Optus has admitted to handing over its customer's phone numbers to certain third-party websites accessed by the user.
As first flagged by a user on telco forum Whirlpool, when a user browses certain websites, Optus provides the customer's mobile phone number to the website operator where a "commercial relationship" exists.
The practice, known as HTTP header enrichment, includes a mobile browser's phone number in the HTTP header of the website request. The process aims to streamline direct billing for customers.
The Whirlpool user discovered the practice after receiving alerts about a subscription to a site they had not signed up to.
Optus confirmed its use of HTTP header enrichment to iTnews but said it only provided the details to certain sites involved in a "trusted" commercial relationship with the telco.
"When consumers browse the internet, information about the device they're using is passed on to website owners in order to optimise websites for those users," a spokesperson said.
"Optus adds our customers' mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites."
The telco said numbers were only sent to sites where user authentication is required - such as for premium content services with direct billing to Optus.
iTnews has contacted other telcos about their apparoach to the practice.
Optus customers have raised concerns about the privacy implications of these information sharing habits.
One user, who declined to be named, said there was no way for the end user to opt out of third-party sites being able to see their mobile number if they are an Optus customer.
"This raises huge privacy concerns," the user said.
Optus' privacy policy states that it may share some "personal information" with third parties, but does not specifically mention mobile numbers.
"We sometimes team up with other companies to offer products," the policy advises.
"If you purchase a product that is delivered by one of our partners, we'll give them the personal information they need to provide it and manage their relationship with you. In these circumstances, we have arrangements in place with our partners that limit their use or disclosure of your personal information to these purposes."
In the United States, Verizon Wireless’ use of HTTP header enrichment to track users with a “super cookie” became a privacy cause celebre, and led to a “please explain” letter from US senators in January this year.
Verizon Wireless modifies network traffic and injects an X-UIDH HTTP header that was thought to uniquely, and silently, identify the telco’s customers to advertisers.
The cellular provider denied the X-UIDH header contained customer information, instead calling it a temporary anonymous identifier sent to advertisers, and therefore not a privacy threat.
After official uproar arose over the practice, Verizon Wireless was forced to introduce an opt-out scheme for customers who did not want to be tracked in this manner.
