One of the great things about the Internet is anonymity; one can surf the net without disclosing who he/she is and where he comes from (OK, your IP address can be used to track you, but then unless you go through the long process of getting your ISP to yield details about the IP address, such means can be safely ruled out). Also people using a shared IP address can be more anonymous. In Qatar, there is just one ISP with only one IP address. How can one trace an individual net-surfer from only that information?

No wonder, people expect to have the same kind of anonymity while surfing the web through their mobile devices too. The mobile operator does give you a shared IP address. Though surfing through mobile phones is still very painful in India (3KBps download speeds aren’t that great), mobile Internet access through GPRS is becoming cheaper every passing month; Airtel offers a HTTP only package for just Rs. 99 per month which would encourage more people to at least try mobile web surfing. But cheap access doesn’t translate into secure access.

I always used to wonder how various websites like Yahoo, Rediff et al could get access to mobile subscriber data and charge them for their products and services. So I created a small servlet at [Server is dead now]. And the results turned out to be shocking. I accessed the page from my friend’s phone and this is what I saw (the number was not masked, it has been done so to protect his privacy.

Host :

X-Wap-Profile : ""

Accept-Language : en

Accept : application/vnd.wap.xhtml+xml, application/vnd.wap.wmlc, application/xhtml+xml, image/gif, */*, text/vnd.wap.wml

User-Agent : SonyEricssonW700i/R1CA Browser/SEMC-Browser/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1

Accept-Charset : *

Accept-Encoding : deflate, gzip

TE : deflate, gzip
MSISDN : 9198xxxxxxxx</strong>

WAP-Connection : Stack-Type=HTTP

Cookie : $Version=0;User-Identity-Forward-<strong>msisdn=9198xxxxxxxx</strong>;&#8203;User-Identity-Forward-ppp-username=void&#8203;;Bearer-Type=w-TCP;&#8203;wtls-security-level=none;network-access-type=CSD;&#8203;nas-ip-address=;;<strong>imsi=404490016894720</strong>;&#8203;;&#8203;accounting-session-id=3D5FF84246578127;&#8203;accounting-authentication-method=2;&#8203;sgsn-ip-address=

SCRIPT_URL : /servlet/proteus.SmallFiles.WmlHead


Remote Address :

Remote Host :

Server Name :

Protocol : HTTP/1.1>

This is from Airtel network in Andhra Pradesh, India. As one can see it is transmitting your mobile number in plain text as well as your mobile operator information to each and every website you visit. It also has your IMSI number which, about which Wikipedia says “In order to avoid the subscriber being identified and tracked by eavesdroppers on the radio interface, the IMSI is sent as rarely as possible and a randomly generated TMSI is sent instead.”. This is potentially a great way for spammers to send you spam SMSs or track your surfing habits. They can put in a 0 X 0 pixel image on web pages and track you without you having to visit their site. Though much of this is what they can do through normal browsers on computers, here they can personally identify you through your phone number. You can visit the link [Server is dead now] given above to verify what headers you ISP is attaching to your outbound requests over GPRS. It is a WML page so even the oldest browsers should be able to open it.

It would be futile to even talk to your Customer Care guys about this, write to your ISP about this and ask them WHY they are exposing you to dangers which involve endangering your privacy. As a defense against this, you can use an anonymizing proxy like Opera Mini which will hide your information, but prevention is better than cure!

Source for the Java Servlet is available here

Remember you need to access the URL with your Mobile phones , accessing through your normal browser will display the header information of your PC Browser. Also you need a GPRS connection that allows you to surf external sites and not just those of your service provider’s.**_

For the curious, a script that displays the headers sent by your PC browsers is located here. The source for this one is available here.