Wireless Web privacy hole still wide open

Mobile phone Web surfers from several service providers discovered last March that their wireless Web services were distributing their phone numbers to Web sites without telling them. The disclosure enraged privacy advocates and prompted at least one company--Sprint PCS--to promise quick changes.

Five months later, little has changed.

Sprint and AT&T Wireless say they're just weeks away from changing their technology to preserve their callers' privacy, but privacy advocates say the wireless companies aren't taking the issue seriously enough.

"It has taken longer than one would guess," said Richard Smith, chief technical officer for the Privacy Foundation and one of the figures who helped verify the issue months ago. "It seems like this should be pretty straightforward."

The privacy hole stems from callers using their mobile phones' tiny screens and slow connections to surf the Web. Although the number of people doing this on a regular basis is still small, at least in the United States, the sector has been the focus of intense financial and media attention during the past few months.

Because the technology is still relatively unfamiliar, the sector has yet to face the kind of intense privacy and security scrutiny that has been a feature of the wired Internet for years. A few groups have sprung up to combat intrusive ads over phones, although even those criticisms have been muted by the lack of pervasive technology.

But early this year, a Seattle programmer was one of several people to notice that people visiting his Web site with a Sprint telephone were leaving behind records of their telephone numbers.

It turned out that both Sprint and AT&T were using the phone number as a way to identify the surfer. This is a feature inside the phones' Web browsing software, created by Phone.com. But other services such as Bell Atlantic's Net access system use a randomly generated set of digits instead of the phone number to identify customers.

Sprint originally said it would change its system in April as part of an upgrade to the entire wireless Web system. A spokesman yesterday said that this timing was ambitious. The company still plans to take the telephone number out as an identifying feature but now says it will do the system-wide upgrade "by Labor Day."

Spring spokesman Tom Murphy noted that the company hasn't received any complaints from customers.

"We have had no customers calling us or saying that they've gotten any strange phone calls," Murphy said. "Which is not to downplay this or say that we don't take the issue seriously. We've said we would change this from the beginning."

Rival AT&T originally dismissed the issue, saying it had received no complaints. That's still the case, but the company now says it will change its customer identification system by the middle of next month.

"We've dealt with (this kind of issue) on the Net side of the house," said Rich Blasi, an AT&T Wireless spokesman. "It's a matter of doing it before it becomes a bigger issue."

The slow-motion way in which the issue has played itself out is in some regards a mark of the immaturity of wireless technology, advocates say.

Smith noted that the wired Web settled on "cookie" technology to let Web sites identify visitors long ago. That option still concerns some privacy backers, but Smith said it's still better than mobile phones' system of having a unique string of digits associated with each phone.

"(Phone manufacturers) should just support cookies," Smith said. "In spite of all the problems, that's a better way of doing it."