It's a shame they've come so close to an open and honest response and then detract from from it with phrases such as "possible in certain circumstances for other websites to see the mobile number." From what I understand it wasn't really certain circumstances, it was in almost all circumstances that the data was made available; whether the site knew it was available or chose to do anything about it was another matter.
I wonder if this means that Age verification can be spoofed by changing that header or if it's just one of several methods they use.
Its only the general circumstance because you are considering only this circumstance. I know you mean "all websites not some", but this is a non-technical public note for all O2 customers, to say "all circumstances" is wrong and misleading.
O2 also sell data plans for iPads, do email/webmail services, sell home ADSL connections, as well as provide cellphones. It would be bad if they left people believing their phone number was sent out on their O2 broadband when web browsing (are tethering users affected?), or perhaps it is only parts of the country which are affected, maybe some infrastructure was acquired from buyouts and phones connected to that weren't affected?
Covering their ass is a non-deceptive reason to say that - it's not all so they shouldn't say it. Maybe "many".
I wonder if this means that Age verification can be spoofed by changing that header or if it's just one of several methods they use.