UK mobile operator O2 found themselves in trouble last week, when it was discovered they automatically sent the user’s telephone number to any website they visited. Any. The problem is fixed now, but the error that caused the privacy violation was created on January 10th and remained uncorrected until January 25th, according to O2’s blog. Whilst O2 were quick to resolve the issue once they had become aware of it, the most important lesson learned (we can only hope it is learned this time) is that customers have become adept at spotting the mistakes not caught by the operator’s formal testing. Lewis Peckover, a system administrator at a mobile gaming company, not only found the problem, but helpfully shared it with the world, writing a script so anyone could check if their O2 phone was broadcasting their number. You can see his script page here.
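The kind of check Peckover's page performed, written here as an added example rather than his script or anything from O2: a small server that inspects every request header for a value shaped like a UK mobile number and reports what it saw back to the visitor, so a subscriber can test their own connection. It assumes the number travelled in an HTTP request header, which the post above does not specify; the header name and number in the constructed sample are made up (07700 900xxx is an Ofcom-reserved range).

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# UK mobile numbers: national 07xxxxxxxxx (11 digits) or E.164 447xxxxxxxxx (12 digits).
_UK_MOBILE = re.compile(r"^(?:07\d{9}|447\d{9})$")


def looks_like_uk_mobile(value: str) -> bool:
    """True if the value, once spaces and punctuation are stripped, is a UK mobile number."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("00"):          # international prefix written as 00 instead of +
        digits = digits[2:]
    return bool(_UK_MOBILE.match(digits))


def find_leaked_msisdns(headers) -> list:
    """Return (header name, value) pairs whose value contains a subscriber-number-like token.

    `headers` is any mapping of name -> value, including http.server's message object.
    """
    findings = []
    for name, value in headers.items():
        # A number may be embedded in a longer value (e.g. "tel:+44..."), so test each token.
        for token in re.split(r"[;,\s]+", value):
            if token and looks_like_uk_mobile(token):
                findings.append((name, token))
                break
    return findings


class LeakCheckHandler(BaseHTTPRequestHandler):
    """Tells the visiting device which request headers carried a phone-number-like value."""
    def do_GET(self):
        leaks = find_leaked_msisdns(self.headers)
        if leaks:
            self.log_message("possible MSISDN leak from %s: %s", self.client_address[0], leaks)
        body = ("LEAK: %s\n" % leaks if leaks else "No phone number seen in request headers.\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample request headers; the header name and number are invented for this example.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Linux; Android 2.3)",
    "X-Carrier-Subscriber": "447700900123",
    "Accept": "text/html",
}

if __name__ == "__main__":
    print(find_leaked_msisdns(SAMPLE_HEADERS))   # [('X-Carrier-Subscriber', '447700900123')]
    HTTPServer(("0.0.0.0", 8080), LeakCheckHandler).serve_forever()
```

Run it on a host reachable from the handset and browse to it over the mobile network; the operator's own traffic path is what is under test, so a Wi-Fi visit proves nothing.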
A knee-jerk reaction might be to demand more controls, more testing, more whatever. Without knowing how O2 works, I would not like to comment. Mistakes happen and will keep on happening; a demand for more and more controls can only lead us in ever decreasing circles. My reaction to this incident is quite different. First, O2 reacted quickly. That is important. Agility demonstrates concern and limits risk. Second, they were transparent. They did not keep quiet and hope the problem would disappear. Instead, they were proactive in talking to customers, press and regulators. This also limits the eventual damage done. Third, all telcos could benefit from making it easy for customers to give them information, and being responsive when acting upon it. It was easy for Lewis Peckover to tell the whole world about O2’s bug. O2 got the message, but they got it via a public route. If the same information had been passed to them privately, and if they responded as rapidly, no more harm would have been done to customers, but less harm would have been done to O2’s reputation. Customers can and will keep finding flaws, and the internet makes it easy for them to share them publicly. As with Facebook’s bug bounty, telcos can get error-spotting customers to work for the telco, not against the telco. Trying to avoid mistakes is obviously important and deserves the investment of time and effort. However, a tiny investment in helping customers to help the business means the issues can be resolved quickly and quietly – thus generating a positive return for the firm.
I agree that the flaw could have been reported privately and that O2 answered rapidly to amend the situation.
But on the other hand, we should think that O2 should have had a privacy-by-design approach first, and that a privacy infringement has been committed in any case, even if they may have deserved just a warning letter from the privacy watchdog.