A Seattle, Wash.-based computer programmer has brought to light what some say is a serious privacy violation inside several new wireless Web services promoted by communications companies like Sprint. The perceived violation automatically displays the person's telephone number to every Web site visited.
The services from Sprint PCS and AT&T Wireless, which allow subscribers to browse a rudimentary version of the Web over a mobile telephone's tiny screen, use the phone numbers as a way of identifying the surfer as a customer and helping to personalize Web sites, the companies say.
That's the equivalent of automatically giving a Web surfer's unique email address to every Internet site visited--a prospect that horrifies some subscribers.
"Having a device that gives out your phone number is really bad," said Richard Smith, a Massachusetts-based programmer who has helped discover many previous online security holes, and who helped verify the Sprint issue. "I don't know why they send out any unique number. Web browsers don't do that."
Sprint, at least, is already moving quickly away from its current policy. In the next 30 days, the company will be introducing a new version of its product that no longer displays users' telephone numbers, executives said today.
"Like any industry, as we go forward, we will continue to perfect what we do," said Keith Paglusch, senior vice president of operations for Sprint PCS. "We're absolutely committed to customer privacy."
The privacy flare-up is the first big security issue to arise in the still-young world of the wireless Web. Similar issues concerning user privacy have dogged the broader Internet since its inception, most recently leading President Bill Clinton to issue an ultimatum to the Web industry ordering sites to pay more attention to privacy issues.
Today there are still few wireless Net subscribers in the United States, although the market in parts of Asia and Europe is growing far more quickly. According to a recent Banc of America report, about 6.6 million people around the world subscribe to wireless phone data service at the end of 1999, but this number will balloon to nearly 400 million by 2003.
With their eyes on these figures, cellular phone carriers and Silicon Valley companies have been doing all they can to boost their wireless Net businesses and product offerings. Most of the big carriers now offer or have plans to offer Web browsing services over their phones, and most of the biggest Web companies already have or are building versions of their portals or e-commerce sites that are available over the phones.
As with ordinary e-commerce companies, it's critical that the wireless sites win the confidence of shoppers, however. That's where the issue of personal information and privacy comes in.
Phone.com, the creator of the wireless phone browser used by Sprint, says the exchange of some information between the Web site and the Web browser is a part of the wireless data industry's technical standard.
"With phones you want a high degree of personalization," said Ben Linder, vice president of marketing for Phone.com. "That's very useful for many Web sites."
Linder said carriers can choose whether to use a subscriber's phone number or a random number, however.
Sprint says it chose a user's telephone number in order to speed communications with its own Web site, and to make personalization of Web sites simpler. All of the sites it has deals with--including Amazon.com, CNN.com and others--have strict privacy policies forbidding the use of the phone number for anything other than identification.
"The phone number was the least intrusive option," Paglusch said. "It's meaningless. You can't do anything with it."
That's not completely true, say critics. The phone number could be captured by any Web site visited by a Sprint subscriber and used to launch telemarketing campaigns, or to build a directory of wireless phone numbers, some say. That was the topic of a discussion on Internet bulletin boards late last year, when some subscribers saw language in the Sprint user contracts notifying them of the privacy issue.
"Given what has happened with email spam, I think this could become a serious problem," said Kevin Manley, an independent Seattle software developer who has helped publicize the issue. "Most people are not going to read deeply in their user agreement. They're going to be used to surfing the Web anonymously, and think it's the same on the wireless Web. But it's not."
AT&T Wireless spokesman Ken Woo said his company has had no problems with the policy, and declined comment on any future plans to change the system.
"We have not had any customer complaints," Woo said. "We have had no issue with it."
Other big carriers have already implemented policies that keep users' phone number from being displayed to outside Web sites. Bell Atlantic, for example, hides users' personal information, sending a different numerical "calling card" for each site visited. Thus, a user visiting Amazon.com five different times would send five different identifiers, a company spokesman said.
AirTouch Communications also said it does not display its customer telephone numbers to Web sites.
Privacy advocates compared the Sprint and AT&T issue with previous privacy concerns about products from Microsoft, Intel and Real Networks.
"This is a big problem," said David Banisar, deputy director of Privacy International, a Washington-based human rights advocacy group. "The current system of self-regulation doesn't seem to be making companies think about designing privacy into their products. They even seem to be designing privacy out."
The issue was first reported by the San Francisco Chronicle.