Capturing the data is trivial. But if you are aware of p0f you will be aware of its limitations. So first they would need to gather fingerprints of all possible devices that are permitted to use their service, and then compare against traffic seen, then double check any anomolies against firmware updates or any of the many different ways the fingerprint could have altered and then put it to the customer that they are in breach based on something so flakey. It sounds unfathomable that any carrier would do this.

User agent strings are the same. There are at at least four browsers I can run from my n900 and with any of them I can set the user agent string to whatever I like. There is nothing in the t&c that stipulates that you must use a specific user agent string I presume. Repeat for all user agent strings for all valid browsers for all handsets.

Neither effective or likely.