy problem on CNet and the SF Chronicle.
If you have a wireless web phone, enter this URL on your phone to test if your phone number gets revealed:
To access this URL on your web phone, start the mini-browser and choose "Go to" from the main menu. Then type in the URL. The phone should display "HDML Privacy" after visiting the URL. At this point, hitting the appropriate button for OK will test your phone and display your phone number if the script can detect it.
Note that the script will not work unless you have the UP.Browser. You are welcome to download my short HDML Java Servlet. However, in return I ask that you let me know of any bugs you find in my code. Feel free to make improvements. I do not claim that the code is efficient, secure, correct, yada yada.
Wait. Hopefully the fix requires changes only on the UP.Link server. Your carrier will probably get rid of the phone number from HTTP headers soon. Otherwise only visit web sites that you trust not to use or disclose your phone number. Unfortunately, there is yet no mechanism to verify the authenticity of web servers from a wireless web phone.
My wife's Qualcomm QCP-1960 web phone did reveal her number (output changed to 6171234567):
(~/)% nc -l -p 8000 GET / HTTP/1.0 x-up-uplink: up2.upl.sprintpcs.com x-up-fax-accepts: none x-up-fax-limit: 0 User-Agent: UP.Browser/3.01-QC31 UP.Link/220.127.116.11 x-up-devcap-charset: US-ASCII Accept: application/x-hdmlc, application/x-up-alert, application/x-up-cacheop, application/x-up-device, application/x-up-digestentry, text/x-hdml;version=3.0, text/x-hdml;version=2.0, text/html,text/x-wap.wml,text/vnd.wap.wml, */* Accept-Charset: US-ASCII, UTF-8, * Accept-Encoding: 7bit, 8bit, binary x-up-subno: 6171234567_up2.upl.sprintpcs.com Accept-Language: en Connection: Keep-Alive Host: wmm.mit.edu
As you can see, the phone number exists in the x-up-subno header. Luckily a phone with a real TCP/IP connection such as the PDQ palm pilot phone does not have this particular problem.
At the time of writing, SprintPCS, Yahoo, and phone.com have not given me any helpful responses. Because this issue hit the media headlines, sending email to companies probably won't help much besides take away their time. So please give the developers a break by allowing them time to fix the problem.
Here's the dialog between me and various organizations when I tried to disable this feature. It's strange that Keith Paglusch claimed no knowledge of customer complaints. Sounds as if user feedback doesn't make it up the chain of command.
From: DoNotReply@sprintspectrum.com Date: Mon, 14 Feb 2000 17:07:37 -0600 (CST) Subject: Sprint PCS Case #641763 Notification Sender: DoNotReply@sprintspectrum.com To: fubob Dear Mr. Fu: Welcome to the Sprint PCS web site. You are correct. Sprint PCS does not give out subscriber phone numbers. The information that you refer to in your message is provided through Yahoo. When your PCS phone number is displayed on the header while accessing web servers, it is Yahoo's way of knowing which customer to bill. Your concern regarding the possible invasion of privacy should be directed to Yahoo. There should be an area on their home page where you may direct questions. Thank you for using the Sprint PCS web site. Sheila S. Thank you for submitting your request from the Sprint PCS web site. If you have any other questions or comments, please visit us again at http://www.SprintPCS.com/ -------- From: fubob To: Yahoo Support Date: Feb 26, 2000 Hi, How can I disable yahoo's forwarding of my phone number within the HTTP headers of my mini-browser? The SprintPCS help desk told me to contact you about a privacy problem when using a mini browser on my Qualcomm 1960 phone. SprintPCS says that you subcontract the "Up.Link" server which translates my mini browser requests to HTTP requests. I noticed that within the HTTP headers from the Up.Link server, my phone number is embedded. In other words, advertisers are collecting my phone number. Had I used a non-wireless browser, advertisers would only know my IP address and wouldn't have a way to run up my cell phone air time. Already I know of one instance where a person called a phone number in the HTTP headers. How can I turn this off? Kevin E. Fu (fubob) PGP key: https://snafu.fooworld.org/~fubob/pgp.html -------- To: email@example.com cc: fubob Subject: diabling phone number cookie in x-up-subno HTTP header Date: Sat, 26 Feb 2000 12:20:07 EST From: Kevin Fu fubob Hi, How can I disable either the Up.Link server or Up.Browser mini-browser from giving out my phone number? What's the wireless web equivalent of *67? Kevin E. Fu (fubob) PGP key: https://snafu.fooworld.org/~fubob/pgp.html
For more fun with HDML, see the SIPB HDML script.